[people/ms/network.git] / src / functions / functions.vpn-security-policies

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2017  IPFire Network Development Team                         #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

VPN_SECURITY_POLICIES_CONFIG_SETTINGS="CIPHER COMPRESSION GROUP_TYPE INTEGRITY KEY_EXCHANGE LIFETIME PFS"
VPN_SECURITY_POLICIES_READONLY="system"

VPN_DEFAULT_SECURITY_POLICY="system"

VPN_SUPPORTED_CIPHERS="AES192 AES256 AES512"
VPN_SUPPORTED_INTEGRITY="SHA512 SHA256 SHA128"
VPN_SUPPORTED_GROUP_TYPES="MODP8192 MODP4096"

# This functions checks if a policy is readonly
# returns true when yes and false when no
vpn_security_policies_check_readonly() {
	if isoneof name ${VPN_SECURITY_POLICIES_READONLY}; then
		return ${EXIT_TRUE}
	else
		return ${EXIT_FALSE}
	fi
}

# This function writes all values to a via ${name} specificated vpn security policy configuration file
vpn_security_policies_write_config() {
	assert [ $# -ge 1 ]

	local name="${1}"

	if ! vpn_security_policy_exists "${name}"; then
		log ERROR "No such vpn security policy: ${name}"
		return ${EXIT_ERROR}
	fi

	if vpn_security_policies_check_readonly "${name}"; then
		log ERROR "The ${name} vpn security policy cannot be changed."
		return ${EXIT_ERROR}
	fi

	local path="$(vpn_security_policies_path "${name}")"
	if [ ! -w ${path} ]; then
		log ERROR "${path} is not writeable"
		return ${EXIT_ERROR}
	fi

	if ! settings_write "${path}" ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}; then
		log ERROR "Could not write configuration settings for vpn security policy ${name}"
		return ${EXIT_ERROR}
	fi

	# TODO everytime we successfully write a config we should call some trigger to take the changes into effect
}

# This funtion writes the value for one key to a via ${name} specificated vpn security policy configuration file
vpn_security_policies_write_config_key() {
	assert [ $# -ge 3 ]

	local name=${1}
	local key=${2}
	shift 2

	local value="$@"

	if ! vpn_security_policy_exists "${name}"; then
		log ERROR "No such vpn security policy: ${name}"
		return ${EXIT_ERROR}
	fi

	log DEBUG "Set '${key}' to new value '${value}' in vpn security policy ${name}"

	local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}

	# Read the config settings
	if ! vpn_security_policies_read_config "${name}"; then
		return ${EXIT_ERROR}
	fi

	# Set the key to a new value
	assign "${key}" "${value}"

	if ! vpn_security_policies_write_config "${name}"; then
		return ${EXIT_ERROR}
	fi

	return ${EXIT_TRUE}
}

# Reads one or more keys out of a settings file or all if no key is provided.
vpn_security_policies_read_config() {
	assert [ $# -ge 1 ]

	local name="${1}"
	shift 1

	if ! vpn_security_policy_exists "${name}"; then
		log ERROR "No such vpn security policy: ${name}"
		return ${EXIT_ERROR}
	fi


	local args
	if [ $# -eq 0 ] && [ -n "${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}" ]; then
		list_append args ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
	else
		list_append args $@
	fi

	local path="$(vpn_security_policies_path ${name})"

	if ! settings_read "${path}" ${args}; then
		log ERROR "Could not read settings for vpn security policy ${name}"
		return ${EXIT_ERROR}
	fi
}

# Returns the path to a the configuration fora given name
vpn_security_policies_path() {
	assert [ $# -eq 1 ]

	local name=${1}

	if vpn_security_policies_check_readonly "${name}"; then
		echo "${NETWORK_SHARE_DIR}/vpn/security-policies/${name}"
	else
		echo "${NETWORK_CONFIG_DIR}/vpn/security-policies/${name}"
	fi
}

# Print the content of a vpn security policy configuration file in a nice way
vpn_security_policies_show() {
	assert [ $# -eq 1 ]

	local name=${1}

	local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
	if ! vpn_security_policies_read_config ${name}; then
		return ${EXIT_ERROR}
	fi

	cli_print_fmt1 0 "Security Policy: ${name}"
	cli_space

	# This could be done in a loop but a loop is much more complicated
	# because we print 'Group Types' but the variable is named 'GROUP_TYPES'
	cli_print_fmt1 1 "Ciphers:"
	cli_print_fmt1 2 "${CIPHER}"
	cli_space

	cli_print_fmt1 1 "Integrity:"
	cli_print_fmt1 2 "${INTEGRITY}"
	cli_space

	cli_print_fmt1 1 "Group Types:"
	cli_print_fmt1 2 "${GROUP_TYPE}"
	cli_space

	cli_print_fmt1 1 "Key Exchange:" "${KEY_EXCHANGE}"

	# Key Lifetime
	if isinteger LIFETIME && [ ${LIFETIME} -gt 0 ]; then
		cli_print_fmt1 1 "Key Lifetime:" "$(format_time ${LIFETIME})"
	else
		log ERROR "The value for Key Lifetime is not a valid integer greater zero."
	fi

