From b3249c382735f2e97b9ab7c19b01e4eef48f93a9 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sun, 5 Feb 2017 22:47:16 +0100 Subject: [PATCH] security/acme-client: make HAProxy integration optional --- .../AcmeClient/Api/SettingsController.php | 9 +++- .../OPNsense/AcmeClient/forms/settings.xml | 2 +- .../models/OPNsense/AcmeClient/AcmeClient.php | 49 +++++++++++++++++++ .../models/OPNsense/AcmeClient/AcmeClient.xml | 2 +- 4 files changed, 58 insertions(+), 4 deletions(-) diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php index 8ba96ebb2..b62ce4f80 100644 --- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php +++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php @@ -34,7 +34,6 @@ use \OPNsense\Core\Backend; use \OPNsense\Cron\Cron; use \OPNsense\Core\Config; use \OPNsense\Base\UIModelGrid; -use \OPNsense\HAProxy\HAProxy; use \OPNsense\AcmeClient\AcmeClient; /** 
@@ -125,12 +124,18 @@ class SettingsController extends ApiMutableModelControllerBase if ($this->request->isPost()) { $mdlAcme = $this->getModel(); + // Check if the required plugin is installed + if ((string)$mdlAcme->isPluginInstalled('os-haproxy') != "1") { + $this->getLogger()->error("LE check: HAProxy plugin is NOT installed, skipping integration"); + return($result); + } + // Setup only if AcmeClient and HAProxy integration is enabled. // NOTE: We provide HAProxy integration no matter if the HAProxy plugin // is actually enabled or not. This should avoid confusion. if ((string)$mdlAcme->settings->haproxyIntegration == "1" and (string)$mdlAcme->settings->enabled == "1") { - $mdlHAProxy = new HAProxy(); + $mdlHAProxy = new \OPNsense\HAProxy\HAProxy(); $backend = new Backend(); // Get current status of HAProxy integration by running various checks. diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml index 561bb9244..65afd3a4f 100644 --- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml +++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml @@ -21,7 +21,7 @@ acmeclient.settings.haproxyIntegration checkbox - NOTE:This will only work for HTTP-01 validation and HAProxy frontends running in http mode; TCP frontends are not supported.]]> + Requires that the OPNsense HAProxy plugin is installed. This will automatically add the required backend, server, action and ACL for you. You just need to select your HAProxy frontend when configuration the certificate or validation method.
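Review bot: The new plugin check sits before the `haproxyIntegration`/`enabled` test, so on a system without os-haproxy every POST to this action writes an error-level log line and returns early, even when the integration is switched off (apparently the new default, judging by the 1 → 0 change in AcmeClient.xml). Moving the check inside the existing `if (... haproxyIntegration == "1" and ... enabled == "1")` branch, or logging it below error level, keeps the error log meaningful for whoever monitors it. The test `(string)$mdlAcme->isPluginInstalled('os-haproxy') != "1"` also depends on the method returning 1/0 although its docblock promises bool; `if (!$mdlAcme->isPluginInstalled('os-haproxy'))` works with either. The enclosing action starts and ends outside the hunk.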
NOTE:This will only work for HTTP-01 validation and HAProxy frontends running in http mode; TCP frontends are not supported.
]]>
acmeclient.settings.challengePort diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php index e1403431a..16452ee88 100644 --- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php +++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php @@ -30,6 +30,7 @@ namespace OPNsense\AcmeClient; use OPNsense\Base\BaseModel; +use OPNsense\Core\Backend; /** * Class AcmeClient 
@@ -88,4 +89,52 @@ class AcmeClient extends BaseModel return null; } + /** + * check if the specfied plugin is installed + * @param $name plugin/package name + * @return bool is the plugin installed + */ + public function isPluginInstalled($name) + { + // NOTE: Based on infoAction() from Core/Api/FirmwareController.php + // FIXME: Should be replaced by a Core function sooner or later. + + $backend = new Backend(); + $keys = array('name', 'version', 'comment', 'flatsize', 'locked', 'license'); + $plugins = array(); + + // Only check local package data for performance reasons + $current = $backend->configdRun("firmware local"); + $current = explode("\n", trim($current)); + + foreach ($current as $line) { + /* package infos are flat lists with 3 pipes as delimiter */ + $expanded = explode('|||', $line); + $translated = array(); + $index = 0; + if (count($expanded) != count($keys)) { + continue; + } + foreach ($keys as $key) { + $translated[$key] = $expanded[$index++]; + } + + /* mark local packages as "installed" */ + $translated['installed'] = "1"; + + /* figure out local and remote plugins */ + $plugin = explode('-', $translated['name']); + if (count($plugin)) { + if ($plugin[0] == 'os' || $plugin[0] == 'ospriv') { + $plugins[$translated['name']] = $translated; + } + } + } + + if (isset($plugins[$name]) and $plugins[$name]['installed'] == "1") { + return 1; // TRUE, is installed + } else { + return 0; // FALSE, is not installed + } + } } diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml index e6eec8acf..dd011e54a 100644 --- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml +++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml @@ -44,7 +44,7 @@ Y - 1 + 0 N
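Review bot: `isPluginInstalled()` is documented as `@return bool` but returns the integers 1 and 0, and it builds a map of every os-/ospriv- package only to look up a single name. Two of its checks are dead: `count($plugin)` is never 0 after `explode()`, and the `installed` key is set to "1" and then tested in the same function. The result fails closed (an empty or malformed `firmware local` reply matches nothing and yields 0), which is the right behaviour for a check that gates the HAProxy integration and deserves a comment. The shorter body below returns on the first matching line and keeps the 1/0 return, so the string comparison in SettingsController still works.

```php
    public function isPluginInstalled($name)
    {
        // … unchanged: NOTE/FIXME comments …
        // only os-* and ospriv-* packages count as plugins
        $prefix = explode('-', (string)$name)[0];
        if ($prefix !== 'os' && $prefix !== 'ospriv') {
            return 0; // FALSE, is not installed
        }

        // Only check local package data for performance reasons
        $backend = new Backend();
        $current = explode("\n", trim((string)$backend->configdRun("firmware local")));

        foreach ($current as $line) {
            /* name|||version|||comment|||flatsize|||locked|||license */
            $fields = explode('|||', $line);
            // a malformed or empty reply never matches, so the check fails closed
            if (count($fields) === 6 && $fields[0] === $name) {
                return 1; // TRUE, is installed
            }
        }
        return 0; // FALSE, is not installed
    }
```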