From 9f993935cea441c9018534527e8331d9b8e103f0 Mon Sep 17 00:00:00 2001
From: Orion Poplawski
Date: Mon, 27 Jan 2025 11:24:57 -0700
Subject: [PATCH] [pfsense_openvpn_client/server] TLS fixes

- pfsense_openvpn_client/server - apply `tls` setting to config (fixes #132)
- pfsense_openvpn_client - add `tls_type` parameter
- add some basic valied to complain if `tls` is used with `p2p_shared_key`
---
 changelogs/fragments/openvpn_tls.yml | 3 +++
 plugins/module_utils/openvpn_client.py | 9 +++++++++
 plugins/module_utils/openvpn_server.py | 9 +++++++--
 plugins/modules/pfsense_openvpn_client.py | 9 ++++++++-
 plugins/modules/pfsense_openvpn_server.py | 5 +++--
 5 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 changelogs/fragments/openvpn_tls.yml

diff --git a/changelogs/fragments/openvpn_tls.yml b/changelogs/fragments/openvpn_tls.yml
new file mode 100644
index 00000000..bf1132ab
--- /dev/null
+++ b/changelogs/fragments/openvpn_tls.yml
@@ -0,0 +1,3 @@
+bugfixes:
+ - pfsense_openvpn_client/server - apply ``tls`` setting to config (https://github.com/pfsensible/core/issues/132)
+ - pfsense_openvpn_client - add ``tls_type`` parameter
diff --git a/plugins/module_utils/openvpn_client.py b/plugins/module_utils/openvpn_client.py
index 834d831e..2f5e8d6c 100644
--- a/plugins/module_utils/openvpn_client.py
+++ b/plugins/module_utils/openvpn_client.py
@@ -25,6 +25,7 @@
 protocol=dict(default='UDP4', required=False, choices=['UDP4', 'TCP4']),
 dev_mode=dict(default='tun', required=False, choices=['tun', 'tap']),
 tls=dict(required=False, type='str'),
+ tls_type=dict(default='auth', required=False, choices=['auth', 'crypt']),
 ca=dict(required=False, type='str'),
 crl=dict(required=False, type='str'),
 cert=dict(required=False, type='str'),
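Review bot: The `tls` option on the context line directly above the added `tls_type` entry carries key material (the module documentation in this same patch describes it as "TLS Key"), yet the spec does not mark it `no_log=True`, so the key is echoed in verbose runs and module logs. Now that the commit writes this value into the config object, `tls=dict(required=False, type='str', no_log=True),` seems warranted. The same applies to the unchanged `tls` line in the openvpn_server.py @@ -24,7 hunk. The enclosing argument-spec dict starts and ends outside the hunk.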
@@ -160,6 +161,10 @@ def _params_to_obj(self):
 self.module.fail_json(msg='%s is not a valid certificate' % (self.params['cert']))
 obj['certref'] = cert_elt.find('refid').text
+ if self.params['tls'] is not None:
+ obj['tls'] = self.params['tls']
+ obj['tls_type'] = self.params['tls_type']
+
 if self.params['mode'] == 'p2p_shared_key':
 obj['shared_key'] = self.params['shared_key']
@@ -175,6 +180,10 @@ def _validate_params(self):
 if params['state'] == 'absent':
 return True
+ # tls is not valid for p2p_shared_key
+ if params['mode'] == 'p2p_shared_key' and params['tls'] is not None:
+ self.module.fail_json(msg='tls parameter is not valied with p2p_shared_key mode.')
+
 # check tunnel_networks - can be network alias or non-strict IP CIDR network
 self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network'), 'ipv4')
 self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network6'), 'ipv6')
diff --git a/plugins/module_utils/openvpn_server.py b/plugins/module_utils/openvpn_server.py
index e347df4e..53f88150 100644
--- a/plugins/module_utils/openvpn_server.py
+++ b/plugins/module_utils/openvpn_server.py
@@ -24,7 +24,7 @@
 protocol=dict(default='UDP4', required=False, choices=['UDP4', 'TCP4']),
 dev_mode=dict(default='tun', required=False, choices=['tun', 'tap']),
 tls=dict(required=False, type='str'),
- tls_type=dict(required=False, choices=['auth', 'crypt']),
+ tls_type=dict(default='auth', required=False, choices=['auth', 'crypt']),
 ca=dict(required=False, type='str'),
 crl=dict(required=False, type='str'),
 cert=dict(required=False, type='str'),
@@ -180,7 +180,8 @@ def _params_to_obj(self):
 obj['ecdh_curve'] = self.params['ecdh_curve']
 self._get_ansible_param(obj, 'tls')
- if 'server_tls' in self.params['mode']:
+ if self.params['tls'] is not None:
+ obj['tls'] = self.params['tls']
 obj['tls_type'] = self.params['tls_type']
 if 'server' in self.params['mode']:
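Review bot: The user-facing error added to _validate_params misspells "valid" as `valied`, and this string reaches playbook output, so it should read `self.module.fail_json(msg='tls parameter is not valid with p2p_shared_key mode.')`. The identical message in the openvpn_server.py @@ -205,6 hunk has the same typo and should be fixed together with this one. _validate_params starts before the hunk and continues past it.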
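Review bot: In the openvpn_server.py @@ -180,7 hunk the added `obj['tls'] = self.params['tls']` sits directly under the kept `self._get_ansible_param(obj, 'tls')`, which, if it copies the parameter into obj as its name suggests, already does the same thing, so one of the two looks redundant; the client-side @@ -160,6 hunk does the explicit assignment without the helper, so dropping the helper call here would keep the two files consistent. Replacing the `'server_tls' in self.params['mode']` condition with `self.params['tls'] is not None` also means `tls_type` is now written for every mode whenever a key is supplied, which is presumably intended but deserves a one-line comment such as `# tls_type is only meaningful when a TLS key is configured`. _params_to_obj starts and ends outside the hunk.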
@@ -205,6 +206,10 @@ def _validate_params(self):
 if params['state'] == 'absent':
 return True
+ # tls is not valid for p2p_shared_key
+ if params['mode'] == 'p2p_shared_key' and params['tls'] is not None:
+ self.module.fail_json(msg='tls parameter is not valied with p2p_shared_key mode.')
+
 # check tunnel_networks - can be network alias or non-strict IP CIDR network
 self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network'), 'ipv4')
 self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network6'), 'ipv6')
diff --git a/plugins/modules/pfsense_openvpn_client.py b/plugins/modules/pfsense_openvpn_client.py
index 856ab118..1a66934e 100644
--- a/plugins/modules/pfsense_openvpn_client.py
+++ b/plugins/modules/pfsense_openvpn_client.py
@@ -66,8 +66,15 @@
 choices: [ 'tun', 'tap' ]
 type: str
 tls:
- description: TLS Key. If set to 'generate' it will create a key if one does not already exist.
+ description: TLS Key. If set to 'generate' it will create a key if one does not already exist. Not valid with p2p_shared_key mode.
 type: str
+ tls_type:
+ description: Use TLS for authentication ('auth') or encyprtion and authentication ('crypt'). Only used when tls is set.
+ default: 'auth'
+ required: false
+ choices: ["auth", "crypt"]
+ type: str
+ version_added: 0.6.2
 ca:
 description: Certificate Authority name.
 type: str
diff --git a/plugins/modules/pfsense_openvpn_server.py b/plugins/modules/pfsense_openvpn_server.py
index cfc891f3..2bc54e34 100644
--- a/plugins/modules/pfsense_openvpn_server.py
+++ b/plugins/modules/pfsense_openvpn_server.py
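Review bot: The added `tls_type` description in the pfsense_openvpn_client.py @@ -66,8 hunk misspells "encryption" as `encyprtion`; the line should read `description: Use TLS for authentication ('auth') or encryption and authentication ('crypt'). Only used when tls is set.`. The pfsense_openvpn_server.py @@ -66,10 hunk rewrites the same description line and carries the same typo, so it can be corrected there in the same commit. Since the `tls` option holds the key itself, its description would also benefit from a sentence saying the value is sensitive and should come from a vault or lookup rather than plain playbook text. The DOCUMENTATION string starts and ends outside the hunk.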
@@ -66,10 +66,11 @@
 choices: ['tun', 'tap']
 type: str
 tls:
- description: TLS Key. If set to 'generate' it will create a key if one does not already exist.
+ description: TLS Key. If set to 'generate' it will create a key if one does not already exist. Not valid with p2p_shared_key mode.
 type: str
 tls_type:
- description: Use TLS for authentication ('auth') or encyprtion and authentication ('crypt').
+ description: Use TLS for authentication ('auth') or encyprtion and authentication ('crypt'). Only used when tls is set.
+ default: 'auth'
 required: false
 choices: ["auth", "crypt"]
 type: str