	# PFS
	if enabled PFS; then
		cli_print_fmt1 1 "Perfect Forward Secrecy:" "enabled"
	else
		cli_print_fmt1 1 "Perfect Forward Secrecy:" "disabled"
	fi
	cli_space

	# Compression
	if enabled COMPRESSION; then
		cli_print_fmt1 1 "Compression:" "enabled"
	else
		cli_print_fmt1 1 "Compression:" "disabled"
	fi
	cli_space
}

# This function checks if a vpn security policy exists
# Returns True when yes and false when not
vpn_security_policy_exists() {
	assert [ $# -eq 1 ]

	local name=${1}

	local path=$(vpn_security_policies_path "${name}")

	[ -f ${path} ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
}


# This function parses the parameters for the 'cipher' command
vpn_security_policies_cipher(){
	local name=${1}
	shift

	if [ $# -eq 0 ]; then
		log ERROR "You must pass at least one value after cipher"
		return ${EXIT_ERROR}
	fi

	local CIPHER
	if ! vpn_security_policies_read_config ${name} "CIPHER"; then
		return ${EXIT_ERROR}
	fi

	# Remove duplicated entries to proceed the list safely
	CIPHER="$(list_unique ${CIPHER})"

	while [ $# -gt 0 ]; do
		case "${1}" in
			-*)
				value=${1#-}
				# Check if the cipher is in the list of ciphers and
				# check if the list has after removing this cipher at least one valid value
				if list_match ${value} ${CIPHER}; then
					list_remove CIPHER ${value}
				else
					# We do not break here because this error does not break the processing of the next maybe valid values.
					log ERROR "Can not remove ${value} from the list of Ciphers because ${value} is not in the list."
				fi
				;;
			+*)
				value=${1#+}
				# Check if the Ciphers is in the list of supported ciphers.
				if ! isoneof value ${VPN_SUPPORTED_CIPHERS}; then
					# We do not break here because this error does not break the processing of the next maybe valid values.
					log ERROR "${value} is not a supported cipher and can thats why not added to the list of ciphers."
				else
					if list_match ${value} ${CIPHER}; then
						log WARNING "${value} is already in the list of ciphers of this policy."
					else
						list_append CIPHER ${value}
					fi
				fi
				;;
		esac
		shift
	done

	# Check if the list contain at least one valid cipher
	if [ $(list_length ${CIPHER}) -ge 1 ]; then
		if ! vpn_security_policies_write_config_key ${name} "CIPHER" ${CIPHER}; then
			log ERROR "The changes for the vpn security policy ${name} could not be written."
		fi
	else
		log ERROR "After proceding all ciphers the list is empty and thats why no changes are written."
		return ${EXIT_ERROR}
	fi
}

# This function parses the parameters for the 'compression' command
vpn_security_policies_compression(){
	local name=${1}
	local value=${2}

	# Check if we get only one argument after compression <name>
	if [ ! $# -eq 2 ]; then
		log ERROR "The number of arguments do not match. Only one argument after compression is allowed."
		return ${EXIT_ERROR}
	fi

	if ! isbool value; then
		# We suggest only two values to avoid overburding the user.
		log ERROR "Invalid Argument ${value}"
		return ${EXIT_ERROR}
	fi

	vpn_security_policies_write_config_key "${name}" "COMPRESSION" "${value}"
}

# This function parses the parameters for the 'group-type' command
vpn_security_policies_group_type(){
	local name=${1}
	shift

	if [ $# -eq 0 ]; then
		log ERROR "You must pass at least one value after group-type"
		return ${EXIT_ERROR}
	fi

	local GROUP_TYPE
	if ! vpn_security_policies_read_config ${name} "GROUP_TYPE"; then
		return ${EXIT_ERROR}
	fi

	# Remove duplicated entries to proceed the list safely
	GROUP_TYPE="$(list_unique ${GROUP_TYPE})"

	while [ $# -gt 0 ]; do
		case "${1}" in
			-*)
				value=${1#-}
				# Check if the group type is in the list of group types and
				# check if the list has after removing this group type at leatst one valid value
				if list_match ${value} ${GROUP_TYPE}; then
					list_remove GROUP_TYPE ${value}
				else
					# We do not break here because this error does not break the processing of the next maybe valid values.
					log ERROR "Can not remove ${value} from the list of group types because ${value} is not in the list."
				fi
				;;
			+*)
				value=${1#+}
				# Check if the group type is in the list of supported group types.
				if ! isoneof value ${VPN_SUPPORTED_GROUP_TYPES}; then
					# We do not break here because the processing of other maybe valid values are indepent from this error.
					log ERROR "${value} is not a supported group type and can thats why not added to the list of group types."
				else
					if list_match ${value} ${GROUP_TYPE}; then
						log WARNING "${value} is already in the list of group-types of this policy."
					else
						list_append GROUP_TYPE ${value}
					fi
				fi
				;;
		esac
		shift
	done

