From 2ba6da4eef3eec47e55e2abfe5b302cfbd8bfb25 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 18 May 2021 10:08:07 +0200
Subject: [PATCH] OpenVPN export: offer the ability to export a user without a certificate and increase consistency between export types.

---
 .../OPNsense/OpenVPN/Api/ExportController.php |  7 ++++++-
 .../OPNsense/OpenVPN/ArchiveOpenVPN.php       | 20 ++++++++++---------
 .../library/OPNsense/OpenVPN/PlainOpenVPN.php |  3 ++-
 .../library/OPNsense/OpenVPN/TheGreenBow.php  | 20 ++++++++++---------
 .../OPNsense/OpenVPN/ViscosityVisz.php        | 20 ++++++++++---------
 5 files changed, 41 insertions(+), 29 deletions(-)

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php
index 6633ca04a..c4b731341 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php
@@ -203,7 +203,12 @@ class ExportController extends ApiControllerBase
      */
     public function accountsAction($vpnid)
     {
-        $result = array();
+        $result = [
+            null => [
+                "description" => gettext("(none) Exclude certificate from export"),
+                "users" => []
+            ]
+        ];
         $server = $this->findServer($vpnid);
         if ($server !== null) {
             // collect certificates for this server's ca
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
index e9395b796..f3caf67ec 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
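Review bot: The `null => [` key in the new `$result` initializer is silently cast to the empty string by PHP, so the "(none)" entry is actually keyed `""` on the wire; writing `"" => [` makes the value the export form sends back explicit instead of relying on a coercion the next reader has to know about. The initializer also changes the empty-result contract of `accountsAction`: a `$vpnid` that `findServer()` does not know now yields one entry instead of an empty array, so any caller that used `empty($result)` to detect an unknown server needs checking, and that caller is outside this hunk. Whether the endpoint that consumes the selected value rejects "(none)" for servers whose mode requires a client certificate is not visible here; if it does not, a comment such as `// "(none)" only makes sense for servers that authenticate users; the client certificate is then optional` would at least record the intent next to the option. `accountsAction` continues past the end of the hunk.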
@@ -75,16 +75,18 @@ class ArchiveOpenVPN extends PlainOpenVPN mkdir($content_dir, 0700, true); if (empty($this->config['cryptoapi'])) { - // export keypair - $p12 = $this->export_pkcs12( - $this->config['client_crt'], - $this->config['client_prv'], - !empty($this->config['p12_password']) ? $this->config['p12_password'] : null, - !empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null - ); + if (!empty($this->config['client_crt'])) { + // export keypair + $p12 = $this->export_pkcs12( + $this->config['client_crt'], + $this->config['client_prv'], + !empty($this->config['p12_password']) ? $this->config['p12_password'] : null, + !empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null + ); - file_put_contents("{$content_dir}/{$base_filename}.p12", $p12); - $conf[] = "pkcs12 {$base_filename}.p12"; + file_put_contents("{$content_dir}/{$base_filename}.p12", $p12); + $conf[] = "pkcs12 {$base_filename}.p12"; + } } else { // use internal Windows store, only flush ca (when available) if (!empty($this->config['server_ca_chain'])) { diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php index 6393a9eb2..c64267453 100644 --- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php +++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php @@ -180,7 +180,8 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider } $conf[] = ""; } - if ($this->config['mode'] !== "server_user" && empty($this->config['cryptoapi'])) { + + if (!empty($this->config['client_crt']) && empty($this->config['cryptoapi'])) { $conf[] = ""; $conf = array_merge($conf, explode("\n", trim($this->config['client_crt']))); $conf[] = ""; diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/TheGreenBow.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/TheGreenBow.php index b20a9e366..0d1960d52 100644 
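Review bot: With the new `if (!empty($this->config['client_crt']))` guard the non-cryptoapi branch writes nothing at all when no certificate was selected, and because the server CA chain in this branch was only ever shipped inside the PKCS#12, a "(none)" archive export ends up with neither a `pkcs12` directive nor a CA file; unless the parent exporter emits the CA elsewhere (not visible in this hunk), the client has nothing to validate the server against, and an OpenVPN client without `ca`/`pkcs12` normally refuses to start TLS mode at all. The existing `else` branch already flushes just the CA "when available", so the certificate-less case can be routed through it by changing the outer condition to `if (empty($this->config['cryptoapi']) && !empty($this->config['client_crt'])) {` and dropping the inner guard, with the `// use internal Windows store, only flush ca (when available)` comment extended to say it also covers exports without a client certificate. The enclosing method starts before and ends after this hunk.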
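Review bot: The rewritten condition drops the `mode !== "server_user"` test, so whether a certificate block is emitted now depends solely on `client_crt` being set, and nothing on the line says why; add `// embed the client certificate only when one was selected ("(none)" leaves client_crt empty) and the Windows certificate store is not in use` above the `if`. If the lines after the hunk embed `client_prv` in the same way, they are now reached for any selected certificate regardless of mode, so a certificate without a private key would need its own `!empty` check rather than relying on `client_crt`; that code is outside the hunk. The added blank line before the `if` is a whitespace-only change that could be left out of the patch. The enclosing method continues beyond both ends of the hunk.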
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/TheGreenBow.php +++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/TheGreenBow.php @@ -170,15 +170,17 @@ class TheGreenBow extends BaseExporter implements IExportProvider } // client certificate - $output->cfg_ssl->cfg_sslconnection->authentication->certificate[0]->public_key = - "\n" . $this->config['client_crt']; - $output->cfg_ssl->cfg_sslconnection->authentication->certificate[0]->private_key = - "\n" . $this->config['client_prv']; - // server CA-chain - $output->cfg_ssl->cfg_sslconnection->authentication->certificate[1]->public_key = "\n" . implode( - "\n", - $this->config['server_ca_chain'] - ); + if (!empty($this->config['client_crt'])) { + $output->cfg_ssl->cfg_sslconnection->authentication->certificate[0]->public_key = + "\n" . $this->config['client_crt']; + $output->cfg_ssl->cfg_sslconnection->authentication->certificate[0]->private_key = + "\n" . $this->config['client_prv']; + // server CA-chain + $output->cfg_ssl->cfg_sslconnection->authentication->certificate[1]->public_key = "\n" . implode( + "\n", + $this->config['server_ca_chain'] + ); + } // export to DOM to reformat+pretty-print output $dom = new \DOMDocument("1.0"); diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php index e0da12d70..9407e4b60 100644 --- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php +++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php 
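Review bot: Nesting the `// server CA-chain` assignment inside the new `if (!empty($this->config['client_crt']))` block means a "(none)" export for TheGreenBow carries no CA at all, whereas the old code always wrote it; a profile without the server CA cannot verify the VPN server, which turns the certificate-less export into a man-in-the-middle opportunity, so the CA chain should remain unconditional and be guarded only by `server_ca_chain` being present, the way the archive exporters handle their CA-only branch. The deep `->cfg_ssl->cfg_sslconnection->authentication->certificate[1]` chain suggests `$output` is loaded from a template that already contains both `certificate` elements, in which case hoisting the block is safe; if the elements are created on assignment instead, SimpleXML cannot add `certificate[1]` without `certificate[0]`, and the CA would have to go into slot 0 for the no-certificate case, so please confirm against the template. The enclosing method starts and ends outside the hunk.
```php
if (!empty($this->config['client_crt'])) {
    $output->cfg_ssl->cfg_sslconnection->authentication->certificate[0]->public_key =
        "\n" . $this->config['client_crt'];
    $output->cfg_ssl->cfg_sslconnection->authentication->certificate[0]->private_key =
        "\n" . $this->config['client_prv'];
}
// server CA-chain: always exported, the client needs it to validate the server
// even when no client certificate is shipped (the "(none)" export)
if (!empty($this->config['server_ca_chain'])) {
    $output->cfg_ssl->cfg_sslconnection->authentication->certificate[1]->public_key = "\n" . implode(
        "\n",
        $this->config['server_ca_chain']
    );
}
// … unchanged: export to DOM to reformat+pretty-print output …
```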
@@ -109,16 +109,18 @@ class ViscosityVisz extends PlainOpenVPN mkdir($content_dir, 0700, true); if (empty($this->config['cryptoapi'])) { - // export keypair - $p12 = $this->export_pkcs12( - $this->config['client_crt'], - $this->config['client_prv'], - !empty($this->config['p12_password']) ? $this->config['p12_password'] : null, - !empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null - ); + if (!empty($this->config['client_crt'])) { + // export keypair + $p12 = $this->export_pkcs12( + $this->config['client_crt'], + $this->config['client_prv'], + !empty($this->config['p12_password']) ? $this->config['p12_password'] : null, + !empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null + ); - file_put_contents("{$content_dir}/pkcs.p12", $p12); - $conf[] = "pkcs12 pkcs.p12"; + file_put_contents("{$content_dir}/pkcs.p12", $p12); + $conf[] = "pkcs12 pkcs.p12"; + } } else { // use internal Windows store, only flush ca (when available) if (!empty($this->config['server_ca_chain'])) {
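Review bot: In this branch the CA chain is only delivered inside the PKCS#12 passed to `export_pkcs12`, so once `client_crt` is empty the `.visz` bundle contains neither `pkcs.p12` nor a CA file and the Viscosity client cannot validate the server, unless the inherited configuration emits the CA inline, which this hunk does not show. Routing the certificate-less export through the existing CA-only `else` branch fixes it in one line, `if (empty($this->config['cryptoapi']) && !empty($this->config['client_crt'])) {`, after which the inner `if` can be removed; the `// use internal Windows store, only flush ca (when available)` comment should then say it also covers exports without a client certificate. The enclosing method starts before and ends after the hunk.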