openvpn: T3834: verify() is not allowed to change anything on the sys…
…tem (#3851)

Commit e3c71af ("remove secrets file if the tunnel is deleted and fix
opmode commands") added a code path into verify() which removed files on the
system if TOTP was not defined.

This commit moves the code path to the appropriate generate() function.

(cherry picked from commit 40c8359)

Co-authored-by: Christian Breunig <[email protected]>
mergify[bot] and c-po authored Jul 23, 2024
1 parent f19a531 commit 218fbe0
Showing 1 changed file with 10 additions and 7 deletions.
17 changes: 10 additions & 7 deletions src/conf_mode/interfaces_openvpn.py
Expand Up @@ -235,10 +235,6 @@ def verify_pki(openvpn):

def verify(openvpn):
if 'deleted' in openvpn:
# remove totp secrets file if totp is not configured
if os.path.isfile(otp_file.format(**openvpn)):
os.remove(otp_file.format(**openvpn))

verify_bridge_delete(openvpn)
return None

Expand Down Expand Up @@ -624,9 +620,19 @@ def generate_pki_files(openvpn):


def generate(openvpn):
if 'deleted' in openvpn:
# remove totp secrets file if totp is not configured
if os.path.isfile(otp_file.format(**openvpn)):
os.remove(otp_file.format(**openvpn))
return None

if 'disable' in openvpn:
return None

interface = openvpn['ifname']
directory = os.path.dirname(cfg_file.format(**openvpn))
openvpn['plugin_dir'] = '/usr/lib/openvpn'

# create base config directory on demand
makedir(directory, user, group)
# enforce proper permissions on /run/openvpn
Expand All @@ -643,9 +649,6 @@ def generate(openvpn):
if os.path.isdir(service_dir):
rmtree(service_dir, ignore_errors=True)

if 'deleted' in openvpn or 'disable' in openvpn:
return None

# create client config directory on demand
makedir(ccd_dir, user, group)

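Review bot: The early `return None` for 'deleted' and 'disable' at the top of generate() now skips the `rmtree(service_dir, ignore_errors=True)` cleanup visible in the last hunk, which used to run before the combined guard this commit removes. generate()'s body continues between and after the hunks, so unless apply() or another path not shown here removes those files, a deleted or disabled tunnel would presumably leave its service override directory, and anything else generate() cleans up in the unseen lines, on disk. If skipping the cleanup is intended, say so in a comment; otherwise drop the two early returns, keep the secrets removal at the top, and retain `if 'deleted' in openvpn or 'disable' in openvpn: return None` after the cleanup. Separately, the comment `# remove totp secrets file if totp is not configured` does not match the branch, which tests only 'deleted'; `# interface deleted: remove its TOTP secrets file` would be accurate. The isfile()/remove() pair could also be a single `os.remove(...)` guarded by `except FileNotFoundError`, which closes the check-then-delete gap.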