	# Check if the list contain at least one valid group-type
	if [ $(list_length ${GROUP_TYPE}) -ge 1 ]; then
		if ! vpn_security_policies_write_config_key ${name} "GROUP_TYPE" ${GROUP_TYPE}; then
			log ERROR "The changes for the vpn security policy ${name} could not be written."
		fi
	else
		log ERROR "After proceding all group types the list is empty and thats why no changes are written."
		return ${EXIT_ERROR}
	fi
}

# This function parses the parameters for the 'integrity' command
vpn_security_policies_integrity(){
	local name=${1}
	shift

	if [ $# -eq 0 ]; then
		log ERROR "You must pass at least one value after integrity."
		return ${EXIT_ERROR}
	fi

	local INTEGRITY
	if ! vpn_security_policies_read_config ${name} "INTEGRITY"; then
		return ${EXIT_ERROR}
	fi

	# Remove duplicated entries to proceed the list safely
	INTEGRITY="$(list_unique ${INTEGRITY})"

	while [ $# -gt 0 ]; do
		case "${1}" in
			-*)
				value=${1#-}
				# Check if the integrity hash is in the list of integrity hashes and
				# check if the list has after removing this  integrity hash at least one valid value
				if list_match ${value} ${INTEGRITY}; then
					list_remove INTEGRITY ${value}
				else
					# We do not break here because the processing of other maybe valid values are indepent from this error.
					log ERROR "Can not remove ${value} from the list of integrity hashes because ${value} is not in the list."
				fi
				;;
			+*)
				value=${1#+}
				# Check if the Ciphers is in the list of supported integrity hashes.
				if ! isoneof value ${VPN_SUPPORTED_INTEGRITY}; then
					# We do not break here because the processing of other maybe valid values are indepent from this error.
					log ERROR "${value} is not a supported integrity hash and can thats why not added to the list of integrity hashes."
				else
					if list_match ${value} ${INTEGRITY}; then
						log WARNING "${value} is already in the list of integrety hashes of this policy."
					else
						list_append INTEGRITY ${value}
					fi
				fi
				;;
		esac
		shift
	done

	# Check if the list contain at least one valid group-type
	if [ $(list_length ${INTEGRITY}) -ge 1 ]; then
		if ! vpn_security_policies_write_config_key ${name} "INTEGRITY" ${INTEGRITY}; then
			log ERROR "The changes for the vpn security policy ${name} could not be written."
		fi
	else
		log ERROR "After proceding all integrity hashes the list is empty and thats why no changes are written."
		return ${EXIT_ERROR}
	fi
}

# This function parses the parameters for the 'key-exchange' command
vpn_security_policies_key_exchange() {
	local name=${1}
	local value=${2}

	# Check if we get only one argument after key-exchange <name>
	if [ ! $# -eq 2 ]; then
		log ERROR "The number of arguments do not match. Only argument after key-exchange is allowed."
		return ${EXIT_ERROR}
	fi

	if ! isoneof value "ikev1" "ikev2" "IKEV1" "IKEV2"; then
		log ERROR "Invalid Argument ${value}"
		return ${EXIT_ERROR}
	fi

	vpn_security_policies_write_config_key "${name}" "KEY_EXCHANGE" "${value,,}"
}

# This function parses the parameters for the 'lifetime' command.
vpn_security_policies_lifetime(){
	local name=${1}
	shift

	local value=$@

	# Check if we get only one argument after lifetime <name>
	if [ ! $# -ge 1 ]; then
		log ERROR "The number of arguments do not match you must provide at least one integer value or a valid time with the format  <hours>h <minutes>m <seconds>s"
		return ${EXIT_ERROR}
	fi

	if ! isinteger value; then
		value=$(parse_time $@)
		if [ ! $? -eq 0 ]; then
			log ERROR "Parsing the passed time was not sucessful please check the passed values."
			return ${EXIT_ERROR}
		fi
	fi

	if [ ${value} -le 0 ]; then
		log ERROR "The passed time value must be in the sum greater zero seconds."
		return ${EXIT_ERROR}
	fi

	vpn_security_policies_write_config_key "${name}" "LIFETIME" "${value}"
}

# This function parses the parameters for the 'pfs' command
vpn_security_policies_pfs(){
	local name=${1}
	local value=${2}

	# Check if we get only one argument after pfs <name>
	if [ ! $# -eq 2 ]; then
		log ERROR "The number of arguments do not match. Only argument after pfs is allowed."
		return ${EXIT_ERROR}
	fi

	if [ ! $# -eq 2 ] || ! isbool value; then
		# We suggest only two values to avoid overburding the user.
		log ERROR "Invalid Argument ${value}"
		return ${EXIT_ERROR}
	fi

	vpn_security_policies_write_config_key "${name}" "PFS" "${value}"
}

# This function checks if a vpn security policy name is valid
# Allowed are only A-Za-z0-9
vpn_security_policies_check_name() {
	assert [ $# -eq 1 ]

	local name=${1}

	[[ ${name} =~ [^[:alnum:]$] ]]
}

# Function that creates based on the paramters one ore more new vpn security policies
vpn_security_policies_new() {
	if [ $# -gt 1 ]; then
		error "Too many arguments"
		return ${EXIT_ERROR}
	fi

	local name="${1}"
	if ! isset name; then
		error "Please provide a name"
		return ${EXIT_ERROR}
	fi

