[feature] Added support for OpenVPN tls-auth option #174

pandafy · web-flow · commit eecbba448a50 · 2022-03-10T12:58:22.000-03:00
The OpenVPN backend will automatically create a file for the key present in "tls_auth" field and update the value of the "tls-auth" parameter. Closes #174
diff --git a/docs/source/backends/openvpn.rst b/docs/source/backends/openvpn.rst
@@ -114,6 +114,8 @@ Required properties:
 +--------------------------+---------+--------------+-------------------------------------------------------------+
 | ``pkcs12``               | string  |              | any non whitespace character                                |
 +--------------------------+---------+--------------+-------------------------------------------------------------+
+| ``tls_auth``             | string  |              | string containing TLS Auth key                              |
++--------------------------+---------+--------------+-------------------------------------------------------------+
 | ``ns_cert_type``         | string  |              | ``client``, ``server`` or empty string                      |
 +--------------------------+---------+--------------+-------------------------------------------------------------+
 | ``mtu_disc``             | string  | ``no``       | ``no``, ``maybe`` or ``yes``                                |
diff --git a/netjsonconfig/backends/openvpn/converters.py b/netjsonconfig/backends/openvpn/converters.py
@@ -1,5 +1,6 @@
 from copy import deepcopy
 
+from ...schema import X509_FILE_MODE
 from ..base.converter import BaseConverter
 from .schema import schema
 
@@ -46,8 +47,41 @@ def __intermediate_vpn(self, config, remove=[False, 0, '']):
         # do not display status-version if status directive not present
         if 'status' not in config and 'status_version' in config:
             del config['status_version']
+        config = self.__add_tls_auth_key(config)
         return self.sorted_dict(config)
 
