Update to 2021-03-19 19:00

master
Daniel Berteaud 4 years ago
parent 5eeadcb433
commit aa49738a76
  1. 2
      roles/documize/tasks/directories.yml
  2. 1
      roles/documize/tasks/install.yml
  3. 1
      roles/documize/templates/documize.service.j2
  4. 5
      roles/radius_server/defaults/main.yml
  5. 56
      roles/radius_server/files/rad_check_client_cert
  6. 9
      roles/radius_server/tasks/main.yml
  7. 2
      roles/radius_server/templates/modules/eap.conf.j2

@ -5,6 +5,8 @@
loop:
- dir: "{{ documize_root_dir }}"
- dir: "{{ documize_root_dir }}/tmp"
group: "{{ documize_user }}"
mode: 770
- dir: "{{ documize_root_dir }}/bin"
- dir: "{{ documize_root_dir }}/etc"
group: "{{ documize_user }}"

@ -20,6 +20,7 @@
- name: Install systemd unit
template: src=documize.service.j2 dest=/etc/systemd/system/documize.service
notify: restart documize
register: documize_unit
tags: documize

@ -6,6 +6,7 @@ After=network.target postgresql.service mariadb.service
Type=simple
User={{ documize_user }}
ExecStart={{ documize_root_dir }}/bin/documize {{ documize_root_dir }}/etc/documize.conf
WorkingDirectory={{ documize_root_dir }}/tmp
Restart=always
NoNewPrivileges=true
PrivateDevices=true

@ -36,6 +36,11 @@ rad_src_ip: []
# If undefined, no check will be performed, and revoked certificates will be accepted
# rad_tls_crl:
# An email address to notify in case of CRL issue.
# In case the CRL couldn't be fetched or is outdated, and rad_notify_crl is defined
# the validation script will allow the authentication and notify the adress instead of failing
# rad_notify_crl: admin@example.org
# The issuer of the clients certificate
# This can be usefull if you have several intermediate CA
# all signed by the same root CA, but only want to trust clients from

@ -4,47 +4,67 @@ use warnings;
use strict;
use Getopt::Long;
use LWP::Simple qw($ua getstore);
use Net::Domain qw(hostname hostfqdn hostdomain domainname);
use Mail::Sendmail;
my $cert;
my $ca = '/etc/radius/certs/ca.pem';
my $crl;
my $issuer;
my $notify_crl;
GetOptions(
'certificate=s' => \$cert,
'cacert=s' => \$ca,
'crl=s' => \$crl,
'issuer=s' => \$issuer
'cacert=s' => \$ca,
'crl=s' => \$crl,
'notify-crl=s' => \$notify_crl,
'issuer=s' => \$issuer
);
# Set a 5 sec timeout to fetch the CRL
$ua->timeout(5);
my $crl_file;
my $crl_age;
if ($crl){
if ($crl =~ m{^/}){
if (!-e $crl){
print STDERR "$crl doesn't exist, can't verify\n";
exit 1;
}
if ($crl =~ m{^/} && -e $crl){
$crl_file = $crl;
$crl_age = time - ( stat($crl) )[9];
} elsif ($crl =~ m{^https?://}) {
my $crl_file = '/run/radiusd/tls/crl.pem';
my $age = 99999;
if (-e $crl_file){
$age = time - ( stat($crl_file) )[9];
$crl_age = 9999999;
if (-e '/run/radiusd/tls/crl.pem'){
$crl_age = time - ( stat('/run/radiusd/tls/crl.pem') )[9];
$crl_file = '/run/radiusd/tls/crl.pem';
}
if (!-e $crl_file or $age > 900){
if (!-e '/run/radiusd/tls/crl.pem' or $crl_age > 900){
my $code = getstore($crl,$crl_file);
if ($code != 200 && $age > 7200){
print STDERR "Can't fetch the CRL at $crl\n";
exit 1;
if ($code == 200){
$crl_age = 0;
$crl_file = '/run/radiusd/tls/crl.pem';
}
}
}
}
if (defined $crl and (not defined $crl_file or ($crl =~ m{https?://} and $crl_age > 7200))){
if (defined $notify_crl){
my %mail = (
To => $notify_crl,
From => 'radius@' . hostdomain(),
Subject => 'CRL issue',
Message => 'Authentication done with an outdated CRL'
);
sendmail(%mail);
} else {
die "CRL is too old or missing\n";
}
}
my $cmd = "openssl verify -trusted $ca -purpose sslclient";
$cmd .= " -crl_check -CRLfile $crl" if ($crl and $crl =~ m{^/});
$cmd .= " -crl_check -CRLfile /run/radiusd/tls/crl.pem" if ($crl and $crl =~ m{^https?://});
$cmd .= " -crl_check -CRLfile $crl_file" if (defined $crl_file);
$cmd .= " $cert";
my $ca_check = qx($cmd);
if ($? != 0){

@ -6,6 +6,7 @@
- freeradius
- freeradius-utils
- perl-LWP-Protocol-https # For the check script to be able to fetch CRL on https URL
- perl-Mail-Sendmail
tags: radius
- name: Create configuration directories
@ -103,5 +104,13 @@
when: iptables_manage | default(True)
tags: [firewall,radius]
# This is needed to allow the verification script to send email notification
# when the CRL is too old
- name: Configure SELinux
seboolean: name=nis_enabled state=True persistent=True
when: ansible_selinux.status == 'enabled'
tags: radius
- name: Start and enable the service
service: name=radiusd state=started enabled=True
tags: radius

@ -17,7 +17,7 @@ eap {
{% endif %}
verify {
tmpdir = /run/radiusd/tls
client = "/usr/local/bin/rad_check_client_cert --cert %{TLS-Client-Cert-Filename}{% if rad_tls_crl is defined %} --crl {{ (rad_tls_crl is search ('https?://')) | ternary(rad_tls_crl,'/etc/radius/certs/crl.pem') }}{% endif %}{% if rad_tls_issuer is defined %} --issuer '{{ rad_tls_issuer }}'{% endif %}"
client = "/usr/local/bin/rad_check_client_cert --cert %{TLS-Client-Cert-Filename}{% if rad_tls_crl is defined %} --crl {{ (rad_tls_crl is search ('https?://')) | ternary(rad_tls_crl,'/etc/radius/certs/crl.pem') }}{% endif %}{% if rad_tls_issuer is defined %} --issuer '{{ rad_tls_issuer }}'{% endif %}{% if rad_crl_notify is defined %} --notify-crl='{{ rad_crl_notify }}'{% endif %}"
}
}

Loading…
Cancel
Save