	# Check for duplicates
	if vpn_security_policy_exists "${name}"; then
		error "The VPN security policy with name ${name} already exists"
		return ${EXIT_ERROR}
	fi

	# Check if name is valid
	if  vpn_security_policies_check_name "${name}"; then
		error "'${name}' contains illegal characters"
		return ${EXIT_ERROR}
	fi

	# Check if we have a read-only policy with the same name
	if vpn_security_policies_check_readonly "${name}"; then
		error "The VPN security policy ${name} is read-only"
		return ${EXIT_ERROR}
	fi

	# Check if our source policy exists
	if ! vpn_security_policy_exists "${VPN_DEFAULT_SECURITY_POLICY}"; then
		error "Default VPN Security Policy '${VPN_DEFAULT_SECURITY_POLICY}' does not exist"
		return ${EXIT_ERROR}
	fi

	log DEBUG "Creating VPN Security Policy ${name}"

	if copy "$(vpn_security_policies_path "${VPN_DEFAULT_SECURITY_POLICY}")" "$(vpn_security_policies_path ${name})"; then
		log INFO "VPN Security Policy ${name} successfully created"
	else
		log ERROR "Could not create VPN Security Policy ${name}"
		return ${EXIT_ERROR}
	fi

	# Show the newly created policy
	vpn_security_policies_show "${name}"
}

# Function that deletes based on the passed parameters one ore more vpn security policies
vpn_security_policies_destroy() {
	local name
	for name in $@; do
		if ! vpn_security_policy_exists ${name}; then
			log ERROR "The vpn security policy ${name} does not exist."
			continue
		fi

		if vpn_security_policies_check_readonly ${name}; then
			log ERROR "The vpn security policy ${name} cannot be deleted."
			continue
		fi

