diff options
| author | jim-p <jimp@pfsense.org> | 2011-04-26 17:11:11 -0400 |
|---|---|---|
| committer | jim-p <jimp@pfsense.org> | 2011-04-26 17:11:11 -0400 |
| commit | 780af2e7678dcccf0fd730a06549facd00906707 (patch) | |
| tree | 11bc9f82840e9c6a9be75a8c58734ea55508b912 /config | |
| parent | a7227f4cf070bd26d738f089aa35485de6d72190 (diff) | |
| download | pfsense-packages-780af2e7678dcccf0fd730a06549facd00906707.tar.gz pfsense-packages-780af2e7678dcccf0fd730a06549facd00906707.tar.bz2 pfsense-packages-780af2e7678dcccf0fd730a06549facd00906707.zip | |
Allow exporting OpenVPN with SSL/TLS+User Auth+External source (LDAP, Radius), by listing certificates from the same CA as the OpenVPN server.
Diffstat (limited to 'config')
| -rwxr-xr-x | config/openvpn-client-export/openvpn-client-export.inc | 18 | ||||
| -rwxr-xr-x | config/openvpn-client-export/openvpn-client-export.xml | 2 | ||||
| -rwxr-xr-x | config/openvpn-client-export/vpn_openvpn_export.php | 93 |
3 files changed, 88 insertions, 25 deletions
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc index 82eae161..48be5f0f 100755 --- a/config/openvpn-client-export/openvpn-client-export.inc +++ b/config/openvpn-client-export/openvpn-client-export.inc @@ -128,7 +128,11 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke // lookup user certificate info if ($settings['mode'] != "server_user") { - $cert = $user['cert'][$crtid]; + if ($settings['authmode'] == "Local Database") { + $cert = $user['cert'][$crtid]; + } else { + $cert = $config['cert'][$crtid]; + } if (!$cert) return false; // If $cert is not an array, it's a certref not a cert. @@ -295,7 +299,11 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $uset // lookup user certificate info if ($settings['mode'] != "server_user") { - $cert = $user['cert'][$crtid]; + if ($settings['authmode'] == "Local Database") { + $cert = $user['cert'][$crtid]; + } else { + $cert = $config['cert'][$crtid]; + } if (!$cert) return false; // If $cert is not an array, it's a certref not a cert. @@ -414,7 +422,11 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead // lookup user certificate info if ($settings['mode'] != "server_user") { - $cert = $user['cert'][$crtid]; + if ($settings['authmode'] == "Local Database") { + $cert = $user['cert'][$crtid]; + } else { + $cert = $config['cert'][$crtid]; + } if (!$cert) return false; // If $cert is not an array, it's a certref not a cert. diff --git a/config/openvpn-client-export/openvpn-client-export.xml b/config/openvpn-client-export/openvpn-client-export.xml index 9e0973f0..2e9e96da 100755 --- a/config/openvpn-client-export/openvpn-client-export.xml +++ b/config/openvpn-client-export/openvpn-client-export.xml @@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8" ?> <packagegui> <name>OpenVPN Client Export</name> - <version>0.6</version> + <version>0.7</version> <title>OpenVPN Client Export</title> <include_file>/usr/local/pkg/openvpn-client-export.inc</include_file> <backup_file></backup_file> diff --git a/config/openvpn-client-export/vpn_openvpn_export.php b/config/openvpn-client-export/vpn_openvpn_export.php index c4ae806c..837b854b 100755 --- a/config/openvpn-client-export/vpn_openvpn_export.php +++ b/config/openvpn-client-export/vpn_openvpn_export.php @@ -46,31 +46,49 @@ if (!is_array($config['system']['user'])) $a_user = $config['system']['user']; +if (!is_array($config['cert'])) + $config['cert'] = array(); + +$a_cert = $config['cert']; + $ras_server = array(); foreach($a_server as $sindex => $server) { if (isset($server['disable'])) continue; $ras_user = array(); + $ras_certs = array(); if (stripos($server['mode'], "server") === false) continue; - foreach($a_user as $uindex => $user) { - if (!is_array($user['cert'])) - continue; - foreach($user['cert'] as $cindex => $cert) { - // If $cert is not an array, it's a certref not a cert. - if (!is_array($cert)) - $cert = lookup_cert($cert); - + if ($server['authmode'] == "Local Database" && ($server['mode'] != "server_user")) { + foreach($a_user as $uindex => $user) { + if (!is_array($user['cert'])) + continue; + foreach($user['cert'] as $cindex => $cert) { + // If $cert is not an array, it's a certref not a cert. + if (!is_array($cert)) + $cert = lookup_cert($cert); + + if ($cert['caref'] != $server['caref']) + continue; + $ras_userent = array(); + $ras_userent['uindex'] = $uindex; + $ras_userent['cindex'] = $cindex; + $ras_userent['name'] = $user['name']; + $ras_userent['certname'] = $cert['descr']; + $ras_user[] = $ras_userent; + } + } + } elseif (!empty($server['authmode']) && ($server['mode'] != "server_user")) { + foreach($a_cert as $cindex => $cert) { if ($cert['caref'] != $server['caref']) continue; - $ras_userent = array(); - $ras_userent['uindex'] = $uindex; - $ras_userent['cindex'] = $cindex; - $ras_userent['name'] = $user['name']; - $ras_userent['certname'] = $cert['descr']; - $ras_user[] = $ras_userent; + $ras_cert_entry['cindex'] = $cindex; + $ras_cert_entry['certname'] = $cert['descr']; + $ras_cert_entry['certref'] = $cert['refid']; + $ras_certs[] = $ras_cert_entry; } } + $ras_serverent = array(); $prot = $server['protocol']; $port = $server['local_port']; @@ -81,6 +99,7 @@ foreach($a_server as $sindex => $server) { $ras_serverent['index'] = $sindex; $ras_serverent['name'] = $name; $ras_serverent['users'] = $ras_user; + $ras_serverent['certs'] = $ras_certs; $ras_serverent['mode'] = $server['mode']; $ras_server[] = $ras_serverent; } @@ -342,20 +361,29 @@ var servers = new Array(); servers[<?=$sindex;?>] = new Array(); servers[<?=$sindex;?>][0] = '<?=$server['index'];?>'; servers[<?=$sindex;?>][1] = new Array(); -servers[<?=$sindex;?>][2] = '<?=$server['mode'];?>';; -<?php foreach ($server['users'] as $uindex => $user): ?> +servers[<?=$sindex;?>][2] = '<?=$server['mode'];?>'; +servers[<?=$sindex;?>][3] = new Array(); +<?php foreach ($server['users'] as $uindex => $user): ?> servers[<?=$sindex;?>][1][<?=$uindex;?>] = new Array(); servers[<?=$sindex;?>][1][<?=$uindex;?>][0] = '<?=$user['uindex'];?>'; servers[<?=$sindex;?>][1][<?=$uindex;?>][1] = '<?=$user['cindex'];?>'; servers[<?=$sindex;?>][1][<?=$uindex;?>][2] = '<?=$user['name'];?>'; servers[<?=$sindex;?>][1][<?=$uindex;?>][3] = '<?=str_replace("'", "\\'", $user['certname']);?>'; <? endforeach; ?> +<?php $c=0; + foreach ($server['certs'] as $cert): ?> +servers[<?=$sindex;?>][3][<?=$c;?>] = new Array(); +servers[<?=$sindex;?>][3][<?=$c;?>][0] = '<?=$cert['cindex'];?>'; +servers[<?=$sindex;?>][3][<?=$c;?>][1] = '<?=str_replace("'", "\\'", $cert['certname']);?>'; +<? $c++; + endforeach; ?> <? endforeach; ?> -function download_begin(act, i) { +function download_begin(act, i, j) { var index = document.getElementById("server").selectedIndex; var users = servers[index][1]; + var certs = servers[index][3]; var useaddr; if (document.getElementById("useaddr").value == "other") { @@ -430,6 +458,10 @@ function download_begin(act, i) { dlurl += "&usrid=" + escape(users[i][0]); dlurl += "&crtid=" + escape(users[i][1]); } + if (certs[j]) { + dlurl += "&usrid="; + dlurl += "&crtid=" + escape(certs[j][0]); + } dlurl += "&useaddr=" + escape(useaddr); dlurl += "&usetoken=" + escape(usetoken); if (usepass) @@ -455,6 +487,7 @@ function server_changed() { var index = document.getElementById("server").selectedIndex; var users = servers[index][1]; + var certs = servers[index][3]; for (i=0; i < users.length; i++) { var row = table.insertRow(table.rows.length); var cell0 = row.insertCell(0); @@ -465,13 +498,31 @@ function server_changed() { cell1.className = "listr"; cell1.innerHTML = users[i][3]; cell2.className = "listr"; - cell2.innerHTML = "<a href='javascript:download_begin(\"conf\"," + i + ")'>Configuration</a>"; + cell2.innerHTML = "<a href='javascript:download_begin(\"conf\"," + i + ", -1)'>Configuration</a>"; cell2.innerHTML += "<br/>"; - cell2.innerHTML += "<a href='javascript:download_begin(\"confall\"," + i + ")'>Configuration archive</a>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"confall\"," + i + ", -1)'>Configuration archive</a>"; cell2.innerHTML += "<br/>"; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ")'>Windows Installer</a>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ", -1)'>Windows Installer</a>"; cell2.innerHTML += "<br/>"; - cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ")'>Viscosity Bundle</a>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ", -1)'>Viscosity Bundle</a>"; + } + for (j=0; j < certs.length; j++) { + var row = table.insertRow(table.rows.length); + var cell0 = row.insertCell(0); + var cell1 = row.insertCell(1); + var cell2 = row.insertCell(2); + cell0.className = "listlr"; + cell0.innerHTML = "External Auth+Cert"; + cell1.className = "listr"; + cell1.innerHTML = certs[j][1]; + cell2.className = "listr"; + cell2.innerHTML = "<a href='javascript:download_begin(\"conf\", -1," + j + ")'>Configuration</a>"; + cell2.innerHTML += "<br/>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"confall\", -1," + j + ")'>Configuration archive</a>"; + cell2.innerHTML += "<br/>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst\", -1," + j + ")'>Windows Installer</a>"; + cell2.innerHTML += "<br/>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"visc\", -1," + j + ")'>Viscosity Bundle</a>"; } if (servers[index][2] == 'server_user') { var row = table.insertRow(table.rows.length); |