vpn: add support for custom keys
Custom keys are created by an admin and specify networks directly, bypassing AD permissions. They are intended to join managed devices into networks where users are not allowed to create keys themselves. Also build the set with a set comprehension directly.
This commit is contained in:
parent
1b26f0738a
commit
3c25cbe88a
8 changed files with 152 additions and 42 deletions
|
@ -77,17 +77,24 @@ def save_config():
|
|||
settings = db.read('settings')
|
||||
version = settings['version'] = int(settings.get('version') or '0') + 1
|
||||
|
||||
# Update IP sets with VPN addresses based on AD group membership.
|
||||
vpn_groups = set([e['vpn'] for e in ipsets.values() if e.get('vpn')])
|
||||
# Find networks accessible to VPN users for each AD group.
|
||||
vpn_groups = {e['vpn'] for e in ipsets.values() if e.get('vpn')}
|
||||
group_networks = {
|
||||
group: [name for name, data in ipsets.items() if data['vpn'] == group] for group in vpn_groups
|
||||
}
|
||||
|
||||
# Add VPN addresses to IP sets.
|
||||
for ip, key in wireguard.items():
|
||||
# Find all networks this IP should belong to:
|
||||
# - manually specified networks for custom keys,
|
||||
# - networks accessible to any of the user’s groups.
|
||||
key_networks = set(key.get('networks', ()))
|
||||
for group in user_groups.get(key.get('user', ''), ()):
|
||||
for network in group_networks.get(group, ()):
|
||||
ipsets[network]['ip'].append(f'{ip}/32')
|
||||
if ip6 := key.get('ip6'):
|
||||
ipsets[network]['ip6'].append(ip6)
|
||||
key_networks |= set(group_networks.get(group, ()))
|
||||
for network in key_networks:
|
||||
ipsets[network]['ip'].append(f'{ip}/32')
|
||||
if ip6 := key.get('ip6'):
|
||||
ipsets[network]['ip6'].append(ip6)
|
||||
|
||||
# Create config files.
|
||||
output = pathlib.Path.home() / 'config' / f'{version}'
|
||||
|
|
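Review bot: A custom key whose `networks` entry names an ipset that no longer exists makes `ipsets[network]` raise KeyError in the new `for network in key_networks:` loop, aborting save_config for every network, whereas the old code only indexed with names taken from `ipsets.items()` itself; a guard such as `if network not in ipsets: continue  # stale custom key, network removed` (with a log line) before the two appends keeps one stale key from blocking the whole config write. Because `key.get('networks', ())` is applied to every key without distinguishing custom from user-created ones, this loop trusts the field as admin-set, so the key-creation path must be what prevents users from populating it — that code is outside this hunk, and a comment such as `# 'networks' bypasses AD group checks; only admin-created keys may carry it` would make the assumption explicit here. Iterating a set also makes the order of `ipsets[network]['ip']` entries vary between runs, so `for network in sorted(key_networks):` would keep the generated config files deterministic. The `set(group_networks.get(group, ()))` wrapping can be written as `key_networks.update(group_networks.get(group, ()))`. save_config continues beyond the hunk.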