		log DEBUG "Deleting vpn security policy ${name}"
		settings_remove $(vpn_security_policies_path ${name})
	done
}
Commit	Line	Data
3eae7bed JS	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2017 IPFire Network Development Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	VPN_SECURITY_POLICIES_CONFIG_SETTINGS="CIPHER COMPRESSION GROUP_TYPE INTEGRITY KEY_EXCHANGE LIFETIME PFS"
	23	VPN_SECURITY_POLICIES_READONLY="system"
	24
6fdbda80 MT	25	VPN_DEFAULT_SECURITY_POLICY="system"
6fdbda80 MT	26
3eae7bed JS	27	VPN_SUPPORTED_CIPHERS="AES192 AES256 AES512"
	28	VPN_SUPPORTED_INTEGRITY="SHA512 SHA256 SHA128"
	29	VPN_SUPPORTED_GROUP_TYPES="MODP8192 MODP4096"
	30
6740c9c5 MT	31	# This functions checks if a policy is readonly
6740c9c5 MT	32	# returns true when yes and false when no
3eae7bed	33	vpn_security_policies_check_readonly() {
3eae7bed JS	34	if isoneof name ${VPN_SECURITY_POLICIES_READONLY}; then
	35	return ${EXIT_TRUE}
	36	else
	37	return ${EXIT_FALSE}
	38	fi
	39	}
	40
6740c9c5	41	# This function writes all values to a via ${name} specificated vpn security policy configuration file
3eae7bed	42	vpn_security_policies_write_config() {
3eae7bed JS	43	assert [ $# -ge 1 ]
	44
	45	local name="${1}"
	46
6740c9c5	47	if ! vpn_security_policy_exists "${name}"; then
3eae7bed JS	48	log ERROR "No such vpn security policy: ${name}"
	49	return ${EXIT_ERROR}
	50	fi
	51
6740c9c5	52	if vpn_security_policies_check_readonly "${name}"; then
3eae7bed JS	53	log ERROR "The ${name} vpn security policy cannot be changed."
	54	return ${EXIT_ERROR}
	55	fi
	56
6740c9c5	57	local path="$(vpn_security_policies_path "${name}")"
3eae7bed JS	58	if [ ! -w ${path} ]; then
	59	log ERROR "${path} is not writeable"
	60	return ${EXIT_ERROR}
	61	fi
	62
	63	if ! settings_write "${path}" ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}; then
	64	log ERROR "Could not write configuration settings for vpn security policy ${name}"
	65	return ${EXIT_ERROR}
	66	fi
	67
	68	# TODO everytime we successfully write a config we should call some trigger to take the changes into effect
	69	}
	70
6740c9c5	71	# This funtion writes the value for one key to a via ${name} specificated vpn security policy configuration file
3eae7bed	72	vpn_security_policies_write_config_key() {
3eae7bed	73	assert [ $# -ge 3 ]
6740c9c5	74
3eae7bed JS	75	local name=${1}
	76	local key=${2}
	77	shift 2
6740c9c5	78
3eae7bed JS	79	local value="$@"
3eae7bed JS	80
6740c9c5	81	if ! vpn_security_policy_exists "${name}"; then
3eae7bed JS	82	log ERROR "No such vpn security policy: ${name}"
	83	return ${EXIT_ERROR}
	84	fi
	85
	86	log DEBUG "Set '${key}' to new value '${value}' in vpn security policy ${name}"
	87
	88	local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
	89
	90	# Read the config settings
6740c9c5	91	if ! vpn_security_policies_read_config "${name}"; then
3eae7bed JS	92	return ${EXIT_ERROR}
	93	fi
	94
	95	# Set the key to a new value
	96	assign "${key}" "${value}"
	97
6740c9c5	98	if ! vpn_security_policies_write_config "${name}"; then
3eae7bed JS	99	return ${EXIT_ERROR}
	100	fi
	101
	102	return ${EXIT_TRUE}
3eae7bed JS	103	}
3eae7bed JS	104
6740c9c5	105	# Reads one or more keys out of a settings file or all if no key is provided.
3eae7bed	106	vpn_security_policies_read_config() {
3eae7bed JS	107	assert [ $# -ge 1 ]
	108
	109	local name="${1}"
	110	shift 1
	111
6740c9c5	112	if ! vpn_security_policy_exists "${name}"; then
3eae7bed JS	113	log ERROR "No such vpn security policy: ${name}"
	114	return ${EXIT_ERROR}
	115	fi
	116
	117
	118	local args
	119	if [ $# -eq 0 ] && [ -n "${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}" ]; then
	120	list_append args ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
	121	else
	122	list_append args $@
	123	fi
	124
	125	local path="$(vpn_security_policies_path ${name})"
	126
	127	if ! settings_read "${path}" ${args}; then
	128	log ERROR "Could not read settings for vpn security policy ${name}"
	129	return ${EXIT_ERROR}
	130	fi
	131	}
	132
6740c9c5	133	# Returns the path to a the configuration fora given name
3eae7bed	134	vpn_security_policies_path() {
3eae7bed	135	assert [ $# -eq 1 ]
6740c9c5	136
3eae7bed JS	137	local name=${1}
3eae7bed JS	138
6740c9c5	139	if vpn_security_policies_check_readonly "${name}"; then
3eae7bed JS	140	echo "${NETWORK_SHARE_DIR}/vpn/security-policies/${name}"
	141	else
	142	echo "${NETWORK_CONFIG_DIR}/vpn/security-policies/${name}"
	143	fi
	144	}
	145
6740c9c5	146	# Print the content of a vpn security policy configuration file in a nice way
3eae7bed	147	vpn_security_policies_show() {
3eae7bed	148	assert [ $# -eq 1 ]
6740c9c5	149
3eae7bed JS	150	local name=${1}
	151
	152	local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
