luci/protocols/luci-proto-openfortivpn/htdocs/luci-static/resources/protocol/openfortivpn.js

'use strict';
'require rpc';
'require form';
'require network';
'require tools.widgets as widgets';

var callGetCertificateFiles = rpc.declare({
	object: 'luci.openfortivpn',
	method: 'getCertificates',
	params: [ 'interface' ],
	expect: { '': {} }
});

var callSetCertificateFiles = rpc.declare({
	object: 'luci.openfortivpn',
	method: 'setCertificates',
	params: [ 'interface', 'user_cert', 'user_key', 'ca_file' ],
	expect: { '': {} }
});

network.registerPatternVirtual(/^vpn-.+$/);

function sanitizeCert(s) {
	if (typeof(s) != 'string')
		return null;

	s = s.trim();

	if (s == '')
		return null;

	s = s.replace(/\r\n?/g, '\n');

	if (!s.match(/\n$/))
		s += '\n';

	return s;
}

function validateCert(priv, section_id, value) {
	var lines = value.trim().split(/[\r\n]/),
	    start = false,
	    i;

	if (value === null || value === '')
		return true;

	for (i = 0; i < lines.length; i++) {
		if (lines[i].match(/^-{5}BEGIN ((|RSA |DSA )PRIVATE KEY|(|TRUSTED |X509 )CERTIFICATE)-{5}$/))
			start = true;
		else if (start && !lines[i].match(/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/))
			break;
	}

	if (!start || i < lines.length - 1 || !lines[i].match(/^-{5}END ((|RSA |DSA )PRIVATE KEY|(|TRUSTED |X509 )CERTIFICATE)-{5}$/))
		return _('This does not look like a valid PEM file');

	return true;
}

return network.registerProtocol('openfortivpn', {
	getI18n: function() {
		return _('OpenFortivpn');
	},

	getIfname: function() {
		return this._ubus('l3_device') || 'vpn-%s'.format(this.sid);
	},

	getOpkgPackage: function() {
		return 'openfortivpn';
	},

	isFloating: function() {
		return true;
	},

	isVirtual: function() {
		return true;
	},

	getDevices: function() {
		return null;
	},

	containsDevice: function(ifname) {
		return (network.getIfnameOf(ifname) == this.getIfname());
	},

	renderFormOptions: function(s) {
		var o;

		o = s.taboption('general', form.Value, 'peeraddr', _('VPN Server'));
		o.datatype = 'host(0)';

		o = s.taboption('general', form.Value, 'port', _('VPN Server port'));
		o.placeholder = '443';
		o.datatype = 'port';
		o.optional = true;

		s.taboption("general", form.Value, "username", _("Username"));

		o = s.taboption('general', form.Value, 'password', _('Password'));
		o.password = true;

		o = s.taboption('general', form.TextValue, 'user_cert', _('User certificate (PEM encoded)'));
		o.rows = 10;
		o.monospace = true;
		o.validate = L.bind(validateCert, o, false);
		o.load = function(section_id) {
			var certLoadPromise = certLoadPromise || callGetCertificateFiles(section_id);
			return certLoadPromise.then(function(certs) { return certs.user_cert });
		};
		o.write = function(section_id, value) {
			return callSetCertificateFiles(section_id, sanitizeCert(value), null, null);
		};

		o = s.taboption('general', form.TextValue, 'user_key', _('User key (PEM encoded)'));
		o.rows = 10;
		o.monospace = true;
		o.validate = L.bind(validateCert, o, true);
		o.load = function(section_id) {
			var certLoadPromise = certLoadPromise || callGetCertificateFiles(section_id);
			return certLoadPromise.then(function(certs) { return certs.user_key });
		};
		o.write = function(section_id, value) {
			return callSetCertificateFiles(section_id, null, sanitizeCert(value), null);
		};

