def update_keys_provider(uuid, cert, key):  # type: (str, str, str) -> None
    """
    Replace the client certificate and private key of an existing
    NetworkManager connection.

    Typically called after the previous keypair has expired and a fresh
    one was obtained.  Only the files on disk are rewritten; the NM
    profile that points at them is not modified here.

    args:
        uuid (str): unique ID of the NetworkManager connection whose key
            material is being replaced (also used to name the files)
        cert (str): the new client certificate, as text
        key (str): the new private key, as text

    NOTE(review): the private key is handed to write_cert() in the clear;
    write_cert must create the file with owner-only permissions — confirm.
    """
    logger.info(u"updating key pare for uuid {}".format(uuid))
    # Certificate first, then key — same order as the original store path.
    for content, kind in ((cert, 'cert'), (key, 'key')):
        write_cert(content, kind, uuid)
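def ovpn_to_nm(config, meta, display_name, username=None):  # type: (dict, Metadata, str, Optional[str]) -> object
    """Generate a NetworkManager style config dict from a parsed ovpn config dict.

    args:
        config (dict): parsed OpenVPN options; must contain 'remote' (a list of
            (host, port[, proto]) tuples).  'auth', 'cipher', 'connection-type',
            'comp-lzo', 'auth-user-pass', 'ca', 'tls-auth'/'key-direction' and
            'tls-crypt' are honoured when present.
        meta (Metadata): profile metadata; only meta.uuid is used here, to name
            the certificate files written to disk.
        display_name (str): connection name shown in NetworkManager.
        username (str | None): required when the server config contains
            'auth-user-pass' (2FA profile).

    returns:
        dict: NetworkManager settings ('connection', 'ipv4', 'ipv6', 'vpn').

    raises:
        EduvpnException: if 'auth-user-pass' is set but no username is given.
        KeyError: if 'remote' is missing from config.

    Side effects: writes the CA and tls-auth/tls-crypt material to disk via
    write_cert().
    """
    logger.info("generating config for {} ({})".format(display_name, meta.uuid))
    data = {
        # Client-side fallbacks used only when the server config is silent.
        'auth': config.get('auth', 'SHA256'),
        'cipher': config.get('cipher', 'AES-256-CBC'),
        'connection-type': config.get('connection-type', 'tls'),
        'dev': 'tun',
        'remote': ",".join(":".join(r) for r in config['remote']),
        # Require the server certificate to be a server certificate, so a
        # client certificate issued by the same CA cannot impersonate the server.
        'remote-cert-tls': 'server',
        # 'tls-cipher' is not supported on older nm (like ubuntu 16.04)
        # 'tls-cipher': config.get('tls-cipher', 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384')
    }
    settings = {'connection': {'id': display_name,
                               'type': 'vpn',
                               'uuid': meta.uuid},
                'ipv4': {'method': 'auto'},
                'ipv6': {'method': 'auto'},
                'vpn': {'data': data,
                        'service-type': 'org.freedesktop.NetworkManager.openvpn'}
                }

    # issue #138, not supported by older network-manager-openvpn
    # if 'server-poll-timeout' in config:
    #     data['connect-timeout'] = config['server-poll-timeout']

    if 'comp-lzo' in config:
        # A bare 'comp-lzo' parses to an empty/falsy value -> 'adaptive'.
        data['comp-lzo'] = config['comp-lzo'] or 'adaptive'

    # 2 factor auth enabled
    if 'auth-user-pass' in config:
        if not username:
            raise EduvpnException("You need to enroll for 2FA in the user portal "
                                  "first before being able to connect to this profile.")
        logger.info("looks like 2 factor authentication is enabled, enabling this in NM config")
        data['cert-pass-flags'] = '0'
        data['connection-type'] = 'password-tls'
        # NM secret flag; presumably "not saved, always ask" — verify against NM docs.
        data['password-flags'] = '2'
        data['username'] = username

    if 'ca' in config:
        ca_path = write_cert(config.get('ca'), 'ca', meta.uuid)
        data['ca'] = ca_path

    if 'tls-auth' in config:
        data['ta'] = write_cert(config.get('tls-auth'), 'ta', meta.uuid)
        data['ta-dir'] = config.get('key-direction', '1')
    elif 'tls-crypt' in config:
        data['tls-crypt'] = write_cert(config.get('tls-crypt'), 'tc', meta.uuid)
    else:
        # Use the module logger (the rest of this module does), and warn rather
        # than info: without tls-auth/tls-crypt the control channel has no
        # extra HMAC protection, which an operator should notice.
        logger.warning("'tls-crypt' and 'tls-auth' not found in configuration returned by server")

    return settings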
def store_provider(meta):
    """Store the eduVPN configuration

    Creates a brand-new NetworkManager connection for ``meta``: assigns a
    fresh uuid, writes the client cert/key plus the CA and tls-auth material
    to disk, inserts the NM profile and persists the metadata.

    args:
        meta: profile metadata with .display_name, .config, .cert, .key,
            .username; .uuid is overwritten with a new unique id.

    returns:
        str: the uuid assigned to the new connection.

    raises:
        KeyError: if the parsed config lacks 'ca' or 'tls-auth'.
    """
    logger.info("storing profile with name {} using NetworkManager".format(meta.display_name))
    meta.uuid = make_unique_id()

    # Re-serialise to ovpn text and parse it back so the config dict has the
    # same shape as one received directly from the server.
    parsed = parse_ovpn(format_like_ovpn(meta.config, meta.cert, meta.key))

    # 'ca' and 'tls-auth' are popped so ovpn_to_nm does not write them a
    # second time; the paths are merged into the NM dict afterwards.
    paths = {
        'cert': write_cert(meta.cert, 'cert', meta.uuid),
        'key': write_cert(meta.key, 'key', meta.uuid),
        'ca': write_cert(parsed.pop('ca'), 'ca', meta.uuid),
        'ta': write_cert(parsed.pop('tls-auth'), 'ta', meta.uuid),
    }

    nm_config = ovpn_to_nm(parsed, uuid=meta.uuid, display_name=meta.display_name, username=meta.username)
    nm_config['vpn']['data'].update(paths)
    insert_config(nm_config)
    meta.write()
    return meta.uuid
def store_provider(meta, config_dict):
    """Store the eduVPN configuration

    Writes the client cert/key for ``meta`` and either inserts a new
    NetworkManager connection (when ``meta.uuid`` is unset) or hands the
    update to ``update_config_provider`` (when it already has one).

    args:
        meta: profile metadata (.uuid, .display_name, .cert, .key, .username).
        config_dict (dict): parsed OpenVPN configuration for the profile.

    returns:
        str: the connection uuid (newly generated if it was missing).

    NOTE(review): in the update branch the nm_config built here is not used;
    only its side effect (write_cert for ca/ta inside ovpn_to_nm) survives.
    """
    logger.info("storing profile with name {} using NetworkManager".format(meta.display_name))

    is_new = not meta.uuid
    if is_new:
        meta.uuid = make_unique_id()

    cert_path = write_cert(meta.cert, 'cert', meta.uuid)
    key_path = write_cert(meta.key, 'key', meta.uuid)
    nm_config = ovpn_to_nm(config_dict, meta=meta, display_name=meta.display_name, username=meta.username)
    nm_config['vpn']['data']['cert'] = cert_path
    nm_config['vpn']['data']['key'] = key_path

    if not is_new:
        update_config_provider(meta, config_dict)
    else:
        insert_config(nm_config)

    meta.write()
    return meta.uuid
def update_config_provider(meta):
    """
    Update an existing network manager configuration

    Re-parses ``meta.config``, rewrites the CA and tls-auth files, then (only
    when D-Bus is available) replaces the NM connection identified by
    ``meta.uuid`` with a freshly generated one.  The existing cert/key paths
    are carried over from the old connection settings.

    args:
        meta: profile metadata; uses .uuid, .display_name, .config, .username

    raises:
        KeyError: if the parsed config lacks 'ca' or 'tls-auth'.

    NOTE(review): the old connection is deleted before the new one is inserted;
    if insert_config() fails the profile is lost — confirm this is acceptable.
    """
    logger.info("updating config for {} ({})".format(meta.display_name, meta.uuid))
    parsed = parse_ovpn(meta.config)
    # Written unconditionally, even when the NM profile itself can't be updated.
    new_paths = {
        'ca': write_cert(parsed.pop('ca'), 'ca', meta.uuid),
        'ta': write_cert(parsed.pop('tls-auth'), 'ta', meta.uuid),
    }

    if not have_dbus():
        return

    nm_config = ovpn_to_nm(parsed, uuid=meta.uuid, display_name=meta.display_name, username=meta.username)
    old_conn = NetworkManager.Settings.GetConnectionByUuid(meta.uuid)
    previous = old_conn.GetSettings()['vpn']['data']
    # Keep the client cert/key files the old profile already points at.
    nm_config['vpn']['data'].update({'cert': previous['cert'], 'key': previous['key']})
    nm_config['vpn']['data'].update(new_paths)
    old_conn.Delete()
    insert_config(nm_config)
 def test_write_cert(self):
     """Smoke test: write_cert accepts keyword arguments and does not raise."""
     kwargs = {'content': 'test', 'type_': 'test', 'unique_name': 'test'}
     write_cert(**kwargs)