3eae7bed JS	153	if ! vpn_security_policies_read_config ${name}; then
	154	return ${EXIT_ERROR}
	155	fi
	156
	157	cli_print_fmt1 0 "Security Policy: ${name}"
	158	cli_space
	159
	160	# This could be done in a loop but a loop is much more complicated
	161	# because we print 'Group Types' but the variable is named 'GROUP_TYPES'
	162	cli_print_fmt1 1 "Ciphers:"
	163	cli_print_fmt1 2 "${CIPHER}"
	164	cli_space
6740c9c5	165
3eae7bed JS	166	cli_print_fmt1 1 "Integrity:"
	167	cli_print_fmt1 2 "${INTEGRITY}"
	168	cli_space
6740c9c5	169
3eae7bed JS	170	cli_print_fmt1 1 "Group Types:"
	171	cli_print_fmt1 2 "${GROUP_TYPE}"
	172	cli_space
	173
	174	cli_print_fmt1 1 "Key Exchange:" "${KEY_EXCHANGE}"
6740c9c5 MT	175
6740c9c5 MT	176	# Key Lifetime
3eae7bed JS	177	if isinteger LIFETIME && [ ${LIFETIME} -gt 0 ]; then
	178	cli_print_fmt1 1 "Key Lifetime:" "$(format_time ${LIFETIME})"
	179	else
	180	log ERROR "The value for Key Lifetime is not a valid integer greater zero."
	181	fi
6740c9c5 MT	182
6740c9c5 MT	183	# PFS
3eae7bed JS	184	if enabled PFS; then
	185	cli_print_fmt1 1 "Perfect Forward Secrecy:" "enabled"
	186	else
	187	cli_print_fmt1 1 "Perfect Forward Secrecy:" "disabled"
	188	fi
	189	cli_space
6740c9c5 MT	190
6740c9c5 MT	191	# Compression
3eae7bed JS	192	if enabled COMPRESSION; then
	193	cli_print_fmt1 1 "Compression:" "enabled"
	194	else
	195	cli_print_fmt1 1 "Compression:" "disabled"
	196	fi
	197	cli_space
	198	}
	199
6740c9c5 MT	200	# This function checks if a vpn security policy exists
6740c9c5 MT	201	# Returns True when yes and false when not
3eae7bed	202	vpn_security_policy_exists() {
3eae7bed	203	assert [ $# -eq 1 ]
6740c9c5	204
3eae7bed JS	205	local name=${1}
3eae7bed JS	206
6740c9c5 MT	207	local path=$(vpn_security_policies_path "${name}")
	208
	209	[ -f ${path} ] && return ${EXIT_TRUE} \|\| return ${EXIT_FALSE}
3eae7bed JS	210	}
	211
	212
6740c9c5	213	# This function parses the parameters for the 'cipher' command
3eae7bed	214	vpn_security_policies_cipher(){
3eae7bed JS	215	local name=${1}
	216	shift
	217
	218	if [ $# -eq 0 ]; then
	219	log ERROR "You must pass at least one value after cipher"
	220	return ${EXIT_ERROR}
	221	fi
	222
	223	local CIPHER
3eae7bed JS	224	if ! vpn_security_policies_read_config ${name} "CIPHER"; then
	225	return ${EXIT_ERROR}
	226	fi
	227
	228	# Remove duplicated entries to proceed the list safely
	229	CIPHER="$(list_unique ${CIPHER})"
	230
	231	while [ $# -gt 0 ]; do
	232	case "${1}" in
	233	-*)
	234	value=${1#-}
	235	# Check if the cipher is in the list of ciphers and
	236	# check if the list has after removing this cipher at least one valid value
	237	if list_match ${value} ${CIPHER}; then
	238	list_remove CIPHER ${value}
	239	else
	240	# We do not break here because this error does not break the processing of the next maybe valid values.
	241	log ERROR "Can not remove ${value} from the list of Ciphers because ${value} is not in the list."
	242	fi
	243	;;
	244	+*)
	245	value=${1#+}
	246	# Check if the Ciphers is in the list of supported ciphers.
	247	if ! isoneof value ${VPN_SUPPORTED_CIPHERS}; then
	248	# We do not break here because this error does not break the processing of the next maybe valid values.
	249	log ERROR "${value} is not a supported cipher and can thats why not added to the list of ciphers."
	250	else
	251	if list_match ${value} ${CIPHER}; then
	252	log WARNING "${value} is already in the list of ciphers of this policy."
	253	else
	254	list_append CIPHER ${value}
	255	fi
	256	fi
	257	;;
	258	esac
	259	shift
	260	done
	261
	262	# Check if the list contain at least one valid cipher
	263	if [ $(list_length ${CIPHER}) -ge 1 ]; then
	264	if ! vpn_security_policies_write_config_key ${name} "CIPHER" ${CIPHER}; then
	265	log ERROR "The changes for the vpn security policy ${name} could not be written."
	266	fi
	267	else
	268	log ERROR "After proceding all ciphers the list is empty and thats why no changes are written."
	269	return ${EXIT_ERROR}
	270	fi
	271	}
	272
6740c9c5	273	# This function parses the parameters for the 'compression' command
3eae7bed	274	vpn_security_policies_compression(){
3eae7bed JS	275	local name=${1}
	276	local value=${2}
	277
	278	# Check if we get only one argument after compression <name>
	279	if [ ! $# -eq 2 ]; then
	280	log ERROR "The number of arguments do not match. Only one argument after compression is allowed."
	281	return ${EXIT_ERROR}
	282	fi
	283
	284	if ! isbool value; then
	285	# We suggest only two values to avoid overburding the user.
	286	log ERROR "Invalid Argument ${value}"
	287	return ${EXIT_ERROR}
	288	fi
	289
	290	vpn_security_policies_write_config_key "${name}" "COMPRESSION" "${value}"
	291	}
	292
6740c9c5	293	# This function parses the parameters for the 'group-type' command
3eae7bed	294	vpn_security_policies_group_type(){