		o = s.taboption('general', form.TextValue, 'ca_file', _('CA certificate (PEM encoded; Use instead of system-wide store to verify the gateway certificate.'));
		o.rows = 10;
		o.monospace = true;
		o.validate = L.bind(validateCert, o, false);
		o.load = function(section_id) {
			var certLoadPromise = certLoadPromise || callGetCertificateFiles(section_id);
			return certLoadPromise.then(function(certs) { return certs.ca_file });
		};
		o.write = function(section_id, value) {
			return callSetCertificateFiles(section_id, null, null, sanitizeCert(value));
		};

		o = s.taboption('advanced', widgets.NetworkSelect, 'tunlink', _('Bind interface'), _('Bind the tunnel to this interface (optional).'));
		o.exclude = s.section;
		o.nocreate = true;
		o.optional = true;

		o = s.taboption('advanced', form.Value, 'persist_int', _('Persistent reconnect interval'), _("Optional, in seconds. If set to '0', no reconnect is attempted."));
		o.placeholder = '0';
		o.datatype = 'uinteger';
		o.optional = true;

		o = s.taboption('advanced', form.Value, 'trusted_cert', _("VPN Server certificate's SHA256 hash"));
		o.datatype = 'and(hexstring,length(64))'
		o.optional = true;

		o = s.taboption('advanced', form.Flag, 'defaultroute', _('Use default gateway'), _('If unchecked, no default route is configured'));
		o.default = o.enabled;
		o.optional = true;

		o = s.taboption('advanced', form.Flag, 'peerdns', _('Use DNS servers advertised by peer'), _('If unchecked, the advertised DNS server addresses are ignored'));
		o.default = o.enabled;
		o.optional = true;

		o = s.taboption('advanced', form.Value, 'metric', _('Use gateway metric'));
		o.placeholder = '0';
		o.datatype = 'uinteger';
		o.optional = true;

		o = s.taboption("advanced", form.Value, 'local_ip', _("Local IP address"));
		o.placeholder = '192.168.0.5'
		o.dataype = 'ipaddr'
		o.optional = true;

	}
});
luci-proto-openfortivpn: add luci interface for openfortivpn Signed-off-by: Aaron Goodman <aaronjg@stanford.edu> 2020-06-14 15:59:15 +00:00			`'use strict';`
			`'require rpc';`
			`'require form';`
			`'require network';`
			`'require tools.widgets as widgets';`

luci-proto-openfortivpn: add user, key, CA PEM support Add PEM inputs and file handling for user cert, key and CA cert. This handling is largely based upon that used in luci-proto-openconnect. Signed-off-by: Matthew Hagan <mnhagan88@gmail.com> 2021-10-14 19:05:31 +00:00			`var callGetCertificateFiles = rpc.declare({`
			`object: 'luci.openfortivpn',`
			`method: 'getCertificates',`
			`params: [ 'interface' ],`
			`expect: { '': {} }`
			`});`

			`var callSetCertificateFiles = rpc.declare({`
			`object: 'luci.openfortivpn',`
			`method: 'setCertificates',`
			`params: [ 'interface', 'user_cert', 'user_key', 'ca_file' ],`
			`expect: { '': {} }`
			`});`

luci-proto-openfortivpn: add luci interface for openfortivpn Signed-off-by: Aaron Goodman <aaronjg@stanford.edu> 2020-06-14 15:59:15 +00:00			`network.registerPatternVirtual(/^vpn-.+$/);`

luci-proto-openfortivpn: add user, key, CA PEM support Add PEM inputs and file handling for user cert, key and CA cert. This handling is largely based upon that used in luci-proto-openconnect. Signed-off-by: Matthew Hagan <mnhagan88@gmail.com> 2021-10-14 19:05:31 +00:00			`function sanitizeCert(s) {`
			`if (typeof(s) != 'string')`
			`return null;`

			`s = s.trim();`

			`if (s == '')`
			`return null;`

			`s = s.replace(/\r\n?/g, '\n');`

			`if (!s.match(/\n$/))`
			`s += '\n';`

			`return s;`
			`}`

			`function validateCert(priv, section_id, value) {`
			`var lines = value.trim().split(/[\r\n]/),`
			`start = false,`
			`i;`