+    def __add_tls_auth_key(self, config):
+        tls_auth = config.get('tls_auth', None)
+        if not tls_auth:
+            return config
+        tls_auth = tls_auth.strip()
+        if len(tls_auth.split(' ')) == 2:
+            # The field already contains path to auth key
+            # and TLS Auth direction. No operation is required.
+            pass
+        else:
+            # The TLS Auth key is present in the field.
+            # Determine TLS Auth key file path from CA's file path.
+            ca_path = config.get('ca', '')
+            dev = config.get('dev', '')
+            tls_auth_path = '/'.join(ca_path.split('/')[:-1] + [f'{dev}_tls_auth.key'])
+            if config.get('mode') == 'server':
+                tls_auth_direction = 0
+            else:
+                tls_auth_direction = 1
+            config['tls_auth'] = f'{tls_auth_path} {tls_auth_direction}'
+            # Add TLS Auth key file
+            file_data = {
+                'path': tls_auth_path,
+                'mode': X509_FILE_MODE,
+                'contents': tls_auth,
+            }
+            try:
+                self.netjson['files'].append(file_data)
+            except KeyError:
+                self.netjson['files'] = [file_data]
+        return config
+
     def to_netjson_loop(self, block, result, index):
         vpn = self.__netjson_vpn(block)
         result.setdefault('openvpn', [])
diff --git a/netjsonconfig/backends/openvpn/openvpn.py b/netjsonconfig/backends/openvpn/openvpn.py
@@ -76,6 +76,17 @@ def auto_client(
         # remote_cert_tls
         remote_cert_tls = {None: '', '': '', 'client': 'server'}
         client['remote_cert_tls'] = remote_cert_tls[server.get('remote_cert_tls')]
+        tls_auth = server.get('tls_auth')
+        if tls_auth:
+            if len(tls_auth.strip().split(' ')) == 2:
+                # The field contains path to auth key and direction.
+                # auto_client does not support such format.
+                pass
+            else:
+                # The TLS Auth key is present in the field.
+                # Copy the TLS Auth key. Convertor will handle
+                # parsing it into file.
+                client['tls_auth'] = tls_auth
         copy_keys = [
             'name',
             'dev_type',
diff --git a/netjsonconfig/backends/openvpn/schema.py b/netjsonconfig/backends/openvpn/schema.py
@@ -190,6 +190,17 @@
                     "pattern": "^(\\S*)$",
                     "propertyOrder": 17,
                 },
+                "tls_auth": {
+                    "title": "TLS Auth",
+                    "description": (
+                        "Adds an additional layer of HMAC authentication on top of "
+                        "the TLS control channel to mitigate DoS attacks and "
+                        "attacks on the TLS stack"
+                    ),
+                    "type": "string",
+                    "format": "textarea",
+                    "propertyOrder": 18,
+                },
                 "ns_cert_type": {
                     "title": "NS cert type",
                     "type": "string",
diff --git a/tests/openvpn/test_backend.py b/tests/openvpn/test_backend.py
@@ -58,6 +58,7 @@ def test_server_mode(self):
                         "status": "/var/log/openvpn.status 10",
                         "status_version": 1,
                         "tls_server": True,
+                        "tls_auth": "tls_auth.key 0",
                         "tun_ipv6": False,
                         "up": "",
                         "up_delay": 0,
@@ -98,6 +99,7 @@ def test_server_mode(self):
 script-security 0
 status /var/log/openvpn.status 10
 status-version 1
+tls-auth tls_auth.key 0
 tls-server
 user nobody
 verb 3
@@ -151,6 +153,7 @@ def test_client_mode(self):
                         "status": "/var/log/openvpn.status 30",
                         "status_version": 1,
                         "tls_client": True,
+                        "tls_auth": "tls_auth.key 1",
                         "topology": "p2p",
                         "tun_ipv6": True,
                         "up": "/home/user/up-command.sh",
@@ -193,6 +196,7 @@ def test_client_mode(self):
 script-security 1
 status /var/log/openvpn.status 30
 status-version 1
+tls-auth tls_auth.key 1
 tls-client
 topology p2p
 tun-ipv6
@@ -742,3 +746,139 @@ def test_override(self):
         o = OpenVpn(self._simple_conf, templates=[template])
         # ensure dummy values in template have been overridden
         self.assertDictEqual(o.config, self._simple_conf)
+
+    _openvpn_server_tls_auth_config = {
+        "openvpn": [
+            {
+                "name": "test",
+                "ca": "/etc/openvpn/ca.pem",
+                "cert": "/etc/openvpn/cert.pem",
+                "dev": "tap0",
+                "dev_type": "tap",
+                "dh": "/etc/openvpn/dh.pem",
+                "key": "/etc/openvpn/key.pem",
+                "mode": "server",
+                "proto": "udp",
+                "status": "",
+                "status_version": 1,
+                "tls_server": True,
+                "tls_auth": (
+                    "#\n"
+                    "# 2048 bit OpenVPN static key\n"
+                    "#\n-----BEGIN OpenVPN Static key V1-----\n"
+                    "tls-auth-key\n"
+                    "-----END OpenVPN Static key V1-----"
+                ),
+            },
+            {
+                "name": "test2",
+                "ca": "/etc/openvpn/ca2.pem",
+                "cert": "/etc/openvpn/cert2.pem",
+                "dev": "tap1",
+                "dev_type": "tap",
+                "dh": "/etc/openvpn/dh2.pem",
+                "key": "/etc/openvpn/key2.pem",
+                "mode": "server",
+                "proto": "udp",
+                "status": "",
+                "status_version": 1,
+                "tls_server": True,
+                "tls_auth": (
+                    "#\n"
+                    "# 2048 bit OpenVPN static key\n"
+                    "#\n-----BEGIN OpenVPN Static key V1-----\n"
+                    "tls-auth-key2\n"
+                    "-----END OpenVPN Static key V1-----"
+                ),
+            },
+        ],
+    }
+
+    _openvpn_server_tls_auth_render = """# openvpn config: test
+
+ca /etc/openvpn/ca.pem
+cert /etc/openvpn/cert.pem
+dev tap0
+dev-type tap
+dh /etc/openvpn/dh.pem
+key /etc/openvpn/key.pem
+mode server
+proto udp
+tls-auth /etc/openvpn/tap0_tls_auth.key 0
+tls-server
+
+# openvpn config: test2
+
+ca /etc/openvpn/ca2.pem
+cert /etc/openvpn/cert2.pem
+dev tap1
+dev-type tap
+dh /etc/openvpn/dh2.pem
+key /etc/openvpn/key2.pem
+mode server
+proto udp
+tls-auth /etc/openvpn/tap1_tls_auth.key 0
+tls-server
+
+# ---------- files ---------- #
+
+# path: /etc/openvpn/tap0_tls_auth.key
+# mode: 0600
+
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+tls-auth-key
+-----END OpenVPN Static key V1-----
+
+# path: /etc/openvpn/tap1_tls_auth.key
+# mode: 0600
+
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+tls-auth-key2
+-----END OpenVPN Static key V1-----
+
+"""
+
+    _openvpn_client_tls_auth_render = """# openvpn config: test
+
+ca /etc/openvpn/ca.pem
+cert /etc/openvpn/cert.pem
+dev tap0
+dev-type tap
+key /etc/openvpn/key.pem
+mode p2p
+nobind
+proto udp
+remote vpn1.test.com 1195
+resolv-retry infinite
+tls-auth /etc/openvpn/tap0_tls_auth.key 1
+tls-client
+
+# ---------- files ---------- #
+
+# path: /etc/openvpn/tap0_tls_auth.key
+# mode: 0600
+
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+tls-auth-key
+-----END OpenVPN Static key V1-----
+
+"""
+
+    def test_tls_auth_key_present(self):
+        server = OpenVpn(self._openvpn_server_tls_auth_config)
+        self.assertEqual(server.render(), self._openvpn_server_tls_auth_render)
+        client_config = OpenVpn.auto_client(
+            'vpn1.test.com',
+            self._openvpn_server_tls_auth_config['openvpn'][0],
+        )
+        client = OpenVpn(client_config)
+        self.assertEqual(client.render(), self._openvpn_client_tls_auth_render)
