ipsec: support require-id-on-certificate

Signed-off-by: Íñigo Huguet <[email protected]>
Nordix · Sep 19, 2024 · 90a56cc · 90a56cc
1 parent 6740104
commit 90a56cc
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 0 deletions.
diff --git a/rust/src/lib/ifaces/ipsec.rs b/rust/src/lib/ifaces/ipsec.rs
@@ -148,6 +148,11 @@ pub struct LibreswanConfig {
     pub hostaddrfamily: Option<LibreswanAddressFamily>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub clientaddrfamily: Option<LibreswanAddressFamily>,
+    #[serde(
+        skip_serializing_if = "Option::is_none",
+        rename = "require-id-on-certificate"
+    )]
+    pub require_id_on_certificate: Option<bool>,
 }
 
 impl LibreswanConfig {
@@ -187,6 +192,7 @@ impl std::fmt::Debug for LibreswanConfig {
             .field("kind", &self.kind)
             .field("hostaddrfamily", &self.hostaddrfamily)
             .field("clientaddrfamily", &self.clientaddrfamily)
+            .field("require_id_on_certificate", &self.require_id_on_certificate)
             .finish()
     }
 }

diff --git a/rust/src/lib/nm/query_apply/vpn.rs b/rust/src/lib/nm/query_apply/vpn.rs
@@ -86,6 +86,8 @@ fn get_libreswan_conf(nm_set_vpn: &NmSettingVpn) -> LibreswanConfig {
         ret.clientaddrfamily = data
             .get("clientaddrfamily")
             .and_then(|s| nm_libreswan_addr_family_to_nmstate(s));
+        ret.require_id_on_certificate =
+            data.get("require-id-on-certificate").map(|s| s == "yes");
     }
     if let Some(secrets) = nm_set_vpn.secrets.as_ref() {
         ret.psk = secrets.get("pskvalue").cloned();

diff --git a/rust/src/lib/nm/settings/vpn.rs b/rust/src/lib/nm/settings/vpn.rs
@@ -88,6 +88,10 @@ pub(crate) fn gen_nm_ipsec_vpn_setting(
         if let Some(v) = conf.hostaddrfamily {
             vpn_data.insert("hostaddrfamily".into(), v.to_string());
         }
+        if let Some(v) = conf.require_id_on_certificate {
+            let v = if v { "yes" } else { "no" };
+            vpn_data.insert("require-id-on-certificate".into(), v.to_string());
+        }
 
         let mut nm_vpn_set = NmSettingVpn::default();
         nm_vpn_set.data = Some(vpn_data);

diff --git a/tests/integration/ipsec_test.py b/tests/integration/ipsec_test.py
@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 import pytest
+import time
 import yaml
 
 import libnmstate
@@ -883,3 +884,69 @@ def test_ipsec_ipv6_host_to_site_with_dhcpv6_off(
     iface_state = show_only(["ipsec97"])[Interface.KEY][0]
     assert not iface_state[Interface.IPV6].get(InterfaceIPv6.DHCP)
     assert not iface_state[Interface.IPV6].get(InterfaceIPv6.AUTOCONF)
+
+
+@pytest.mark.xfail(
+    nm_libreswan_version_int() < version_str_to_int("1.2.23"),
+    reason="Need NetworkManager-libreswan 1.2.23+ to support "
+    "require-id-on-certificate",
+)
+def test_ipsec_require_id_on_certificate(ipsec_hosta_conn_cleanup):
+    desired_state = yaml.load(
+        f"""---
+        interfaces:
+        - name: hosta_conn
+          type: ipsec
+          ipv4:
+            enabled: true
+            dhcp: true
+          libreswan:
+            left: {IpsecTestEnv.HOSTA_IPV4_CRT}
+            leftid: '%fromcert'
+            leftcert: hosta.example.org
+            right: {IpsecTestEnv.HOSTB_IPV4_CRT}
+            rightid: '%fromcert'
+            rightcert: hostb.example.org
+            require-id-on-certificate: yes
+            ikev2: insist
+            ikelifetime: 24h
+            salifetime: 24h""",
+        Loader=yaml.SafeLoader,
+    )
+    libnmstate.apply(desired_state)
+    assert retry_till_true_or_timeout(
+        RETRY_COUNT,
+        _check_ipsec,
+        IpsecTestEnv.HOSTA_IPV4_CRT,
+        IpsecTestEnv.HOSTB_IPV4_CRT,
+    )
+    assert retry_till_true_or_timeout(
+        RETRY_COUNT,
+        _check_ipsec_ip,
+        IpsecTestEnv.HOSTB_VPN_SUBNET_PREFIX,
+        IpsecTestEnv.HOSTA_NIC,
+    )
+
+    desired_iface = desired_state[Interface.KEY][0]
+
+    desired_iface["libreswan"]["rightid"] = "other.fail"
+    libnmstate.apply(desired_state)
+    time.sleep(5)
+    assert not _check_ipsec(
+        IpsecTestEnv.HOSTA_IPV4_CRT, IpsecTestEnv.HOSTB_IPV4_CRT
+    )
+
+    desired_iface["libreswan"]["require-id-on-certificate"] = False
+    libnmstate.apply(desired_state)
+    assert retry_till_true_or_timeout(
+        RETRY_COUNT,
+        _check_ipsec,
+        IpsecTestEnv.HOSTA_IPV4_CRT,
+        IpsecTestEnv.HOSTB_IPV4_CRT,
+    )
+    assert retry_till_true_or_timeout(
+        RETRY_COUNT,
+        _check_ipsec_ip,
+        IpsecTestEnv.HOSTB_VPN_SUBNET_PREFIX,
+        IpsecTestEnv.HOSTA_NIC,
+    )