|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* Copyright (C) 2016 SURFnet. |
|
4
|
|
|
* |
|
5
|
|
|
* This program is free software: you can redistribute it and/or modify |
|
6
|
|
|
* it under the terms of the GNU Affero General Public License as |
|
7
|
|
|
* published by the Free Software Foundation, either version 3 of the |
|
8
|
|
|
* License, or (at your option) any later version. |
|
9
|
|
|
* |
|
10
|
|
|
* This program is distributed in the hope that it will be useful, |
|
11
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
12
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
13
|
|
|
* GNU Affero General Public License for more details. |
|
14
|
|
|
* |
|
15
|
|
|
* You should have received a copy of the GNU Affero General Public License |
|
16
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
17
|
|
|
*/ |
|
18
|
|
|
namespace SURFnet\VPN\Server; |
|
19
|
|
|
|
|
20
|
|
|
use SURFnet\VPN\Server\Exception\ConnectionException; |
|
21
|
|
|
use RuntimeException; |
|
22
|
|
|
|
|
23
|
|
|
class Connection |
|
24
|
|
|
{ |
|
25
|
|
|
/** @var string */ |
|
26
|
|
|
private $baseDir; |
|
27
|
|
|
|
|
28
|
|
|
public function __construct($baseDir) |
|
29
|
|
|
{ |
|
30
|
|
|
$this->baseDir = $baseDir; |
|
31
|
|
|
} |
|
32
|
|
|
|
|
33
|
|
|
public function connect(array $envData) |
|
34
|
|
|
{ |
|
35
|
|
|
$userId = self::getUserId($envData['common_name']); |
|
36
|
|
|
|
|
37
|
|
|
$dataDir = sprintf('%s/data/%s', $this->baseDir, $envData['INSTANCE_ID']); |
|
38
|
|
|
|
|
39
|
|
|
// is the user account disabled? |
|
40
|
|
|
// XXX we have to be careful, if the directory is not readable by the |
|
41
|
|
|
// openvpn user, it is assumed the user is not disabled! We have to |
|
42
|
|
|
// find a more robust solution for this! |
|
43
|
|
|
$disabledUsersDir = sprintf('%s/users/disabled', $dataDir); |
|
44
|
|
|
if (@file_exists(sprintf('%s/%s', $disabledUsersDir, $userId))) { |
|
45
|
|
|
throw new ConnectionException('client not allowed, user is disabled'); |
|
46
|
|
|
} |
|
47
|
|
|
|
|
48
|
|
|
// is the common name disabled? |
|
49
|
|
|
// XXX we have to be careful, if the directory is not readable by the |
|
50
|
|
|
// openvpn user, it is assumed the user is not disabled! We have to |
|
51
|
|
|
// find a more robust solution for this! |
|
52
|
|
|
$disabledCommonNamesDir = sprintf('%s/common_names/disabled', $dataDir); |
|
53
|
|
|
if (@file_exists(sprintf('%s/%s', $disabledCommonNamesDir, $envData['common_name']))) { |
|
54
|
|
|
throw new ConnectionException('client not allowed, CN is disabled'); |
|
55
|
|
|
} |
|
56
|
|
|
|
|
57
|
|
|
$configDir = sprintf('%s/config/%s', $this->baseDir, $envData['INSTANCE_ID']); |
|
58
|
|
|
|
|
59
|
|
|
// read the instance/pool configuration |
|
60
|
|
|
$instanceConfig = InstanceConfig::fromFile( |
|
61
|
|
|
sprintf('%s/config.yaml', $configDir) |
|
62
|
|
|
); |
|
63
|
|
|
|
|
64
|
|
|
// is the ACL enabled? |
|
65
|
|
|
$poolId = $envData['POOL_ID']; |
|
66
|
|
|
$poolConfig = new PoolConfig($instanceConfig->v('vpnPools', $poolId)); |
|
67
|
|
|
if ($poolConfig->v('enableAcl')) { |
|
68
|
|
|
$aclGroupProvider = $poolConfig->v('aclGroupProvider'); |
|
69
|
|
|
$groupProviderClass = sprintf('SURFnet\VPN\Server\GroupProvider\%s', $aclGroupProvider); |
|
70
|
|
|
$groupProvider = new $groupProviderClass($dataDir, $instanceConfig); |
|
71
|
|
|
$aclGroupList = $poolConfig->v('aclGroupList'); |
|
72
|
|
|
|
|
73
|
|
|
if (false === self::isMember($groupProvider->getGroups($userId), $aclGroupList)) { |
|
74
|
|
|
throw new ConnectionException(sprintf('client not allowed, not a member of "%s"', implode(',', $aclGroupList))); |
|
75
|
|
|
} |
|
76
|
|
|
} |
|
77
|
|
|
} |
|
78
|
|
|
|
|
79
|
|
View Code Duplication |
private static function getUserId($commonName) |
|
|
|
|
|
|
80
|
|
|
{ |
|
81
|
|
|
if (false === $uPos = strpos($commonName, '_')) { |
|
82
|
|
|
throw new RuntimeException('unable to extract userId from commonName'); |
|
83
|
|
|
} |
|
84
|
|
|
|
|
85
|
|
|
return substr($commonName, 0, $uPos); |
|
86
|
|
|
} |
|
87
|
|
|
|
|
88
|
|
|
private static function isMember(array $memberOf, array $aclGroupList) |
|
89
|
|
|
{ |
|
90
|
|
|
// one of the groups must be listed in the pool ACL list |
|
91
|
|
|
foreach ($memberOf as $memberGroup) { |
|
92
|
|
|
if (in_array($memberGroup['id'], $aclGroupList)) { |
|
93
|
|
|
return true; |
|
94
|
|
|
} |
|
95
|
|
|
} |
|
96
|
|
|
|
|
97
|
|
|
return false; |
|
98
|
|
|
} |
|
99
|
|
|
} |
|
100
|
|
|
|
eduVPN /
vpn-server-api
Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.
You can also find more detailed suggestions in the “Code” section of your repository.