security/openconnect: add groups and client certificates (#915)

2026-06-09 08:56:23 -04:00 · 2018-10-15 08:51:40 +02:00 · 2018-10-15 08:51:40 +02:00 · 722030e769
commit 722030e769
parent 8ecabc36cf
7 changed files with 114 additions and 4 deletions
--- a/security/openconnect/Makefile
+++ b/security/openconnect/Makefile
@ -1,6 +1,5 @@
 PLUGIN_NAME=		openconnect
-PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=     1
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
--- a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
+++ b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
@ -35,4 +35,16 @@
        <type>dropdown</type>
        <help>Select the type of hash. Possible values are SHA256 or SHA1.</help>
    </field>
+    <field>
+        <id>general.group</id>
+        <label>Group Name</label>
+        <type>text</type>
+        <help>When using profiles for group separation please set here.</help>
+    </field>
+    <field>
+        <id>general.clientcertificate</id>
+        <label>Client Certificate</label>
+        <type>dropdown</type>
+        <help>Select the client certificate to use.</help>
+    </field>
 </form>
--- a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
+++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
@ -37,5 +37,14 @@
                    <sha1>SHA1</sha1>
                </OptionValues>
        </hash>
+        <group type="TextField">
+            <Required>N</Required>
+            <mask>/^[a-zA-Z0-9]{1,64}$/</mask>
+            <ValidationMessage>Only a-zA-Z0-9 are allowed.</ValidationMessage>
+        </group>
+        <clientcertificate type="CertificateField">
+            <Type>cert</Type>
+            <Required>N</Required>
+        </clientcertificate>
    </items>
 </model>
--- a/security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/generate_certs.php
+++ b/security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/generate_certs.php
@ -0,0 +1,80 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ *    Copyright (C) 2015 Deciso B.V.
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+// use legacy code to generate certs and ca's
+// eventually we need to replace this.
+require_once("config.inc");
+require_once("certs.inc");
+require_once("legacy_bindings.inc");
+
+use OPNsense\Core\Config;
+
+$cert_pem_filename = '/usr/local/etc/openconnect_cert.pem';
+$cert_pem_content = '';
+
+$key_pem_filename = '/usr/local/etc/openconnect_key.pem';
+$key_pem_content = '';
+
+// traverse Openconnect plugin for certficiates
+$configObj = Config::getInstance()->object();
+if (isset($configObj->OPNsense->openconnect)) {
+    foreach ($configObj->OPNsense->openconnect->children() as $find_cert) {
+        $cert_refid = (string)$find_cert->clientcertificate;
+        if ($cert_refid != "") {
+            foreach ($configObj->cert as $cert) {
+                if ($cert_refid == (string)$cert->refid) {
+                    // generate cert pem file
+                    $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+                        "\r",
+                        "",
+                        base64_decode((string)$cert->crt)
+                    )));
+                    $pem_content .= "\n";
+                    $cert_pem_content .= $pem_content;
+
+                    $key_content .= trim(str_replace(
+                        "\n\n",
+                        "\n",
+                        str_replace("\r", "", base64_decode((string)$cert->prv))
+                    ));
+                    $key_content .= "\n";
+                    $key_pem_content .= $key_content;
+                }
+            }
+        }
+    }
+}
+
+file_put_contents($cert_pem_filename, $cert_pem_content);
+chmod($cert_pem_filename, 0600);
+echo "Certificates generated $cert_pem_filename\n";
+
+file_put_contents($key_pem_filename, $key_pem_content);
+chmod($key_pem_filename, 0600);
+echo "Keys generated $key_pem_filename\n";
--- a/security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/setup.sh
+++ b/security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/setup.sh
@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/local/opnsense/scripts/OPNsense/Openconnect/generate_certs.php
--- a/security/openconnect/src/opnsense/service/conf/actions.d/actions_openconnect.conf
+++ b/security/openconnect/src/opnsense/service/conf/actions.d/actions_openconnect.conf
@ -5,13 +5,13 @@ type:script_output
 message:stop openconnect

 [start]
-command:sh /usr/local/etc/rc.d/opnsense-openconnect onestart
+command:/usr/local/opnsense/scripts/OPNsense/Openconnect/setup.sh;sh /usr/local/etc/rc.d/opnsense-openconnect onestart
 parameters:
 type:script_output
 message:start openconnect

 [restart]
-command:sh /usr/local/etc/rc.d/opnsense-openconnect onestop;exit 0;sh /usr/local/etc/rc.d/opnsense-openconnect onestart
+command:sh /usr/local/etc/rc.d/opnsense-openconnect onestop;exit 0;/usr/local/opnsense/scripts/OPNsense/Openconnect/setup.sh;sh /usr/local/etc/rc.d/opnsense-openconnect onestart
 parameters:
 type:script_output
 message:restart openconnect
--- a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
+++ b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
@ -11,4 +11,11 @@ passwd-on-stdin
 {%   if helpers.exists('OPNsense.openconnect.general.servercert') and OPNsense.openconnect.general.servercert != '' %}
 servercert={{ OPNsense.openconnect.general.hash }}:{{ OPNsense.openconnect.general.servercert }}
 {%   endif %}
+{%   if helpers.exists('OPNsense.openconnect.general.group') and OPNsense.openconnect.general.group != '' %}
+authgroup={{ OPNsense.openconnect.general.group }}
+{%   endif %}
+{%   if helpers.exists('OPNsense.openconnect.general.clientcertificate') and OPNsense.openconnect.general.clientcertificate != '' %}
+certificate=/usr/local/etc/openconnect_cert.pem
+sslkey=/usr/local/etc/openconnect_key.pem
+{%   endif %}
 {% endif %}