Update to 2021-03-19 19:00

3 years ago · aa49738a76
parent 5eeadcb433
commit aa49738a76
7 changed files with 57 additions and 19 deletions
--- a/roles/documize/tasks/directories.yml
+++ b/roles/documize/tasks/directories.yml
@ -5,6 +5,8 @@
  loop:
    - dir: "{{ documize_root_dir }}"
    - dir: "{{ documize_root_dir }}/tmp"
+      group: "{{ documize_user }}"
+      mode: 770
    - dir: "{{ documize_root_dir }}/bin"
    - dir: "{{ documize_root_dir }}/etc"
      group: "{{ documize_user }}"
--- a/roles/documize/tasks/install.yml
+++ b/roles/documize/tasks/install.yml
@ -20,6 +20,7 @@

 - name: Install systemd unit
  template: src=documize.service.j2 dest=/etc/systemd/system/documize.service
+  notify: restart documize
  register: documize_unit
  tags: documize

--- a/roles/documize/templates/documize.service.j2
+++ b/roles/documize/templates/documize.service.j2
@ -6,6 +6,7 @@ After=network.target postgresql.service mariadb.service
 Type=simple
 User={{ documize_user }}
 ExecStart={{ documize_root_dir }}/bin/documize {{ documize_root_dir }}/etc/documize.conf
+WorkingDirectory={{ documize_root_dir }}/tmp
 Restart=always
 NoNewPrivileges=true
 PrivateDevices=true
--- a/roles/radius_server/defaults/main.yml
+++ b/roles/radius_server/defaults/main.yml
@ -36,6 +36,11 @@ rad_src_ip: []
 # If undefined, no check will be performed, and revoked certificates will be accepted
 # rad_tls_crl:

+# An email address to notify in case of CRL issue.
+# In case the CRL couldn't be fetched or is outdated, and rad_notify_crl is defined
+# the validation script will allow the authentication and notify the adress instead of failing
+# rad_notify_crl: admin@example.org
+
 # The issuer of the clients certificate
 # This can be usefull if you have several intermediate CA
 # all signed by the same root CA, but only want to trust clients from
--- a/roles/radius_server/files/rad_check_client_cert
+++ b/roles/radius_server/files/rad_check_client_cert
@ -4,47 +4,67 @@ use warnings;
 use strict;
 use Getopt::Long;
 use LWP::Simple qw($ua getstore);
+use Net::Domain qw(hostname hostfqdn hostdomain domainname);
+use Mail::Sendmail;

 my $cert;
 my $ca = '/etc/radius/certs/ca.pem';
 my $crl;
 my $issuer;
+my $notify_crl;

 GetOptions(
  'certificate=s' => \$cert,
-  'cacert=s' => \$ca,
-  'crl=s' => \$crl,
-  'issuer=s' => \$issuer
+  'cacert=s'      => \$ca,
+  'crl=s'         => \$crl,
+  'notify-crl=s'  => \$notify_crl,
+  'issuer=s'      => \$issuer
 );

 # Set a 5 sec timeout to fetch the CRL
 $ua->timeout(5);

+my $crl_file;
+my $crl_age;
 if ($crl){
-  if ($crl =~ m{^/}){
-    if (!-e $crl){
-      print STDERR "$crl doesn't exist, can't verify\n";
-      exit 1;
-    }
+  if ($crl =~ m{^/} && -e $crl){
+    $crl_file = $crl;
+    $crl_age = time - ( stat($crl) )[9];
  } elsif ($crl =~ m{^https?://}) {
-    my $crl_file = '/run/radiusd/tls/crl.pem';
-    my $age = 99999;
-    if (-e $crl_file){
-      $age = time - ( stat($crl_file) )[9];
+    $crl_age = 9999999;
+
+    if (-e '/run/radiusd/tls/crl.pem'){
+      $crl_age = time - ( stat('/run/radiusd/tls/crl.pem') )[9];
+      $crl_file = '/run/radiusd/tls/crl.pem';
    }
-    if (!-e $crl_file or $age > 900){
+
+    if (!-e '/run/radiusd/tls/crl.pem' or $crl_age > 900){
      my $code = getstore($crl,$crl_file);
-      if ($code != 200 && $age > 7200){
-        print STDERR "Can't fetch the CRL at $crl\n";
-        exit 1;
+      if ($code == 200){
+        $crl_age  = 0;
+        $crl_file = '/run/radiusd/tls/crl.pem';
      }
    }
+
+  }
+}
+
+if (defined $crl and (not defined $crl_file or ($crl =~ m{https?://} and $crl_age > 7200))){
+  if (defined $notify_crl){
+    my %mail = (
+      To      => $notify_crl,
+      From    => 'radius@' . hostdomain(),
+      Subject => 'CRL issue',
+      Message => 'Authentication done with an outdated CRL'
+    );
+    sendmail(%mail);
+  } else {
+    die "CRL is too old or missing\n";
  }
 }

 my $cmd = "openssl verify -trusted $ca -purpose sslclient";
-$cmd .= " -crl_check -CRLfile $crl" if ($crl and $crl =~ m{^/});
-$cmd .= " -crl_check -CRLfile /run/radiusd/tls/crl.pem" if ($crl and $crl =~ m{^https?://});
+$cmd .= " -crl_check -CRLfile $crl_file" if (defined $crl_file);
 $cmd .= " $cert";
 my $ca_check = qx($cmd);
 if ($? != 0){
--- a/roles/radius_server/tasks/main.yml
+++ b/roles/radius_server/tasks/main.yml
@ -6,6 +6,7 @@
      - freeradius
      - freeradius-utils
      - perl-LWP-Protocol-https  # For the check script to be able to fetch CRL on https URL
+      - perl-Mail-Sendmail
  tags: radius

 - name: Create configuration directories
@ -103,5 +104,13 @@
  when: iptables_manage | default(True)
  tags: [firewall,radius]

+# This is needed to allow the verification script to send email notification
+# when the CRL is too old
+- name: Configure SELinux
+  seboolean: name=nis_enabled state=True persistent=True
+  when: ansible_selinux.status == 'enabled'
+  tags: radius
+
 - name: Start and enable the service
  service: name=radiusd state=started enabled=True
+  tags: radius
--- a/roles/radius_server/templates/modules/eap.conf.j2
+++ b/roles/radius_server/templates/modules/eap.conf.j2
@ -17,7 +17,7 @@ eap {
 {% endif %}
    verify {
      tmpdir = /run/radiusd/tls
-      client = "/usr/local/bin/rad_check_client_cert --cert %{TLS-Client-Cert-Filename}{% if rad_tls_crl is defined %} --crl {{ (rad_tls_crl is search ('https?://')) | ternary(rad_tls_crl,'/etc/radius/certs/crl.pem') }}{% endif %}{% if rad_tls_issuer is defined %} --issuer '{{ rad_tls_issuer }}'{% endif %}"
+      client = "/usr/local/bin/rad_check_client_cert --cert %{TLS-Client-Cert-Filename}{% if rad_tls_crl is defined %} --crl {{ (rad_tls_crl is search ('https?://')) | ternary(rad_tls_crl,'/etc/radius/certs/crl.pem') }}{% endif %}{% if rad_tls_issuer is defined %} --issuer '{{ rad_tls_issuer }}'{% endif %}{% if rad_crl_notify is defined %} --notify-crl='{{ rad_crl_notify }}'{% endif %}"
    }
  }