Currently both users and groups store multiple <priv/> tags within the same container, but if we want to use MVC structures, we need to move to a single container to hold the access roles for them.
Our common separator is a comma (,), which is not used in acl tags as these are not valid within xml tags anyway. By supporting both the future storage privA,privB and the current one we can feed this change easily in a future minor release without having to move all new mvc code already.
After this change, a config.xml may contain (combinations of):
```xml
<priv>page-X</priv>
<priv>page-Y</priv>
<priv>page-X,page-Y</priv>
```
The use of plugins_argument_map() makes it fully backwards
compatible now although external callers need to cope with
the new reality of handling arrays (maps) going forward with
25.1 to avoid having two events one of which slows down the
processing.
Not sure where this comes from but the consensus is that
closelog() is relatively useless and testing verifies that
it works as expected without it.
Now we just have to make sure that each component using
openlog() will reopen the actual GUI log so that it can
keep logging correctly.
According to rfc5280 a CRL update should be issued before "next update", but it does not seem to define a validity. Various sources seem to indicate updates should be fetched at least every couple of hours, in which case an hourly update sounds reasonable.
To avoid excessive writes, we compare each CRL offered with the last one received before flushing it to disk and keep track of actual changes. When nothing changes, no rehash is needed, which the configd action takes care of.
Distribution points could either be HTTP or LDAP; LDAPS and HTTPS may not be used according to the RFC (CAs SHOULD NOT include URIs that specify https, ldaps, or similar schemes in extensions.)
We actually only want the vpn_map event in the stable branch
and move to a backwards compatible format for 25.1 but as a
new coalesced (mapped) caller.
This helper parses "mapped" arguments for batch reloads of e.g.
interfaces or devices or items related to that (like gateway
names). The rules are simple:
o If the mapped argument is null reload in full (return true)
o If the mapped argument is an array handle it under later conditionals (return true)
o If the mapped argument is of an unsupported type do nothing (return false)
o If the mapped argument is not null but empty do nothing (return false)
o If the argument is a string convert it to an array, splitting the string by comma (return true)
o Modify the $map argument to be either null or a non-empty array to normalize the passed map (also for backwards-compatible reasons of newwanip_map and vpn_map intermediate steps).
* System: Trust: Settings - add boilerplate and move existing store_intermediate_certs setting to new module including migration
* System: Trust: Settings - add configuration constraints and glue to flush CRL's to local trust store when requested.
This implements the following options:
* Enable/Disable legacy providers (enabled by default, which is the current default)
* Option to write specific configuration constraints, when enabled, CipherString, Ciphersuites and MinProtocol[DTS] can be configured
One last piece of the puzzle is the "crl" event action, which should deploy to the local trust store as well when requested.
* Update src/opnsense/mvc/app/models/OPNsense/Core/Menu/Menu.xml
Co-authored-by: Franco Fichtner <franco@opnsense.org>
* System: Trust: Settings - process review comments https://github.com/opnsense/core/pull/7854
* System: Trust: Settings - flush CRL's when "Store CRL's" is selected
---------
Co-authored-by: Franco Fichtner <franco@opnsense.org>
Add RRD package with a simple factory class and a basic construct to define different rrd output types we support.
This package contains the following:
* RRD/Types -- Output definitions, responsible for generating RRD structures and feeding data
* RRD/Stats -- Statistics gathering classes
* Factory -- binds types and statistics together.
On my end on a simple test this is roughly 40% faster than running /var/db/rrd/updaterrd.sh, which makes caching of metadata (config access) less relevant.
The new script should be able to replace all existing rrd cruft and supports a debug mode to find discrepancies between defined outputs in types and collected data in stats.
```
Usage: updaterrd.php [-h] [-d]
-d debug mode, output errors to stdout
```
Everything has been converted and plugins do not ship with a
"vpn" event. "newwanip" is similar and the plugins have been
ensured to be moved to the new one in 24.7.3 already.