From aa49738a7633836fd2dd931155f8499f0ead5e45 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Fri, 19 Mar 2021 19:00:06 +0100
Subject: [PATCH] Update to 2021-03-19 19:00
---
 roles/documize/tasks/directories.yml | 2 +
 roles/documize/tasks/install.yml | 1 +
 roles/documize/templates/documize.service.j2 | 1 +
 roles/radius_server/defaults/main.yml | 5 ++
 roles/radius_server/files/rad_check_client_cert | 56 +++++++++++++++--------
 roles/radius_server/tasks/main.yml | 9 ++++
 roles/radius_server/templates/modules/eap.conf.j2 | 2 +-
 7 files changed, 57 insertions(+), 19 deletions(-)
diff --git a/roles/documize/tasks/directories.yml b/roles/documize/tasks/directories.yml
index e5b29e5..887ed81 100644
--- a/roles/documize/tasks/directories.yml
+++ b/roles/documize/tasks/directories.yml
@@ -5,6 +5,8 @@
 loop:
 - dir: "{{ documize_root_dir }}"
 - dir: "{{ documize_root_dir }}/tmp"
+ group: "{{ documize_user }}"
+ mode: 770
 - dir: "{{ documize_root_dir }}/bin"
 - dir: "{{ documize_root_dir }}/etc"
 group: "{{ documize_user }}"
diff --git a/roles/documize/tasks/install.yml b/roles/documize/tasks/install.yml
index ee7a3be..bf4c95c 100644
--- a/roles/documize/tasks/install.yml
+++ b/roles/documize/tasks/install.yml
@@ -20,6 +20,7 @@
 - name: Install systemd unit
 template: src=documize.service.j2 dest=/etc/systemd/system/documize.service
+ notify: restart documize
 register: documize_unit
 tags: documize
diff --git a/roles/documize/templates/documize.service.j2 b/roles/documize/templates/documize.service.j2
index 1b44683..aa2ef8c 100644
--- a/roles/documize/templates/documize.service.j2
+++ b/roles/documize/templates/documize.service.j2
@@ -6,6 +6,7 @@ After=network.target postgresql.service mariadb.service
 Type=simple
 User={{ documize_user }}
 ExecStart={{ documize_root_dir }}/bin/documize {{ documize_root_dir }}/etc/documize.conf
+WorkingDirectory={{ documize_root_dir }}/tmp
 Restart=always
 NoNewPrivileges=true
 PrivateDevices=true
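Review bot: The unquoted `mode: 770` on the new tmp entry is a YAML integer, and Ansible's file-type modules take an integer mode as decimal (770 is octal 1402), not as rwxrwx---, which is the footgun the Ansible docs warn about; write it as `mode: '0770'` so the directory really ends up group-writable for `{{ documize_user }}` as the matching `WorkingDirectory={{ documize_root_dir }}/tmp` in the unit needs. The module this loop feeds is declared before the hunk, so I am inferring a file/directory task from the `dir`/`group` keys; whatever it is, the same quoting applies to any mode on the other loop items.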
diff --git a/roles/radius_server/defaults/main.yml b/roles/radius_server/defaults/main.yml
index 6f02ff5..1f21da4 100644
--- a/roles/radius_server/defaults/main.yml
+++ b/roles/radius_server/defaults/main.yml
@@ -36,6 +36,11 @@ rad_src_ip: []
 # If undefined, no check will be performed, and revoked certificates will be accepted
 # rad_tls_crl:
+# An email address to notify in case of CRL issue.
+# In case the CRL couldn't be fetched or is outdated, and rad_notify_crl is defined
+# the validation script will allow the authentication and notify the adress instead of failing
+# rad_notify_crl: admin@example.org
+
 # The issuer of the clients certificate
 # This can be usefull if you have several intermediate CA
 # all signed by the same root CA, but only want to trust clients from
diff --git a/roles/radius_server/files/rad_check_client_cert b/roles/radius_server/files/rad_check_client_cert
index cf94f81..9cef3fb 100644
--- a/roles/radius_server/files/rad_check_client_cert
+++ b/roles/radius_server/files/rad_check_client_cert
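Review bot: The variable documented here, `rad_notify_crl`, is not the one the template reads: the new `eap.conf.j2` hunk tests `{% if rad_crl_notify is defined %} --notify-crl='{{ rad_crl_notify }}'`, so a deployer who follows this comment never gets the `--notify-crl` option and the check script keeps failing closed on a stale CRL. Pick one name and use it in both files, e.g. change this line to `# rad_crl_notify: admin@example.org`, or the template to `rad_notify_crl`. While there, `adress` → `address`, and the comment should say plainly that with this variable set a revoked certificate can be accepted while the CRL is unavailable, since that is the trade-off the operator is opting into.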
@@ -4,47 +4,67 @@ use warnings;
 use strict;
 use Getopt::Long;
 use LWP::Simple qw($ua getstore);
+use Net::Domain qw(hostname hostfqdn hostdomain domainname);
+use Mail::Sendmail;
 my $cert;
 my $ca = '/etc/radius/certs/ca.pem';
 my $crl;
 my $issuer;
+my $notify_crl;
 GetOptions(
 'certificate=s' => \$cert,
- 'cacert=s' => \$ca,
- 'crl=s' => \$crl,
- 'issuer=s' => \$issuer
+ 'cacert=s' => \$ca,
+ 'crl=s' => \$crl,
+ 'notify-crl=s' => \$notify_crl,
+ 'issuer=s' => \$issuer
 );
 # Set a 5 sec timeout to fetch the CRL
 $ua->timeout(5);
+my $crl_file;
+my $crl_age;
 if ($crl){
- if ($crl =~ m{^/}){
- if (!-e $crl){
- print STDERR "$crl doesn't exist, can't verify\n";
- exit 1;
- }
+ if ($crl =~ m{^/} && -e $crl){
+ $crl_file = $crl;
+ $crl_age = time - ( stat($crl) )[9];
 } elsif ($crl =~ m{^https?://}) {
- my $crl_file = '/run/radiusd/tls/crl.pem';
- my $age = 99999;
- if (-e $crl_file){
- $age = time - ( stat($crl_file) )[9];
+ $crl_age = 9999999;
+
+ if (-e '/run/radiusd/tls/crl.pem'){
+ $crl_age = time - ( stat('/run/radiusd/tls/crl.pem') )[9];
+ $crl_file = '/run/radiusd/tls/crl.pem';
 }
- if (!-e $crl_file or $age > 900){
+
+ if (!-e '/run/radiusd/tls/crl.pem' or $crl_age > 900){
 my $code = getstore($crl,$crl_file);
- if ($code != 200 && $age > 7200){
- print STDERR "Can't fetch the CRL at $crl\n";
- exit 1;
+ if ($code == 200){
+ $crl_age = 0;
+ $crl_file = '/run/radiusd/tls/crl.pem';
 }
 }
+
+ }
+}
+
+if (defined $crl and (not defined $crl_file or ($crl =~ m{https?://} and $crl_age > 7200))){
+ if (defined $notify_crl){
+ my %mail = (
+ To => $notify_crl,
+ From => 'radius@' . hostdomain(),
+ Subject => 'CRL issue',
+ Message => 'Authentication done with an outdated CRL'
+ );
+ sendmail(%mail);
+ } else {
+ die "CRL is too old or missing\n";
 }
 }
 my $cmd = "openssl verify -trusted $ca -purpose sslclient";
-$cmd .= " -crl_check -CRLfile $crl" if ($crl and $crl =~ m{^/});
-$cmd .= " -crl_check -CRLfile /run/radiusd/tls/crl.pem" if ($crl and $crl =~ m{^https?://});
+$cmd .= " -crl_check -CRLfile $crl_file" if (defined $crl_file);
 $cmd .= " $cert";
 my $ca_check = qx($cmd);
 if ($? != 0){
diff --git a/roles/radius_server/tasks/main.yml b/roles/radius_server/tasks/main.yml
index 49c7e49..3f80769 100644
--- a/roles/radius_server/tasks/main.yml
+++ b/roles/radius_server/tasks/main.yml
@@ -6,6 +6,7 @@
 - freeradius
 - freeradius-utils
 - perl-LWP-Protocol-https # For the check script to be able to fetch CRL on https URL
+ - perl-Mail-Sendmail
 tags: radius
 - name: Create configuration directories
@@ -103,5 +104,13 @@
 when: iptables_manage | default(True)
 tags: [firewall,radius]
+# This is needed to allow the verification script to send email notification
+# when the CRL is too old
+- name: Configure SELinux
+ seboolean: name=nis_enabled state=True persistent=True
+ when: ansible_selinux.status == 'enabled'
+ tags: radius
+
 - name: Start and enable the service
 service: name=radiusd state=started enabled=True
+ tags: radius
diff --git a/roles/radius_server/templates/modules/eap.conf.j2 b/roles/radius_server/templates/modules/eap.conf.j2
index d144f4c..f36efcd 100644
--- a/roles/radius_server/templates/modules/eap.conf.j2
+++ b/roles/radius_server/templates/modules/eap.conf.j2
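Review bot: On a cold cache the fetch never writes the CRL: when `/run/radiusd/tls/crl.pem` does not exist, `$crl_file` is still undef at `my $code = getstore($crl,$crl_file);` (the old code assigned the path before fetching), undef is not a file name so LWP keeps the body in memory and writes nothing, and the following `if ($code == 200)` then points `$crl_file` at a file that was never created, so every `openssl verify ... -CRLfile` call fails until something else populates that path; pass the path explicitly, `my $code = getstore($crl, '/run/radiusd/tls/crl.pem');`. Second, the notify branch is fail-open with no CRL at all: when `$crl_file` is undef the `-crl_check` option is simply omitted, so a revoked client certificate is accepted while the mail text claims an "outdated" CRL; at minimum the message should distinguish the no-CRL case, and keeping `die` for it and only tolerating a stale cached copy is the safer split. Third, this script runs once per TLS handshake, so `sendmail(%mail)` fires on every authentication attempt for as long as the CRL is stale (a mail flood plus an SMTP round-trip per handshake); write a marker file next to the cached CRL and skip the mail while it is recent, and check the result, `sendmail(%mail) or warn $Mail::Sendmail::error;`, so a failed notification is at least logged. The `if ($? != 0)` handling that decides acceptance continues past the end of the hunk.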
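Review bot: The comment above the new `Configure SELinux` task should say what is actually needed and what `nis_enabled` grants: as far as I know it is a wide boolean that loosens port-access rules for every confined domain that goes through nsswitch, not only radiusd, so an operator auditing the host should read something like `# radiusd_t needs to reach the local SMTP port for CRL notifications; nis_enabled also widens port access for other confined daemons, prefer a targeted policy module if you have one`. The boolean is also turned on unconditionally, even when the notification variable the template reads (`rad_crl_notify` in this commit) is unset and the script will never send mail; add it to the task's `when` so the relaxation only happens on hosts that use the feature.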
@@ -17,7 +17,7 @@ eap {
 {% endif %}
 verify {
 tmpdir = /run/radiusd/tls
- client = "/usr/local/bin/rad_check_client_cert --cert %{TLS-Client-Cert-Filename}{% if rad_tls_crl is defined %} --crl {{ (rad_tls_crl is search ('https?://')) | ternary(rad_tls_crl,'/etc/radius/certs/crl.pem') }}{% endif %}{% if rad_tls_issuer is defined %} --issuer '{{ rad_tls_issuer }}'{% endif %}"
+ client = "/usr/local/bin/rad_check_client_cert --cert %{TLS-Client-Cert-Filename}{% if rad_tls_crl is defined %} --crl {{ (rad_tls_crl is search ('https?://')) | ternary(rad_tls_crl,'/etc/radius/certs/crl.pem') }}{% endif %}{% if rad_tls_issuer is defined %} --issuer '{{ rad_tls_issuer }}'{% endif %}{% if rad_crl_notify is defined %} --notify-crl='{{ rad_crl_notify }}'{% endif %}"
 }
 }