			`if (value === null \|\| value === '')`
			`return true;`

			`for (i = 0; i < lines.length; i++) {`
			`if (lines[i].match(/^-{5}BEGIN ((\|RSA \|DSA )PRIVATE KEY\|(\|TRUSTED \|X509 )CERTIFICATE)-{5}$/))`
			`start = true;`
			`else if (start && !lines[i].match(/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==\|[A-Za-z0-9+\/]{3}=)?$/))`
			`break;`
			`}`

			`if (!start \|\| i < lines.length - 1 \|\| !lines[i].match(/^-{5}END ((\|RSA \|DSA )PRIVATE KEY\|(\|TRUSTED \|X509 )CERTIFICATE)-{5}$/))`
			`return _('This does not look like a valid PEM file');`

			`return true;`
			`}`
luci-proto-openfortivpn: add luci interface for openfortivpn Signed-off-by: Aaron Goodman <aaronjg@stanford.edu> 2020-06-14 15:59:15 +00:00
			`return network.registerProtocol('openfortivpn', {`
			`getI18n: function() {`
			`return _('OpenFortivpn');`
			`},`

			`getIfname: function() {`
			`return this._ubus('l3_device') \|\| 'vpn-%s'.format(this.sid);`
			`},`

			`getOpkgPackage: function() {`
			`return 'openfortivpn';`
			`},`

			`isFloating: function() {`
			`return true;`
			`},`

			`isVirtual: function() {`
			`return true;`
			`},`

			`getDevices: function() {`
			`return null;`
			`},`

			`containsDevice: function(ifname) {`
			`return (network.getIfnameOf(ifname) == this.getIfname());`
			`},`

			`renderFormOptions: function(s) {`
			`var o;`

luci-proto-openfortivpn: update config option names update config option names for openfortivpn version 1.14-1-8 Signed-off-by: Aaron Goodman <aaronjg@stanford.edu> 2020-08-27 01:54:06 +00:00			`o = s.taboption('general', form.Value, 'peeraddr', _('VPN Server'));`
luci-proto-openfortivpn: add luci interface for openfortivpn Signed-off-by: Aaron Goodman <aaronjg@stanford.edu> 2020-06-14 15:59:15 +00:00			`o.datatype = 'host(0)';`

			`o = s.taboption('general', form.Value, 'port', _('VPN Server port'));`
			`o.placeholder = '443';`
			`o.datatype = 'port';`
			`o.optional = true;`

			`s.taboption("general", form.Value, "username", _("Username"));`

			`o = s.taboption('general', form.Value, 'password', _('Password'));`
			`o.password = true;`

luci-proto-openfortivpn: add user, key, CA PEM support Add PEM inputs and file handling for user cert, key and CA cert. This handling is largely based upon that used in luci-proto-openconnect. Signed-off-by: Matthew Hagan <mnhagan88@gmail.com> 2021-10-14 19:05:31 +00:00			`o = s.taboption('general', form.TextValue, 'user_cert', _('User certificate (PEM encoded)'));`
			`o.rows = 10;`
			`o.monospace = true;`
			`o.validate = L.bind(validateCert, o, false);`
			`o.load = function(section_id) {`
			`var certLoadPromise = certLoadPromise \|\| callGetCertificateFiles(section_id);`
			`return certLoadPromise.then(function(certs) { return certs.user_cert });`
			`};`
			`o.write = function(section_id, value) {`
			`return callSetCertificateFiles(section_id, sanitizeCert(value), null, null);`
			`};`

			`o = s.taboption('general', form.TextValue, 'user_key', _('User key (PEM encoded)'));`
			`o.rows = 10;`
			`o.monospace = true;`
			`o.validate = L.bind(validateCert, o, true);`
			`o.load = function(section_id) {`
			`var certLoadPromise = certLoadPromise \|\| callGetCertificateFiles(section_id);`
			`return certLoadPromise.then(function(certs) { return certs.user_key });`
			`};`
			`o.write = function(section_id, value) {`
			`return callSetCertificateFiles(section_id, null, sanitizeCert(value), null);`
			`};`

