From 4c97c990fbf691d22639ade11daf035949d7439e Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 22 Apr 2018 17:20:28 +0200
Subject: [PATCH] OpenVPN, save client specific overrides for non user auth
 types on client connect and cleanup on disconnect, this should remove the
 need to flush all and cleanup when a csc changes or when server changes occur
 and is more aligned with how the user authenticated overrides function now.

The attributes.sh still looks a bit weird, kept the state reset, although it looks odd that we only do this for part of the server options.

Next step is cleanup and additional testing. for https://github.com/opnsense/core/issues/2348
---
 src/etc/inc/plugins.inc.d/openvpn.inc         |  9 ++-
 .../inc/plugins.inc.d/openvpn/attributes.sh   |  1 +
 .../openvpn/ovpn_cleanup_cso.php              | 41 +++++++++++++
 .../plugins.inc.d/openvpn/ovpn_setup_cso.php  | 57 +++++++++++++++++++
 4 files changed, 106 insertions(+), 2 deletions(-)
 create mode 100755 src/etc/inc/plugins.inc.d/openvpn/ovpn_cleanup_cso.php
 create mode 100755 src/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php

diff --git a/src/etc/inc/plugins.inc.d/openvpn.inc b/src/etc/inc/plugins.inc.d/openvpn.inc
index c42be199b..5d08350fd 100644
--- a/src/etc/inc/plugins.inc.d/openvpn.inc
+++ b/src/etc/inc/plugins.inc.d/openvpn.inc
@@ -594,9 +594,14 @@ function openvpn_reconfigure($mode, $settings, $device_only = false)
     switch ($settings['mode']) {
         case 'server_user':
         case 'server_tls_user':
-            $conf .= "client-connect /usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh\n";
-            $conf .= "client-disconnect /usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh\n";
+            $conf .= "client-disconnect \"/usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh {$mode_id} \"\n";
             break;
+        case 'server_tls':
+        case 'p2p_tls':
+            // For non user auth types setup client specific overrides, user authenticated ones are commissioned
+            // using the auth script in option auth-user-pass-verify
+            $conf .= "client-connect \"/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php {$mode_id}\"\n";
+            $conf .= "client-disconnect \"/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_cleanup_cso.php {$mode_id} \"\n";
         default:
             break;
     }
diff --git a/src/etc/inc/plugins.inc.d/openvpn/attributes.sh b/src/etc/inc/plugins.inc.d/openvpn/attributes.sh
index 942cac6b4..60f2040a8 100755
--- a/src/etc/inc/plugins.inc.d/openvpn/attributes.sh
+++ b/src/etc/inc/plugins.inc.d/openvpn/attributes.sh
@@ -3,6 +3,7 @@
 if [ "$script_type" = "client-disconnect" ]; then
 	/sbin/pfctl -k $ifconfig_pool_remote_ip
 	/sbin/pfctl -K $ifconfig_pool_remote_ip
+	/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_cleanup_cso.php $1
 fi
 
 exit 0
diff --git a/src/etc/inc/plugins.inc.d/openvpn/ovpn_cleanup_cso.php b/src/etc/inc/plugins.inc.d/openvpn/ovpn_cleanup_cso.php
new file mode 100755
index 000000000..ca7160f05
--- /dev/null
+++ b/src/etc/inc/plugins.inc.d/openvpn/ovpn_cleanup_cso.php
@@ -0,0 +1,41 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2018 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *  1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+$vpnid = filter_var($argv[1], FILTER_SANITIZE_NUMBER_INT);
+$common_name = getenv("common_name");
+$target_filename = "/var/etc/openvpn-csc/".$vpnid."/".$common_name;
+
+openlog("openvpn", LOG_ODELAY, LOG_AUTH);
+if (is_file($target_filename)) {
+    syslog(LOG_NOTICE, "client config removed @ {$target_filename}");
+    unlink($target_filename);
+}
+
+closelog();
+exit(0);
diff --git a/src/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php b/src/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php
new file mode 100755
index 000000000..838941de1
--- /dev/null
+++ b/src/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php
@@ -0,0 +1,57 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2018 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *  1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("config.inc");
+require_once("util.inc");
+require_once("plugins.inc.d/openvpn.inc");
+
+/* setup syslog logging */
+openlog("openvpn", LOG_ODELAY, LOG_AUTH);
+$common_name = getenv("common_name");
+$vpnid = filter_var($argv[1], FILTER_SANITIZE_NUMBER_INT);
+if (isset($config['openvpn']['openvpn-server'])) {
+    foreach ($config['openvpn']['openvpn-server'] as $server) {
+        if ("{$server['vpnid']}" === "$vpnid") {
+            $all_cso = openvpn_fetch_csc_list();
+            if (!empty($all_cso[$vpnid][$common_name])) {
+                $cso = $all_cso[$vpnid][$common_name];
+            } else {
+                $cso = array("common_name" => $common_name);
+            }
+            $cso_filename = openvpn_csc_conf_write($cso, $server);
+            if (!empty($cso_filename)) {
+                syslog(LOG_NOTICE, "client config created @ {$cso_filename}");
+            }
+            break;
+        }
+    }
+}
+
+closelog();
+exit(0);