From 2ad84c1932644f7e9a76c32ae6599bcbd842247f Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Wed, 31 Jul 2024 20:46:29 +0200
Subject: [PATCH] VPN: OpenVPN: Client Export - use new trust model to link users by common_name. closes https://github.com/opnsense/core/issues/7696 It looks like we left some old code in the openvpn export, since our model parses the certificate data already, we should be able to reuse the same data for a more consistent approach. Common name is the only relevant linking pin between a user and the certificate, which also means there can only be one link. To avoid api breakage, keep the return format as it was, but make sure we only return one name when found. In the long run we might consider changing the ui to just mark the record with an icon so the user knows an entity exists.
---
 .../OPNsense/OpenVPN/Api/ExportController.php | 49 ++++++-------------
 .../app/views/OPNsense/OpenVPN/export.volt | 2 +-
 2 files changed, 16 insertions(+), 35 deletions(-)

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php
index e18364950..de2625ac0 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php
@@ -36,6 +36,7 @@ use OPNsense\Trust\Store;
 use OPNsense\OpenVPN\OpenVPN;
 use OPNsense\OpenVPN\Export;
 use OPNsense\OpenVPN\ExportFactory;
+use OPNsense\Trust\Cert;
 
 /**
  * Class ExportController handles client export functions
@@ -124,23 +125,6 @@ class ExportController extends ApiControllerBase
         }
     }
 
-    /**
-     * find CA record
-     * @param string $caref
-     * @return mixed
-     */
-    private function getCA($caref)
-    {
-        if (isset(Config::getInstance()->object()->ca)) {
-            foreach (Config::getInstance()->object()->ca as $cert) {
-                if (isset($cert->refid) && (string)$caref == $cert->refid) {
-                    return $cert;
-                }
-            }
-        }
-        return null;
-    }
-
     /**
      * Determine configured settings for selected server
      * @param string $vpnid server handle
@@ -208,24 +192,21 @@ class ExportController extends ApiControllerBase
         ];
         $server = (new OpenVPN())->getInstanceById($vpnid);
         if ($server !== null) {
-            // collect certificates for this server's ca
-            if (isset(Config::getInstance()->object()->cert)) {
-                foreach (Config::getInstance()->object()->cert as $cert) {
-                    if (isset($cert->refid) && isset($cert->caref) && $server['caref'] == $cert->caref) {
-                        $result[(string)$cert->refid] = array(
-                            "description" => (string)$cert->descr,
-                            "users" => array()
-                        );
-                    }
-                }
-            }
-            // collect linked users
+            $usernames = [];
             foreach (Config::getInstance()->object()->system->user as $user) {
-                if (isset($user->cert)) {
-                    foreach ($user->cert as $cert) {
-                        if (!empty($result[(string)$cert])) {
-                            $result[(string)$cert]['users'][] = (string)$user->name;
-                        }
+                $usernames[] = (string)$user->name;
+            }
+            foreach ((new Cert())->cert->iterateItems() as $cert) {
+                if ($cert->caref == $server['caref']) {
+                    $result[(string)$cert->refid] = [
+                        "description" => (string)$cert->descr,
+                        "users" => []
+                    ];
+                    if (
+                        in_array($cert->commonname, $usernames) &&
+                        in_array($cert->cert_type, ['usr_cert', 'combined_server_client'])
+                    ) {
+                        $result[(string)$cert->refid]['users'][] = (string)$cert->commonname;
+                    }
                 }
             }
diff --git a/src/opnsense/mvc/app/views/OPNsense/OpenVPN/export.volt b/src/opnsense/mvc/app/views/OPNsense/OpenVPN/export.volt
index 1bdd11347..f56cd48ad 100644
--- a/src/opnsense/mvc/app/views/OPNsense/OpenVPN/export.volt
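Review bot: The user link in the new `in_array($cert->commonname, $usernames)` test (and the `cert_type` and `caref` comparisons beside it) uses PHP's loose comparison, so two numeric-looking values compare as numbers: a certificate with common name `0100` would be reported as linked to a user named `100`, and the `users` entry returned for that certificate would name the wrong account. Since `$usernames` is already built from `(string)$user->name`, cast the model fields to string and compare strictly, e.g. `$cn = (string)$cert->commonname;` followed by `if (in_array($cn, $usernames, true) && in_array((string)$cert->cert_type, ['usr_cert', 'combined_server_client'], true)) {`, and `(string)$cert->caref === $server['caref']` for the CA match. Whether `$cert->commonname` is a plain string or a model field object is not visible in this hunk, which is why the explicit cast is worth keeping in either case. The method containing this hunk starts and ends outside it.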
+++ b/src/opnsense/mvc/app/views/OPNsense/OpenVPN/export.volt
@@ -196,7 +196,7 @@
 {{ lang._('Certificate')}}
-{{ lang._('Linked user(s)')}}
+{{ lang._('Linked user')}}