From c45cf897f208aca76aa9f92e213e402a3aeed1e7 Mon Sep 17 00:00:00 2001 From: Gagan Deep Date: Wed, 24 Jan 2024 20:28:15 +0530 Subject: [PATCH] [change] OpenWrt: updated WPA enterprise settings #291 - Generate "auth_sever", "auth_port" and "auth_secret" options from "server", "port" and "key" properties - Set "acct_secret" to the value of "key" if it is not configured in NetJSON - Add new options: "acct_inverval", "dae_client", "dae_port", "dae_secret" Closes #291 --- .../backends/openwrt/converters/wireless.py | 37 ++++++++++++---- netjsonconfig/backends/openwrt/schema.py | 42 +++++++++++++++++++ tests/openwrt/test_encryption.py | 25 +++++++++++ 3 files changed, 95 insertions(+), 9 deletions(-) diff --git a/netjsonconfig/backends/openwrt/converters/wireless.py b/netjsonconfig/backends/openwrt/converters/wireless.py index 66b365352..9e4e921e9 100644 --- a/netjsonconfig/backends/openwrt/converters/wireless.py +++ b/netjsonconfig/backends/openwrt/converters/wireless.py @@ -124,15 +124,18 @@ def __intermediate_encryption(self, wireless): if protocol == 'wep_open': uci['key1'] = 's:{0}'.format(uci['key1']) else: - if ( - 'enterprise' in protocol - and 'eap_type' in uci - and uci['eap_type'] == 'tls' - and 'auth' in uci - ): - # remove auth if not needed - # (not applicable to EAP-TLS) - del uci['auth'] + if 'enterprise' in protocol: + if 'eap_type' in uci and uci['eap_type'] == 'tls' and 'auth' in uci: + # remove auth if not needed + # (not applicable to EAP-TLS) + del uci['auth'] + if wireless['mode'] == 'ap': + for option in ['server', 'port']: + if option in encryption: + uci[f'auth_{option}'] = encryption[option] + uci['auth_secret'] = encryption['key'] + if 'acct_secret' not in encryption: + uci['acct_secret'] = encryption['key'] if 'key' in encryption: uci['key'] = encryption['key'] # add ciphers @@ -251,6 +254,8 @@ def __netjson_wifi_typecast(self, wifi): 'auth_cache', 'acct_port', 'acct_server', + 'acct_secret', + 'acct_interval', 'nasid', 'ownip', 'dae_client', @@ -325,6 +330,16 @@ def __netjson_encryption(self, wifi): # noqa: C901 if key.startswith('s:'): key = key[2:] settings['key'] = key + if 'enterprise' in settings['protocol']: + if 'auth_secret' in settings: + settings['key'] = settings.pop('auth_secret') + if settings.get('acct_secret') and settings['acct_secret'] == settings.get( + 'key' + ): + settings.pop('acct_secret') + for option in ['server', 'port']: + if f'auth_{option}' in settings: + settings[option] = settings.pop(f'auth_{option}') # Management Frame Protection if 'ieee80211w' in wifi: settings['ieee80211w'] = wifi.pop('ieee80211w') @@ -337,6 +352,10 @@ def __netjson_encryption_typecast(self, encryption): encryption['port'] = int(encryption['port']) if 'acct_port' in encryption: encryption['acct_port'] = int(encryption['acct_port']) + if 'dae_port' in encryption: + encryption['dae_port'] = int(encryption['dae_port']) + if 'acct_interval' in encryption: + encryption['acct_interval'] = int(encryption['acct_interval']) if 'wps_label' in encryption: encryption['wps_label'] = encryption['wps_label'] == '1' if 'wps_pushbutton' in encryption: diff --git a/netjsonconfig/backends/openwrt/schema.py b/netjsonconfig/backends/openwrt/schema.py index 32111cee7..7f2609203 100644 --- a/netjsonconfig/backends/openwrt/schema.py +++ b/netjsonconfig/backends/openwrt/schema.py @@ -704,6 +704,48 @@ {"$ref": "#/definitions/radio_60g_band"}, ] }, + "encryption_wpa_enterprise_ap_base_settings": { + "properties": { + "acct_secret": { + "title": "accounting shared secret", + "type": "string", + "propertyOrder": 9, + }, + "acct_interval": { + "type": "integer", + "title": "accounting interval", + "default": 600, + "propertyOrder": 10, + }, + "dae_client": { + "title": "DAE client", + "type": "string", + "description": ( + "Dynamic Authorization Extension client." + " This client can send \"Disconnect-Request\" or \"CoA-Request\" packets to forcibly disconnect a client or change connection parameters." + ), + "propertyOrder": 11, + }, + "dae_port": { + "type": "integer", + "title": "DAE port", + # "description": "port the Dynamic Authorization Extension server listens on.", + "default": 3799, + "propertyOrder": 12, + }, + "dae_secret": { + "title": "DAE secret", + "type": "string", + "propertyOrder": 13, + }, + "nasid": { + "title": "NAS ID", + "type": "string", + "description": "NAS ID for RADIUS authentication requests", + "propertyOrder": 13, + }, + } + }, }, "properties": { "general": { diff --git a/tests/openwrt/test_encryption.py b/tests/openwrt/test_encryption.py index aeaa25490..2496f710d 100644 --- a/tests/openwrt/test_encryption.py +++ b/tests/openwrt/test_encryption.py @@ -288,6 +288,9 @@ def test_parse_wpa_personal(self): package wireless config wifi-iface 'wifi_wlan0' + option acct_secret 'radius_secret' + option auth_secret 'radius_secret' + option auth_server '192.168.0.1' option device 'radio0' option encryption 'wpa3-mixed+ccmp' option ieee80211w '1' @@ -325,6 +328,10 @@ def test_parse_wpa2_enterprise_mixed_ap(self): "port": 1812, "acct_server": "192.168.0.2", "acct_port": 1813, + "acct_interval": 300, + "dae_client": "192.168.0.2", + "dae_port": 3799, + "dae_secret": "radius_secret", "nasid": "2", "wpa_group_rekey": "350", "ieee80211w": "2", @@ -345,8 +352,16 @@ def test_parse_wpa2_enterprise_mixed_ap(self): package wireless config wifi-iface 'wifi_wlan0' + option acct_interval '300' option acct_port '1813' + option acct_secret 'radius_secret' option acct_server '192.168.0.2' + option auth_port '1812' + option auth_secret 'radius_secret' + option auth_server '192.168.0.1' + option dae_client '192.168.0.2' + option dae_port '3799' + option dae_secret 'radius_secret' option device 'radio0' option encryption 'wpa3+ccmp' option ieee80211w '2' @@ -407,7 +422,11 @@ def test_parse_wpa3_enterprise(self): config wifi-iface 'wifi_wlan0' option acct_port '1813' + option acct_secret 'radius_secret' option acct_server '192.168.0.2' + option auth_port '1812' + option auth_secret 'radius_secret' + option auth_server '192.168.0.1' option device 'radio0' option encryption 'wpa2+tkip' option ifname 'wlan0' @@ -461,6 +480,9 @@ def test_parse_wpa2_enterprise(self): package wireless config wifi-iface 'wifi_wlan0' + option acct_secret 'radius_secret' + option auth_secret 'radius_secret' + option auth_server '192.168.0.1' option device 'radio0' option encryption 'wpa-mixed' option ifname 'wlan0' @@ -511,6 +533,9 @@ def test_parse_wpa_enterprise_mixed_ap(self): package wireless config wifi-iface 'wifi_wlan0' + option acct_secret 'radius_secret' + option auth_secret 'radius_secret' + option auth_server '192.168.0.1' option device 'radio0' option encryption 'wpa+ccmp' option ifname 'wlan0'