[feature] Added support for more WPA EAP client parameters #313

pandafy · nemesifier · commit c15de71ff9d8 · 2024-11-07T18:02:24.000-03:00
Closes #313
diff --git a/netjsonconfig/backends/openwrt/converters/wireless.py b/netjsonconfig/backends/openwrt/converters/wireless.py
@@ -283,10 +283,16 @@ def __netjson_wifi_typecast(self, wifi):
         'vlan_bridge',
         'eap_type',
         'auth',
+        'anonymous_identity',
         'identity',
         'password',
         'ca_cert',
         'client_cert',
+        'ca_cert_usesystem',
+        'subject_match',
+        'altsubject_match',
+        'domain_match',
+        'domain_suffix_match',
         'priv_key',
         'priv_key_pwd',
         'wps_config',
diff --git a/netjsonconfig/backends/openwrt/schema.py b/netjsonconfig/backends/openwrt/schema.py
@@ -900,6 +900,62 @@
                     },
                 }
             },
+            "encryption_wpa_enterprise_sta_base_settings": {
+                "properties": {
+                    "ca_cert_usesystem": {
+                        "title": "Use system certificates",
+                        "type": "boolean",
+                        "default": False,
+                        "format": "checkbox",
+                        "description": (
+                            'Validate server certificate using built-in'
+                            ' system CA bundle, requires the "ca-bundle" package'
+                        ),
+                        "propertyOrder": 7.9,
+                    },
+                    "subject_match": {
+                        "title": "Certificate constraint (Subject)",
+                        "type": "string",
+                        "description": (
+                            "Certificate constraint substring"
+                            " - e.g. /CN=wifi.mycompany.com See `logread -f` during"
+                            " handshake for actual values"
+                        ),
+                        "propertyOrder": 8.9,
+                    },
+                    "altsubject_match": {
+                        "title": "Certificate constraint (SAN)",
+                        "description": (
+                            "Certificate constraint(s) via Subject Alternate"
+                            " Name values (supported attributes: EMAIL, DNS, URI)"
+                            " - e.g. DNS:wifi.mycompany.com"
+                        ),
+                        "type": "array",
+                        "items": {"type": "string"},
+                        "propertyOrder": 8.91,
+                    },
+                    "domain_match": {
+                        "title": "Certificate constraint (Domain)",
+                        "description": (
+                            "Certificate constraint(s) against DNS SAN values"
+                            " (if available) or Subject CN (exact match)"
+                        ),
+                        "type": "array",
+                        "items": {"type": "string"},
+                        "propertyOrder": 8.92,
+                    },
+                    "domain_suffix_match": {
+                        "title": "Certificate constraint (Wildcard)",
+                        "description": (
+                            "Certificate constraint(s) against DNS SAN values "
+                            "(if available) or Subject CN (suffix match)"
+                        ),
+                        "type": "array",
+                        "items": {"type": "string"},
+                        "propertyOrder": 8.93,
+                    },
+                }
+            },
         },
         "properties": {
             "general": {
diff --git a/netjsonconfig/schema.py b/netjsonconfig/schema.py
@@ -662,6 +662,7 @@
                     "propertyOrder": 5,
                 },
                 "identity": {"type": "string", "propertyOrder": 6},
+                "anonymous_identity": {"type": "string", "propertyOrder": 6.1},
                 "password": {"type": "string", "propertyOrder": 7},
                 "ca_cert": {
                     "type": "string",
diff --git a/tests/openwrt/test_encryption.py b/tests/openwrt/test_encryption.py
@@ -563,8 +563,12 @@ def test_parse_wpa2_enterprise_client(self):
                         "cipher": "auto",
                         "eap_type": "ttls",
                         "auth": "MSCHAPV2",
+                        "anonymous_identity": "anonymous",
                         "identity": "test-identity",
                         "password": "test-password",
+                        "client_cert": "/etc/ssl/wifi.openwisp.io/cert.crt",
+                        "priv_key": "/etc/ssl/wifi.openwisp.io/private.key",
+                        "domain_match": ["wifi.openwisp.io"],
                     },
                 },
             }
@@ -573,15 +577,19 @@ def test_parse_wpa2_enterprise_client(self):
     _wpa2_enterprise_ttls_client_uci = """package wireless
 
 config wifi-iface 'wifi_wlan0'
+    option anonymous_identity 'anonymous'
     option auth 'MSCHAPV2'
     option bssid '00:26:b9:20:5f:09'
+    option client_cert '/etc/ssl/wifi.openwisp.io/cert.crt'
     option device 'radio0'
+    list domain_match 'wifi.openwisp.io'
     option eap_type 'ttls'
     option encryption 'wpa2'
     option identity 'test-identity'
     option ifname 'wlan0'
     option mode 'sta'
     option password 'test-password'
+    option priv_key '/etc/ssl/wifi.openwisp.io/private.key'
     option ssid 'enterprise-client'
 """
 
