Enhancement #3195

Event trusted-networks-modify

Added by Davide Principi over 3 years ago. Updated over 3 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: <multiple packages>
Target version: v6.6
Resolution:
NEEDINFO: No

Description

  • Templates and service reloads occur in the networks-create and networks-delete events, and consider only network records.
    A new event, trusted-networks-modify, must occur whenever VPN or network records are changed.
    The networks-* events must be deprecated.
  • The method NetworksDB::local_access_spec returns green networks and records of type network from the networks DB.
    NetworksDB::local_access_spec must be modified to take into account VPN networks.

To provide a smooth transition to the new event, trusted-networks-modify must invoke the deprecated networks-create event. RPMs should quickly migrate to the new event.


Related issues

Related to NethServer 6 - Feature #2919: mail-server: configure IP-based access policy from UI CLOSED

Associated revisions

Revision 22d74aac
Added by Davide Principi over 3 years ago

Moved /esmith source directory into lib/perl/esmith. Refs #3195

Revision bd76d3b6
Added by Davide Principi over 3 years ago

NethServer::TrustedNetworks perl Module. Refs #3195

Extensible module to link multiple TrustedNetworks provider, like
VPNs.

Revision c9b8aed6
Added by Davide Principi over 3 years ago

TrustedNetworks.pm: added POD documentation. Refs #3195

Revision cfe679ad
Added by Davide Principi over 3 years ago

TrustedNetworks perl module: added list_full() function. Refs #3195

Changed $results format to list of hash references.

Revision f3ee743f
Added by Davide Principi over 3 years ago

trusted-networks helper: prints a JSON object. Refs #3195

Revision e69a70cd
Added by Davide Principi over 3 years ago

trusted-networks-modify event. Refs #3195

This event obsoletes the network-create, network-modify and network-delete
events.

The network-create event is still invoked for backward compatibility.

Revision feb4e504
Added by Davide Principi over 3 years ago

LocalNetwork UI module: use trusted-networks helper. Refs #3195

Revision 09204863
Added by Davide Principi over 3 years ago

nethserver-samba: bind to trusted-networks-modify event. Refs #3195

Revision 00b3fdb7
Added by Davide Principi over 3 years ago

Merge branch 'b3195'. Refs #3195

Revision ae44624d
Added by Davide Principi over 3 years ago

nethserver-firewall-base: new trusted-networks-modify event performs firewall-adjust, removed here. Refs #3195

Revision 8d2e69cc
Added by Davide Principi over 3 years ago

nethserver-mail-common: bind new trusted-networks-modify event. Refs #3195

Revision f3357eeb
Added by Davide Principi over 3 years ago

nethserver-cups: bind new trusted-networks-modify event. Refs #3195

Revision acbe5829
Added by Davide Principi over 3 years ago

nethserver-httpd: bind new trusted-networks-modify event. Refs #3195

Revision 8fb2dd8b
Added by Davide Principi over 3 years ago

nethserver-hylafax: bind new trusted-networks-modify event. Refs #3195

Revision bf9269b1
Added by Davide Principi over 3 years ago

LocalNetworks UI: invoke new trusted-networks-modify event. Refs #3195

Revision 43b5436d
Added by Davide Principi over 3 years ago

nethserver-openvpn: trusted-networks provider implementation. Refs #3195

Revision 260c52cd
Added by Davide Principi over 3 years ago

nethserver-ipsec: trusted-networks provider implementation. Refs #3195

Revision 932f1632
Added by Davide Principi over 3 years ago

.spec: add NethServer::TrustedNetworks Perl module. Refs #3195

Revision ec1196fb
Added by Davide Principi over 3 years ago

nethserver-hylafax: trusted-networks-modify event is not required at all! Refs #3195

Revision c98784e9
Added by Davide Principi over 3 years ago

admin docs: trusted networks include VPNs automatically. Refs #3195

Revision 1a8cfe70
Added by Davide Principi over 3 years ago

NetworksDB (local_access_spec): fixed trusted networks list building. Refs #3195

The method returned only the local address.

Fixed also INIT warning.

Revision 7d0aa232
Added by Davide Principi over 3 years ago

Don't die if roadwarrior network parameters are missing. Refs #3195

In TrustedNetworks::OpenVPN (openvpn_networks) provider.

Revision 3cb85671
Added by Davide Principi over 3 years ago

legacy-call-network-create: fixed command path. Refs #3195

Revision 868f3389
Added by Davide Principi over 3 years ago

Reviewed Italian translation. Refs #3195

Revision cb3d0d62
Added by Davide Principi over 3 years ago

Check for network-create event existence. Refs #3195

Revision ac8bb3dc
Added by Davide Principi over 3 years ago

LocalNetwork: fixed network in use validation. Refs #3195

Check the new network is not a subnet of an existing one, and
vice-versa.

Revision 9c6590fa
Added by Davide Principi over 3 years ago

Raise trusted-networks-modify when interfaces are modified. Refs #3195

Note: the firewall-adjust sub-event call in trusted-networks-modify is
required by lokkit-save event.

Revision 1c2f80b1
Added by Davide Principi over 3 years ago

Unbind interface-update event. Refs #3195

The interface-update event invokes trusted-networks-modify, so
cupsd.conf expansion and daemon restart is not required in
interface-update itself.

Revision 59a6af29
Added by Davide Principi over 3 years ago

openvpn: bind trusted-networks-modify event. Refs #3195

Revision 76ca3b65
Added by Davide Principi over 3 years ago

ipsec: bind trusted-networks-modify event. Refs #3195

Revision ae278e3f
Added by Davide Principi over 3 years ago

openvpn: bind trusted-networks-modify event to nethserver-openvpn-save event. Refs #3195

Revision 182f6e45
Added by Giacomo Sanchietti over 3 years ago

trusted-networks-modify: add tunnel networks. Refs #3195

Revision b45799e8
Added by Giacomo Sanchietti over 3 years ago

trusted-networks-modify: add networks from green aliases. Refs #3195

Revision b3e743d4
Added by Giacomo Sanchietti over 3 years ago

trusted-networks-modify: add tunnel networks. Refs #3195

Revision fc29184b
Added by Giacomo Sanchietti over 3 years ago

Merge pull request #71 from NethServer/trusted-networks-update-event

New trusted-networks-update event. Refs #3195

Revision 7e614e8e
Added by Davide Principi about 3 years ago

samba: unbind interface-update event. Refs #3195

Use trusted-networks-modify event.

History

#1 Updated by Davide Principi over 3 years ago

  • Description updated (diff)

#2 Updated by Davide Principi over 3 years ago

  • Related to Feature #2919: mail-server: configure IP-based access policy from UI added

#4 Updated by Giacomo Sanchietti over 3 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#5 Updated by Davide Principi over 3 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#6 Updated by Davide Principi over 3 years ago

  • Subject changed from Event trusted-networks-update to Event trusted-networks-modify
  • Description updated (diff)

The -update suffix is generally used by packagename-update events. Here we are similar to record-modify semantics.

#7 Updated by Davide Principi over 3 years ago

Known legacy event consumers are

  • nethserver-samba
  • nethserver-firewall-base
  • nethserver-mail-common
  • nethserver-cups
  • nethserver-httpd
  • nethserver-hylafax
  • ...

Known providers:

  • nethserver-ipsec
  • nethserver-openvpn
  • green networks
  • network records in networks DB

#8 Updated by Davide Principi over 3 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

MODIFIED

The following packages have been modified:

nethserver-base
nethserver-hylafax
nethserver-samba
nethserver-firewall-base
nethserver-mail-common
nethserver-cups
nethserver-httpd
nethserver-ipsec (provider)
nethserver-openvpn (provider)

API DOCUMENTATION

perldoc NethServer::TrustedNetworks

PACKAGER NOTE

Pull requests on documentation

Test case

Update all the packages to the modified version. Changes on Trusted Networks page must be applied on the system as before.

  • nethserver-samba
    check hosts allow directive in smb.conf has also IPsec and OpenVPN networks
  • nethserver-mail-common
    check /etc/postfix/mynetworks.cidr has also IPsec and OpenVPN networks
  • nethserver-cups
    check /etc/cups/cupsd.conf has also IPsec and OpenVPN networks
  • nethserver-httpd
    to test, install also nethserver-ibays and create a new ibay. Under web settings enable Allow access from trusted networks only. Check the .ibay file under /etc/httpd/nethserver.d/ has also IPsec and OpenVPN networks in Allow from directive.
  • nethserver-hylafax, just test install
  • nethserver-firewall-base, just test install
  • nethserver-base
    check Trusted Networks page works correctly and changes are applied to underlying packages (see above).
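The checks listed in this test case are the same grep on four files with three different allow-list syntaxes (Samba "hosts allow", Postfix "<cidr> OK" lines, Apache/CUPS "Allow from" with dotted netmasks). The script below is an added example, not NethServer code: it extracts the allowed networks from each file format and reports which expected trusted networks (green LAN, OpenVPN, IPsec) are not covered. The file contents and the 192.168.100.0/24, 10.8.0.0/24 and 10.100.100.0/24 networks are constructed samples; `check_file()` runs the same check against the real paths on a box.

```python
import ipaddress
import re

# Constructed sample files, shaped like the ones named in the test case.
# Healthy smb.conf: green LAN, OpenVPN and IPsec networks are all present.
SMB_CONF_OK = """
[global]
    workgroup = WORKGROUP
    hosts allow = 127.0.0.1 192.168.100.0/255.255.255.0 10.8.0.0/255.255.255.0 10.100.100.0/255.255.255.0
"""
# Broken smb.conf reproducing the symptom of a trusted list that collapsed to loopback only.
SMB_CONF_BROKEN = """
[global]
    hosts allow = 127.0.0.1
"""
# Postfix mynetworks.cidr: one "<cidr> OK" entry per line.
MYNETWORKS_CIDR = """127.0.0.1/32 OK
192.168.100.0/24 OK
10.8.0.0/24 OK
10.100.100.0/24 OK
"""
# cupsd.conf fragment where the IPsec network is missing.
CUPSD_CONF = """
<Location /admin/conf>
  Order deny,allow
  Allow From 127.0.0.1
  Allow From 192.168.100.0/255.255.255.0
  Allow From 10.8.0.0/255.255.255.0
</Location>
"""
# .ibay file under /etc/httpd/nethserver.d/ with "Allow access from trusted networks only".
IBAY_CONF = """
Order Deny,Allow
Allow from 127.0.0.1 192.168.100.0/255.255.255.0 10.8.0.0/255.255.255.0 10.100.100.0/255.255.255.0
AllowOverride None
"""

# Directive that carries the allow list in each file format.
DIRECTIVES = {
    "samba": re.compile(r"^\s*hosts\s+allow\s*=\s*(.+?)\s*$", re.I | re.M),
    "cups": re.compile(r"^\s*Allow\s+From\s+(.+?)\s*$", re.I | re.M),
    "httpd": re.compile(r"^\s*Allow\s+from\s+(.+?)\s*$", re.I | re.M),
}


def allowed_networks(text, fmt):
    """Set of ip_network objects a config file grants access to.

    Bare addresses become /32; dotted netmasks such as
    192.168.100.0/255.255.255.0 are accepted by ipaddress as-is.
    """
    tokens = []
    if fmt == "postfix":
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                tokens.append(line.split()[0])
    else:
        for match in DIRECTIVES[fmt].finditer(text):
            tokens.extend(match.group(1).split())
    return {ipaddress.ip_network(t, strict=False) for t in tokens}


def missing_networks(text, fmt, expected):
    """Expected trusted networks not covered by any allowed entry, as sorted strings."""
    allowed = allowed_networks(text, fmt)
    missing = []
    for net in (ipaddress.ip_network(e) for e in expected):
        covered = any(a.version == net.version and net.subnet_of(a) for a in allowed)
        if not covered:
            missing.append(net)
    return [str(n) for n in sorted(missing)]


def check_file(path, fmt, expected):
    """Same check against a real file on the box (e.g. /etc/samba/smb.conf)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return missing_networks(fh.read(), fmt, expected)


if __name__ == "__main__":
    expected = ["192.168.100.0/24", "10.8.0.0/24", "10.100.100.0/24"]
    for name, text, fmt in [("smb.conf", SMB_CONF_OK, "samba"),
                            ("smb.conf (broken)", SMB_CONF_BROKEN, "samba"),
                            ("mynetworks.cidr", MYNETWORKS_CIDR, "postfix"),
                            ("cupsd.conf", CUPSD_CONF, "cups"),
                            ("bayone.ibay", IBAY_CONF, "httpd")]:
        print(name, "missing:", missing_networks(text, fmt, expected) or "none")
```

A network counts as covered when some allowed entry equals or contains it, so a broader entry written by a provider (for instance a /16 covering a /24 tunnel) does not produce a false alarm; the broken Samba sample reports all three networks as missing, which is exactly the regression a tester is looking for after the upgrade.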

#9 Updated by Davide Principi over 3 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:

nethserver-openvpn-1.2.1-1.1.g43b5436.ns6.noarch.rpm
nethserver-openvpn-1.2.1-1.3.g59a6af2.ns6.noarch.rpm
nethserver-openvpn-1.2.1-1.4.gae278e3.ns6.noarch.rpm
nethserver-ipsec-1.0.3-1.10.g260c52c.ns6.noarch.rpm
nethserver-ipsec-1.0.3-1.11.g76ca3b6.ns6.noarch.rpm
nethserver-httpd-2.4.1-1.1.gacbe582.ns6.noarch.rpm
nethserver-cups-1.1.1-1.noarch.rpm
nethserver-cups-1.1.1-1.4.g315783b.ns6.noarch.rpm
nethserver-mail-common-1.5.0-1.1.g8d2e69c.ns6.noarch.rpm
nethserver-firewall-base-2.6.3-1.4.gae44624.ns6.noarch.rpm
nethserver-samba-1.5.1-1.1.g0920486.ns6.noarch.rpm
nethserver-samba-1.5.1-1.2.ge5c9553.ns6.noarch.rpm
nethserver-hylafax-1.1.1-1.2.gec1196f.ns6.noarch.rpm
nethserver-base-2.7.2-1.10.g932f163.ns6.noarch.rpm
nethserver-base-2.7.2-1.15.g9c6590f.ns6.noarch.rpm

#10 Updated by Davide Principi over 3 years ago

  • Category changed from nethserver-base to <multiple packages>

#11 Updated by dz0 0te over 3 years ago

  • Assignee set to dz0 0te

#12 Updated by dz0 0te over 3 years ago

  • Status changed from ON_QA to TRIAGED
  • Assignee deleted (dz0 0te)
  • % Done changed from 70 to 20

System and Package Version installed
VM KVM - Clean install of Nethserver 6.6 fully updated
VM ip: 192.168.100.73
Package Installed: nethserver-base-2.7.2-1.ns6.noarch
nethserver-samba-1.5.1-1.ns6.noarch
nethserver-firewall-base-2.6.3-1.ns6.noarch
nethserver-hylafax-1.1.1-1.ns6.noarch
nethserver-openvpn-1.2.1-1.ns6.noarch
nethserver-mail-common-1.5.0-1.ns6.noarch
nethserver-cups-1.1.1-1.ns6.noarch
nethserver-ipsec-1.0.3-1.ns6.noarch
nethserver-httpd-2.4.1-1.ns6.noarch
Other Package installed: Basic firewall,Email,Fax server,File server,MySQL server,POP3 connector,Print server,SMTP proxy,VPN,Web filter,Web server

Test Original Problem
Enhancement
enabled/configured openvpn and ipsec

Install Updated Package

yum --enablerepo=nethserver-testing install nethserver-base nethserver-hylafax nethserver-samba nethserver-firewall-base nethserver-mail-common nethserver-cups nethserver-httpd nethserver-ipsec nethserver-openvpn 

Test Results after update
Existing trusted networks (including the local LAN) disappeared from various config files.

1. $ cat /etc/samba/smb.conf | grep allow
hosts allow = 127.0.0.1

2. $ cat /etc/postfix/mynetworks.cidr
# 10trustednetworks #
127.0.0.1/32 OK

3. cups: same as pre-upgrade:
ex:
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow From 127.0.0.1
Allow From 192.168.100.0/255.255.255.0
Allow From 10.100.100.0/255.255.255.0
</Location>

4. $ cat /etc/httpd/nethserver.d/bayone.ibay | grep Allow
Order Deny,Allow
Allow from 127.0.0.1
AllowOverride None

5. add/del a new net from UI Trusting Network:
Task completed with errors
S10legacy-call-network-create #2 (exit status 32512)

Note
Disabling/re-enabling OpenVPN with another IP range updates the data in Trusted Networks, but tests 1-4 still give the same results as before.

2nd test on another clean VM with no packages installed.
After installing new packages, in Trusted Network: Empty Table
add/del new net same problem as before.
Enabling vpn still leaves various config with only 127.0.0.1

#14 Updated by Filippo Carletti over 3 years ago

Giacomo Sanchietti wrote:

See also: http://community.nethserver.org/t/allow-access-from-green-and-trusted-network

The page you requested doesn't exist or is private.

#15 Updated by Giacomo Sanchietti over 3 years ago

The page you requested doesn't exist or is private.

Here is the correct link:
http://community.nethserver.org/t/allow-access-from-green-and-trusted-networks/1182/2

#16 Updated by Davide Principi over 3 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#17 Updated by Davide Principi over 3 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

MODIFIED

#18 Updated by Davide Principi over 3 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Davide Principi)
  • % Done changed from 60 to 70

In nethserver-testing:

nethserver-openvpn-1.2.1-1.2.g7d0aa23.ns6.noarch.rpm
nethserver-base-2.7.2-1.11.g1a8cfe7.ns6.noarch.rpm
nethserver-base-2.7.2-1.12.g3cb8567.ns6.noarch.rpm

#19 Updated by Vasco Castelo Branco over 3 years ago

  • Assignee set to Vasco Castelo Branco

#20 Updated by Davide Principi over 3 years ago

  • Status changed from ON_QA to TRIAGED
  • Assignee deleted (Vasco Castelo Branco)
  • % Done changed from 70 to 20

Implement also
  • VPN ipsec net2net networks
  • VPN openvpn user account networks
  • bind trusted-networks-modify to the above item changes and packages installation
  • UI subnet checks (generic case of already-existing items)

#21 Updated by Davide Principi over 3 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#22 Updated by Davide Principi over 3 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case (additional)

  • changes on VPN > IPSec/L2TP page, in Network address/mask must be reflected into config files (see previous test case)
  • changes on VPN > OpenVPN page, in Network/mask, under Routed mode must be reflected into config files (see previous test case)
  • changes on Network page must be reflected in config files for green interfaces.
  • Create a new item in Trusted networks page: the validator must refuse to create an already existing network, or a subnet or supernet of an existing network.
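The last item of this test case (refuse an existing network, a subnet of an existing one, or a supernet of one) is the rule from revision ac8bb3dc. The function below is an added example written in Python, not the LocalNetwork UI validator itself: it classifies a candidate against a list of existing records and reports which relation caused the refusal. The EXISTING list is a constructed sample of what green, OpenVPN and IPsec providers might contribute; the choice to reject a candidate whose host bits are set (strict parsing) is an assumption of this example.

```python
import ipaddress

# Constructed sample: networks already contributed by the green interface,
# the OpenVPN routed network and an IPsec tunnel.
EXISTING = ["192.168.100.0/24", "10.8.0.0/24", "10.100.100.0/24"]


def validate_new_network(candidate, existing=EXISTING):
    """Return (ok, reason) for a Trusted Networks entry.

    candidate may be CIDR ("192.168.200.0/24") or address/dotted-mask
    ("192.168.200.0/255.255.255.0"). A candidate with host bits set is
    treated as malformed (assumption of this example).
    """
    try:
        new = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return False, f"invalid network: {exc}"
    for record in existing:
        old = ipaddress.ip_network(record)
        if old.version != new.version:
            continue  # v4 and v6 never overlap
        if new == old:
            return False, f"{new} already exists"
        if new.subnet_of(old):
            return False, f"{new} is a subnet of existing {old}"
        if new.supernet_of(old):
            return False, f"{new} is a supernet of existing {old}"
    return True, "ok"


if __name__ == "__main__":
    for cand in ["192.168.100.0/24", "192.168.100.0/25", "10.0.0.0/8",
                 "172.16.0.0/16", "192.168.200.0/255.255.255.0", "192.168.100.5/24"]:
        print(cand, "->", validate_new_network(cand))
```

Checking both directions matters for the security intent: a supernet such as 10.0.0.0/8 added next to a 10.8.0.0/24 tunnel would silently widen every "trusted networks only" access rule derived from the list.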

#23 Updated by Davide Principi over 3 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
see the note 9

#24 Updated by Vasco Castelo Branco over 3 years ago

  • Assignee set to Vasco Castelo Branco

#25 Updated by Vasco Castelo Branco over 3 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Vasco Castelo Branco)
  • % Done changed from 70 to 90

Verified with:

nethserver-base-2.7.2-1.ns6.noarch

#26 Updated by Giacomo Sanchietti over 3 years ago

  • Status changed from VERIFIED to ON_QA
  • % Done changed from 90 to 70

Good verification so far, but I just added a couple of minor features.
We need just to test these ones.

Packages in nethserver-testing:
  • nethserver-openvpn-1.2.1-1.5.gb3e743d.ns6.noarch.rpm
  • nethserver-ipsec-1.0.3-1.12.g182f6e4.ns6.noarch.rpm
  • nethserver-base-2.7.2-1.16.gb45799e.ns6.noarch.rpm

Test case 1
  • Create an alias for a green network
  • Check the alias network is inside the trusted networks, you can use this command:
    grep "hosts allow" /etc/samba/smb.conf
    
Test case 2
  • Create an IPSec tunnel
  • Check the right subnet is inside the trusted networks (use command from test case 1)
Test case 3
  • Create a VPN account with an associated network and netmask
  • Check the network is inside the trusted networks (use command from test case 1)

#27 Updated by Vasco Castelo Branco over 3 years ago

  • Assignee set to Vasco Castelo Branco

#28 Updated by Vasco Castelo Branco over 3 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Vasco Castelo Branco)
  • % Done changed from 70 to 90

#29 Updated by Giacomo Sanchietti over 3 years ago

  • Assignee set to Giacomo Sanchietti

#30 Updated by Giacomo Sanchietti over 3 years ago

  • Status changed from VERIFIED to CLOSED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 90 to 100

Released in nethserver-updates:
  • nethserver-firewall-base-2.6.4-1.ns6.noarch.rpm
  • nethserver-base-2.7.4-1.ns6.noarch.rpm
  • nethserver-hylafax-1.1.2-1.ns6.noarch.rpm
  • nethserver-samba-1.5.2-1.ns6.noarch.rpm
  • nethserver-mail-common-1.5.1-1.ns6.noarch.rpm
  • nethserver-cups-1.1.2-1.ns6.noarch.rpm
  • nethserver-httpd-2.4.2-1.ns6.noarch.rpm
  • nethserver-openvpn-1.2.2-1.ns6.noarch.rpm

Release of nethserver-ipsec is postponed until documentation will be ready.
