From patchwork Sun Oct 15 16:28:22 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7282
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] backup.pl: Fix for bug#11048 - add script for adding pass/no pass to ovpnconfig from backup
Date: Sun, 15 Oct 2023 18:28:22 +0200
Message-ID: <20231015162822.7763-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- A script was added to the update.sh script to add pass/no pass to the ovpnconfig entries but I forgot that this was also needed in the backup.pl file to add those statuses into any ovpnconfig file restored from a backup before the pass/no pass entries were added.
- This patch corrects that oversight.
- Confirmed by testing on my vm. Before the script was added to backup.pl a restore of older ovpnconfig ended up not showing any icons or status elements. With the script in backup.pl confirmed that the restored ovpnconfig showed up in the WUI page correctly with the right icons and with the status elements correctly displayed.

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
--- config/backup/backup.pl | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 8d990c0f1..75a0e4f60 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl 
@@ -205,6 +205,30 @@ restore_backup() { done fi + #Update ovpnconfig to include pass or no-pass for old backup versions missing the entry + # Check if ovpnconfig exists and is not empty + if [ -s /var/ipfire/ovpn/ovpnconfig ]; then + # Add blank line at top of ovpnconfig otherwise the first roadwarrior entry is treated like a blank line and missed out from update + awk 'NR==1{print ""}1' /var/ipfire/ovpn/ovpnconfig > /var/ipfire/ovpn/tmp_file && mv /var/ipfire/ovpn/tmp_file /var/ipfire/ovpn/ovpnconfig + # Make all N2N connections 'no-pass' since they do not use encryption + awk '{FS=OFS=","} {if($5=="net") {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new + # Evaluate roadwarrior connection names for *.p12 files + for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do + # Sort all unencrypted roadwarriors out and set 'no-pass' in [43] index + if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'Encrypted data') ]]; then + awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new + fi + # Sort all encrypted roadwarriors out and set 'pass' in [43] index + if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'verify error') ]]; then + awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new + fi + done + fi + # Replace existing ovpnconfig with updated index + mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig + # Set correct ownership + chown nobody:nobody /var/ipfire/ovpn/ovpnconfig + return 0 }
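
Review bot: the final `mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig` and the `chown` sit after the closing `fi` of the `[ -s /var/ipfire/ovpn/ovpnconfig ]` check, so they run even when that block was skipped; with no ovpnconfig.new present the `mv` fails, and a leftover ovpnconfig.new from an earlier run would be moved into place as the live config. Move both inside the `if`, and remove or truncate ovpnconfig.new before the first `>>` so a repeated restore cannot append duplicate entries. Inside the loop, a roadwarrior entry whose openssl output matches neither 'Encrypted data' nor 'verify error' (for example when `${y}.p12` is not present) is written by neither branch and disappears when the file is replaced; an else branch that copies the line unchanged would keep it. The blank-line workaround at the top is only needed because `{FS=OFS=","}` in the main action takes effect from the second record onward; setting it in `BEGIN{FS=OFS=","}` handles the first line correctly and lets that awk call be dropped. The `/host/` pattern also matches the string anywhere in a line rather than only in field 5, and `${y}` in the .p12 path should be quoted.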