Skip to content

Commit

Permalink
[pfsense_openvpn_client/override/server] Add better tunnel_network va…
Browse files Browse the repository at this point in the history
…lidation
  • Loading branch information
opoplawski committed Jan 5, 2024
1 parent cce890f commit c2daca6
Show file tree
Hide file tree
Showing 5 changed files with 48 additions and 5 deletions.
19 changes: 19 additions & 0 deletions plugins/module_utils/__impl/checks.py
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,25 @@ def check_ip_address(self, address, ipprotocol, objtype, allow_networks=False, f
self.module.fail_json(msg='IPv4 and IPv6 addresses can not be used in objects that apply to both IPv4 and IPv6 (except within an alias).')


def validate_openvpn_tunnel_network(self, network, ipproto):
""" check openvpn tunnel network validity - based on pfSense's openvpn_validate_tunnel_network() """
if network is not None and network != '':
alias_elt = self.find_alias(network, aliastype='network')
if alias_elt is not None:
networks = alias_elt.find('address').text.split()
if len(networks) > 1:
self.module.fail_json("The alias {0} contains more than one network".format(network))
network = networks[0]

if not self.is_ipv4_network(network, strict=False) and ipproto == 'ipv4':
self.module.fail_json("{0} is not a valid IPv4 network".format(network))
if not self.is_ipv6_network(network, strict=False) and ipproto == 'ipv6':
self.module.fail_json("{0} is not a valid IPv6 network".format(network))
return True

return True


def validate_string(self, name, objtype):
""" check string validity - similar to pfSense's do_input_validate() """

Expand Down
7 changes: 7 additions & 0 deletions plugins/module_utils/openvpn_client.py
Original file line number Diff line number Diff line change
Expand Up @@ -172,6 +172,13 @@ def _validate_params(self):
# check name
self.pfsense.validate_string(params['name'], 'openvpn')

if params['state'] == 'absent':
return True

# check tunnel_networks - can be network alias or non-strict IP CIDR network
self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network'), 'ipv4')
self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network6'), 'ipv6')

# Check auth clients
if len(params['authmode']) > 0:
system = self.pfsense.get_element('system')
Expand Down
13 changes: 9 additions & 4 deletions plugins/module_utils/openvpn_override.py
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,8 @@
class PFSenseOpenVPNOverrideModule(PFSenseModuleBase):
""" module managing pfSense OpenVPN Client Specific Overrides """

from ansible_collections.pfsensible.core.plugins.module_utils.__impl.checks import validate_openvpn_tunnel_network

@staticmethod
def get_argument_spec():
""" return argument spec """
Expand Down Expand Up @@ -121,10 +123,13 @@ def _validate_params(self):
# check name
self.pfsense.validate_string(params['name'], 'openvpn_override')

if params.get('tunnel_network') and not self.pfsense.is_ipv4_network(params['tunnel_network']):
self.module.fail_json(msg='A valid IPv4 network must be specified for tunnel_network.')
if params.get('tunnel_network6') and not self.pfsense.is_ipv6_network(params['tunnel_networkv6']):
self.module.fail_json(msg='A valid IPv6 network must be specified for tunnel_network6.')
if params['state'] == 'absent':
return True

# check tunnel_networks - can be network alias or non-strict IP CIDR network
self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network'), 'ipv4')
self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network6'), 'ipv6')

if params.get('local_network') and not self.pfsense.is_ipv4_network(params['local_network']):
self.module.fail_json(msg='A valid IPv4 network must be specified for local_network.')
if params.get('local_network6') and not self.pfsense.is_ipv6_network(params['local_networkv6']):
Expand Down
7 changes: 7 additions & 0 deletions plugins/module_utils/openvpn_server.py
Original file line number Diff line number Diff line change
Expand Up @@ -202,6 +202,13 @@ def _validate_params(self):
# check name
self.pfsense.validate_string(params['name'], 'openvpn')

if params['state'] == 'absent':
return True

# check tunnel_networks - can be network alias or non-strict IP CIDR network
self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network'), 'ipv4')
self.pfsense.validate_openvpn_tunnel_network(params.get('tunnel_network6'), 'ipv6')

# Check auth servers
if len(params['authmode']) > 0:
system = self.pfsense.get_element('system')
Expand Down
7 changes: 6 additions & 1 deletion plugins/module_utils/pfsense.py
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,12 @@ class PFSenseModule(object):
parse_ip_network,
parse_port,
)
from ansible_collections.pfsensible.core.plugins.module_utils.__impl.checks import check_name, check_ip_address, validate_string
from ansible_collections.pfsensible.core.plugins.module_utils.__impl.checks import (
check_name,
check_ip_address,
validate_string,
validate_openvpn_tunnel_network,
)

def __init__(self, module, config='/cf/conf/config.xml'):
self.module = module
Expand Down

0 comments on commit c2daca6

Please sign in to comment.