3eae7bed JS	295	local name=${1}
	296	shift
	297
	298	if [ $# -eq 0 ]; then
	299	log ERROR "You must pass at least one value after group-type"
	300	return ${EXIT_ERROR}
	301	fi
	302
	303	local GROUP_TYPE
3eae7bed JS	304	if ! vpn_security_policies_read_config ${name} "GROUP_TYPE"; then
	305	return ${EXIT_ERROR}
	306	fi
	307
	308	# Remove duplicated entries to proceed the list safely
	309	GROUP_TYPE="$(list_unique ${GROUP_TYPE})"
	310
	311	while [ $# -gt 0 ]; do
	312	case "${1}" in
	313	-*)
	314	value=${1#-}
	315	# Check if the group type is in the list of group types and
	316	# check if the list has after removing this group type at leatst one valid value
	317	if list_match ${value} ${GROUP_TYPE}; then
	318	list_remove GROUP_TYPE ${value}
	319	else
	320	# We do not break here because this error does not break the processing of the next maybe valid values.
	321	log ERROR "Can not remove ${value} from the list of group types because ${value} is not in the list."
	322	fi
	323	;;
	324	+*)
	325	value=${1#+}
	326	# Check if the group type is in the list of supported group types.
	327	if ! isoneof value ${VPN_SUPPORTED_GROUP_TYPES}; then
	328	# We do not break here because the processing of other maybe valid values are indepent from this error.
	329	log ERROR "${value} is not a supported group type and can thats why not added to the list of group types."
	330	else
	331	if list_match ${value} ${GROUP_TYPE}; then
	332	log WARNING "${value} is already in the list of group-types of this policy."
	333	else
	334	list_append GROUP_TYPE ${value}
	335	fi
	336	fi
	337	;;
	338	esac
	339	shift
	340	done
	341
	342	# Check if the list contain at least one valid group-type
	343	if [ $(list_length ${GROUP_TYPE}) -ge 1 ]; then
	344	if ! vpn_security_policies_write_config_key ${name} "GROUP_TYPE" ${GROUP_TYPE}; then
	345	log ERROR "The changes for the vpn security policy ${name} could not be written."
	346	fi
	347	else
	348	log ERROR "After proceding all group types the list is empty and thats why no changes are written."
	349	return ${EXIT_ERROR}
	350	fi
	351	}
6740c9c5 MT	352
6740c9c5 MT	353	# This function parses the parameters for the 'integrity' command
3eae7bed	354	vpn_security_policies_integrity(){
3eae7bed JS	355	local name=${1}
	356	shift
	357
	358	if [ $# -eq 0 ]; then
	359	log ERROR "You must pass at least one value after integrity."
	360	return ${EXIT_ERROR}
	361	fi
	362
	363	local INTEGRITY
3eae7bed JS	364	if ! vpn_security_policies_read_config ${name} "INTEGRITY"; then
	365	return ${EXIT_ERROR}
	366	fi
	367
	368	# Remove duplicated entries to proceed the list safely
	369	INTEGRITY="$(list_unique ${INTEGRITY})"
	370
	371	while [ $# -gt 0 ]; do
	372	case "${1}" in
	373	-*)
	374	value=${1#-}
	375	# Check if the integrity hash is in the list of integrity hashes and
	376	# check if the list has after removing this integrity hash at least one valid value
	377	if list_match ${value} ${INTEGRITY}; then
	378	list_remove INTEGRITY ${value}
	379	else
	380	# We do not break here because the processing of other maybe valid values are indepent from this error.
	381	log ERROR "Can not remove ${value} from the list of integrity hashes because ${value} is not in the list."
	382	fi
	383	;;
	384	+*)
	385	value=${1#+}
	386	# Check if the Ciphers is in the list of supported integrity hashes.
	387	if ! isoneof value ${VPN_SUPPORTED_INTEGRITY}; then
	388	# We do not break here because the processing of other maybe valid values are indepent from this error.
	389	log ERROR "${value} is not a supported integrity hash and can thats why not added to the list of integrity hashes."
	390	else
	391	if list_match ${value} ${INTEGRITY}; then
	392	log WARNING "${value} is already in the list of integrety hashes of this policy."
	393	else
	394	list_append INTEGRITY ${value}
	395	fi
	396	fi
	397	;;
	398	esac
	399	shift
	400	done
	401
	402	# Check if the list contain at least one valid group-type
	403	if [ $(list_length ${INTEGRITY}) -ge 1 ]; then
	404	if ! vpn_security_policies_write_config_key ${name} "INTEGRITY" ${INTEGRITY}; then
	405	log ERROR "The changes for the vpn security policy ${name} could not be written."
	406	fi
	407	else
	408	log ERROR "After proceding all integrity hashes the list is empty and thats why no changes are written."
	409	return ${EXIT_ERROR}
	410	fi
3eae7bed JS	411	}
3eae7bed JS	412
6740c9c5	413	# This function parses the parameters for the 'key-exchange' command
3eae7bed	414	vpn_security_policies_key_exchange() {
3eae7bed JS	415	local name=${1}
3eae7bed JS	416	local value=${2}
6740c9c5	417
3eae7bed JS	418	# Check if we get only one argument after key-exchange <name>
	419	if [ ! $# -eq 2 ]; then
	420	log ERROR "The number of arguments do not match. Only argument after key-exchange is allowed."
