Update to 2021-03-19 19:00

master
Daniel Berteaud 4 years ago
parent 5eeadcb433
commit aa49738a76
  1. 2
      roles/documize/tasks/directories.yml
  2. 1
      roles/documize/tasks/install.yml
  3. 1
      roles/documize/templates/documize.service.j2
  4. 5
      roles/radius_server/defaults/main.yml
  5. 50
      roles/radius_server/files/rad_check_client_cert
  6. 9
      roles/radius_server/tasks/main.yml
  7. 2
      roles/radius_server/templates/modules/eap.conf.j2

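--- a/roles/documize/tasks/directories.yml
+++ b/roles/documize/tasks/directories.yml
@@ -5,6 +5,8 @@
 loop:
 - dir: "{{ documize_root_dir }}"
 - dir: "{{ documize_root_dir }}/tmp"
+group: "{{ documize_user }}"
+mode: 770
 - dir: "{{ documize_root_dir }}/bin"
 - dir: "{{ documize_root_dir }}/etc"
 group: "{{ documize_user }}"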
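Review bot: `mode: 770` on the new tmp entry is an unquoted YAML integer, and Ansible's file module treats an integer mode as a decimal value, so 770 would yield an unintended permission set rather than rwxrwx---. Quote it as `mode: '0770'`, which is what the Ansible documentation recommends for octal modes. The task that presumably consumes `item.mode` starts before this hunk, so whether the value gets coerced to a string on the way to the module cannot be confirmed from here.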

@ -20,6 +20,7 @@
- name: Install systemd unit - name: Install systemd unit
template: src=documize.service.j2 dest=/etc/systemd/system/documize.service template: src=documize.service.j2 dest=/etc/systemd/system/documize.service
notify: restart documize
register: documize_unit register: documize_unit
tags: documize tags: documize

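--- a/roles/documize/templates/documize.service.j2
+++ b/roles/documize/templates/documize.service.j2
@@ -6,6 +6,7 @@ After=network.target postgresql.service mariadb.service
 Type=simple
 User={{ documize_user }}
 ExecStart={{ documize_root_dir }}/bin/documize {{ documize_root_dir }}/etc/documize.conf
+WorkingDirectory={{ documize_root_dir }}/tmp
 Restart=always
 NoNewPrivileges=true
 PrivateDevices=true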

@ -36,6 +36,11 @@ rad_src_ip: []
# If undefined, no check will be performed, and revoked certificates will be accepted # If undefined, no check will be performed, and revoked certificates will be accepted
# rad_tls_crl: # rad_tls_crl:
# An email address to notify in case of CRL issue.
# In case the CRL couldn't be fetched or is outdated, and rad_notify_crl is defined
# the validation script will allow the authentication and notify the adress instead of failing
# rad_notify_crl: admin@example.org
# The issuer of the clients certificate # The issuer of the clients certificate
# This can be usefull if you have several intermediate CA # This can be usefull if you have several intermediate CA
# all signed by the same root CA, but only want to trust clients from # all signed by the same root CA, but only want to trust clients from
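Review bot: The variable documented here as `rad_notify_crl` (in the prose and in the commented example) does not match the one the eap.conf.j2 template tests, `rad_crl_notify`, so a user who follows these defaults never gets `--notify-crl` passed to the check script; the same mismatch applies to the eap.conf.j2 section further down. Either name is fine, but the two files must agree, e.g. change the template to `{% if rad_notify_crl is defined %} --notify-crl='{{ rad_notify_crl }}'{% endif %}`. With the mismatch the script simply keeps failing closed on CRL problems, so the new feature is silently inert rather than unsafe. While editing the comment, `adress` on the third new line should read `address`.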

@ -4,47 +4,67 @@ use warnings;
use strict; use strict;
use Getopt::Long; use Getopt::Long;
use LWP::Simple qw($ua getstore); use LWP::Simple qw($ua getstore);
use Net::Domain qw(hostname hostfqdn hostdomain domainname);
use Mail::Sendmail;
my $cert; my $cert;
my $ca = '/etc/radius/certs/ca.pem'; my $ca = '/etc/radius/certs/ca.pem';
my $crl; my $crl;
my $issuer; my $issuer;
my $notify_crl;
GetOptions( GetOptions(
'certificate=s' => \$cert, 'certificate=s' => \$cert,
'cacert=s' => \$ca, 'cacert=s' => \$ca,
'crl=s' => \$crl, 'crl=s' => \$crl,
'notify-crl=s' => \$notify_crl,
'issuer=s' => \$issuer 'issuer=s' => \$issuer
); );
# Set a 5 sec timeout to fetch the CRL # Set a 5 sec timeout to fetch the CRL
$ua->timeout(5); $ua->timeout(5);
my $crl_file;
my $crl_age;
if ($crl){ if ($crl){
if ($crl =~ m{^/}){ if ($crl =~ m{^/} && -e $crl){
if (!-e $crl){ $crl_file = $crl;
print STDERR "$crl doesn't exist, can't verify\n"; $crl_age = time - ( stat($crl) )[9];
exit 1;
}
} elsif ($crl =~ m{^https?://}) { } elsif ($crl =~ m{^https?://}) {
my $crl_file = '/run/radiusd/tls/crl.pem'; $crl_age = 9999999;
my $age = 99999;
if (-e $crl_file){ if (-e '/run/radiusd/tls/crl.pem'){
$age = time - ( stat($crl_file) )[9]; $crl_age = time - ( stat('/run/radiusd/tls/crl.pem') )[9];
$crl_file = '/run/radiusd/tls/crl.pem';
} }
if (!-e $crl_file or $age > 900){
if (!-e '/run/radiusd/tls/crl.pem' or $crl_age > 900){
my $code = getstore($crl,$crl_file); my $code = getstore($crl,$crl_file);
if ($code != 200 && $age > 7200){ if ($code == 200){
print STDERR "Can't fetch the CRL at $crl\n"; $crl_age = 0;
exit 1; $crl_file = '/run/radiusd/tls/crl.pem';
} }
} }
}
}
if (defined $crl and (not defined $crl_file or ($crl =~ m{https?://} and $crl_age > 7200))){
if (defined $notify_crl){
my %mail = (
To => $notify_crl,
From => 'radius@' . hostdomain(),
Subject => 'CRL issue',
Message => 'Authentication done with an outdated CRL'
);
sendmail(%mail);
} else {
die "CRL is too old or missing\n";
} }
} }
my $cmd = "openssl verify -trusted $ca -purpose sslclient"; my $cmd = "openssl verify -trusted $ca -purpose sslclient";
$cmd .= " -crl_check -CRLfile $crl" if ($crl and $crl =~ m{^/}); $cmd .= " -crl_check -CRLfile $crl_file" if (defined $crl_file);
$cmd .= " -crl_check -CRLfile /run/radiusd/tls/crl.pem" if ($crl and $crl =~ m{^https?://});
$cmd .= " $cert"; $cmd .= " $cert";
my $ca_check = qx($cmd); my $ca_check = qx($cmd);
if ($? != 0){ if ($? != 0){
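Review bot: The return value of `sendmail(%mail)` in the `if (defined $notify_crl)` branch is never checked, so when delivery fails (SMTP unreachable, an SELinux denial, a bad `From` when `hostdomain()` returns nothing) the authentication is still allowed and nobody is told, turning the notify path into an unlogged fail-open. Keep the fallback closed when the notification itself fails: `sendmail(%mail) or die "CRL is too old or missing, and notification failed: $Mail::Sendmail::error\n";`, and also print a line to STDERR so the decision shows up in the radiusd log. This block runs once per client authentication, so during a CRL outage every EAP attempt sends a separate email; a timestamp marker file next to the cached CRL that suppresses repeat mails for some interval would be worth adding. The `openssl verify` invocation on the last lines still builds a shell string by interpolation; on the new side `$crl_file` is only ever the configured path or the fixed `/run/radiusd/tls/crl.pem`, but list-form `open my $fh, '-|', 'openssl', 'verify', ...` would take the shell out of the path entirely. The script's tail (the `$? != 0` handling) continues outside the hunk.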

@ -6,6 +6,7 @@
- freeradius - freeradius
- freeradius-utils - freeradius-utils
- perl-LWP-Protocol-https # For the check script to be able to fetch CRL on https URL - perl-LWP-Protocol-https # For the check script to be able to fetch CRL on https URL
- perl-Mail-Sendmail
tags: radius tags: radius
- name: Create configuration directories - name: Create configuration directories
@ -103,5 +104,13 @@
when: iptables_manage | default(True) when: iptables_manage | default(True)
tags: [firewall,radius] tags: [firewall,radius]
# This is needed to allow the verification script to send email notification
# when the CRL is too old
- name: Configure SELinux
seboolean: name=nis_enabled state=True persistent=True
when: ansible_selinux.status == 'enabled'
tags: radius
- name: Start and enable the service - name: Start and enable the service
service: name=radiusd state=started enabled=True service: name=radiusd state=started enabled=True
tags: radius
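Review bot: `nis_enabled` is widely used as a catch-all SELinux boolean that relaxes network access for many confined domains, not just radiusd, yet the new task sets it unconditionally whenever SELinux is enabled, including on deployments that never configure CRL notification. Restrict it to the case that needs it, e.g. `when: ansible_selinux.status == 'enabled' and rad_notify_crl is defined` (using whichever variable name the role settles on, since defaults/main.yml and eap.conf.j2 currently disagree), and say in the comment that the boolean widens policy beyond the mail path. Note also that nothing reverts the boolean if notification is later disabled.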

@ -17,7 +17,7 @@ eap {
{% endif %} {% endif %}
verify { verify {
tmpdir = /run/radiusd/tls tmpdir = /run/radiusd/tls
client = "/usr/local/bin/rad_check_client_cert --cert %{TLS-Client-Cert-Filename}{% if rad_tls_crl is defined %} --crl {{ (rad_tls_crl is search ('https?://')) | ternary(rad_tls_crl,'/etc/radius/certs/crl.pem') }}{% endif %}{% if rad_tls_issuer is defined %} --issuer '{{ rad_tls_issuer }}'{% endif %}" client = "/usr/local/bin/rad_check_client_cert --cert %{TLS-Client-Cert-Filename}{% if rad_tls_crl is defined %} --crl {{ (rad_tls_crl is search ('https?://')) | ternary(rad_tls_crl,'/etc/radius/certs/crl.pem') }}{% endif %}{% if rad_tls_issuer is defined %} --issuer '{{ rad_tls_issuer }}'{% endif %}{% if rad_crl_notify is defined %} --notify-crl='{{ rad_crl_notify }}'{% endif %}"
} }
} }