			`o = s.taboption('general', form.TextValue, 'ca_file', _('CA certificate (PEM encoded; Use instead of system-wide store to verify the gateway certificate.'));`
			`o.rows = 10;`
			`o.monospace = true;`
			`o.validate = L.bind(validateCert, o, false);`
			`o.load = function(section_id) {`
			`var certLoadPromise = certLoadPromise \|\| callGetCertificateFiles(section_id);`
			`return certLoadPromise.then(function(certs) { return certs.ca_file });`
			`};`
			`o.write = function(section_id, value) {`
			`return callSetCertificateFiles(section_id, null, null, sanitizeCert(value));`
			`};`

luci-proto-openfortivpn: update config option names update config option names for openfortivpn version 1.14-1-8 Signed-off-by: Aaron Goodman <aaronjg@stanford.edu> 2020-08-27 01:54:06 +00:00			`o = s.taboption('advanced', widgets.NetworkSelect, 'tunlink', _('Bind interface'), _('Bind the tunnel to this interface (optional).'));`
luci-proto-openfortivpn: add luci interface for openfortivpn Signed-off-by: Aaron Goodman <aaronjg@stanford.edu> 2020-06-14 15:59:15 +00:00			`o.exclude = s.section;`
			`o.nocreate = true;`
			`o.optional = true;`

luci-proto-openfortivpn: add persistent reconnect option Add ability to specify persistent reconnection interval. Signed-off-by: Matthew Hagan <mnhagan88@gmail.com> 2021-10-16 12:28:46 +00:00			`o = s.taboption('advanced', form.Value, 'persist_int', _('Persistent reconnect interval'), _("Optional, in seconds. If set to '0', no reconnect is attempted."));`
			`o.placeholder = '0';`
			`o.datatype = 'uinteger';`
			`o.optional = true;`

luci-proto-openfortivpn: Correct server certificate SHA label According to the documentation[1], the SHA256 hash is used for the trusted-cert option, not SHA1. [1] https://github.com/adrienverge/openfortivpn/blob/master/doc/openfortivpn.1.in Signed-off-by: Matthew Hagan <mnhagan88@gmail.com> 2021-10-16 17:12:20 +00:00			`o = s.taboption('advanced', form.Value, 'trusted_cert', _("VPN Server certificate's SHA256 hash"));`
luci-proto-openfortivpn: add luci interface for openfortivpn Signed-off-by: Aaron Goodman <aaronjg@stanford.edu> 2020-06-14 15:59:15 +00:00			`o.datatype = 'and(hexstring,length(64))'`
			`o.optional = true;`

luci-proto-openfortivpn: add default route, remove disabled, update text Signed-off-by: Aaron Goodman <aaronjg@stanford.edu> 2020-07-29 04:43:05 +00:00			`o = s.taboption('advanced', form.Flag, 'defaultroute', _('Use default gateway'), _('If unchecked, no default route is configured'));`
			`o.default = o.enabled;`
			`o.optional = true;`

			`o = s.taboption('advanced', form.Flag, 'peerdns', _('Use DNS servers advertised by peer'), _('If unchecked, the advertised DNS server addresses are ignored'));`
luci-proto-openfortivpn: add luci interface for openfortivpn Signed-off-by: Aaron Goodman <aaronjg@stanford.edu> 2020-06-14 15:59:15 +00:00			`o.default = o.enabled;`
			`o.optional = true;`

			`o = s.taboption('advanced', form.Value, 'metric', _('Use gateway metric'));`
			`o.placeholder = '0';`
			`o.datatype = 'uinteger';`
			`o.optional = true;`

			`o = s.taboption("advanced", form.Value, 'local_ip', _("Local IP address"));`
			`o.placeholder = '192.168.0.5'`
			`o.dataype = 'ipaddr'`
			`o.optional = true;`

			`}`
			`});`