	421	return ${EXIT_ERROR}
	422	fi
	423
3eae7bed JS	424	if ! isoneof value "ikev1" "ikev2" "IKEV1" "IKEV2"; then
	425	log ERROR "Invalid Argument ${value}"
	426	return ${EXIT_ERROR}
	427	fi
	428
	429	vpn_security_policies_write_config_key "${name}" "KEY_EXCHANGE" "${value,,}"
	430	}
	431
6740c9c5	432	# This function parses the parameters for the 'lifetime' command.
3eae7bed	433	vpn_security_policies_lifetime(){
3eae7bed JS	434	local name=${1}
3eae7bed JS	435	shift
6740c9c5	436
3eae7bed JS	437	local value=$@
	438
	439	# Check if we get only one argument after lifetime <name>
	440	if [ ! $# -ge 1 ]; then
	441	log ERROR "The number of arguments do not match you must provide at least one integer value or a valid time with the format <hours>h <minutes>m <seconds>s"
	442	return ${EXIT_ERROR}
	443	fi
	444
	445	if ! isinteger value; then
	446	value=$(parse_time $@)
	447	if [ ! $? -eq 0 ]; then
	448	log ERROR "Parsing the passed time was not sucessful please check the passed values."
	449	return ${EXIT_ERROR}
	450	fi
	451	fi
	452
	453	if [ ${value} -le 0 ]; then
	454	log ERROR "The passed time value must be in the sum greater zero seconds."
	455	return ${EXIT_ERROR}
	456	fi
	457
	458	vpn_security_policies_write_config_key "${name}" "LIFETIME" "${value}"
	459	}
	460
6740c9c5	461	# This function parses the parameters for the 'pfs' command
3eae7bed	462	vpn_security_policies_pfs(){
3eae7bed JS	463	local name=${1}
	464	local value=${2}
	465
	466	# Check if we get only one argument after pfs <name>
	467	if [ ! $# -eq 2 ]; then
	468	log ERROR "The number of arguments do not match. Only argument after pfs is allowed."
	469	return ${EXIT_ERROR}
	470	fi
	471
	472	if [ ! $# -eq 2 ] \|\| ! isbool value; then
	473	# We suggest only two values to avoid overburding the user.
	474	log ERROR "Invalid Argument ${value}"
	475	return ${EXIT_ERROR}
	476	fi
	477
	478	vpn_security_policies_write_config_key "${name}" "PFS" "${value}"
	479	}
	480
6740c9c5 MT	481	# This function checks if a vpn security policy name is valid
6740c9c5 MT	482	# Allowed are only A-Za-z0-9
3eae7bed	483	vpn_security_policies_check_name() {
3eae7bed	484	assert [ $# -eq 1 ]
6740c9c5	485
3eae7bed	486	local name=${1}
6740c9c5	487
3eae7bed JS	488	[[ ${name} =~ [^[:alnum:]$] ]]
	489	}
	490
6740c9c5	491	# Function that creates based on the paramters one ore more new vpn security policies
3eae7bed	492	vpn_security_policies_new() {
58aa0edf MT	493	if [ $# -gt 1 ]; then
58aa0edf MT	494	error "Too many arguments"
3eae7bed JS	495	return ${EXIT_ERROR}
	496	fi
	497
58aa0edf MT	498	local name="${1}"
	499	if ! isset name; then
	500	error "Please provide a name"
	501	return ${EXIT_ERROR}
	502	fi
3eae7bed	503
58aa0edf MT	504	# Check for duplicates
	505	if vpn_security_policy_exists "${name}"; then
	506	error "The VPN security policy with name ${name} already exists"
	507	return ${EXIT_ERROR}
	508	fi
3eae7bed	509
58aa0edf MT	510	# Check if name is valid
	511	if vpn_security_policies_check_name "${name}"; then
	512	error "'${name}' contains illegal characters"
	513	return ${EXIT_ERROR}
	514	fi
3eae7bed	515
58aa0edf MT	516	# Check if we have a read-only policy with the same name
	517	if vpn_security_policies_check_readonly "${name}"; then
	518	error "The VPN security policy ${name} is read-only"
	519	return ${EXIT_ERROR}
	520	fi
	521
6fdbda80 MT	522	# Check if our source policy exists
	523	if ! vpn_security_policy_exists "${VPN_DEFAULT_SECURITY_POLICY}"; then
	524	error "Default VPN Security Policy '${VPN_DEFAULT_SECURITY_POLICY}' does not exist"
	525	return ${EXIT_ERROR}
	526	fi
	527
58aa0edf MT	528	log DEBUG "Creating VPN Security Policy ${name}"
58aa0edf MT	529
6fdbda80	530	if copy "$(vpn_security_policies_path "${VPN_DEFAULT_SECURITY_POLICY}")" "$(vpn_security_policies_path ${name})"; then
58aa0edf MT	531	log INFO "VPN Security Policy ${name} successfully created"
	532	else
	533	log ERROR "Could not create VPN Security Policy ${name}"
	534	return ${EXIT_ERROR}
	535	fi
c787fea5 MT	536
	537	# Show the newly created policy
	538	vpn_security_policies_show "${name}"
3eae7bed JS	539	}
3eae7bed JS	540
6740c9c5	541	# Function that deletes based on the passed parameters one ore more vpn security policies
3eae7bed	542	vpn_security_policies_destroy() {
3eae7bed JS	543	local name
	544	for name in $@; do
	545	if ! vpn_security_policy_exists ${name}; then
	546	log ERROR "The vpn security policy ${name} does not exist."
	547	continue
	548	fi
	549
	550	if vpn_security_policies_check_readonly ${name}; then
	551	log ERROR "The vpn security policy ${name} cannot be deleted."
	552	continue
	553	fi
	554
	555	log DEBUG "Deleting vpn security policy ${name}"
	556	settings_remove $(vpn_security_policies_path ${name})
	557	done
	558	}