From 722030e7694968664ad571cf306ff340a9810356 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 15 Oct 2018 08:51:40 +0200
Subject: [PATCH] security/openconnect: add groups and client certificates
 (#915)

---
 security/openconnect/Makefile                 |  3 +-
 .../OPNsense/Openconnect/forms/general.xml    | 12 +++
 .../models/OPNsense/Openconnect/General.xml   |  9 +++
 .../OPNsense/Openconnect/generate_certs.php   | 80 +++++++++++++++++++
 .../scripts/OPNsense/Openconnect/setup.sh     |  3 +
 .../conf/actions.d/actions_openconnect.conf   |  4 +-
 .../OPNsense/Openconnect/openconnect.conf     |  7 ++
 7 files changed, 114 insertions(+), 4 deletions(-)
 create mode 100644 security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/generate_certs.php
 create mode 100644 security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/setup.sh

diff --git a/security/openconnect/Makefile b/security/openconnect/Makefile
index 0e4ab5279..23edba9ad 100644
--- a/security/openconnect/Makefile
+++ b/security/openconnect/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		openconnect
-PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=     1
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
index 56a472801..8ce430a18 100644
--- a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
+++ b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
@@ -35,4 +35,16 @@
         <type>dropdown</type>
         <help>Select the type of hash. Possible values are SHA256 or SHA1.</help>
     </field>
+    <field>
+        <id>general.group</id>
+        <label>Group Name</label>
+        <type>text</type>
+        <help>When using profiles for group separation please set here.</help>
+    </field>
+    <field>
+        <id>general.clientcertificate</id>
+        <label>Client Certificate</label>
+        <type>dropdown</type>
+        <help>Select the client certificate to use.</help>
+    </field>
 </form>
diff --git a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
index 141cf3d7e..02adcf576 100644
--- a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
+++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
@@ -37,5 +37,14 @@
                     <sha1>SHA1</sha1>
                 </OptionValues>
         </hash>
+        <group type="TextField">
+            <Required>N</Required>
+            <mask>/^[a-zA-Z0-9]{1,64}$/</mask>
+            <ValidationMessage>Only a-zA-Z0-9 are allowed.</ValidationMessage>
+        </group>
+        <clientcertificate type="CertificateField">
+            <Type>cert</Type>
+            <Required>N</Required>
+        </clientcertificate>
     </items>
 </model>
diff --git a/security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/generate_certs.php b/security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/generate_certs.php
new file mode 100644
index 000000000..a4800d07d
--- /dev/null
+++ b/security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/generate_certs.php
@@ -0,0 +1,80 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ *    Copyright (C) 2015 Deciso B.V.
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+// use legacy code to generate certs and ca's
+// eventually we need to replace this.
+require_once("config.inc");
+require_once("certs.inc");
+require_once("legacy_bindings.inc");
+
+use OPNsense\Core\Config;
+
+$cert_pem_filename = '/usr/local/etc/openconnect_cert.pem';
+$cert_pem_content = '';
+
+$key_pem_filename = '/usr/local/etc/openconnect_key.pem';
+$key_pem_content = '';
+
+// traverse Openconnect plugin for certficiates
+$configObj = Config::getInstance()->object();
+if (isset($configObj->OPNsense->openconnect)) {
+    foreach ($configObj->OPNsense->openconnect->children() as $find_cert) {
+        $cert_refid = (string)$find_cert->clientcertificate;
+        if ($cert_refid != "") {
+            foreach ($configObj->cert as $cert) {
+                if ($cert_refid == (string)$cert->refid) {
+                    // generate cert pem file
+                    $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+                        "\r",
+                        "",
+                        base64_decode((string)$cert->crt)
+                    )));
+                    $pem_content .= "\n";
+                    $cert_pem_content .= $pem_content;
+
+                    $key_content .= trim(str_replace(
+                        "\n\n",
+                        "\n",
+                        str_replace("\r", "", base64_decode((string)$cert->prv))
+                    ));
+                    $key_content .= "\n";
+                    $key_pem_content .= $key_content;
+                }
+            }
+        }
+    }
+}
+
+file_put_contents($cert_pem_filename, $cert_pem_content);
+chmod($cert_pem_filename, 0600);
+echo "Certificates generated $cert_pem_filename\n";
+
+file_put_contents($key_pem_filename, $key_pem_content);
+chmod($key_pem_filename, 0600);
+echo "Keys generated $key_pem_filename\n";
diff --git a/security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/setup.sh b/security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/setup.sh
new file mode 100644
index 000000000..9e095bf21
--- /dev/null
+++ b/security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/setup.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/local/opnsense/scripts/OPNsense/Openconnect/generate_certs.php
diff --git a/security/openconnect/src/opnsense/service/conf/actions.d/actions_openconnect.conf b/security/openconnect/src/opnsense/service/conf/actions.d/actions_openconnect.conf
index cd1596665..7768fcf1f 100644
--- a/security/openconnect/src/opnsense/service/conf/actions.d/actions_openconnect.conf
+++ b/security/openconnect/src/opnsense/service/conf/actions.d/actions_openconnect.conf
@@ -5,13 +5,13 @@ type:script_output
 message:stop openconnect
 
 [start]
-command:sh /usr/local/etc/rc.d/opnsense-openconnect onestart
+command:/usr/local/opnsense/scripts/OPNsense/Openconnect/setup.sh;sh /usr/local/etc/rc.d/opnsense-openconnect onestart
 parameters:
 type:script_output
 message:start openconnect
 
 [restart]
-command:sh /usr/local/etc/rc.d/opnsense-openconnect onestop;exit 0;sh /usr/local/etc/rc.d/opnsense-openconnect onestart
+command:sh /usr/local/etc/rc.d/opnsense-openconnect onestop;exit 0;/usr/local/opnsense/scripts/OPNsense/Openconnect/setup.sh;sh /usr/local/etc/rc.d/opnsense-openconnect onestart
 parameters:
 type:script_output
 message:restart openconnect
diff --git a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
index b03dd087f..cce9adaae 100644
--- a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
+++ b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
@@ -11,4 +11,11 @@ passwd-on-stdin
 {%   if helpers.exists('OPNsense.openconnect.general.servercert') and OPNsense.openconnect.general.servercert != '' %}
 servercert={{ OPNsense.openconnect.general.hash }}:{{ OPNsense.openconnect.general.servercert }}
 {%   endif %}
+{%   if helpers.exists('OPNsense.openconnect.general.group') and OPNsense.openconnect.general.group != '' %}
+authgroup={{ OPNsense.openconnect.general.group }}
+{%   endif %}
+{%   if helpers.exists('OPNsense.openconnect.general.clientcertificate') and OPNsense.openconnect.general.clientcertificate != '' %}
+certificate=/usr/local/etc/openconnect_cert.pem
+sslkey=/usr/local/etc/openconnect_key.pem
+{%   endif %}
 {% endif %}