api-fix for openvpn-server user-cn-strict (fix #125) #126

Dec 24, 2024
8 changes: 4 additions & 4 deletions docs/source/modules/openvpn.rst
@@ -77,7 +77,7 @@ ansibleguy.opnsense.openvpn_server
"register_dns","boolean","false","false","\-","Run ipconfig /flushdns and ipconfig /registerdns on connection initiation. This is known to kick Windows into recognizing pushed DNS servers."
"ocsp","boolean","false","false","use_ocsp, verify_ocsp","When the CA used supplies an authorityInfoAccess OCSP URI extension, it will be used to validate the client certificate."
"user_as_cn","boolean","false","false","username_as_cn","Use the authenticated username as the common-name, rather than the common-name from the client certificate."
"user_cn_strict","boolean","false","false","username_cn_strict","When authenticating users, enforce a match between the Common Name of the client certificate and the username given at login."
"user_cn_strict","string","false","no","username_cn_strict","One of: 'yes', 'no', 'case-insensitive', 'ci', 'true', 'false'. When authenticating users, enforce a match between the Common Name of the client certificate and the username given at login."
"mss_fix","boolean","false","false","mss","Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed the recommended size."
"reload","boolean","false","true","\-", .. include:: ../_include/param_reload.rst

@@ -235,7 +235,7 @@ ansibleguy.opnsense.openvpn_server
# ntp_servers: []
# register_dns: false
# user_as_cn: false
# user_cn_strict: false
# user_cn_strict: 'yes'
# mss_fix: false
# reload: true
# enabled: true
@@ -265,7 +265,7 @@ ansibleguy.opnsense.openvpn_server
data_ciphers: ['AES-256-GCM', 'CHACHA20-POLY1305']
max_connections: 100
user_as_cn: true
user_cn_strict: true
user_cn_strict: 'yes'
push_options: ['block-outside-dns', 'register-dns']
mtu: 1420

@@ -283,7 +283,7 @@ ansibleguy.opnsense.openvpn_server
data_ciphers: ['AES-256-GCM', 'CHACHA20-POLY1305']
max_connections: 100
user_as_cn: true
user_cn_strict: true
user_cn_strict: 'yes'
push_options: ['block-outside-dns', 'register-dns']
mtu: 1420
enabled: false
4 changes: 2 additions & 2 deletions plugins/module_utils/main/openvpn_server.py
@@ -64,7 +64,7 @@ class Server(BaseModule):
'data_cipher_fallback': 'data-ciphers-fallback',
}
FIELDS_TYPING = {
'bool': ['enabled', 'mss_fix', 'ocsp', 'user_as_cn', 'user_cn_strict', 'register_dns'],
'bool': ['enabled', 'mss_fix', 'ocsp', 'user_as_cn', 'register_dns'],
'list': [
'network_local', 'network_remote', 'options', 'data_ciphers', 'auth_mode', 'push_options',
'redirect_gateway', 'domain_list', 'dns_servers', 'ntp_servers',
@@ -74,7 +74,7 @@ class Server(BaseModule):
'mode', 'protocol', 'role', 'topology', 'crl', 'verify_client_cert', 'cert_depth',
'data_cipher_fallback', 'auth_group',
],
'select_opt_list_idx': ['log_level'],
'select_opt_list_idx': ['log_level', 'user_cn_strict'],
'int': ['fragment_size', 'mtu', 'route_metric'],
}
INT_VALIDATIONS = {
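Review bot: The new `'select_opt_list_idx'` entry for `user_cn_strict` gives no hint that the value it now receives is no longer a bool but an integer index that run_module in plugins/modules/openvpn_server.py writes into module.params before Server is constructed; how `select_opt_list_idx` treats that value is not visible in this hunk. A short comment on the changed line, `# user_cn_strict: int option index, pre-mapped in the module via USER_CN_STRICT_MAP`, would spare the next reader the cross-file lookup. The Server class whose FIELDS_TYPING this is begins outside the hunk.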
16 changes: 15 additions & 1 deletion plugins/modules/openvpn_server.py
@@ -26,6 +26,16 @@
# DOCUMENTATION = 'https://opnsense.ansibleguy.net/modules/openvpn.html'
# EXAMPLES = 'https://opnsense.ansibleguy.net/modules/openvpn.html'

USER_CN_STRICT_MAP = {
'no': 0,
'false': 0,
'False': 0,
'yes': 1,
'true': 1,
'True': 1,
'case-insensitive': 2,
'ci': 2,
}

def run_module():
module_args = dict(
@@ -112,7 +122,8 @@ def run_module():
'from the client certificate.'
),
user_cn_strict=dict(
type='bool', required=False, default=False, aliases=['username_cn_strict'],
type='str', required=False, default=False, aliases=['username_cn_strict'],
choices=list(USER_CN_STRICT_MAP.keys()),
description='When authenticating users, enforce a match between the Common Name of the client '
'certificate and the username given at login.'
),
@@ -174,6 +185,7 @@ def run_module():
)



result = dict(
changed=False,
diff={
@@ -187,6 +199,8 @@ def run_module():
supports_check_mode=True,
)

module.params['user_cn_strict'] = USER_CN_STRICT_MAP[module.params['user_cn_strict']]

module_wrapper(Server(module=module, result=result))
module.exit_json(**result)

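Review bot: The rewritten `user_cn_strict` spec keeps `default=False` while switching to `type='str'` with `choices=list(USER_CN_STRICT_MAP.keys())`, whereas the rst row changed in this same PR documents the default as 'no'; aligning them with `default='no'` removes the dependence on Ansible coercing the bool default to the string 'False' (which the map does list, presumably for that reason, but that coercion is not something this hunk shows). USER_CN_STRICT_MAP carries no comment explaining its values; a line such as `# OPNsense option-list index for username_cn_strict: 0 = no, 1 = yes, 2 = case-insensitive` above it would document the contract that the later `module.params['user_cn_strict'] = USER_CN_STRICT_MAP[...]` assignment and the module_utils 'select_opt_list_idx' typing rely on. The parameter description still reads as a plain on/off switch; it should say that 'case-insensitive'/'ci' relaxes the certificate-CN-to-username match to ignore case, since that is a weaker check than 'yes'. The three blank lines before `result = dict(` (one of them newly added) exceed what PEP 8 allows inside a function body.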