From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jonatan Schlag To: network@lists.ipfire.org Subject: [PATCH] ivpn-security-policies: fix +/- syntax handling for group type and integrity Date: Wed, 16 Aug 2017 08:19:39 +0200 Message-ID: <1502864379-5736-1-git-send-email-jonatan.schlag@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0885810727574574449==" List-Id: --===============0885810727574574449== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Fixes: #11445 Signed-off-by: Jonatan Schlag --- src/functions/functions.vpn-security-policies | 213 +++++++++++++++++++-----= -- 1 file changed, 154 insertions(+), 59 deletions(-) diff --git a/src/functions/functions.vpn-security-policies b/src/functions/fu= nctions.vpn-security-policies index cdd4e83..d5b43b0 100644 --- a/src/functions/functions.vpn-security-policies +++ b/src/functions/functions.vpn-security-policies 
@@ -658,46 +658,87 @@ vpn_security_policies_group_type(){ # Remove duplicated entries to proceed the list safely GROUP_TYPE=3D"$(list_unique ${GROUP_TYPE})" =20 + local group_types_added + local group_types_removed + local group_types_set + while [ $# -gt 0 ]; do - case "${1}" in + local arg=3D"${1}" + + case "${arg}" in + +*) + list_append group_types_added "${arg:1}" + ;; -*) - value=3D${1#-} - # Check if the group type is in the list of group types and - # check if the list has after removing this group type at leatst one val= id value - if list_match ${value} ${GROUP_TYPE}; then - list_remove GROUP_TYPE ${value} - else - # We do not break here because this error does not break the processing= of the next maybe valid values. - log ERROR "Can not remove ${value} from the list of group types because= ${value} is not in the list." - fi + list_append group_types_removed "${arg:1}" ;; - +*) - value=3D${1#+} - # Check if the group type is in the list of supported group types. - if ! isoneof value ${!VPN_SUPPORTED_GROUP_TYPES[@]}; then - # We do not break here because the processing of other maybe valid valu= es are indepent from this error. - log ERROR "${value} is not a supported group type and can thats why not= added to the list of group types." - else - if list_match ${value} ${GROUP_TYPE}; then - log WARNING "${value} is already in the list of group-types of this po= licy." - else - list_append GROUP_TYPE ${value} - fi - fi + [A-Z0-9]*) + list_append group_types_set "${arg}" + ;; + *) + error "Invalid argument: ${arg}" + return ${EXIT_ERROR} ;; esac shift done =20 - # Check if the list contain at least one valid group-type - if [ $(list_length ${GROUP_TYPE}) -ge 1 ]; then - if ! vpn_security_policies_write_config_key ${name} "GROUP_TYPE" ${GROUP_T= YPE}; then - log ERROR "The changes for the vpn security policy ${name} could not be w= ritten." - fi + # Check if the user is trying a mixed operation + if ! list_is_empty group_types_set && (! 
list_is_empty group_types_added ||= ! list_is_empty group_types_removed); then + error "You cannot reset the group type list and add or remove group types = at the same time" + return ${EXIT_ERROR} + fi + + # Set new group type list + if ! list_is_empty group_types_set; then + # Check if all group types are valid + local group_type + for group_type in ${group_types_set}; do + if ! vpn_security_policies_group_type_supported ${group_type}; then + error "Unsupported group type: ${group_type}" + return ${EXIT_ERROR} + fi + done + + GROUP_TYPE=3D"${group_types_set}" + + # Perform incremental updates else - log ERROR "After proceding all group types the list is empty and thats why= no changes are written." + local group_type + + # Perform all removals + for group_type in ${group_types_removed}; do + if ! list_remove GROUP_TYPE ${group_type}; then + warning "${group_type} was not on the list and could not be removed" + fi + done + + for group_type in ${group_types_added}; do + if vpn_security_policies_group_type_supported ${group_type}; then + if ! list_append_unique GROUP_TYPE ${group_type}; then + warning "${group_type} is already on the group type list" + fi + else + warning "${group_type} is unknown or unsupported and could not be added" + fi + done + fi + + # Check if the list contain at least one valid group_type + if list_is_empty GROUP_TYPE; then + error "Cannot save an empty group type list" return ${EXIT_ERROR} fi + + # Save everything + if ! vpn_security_policies_write_config_key ${name} "GROUP_TYPE" ${GROUP_TY= PE}; then + log ERROR "The changes for the vpn security policy ${name} could not be wr= itten." + fi + + cli_headline 1 "Current group type list for ${name}:" + for group_type in ${GROUP_TYPE}; do + cli_print_fmt1 1 "${group_type}" "${VPN_SUPPORTED_GROUP_TYPES[${group_type= }]}" + done } =20 # This function parses the parameters for the 'integrity' command 
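Review bot: A failed `vpn_security_policies_write_config_key` is only logged in the "Save everything" block, after which the new code falls through, prints `Current group type list for ${name}:` from the in-memory `GROUP_TYPE` and returns success, so an operator who removed a group type sees it reported as gone while the policy on disk still carries it; add `return ${EXIT_ERROR}` directly after `log ERROR "The changes for the vpn security policy ${name} could not be written."` so the headline is only printed for a persisted list. The integrity hunk below has the identical fall-through around `INTEGRITY`. In the argument loop, a bare `+` or `-` argument appends an empty string through `"${arg:1}"`, which the later unquoted `for` loops silently drop, so a guard such as `[ -n "${arg:1}" ] || { error "Invalid argument: ${arg}"; return ${EXIT_ERROR}; }` in the `+*)` and `-*)` arms would make the rejection explicit; and the `[A-Z0-9]*` range may also match lowercase letters under some locales, which presumably the `_supported` check then catches, although the set path treats that as an error while the incremental path only warns. vpn_security_policies_group_type begins before this hunk.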
@@ -706,7 +747,7 @@ vpn_security_policies_integrity(){ shift =20 if [ $# -eq 0 ]; then - log ERROR "You must pass at least one value after integrity." + log ERROR "You must pass at least one value after integrity" return ${EXIT_ERROR} fi =20 
@@ -718,46 +759,87 @@ vpn_security_policies_integrity(){ # Remove duplicated entries to proceed the list safely INTEGRITY=3D"$(list_unique ${INTEGRITY})" =20 + local integritys_added + local integritys_removed + local integritys_set + while [ $# -gt 0 ]; do - case "${1}" in + local arg=3D"${1}" + + case "${arg}" in + +*) + list_append integritys_added "${arg:1}" + ;; -*) - value=3D${1#-} - # Check if the integrity hash is in the list of integrity hashes and - # check if the list has after removing this integrity hash at least one= valid value - if list_match ${value} ${INTEGRITY}; then - list_remove INTEGRITY ${value} - else - # We do not break here because the processing of other maybe valid valu= es are indepent from this error. - log ERROR "Can not remove ${value} from the list of integrity hashes be= cause ${value} is not in the list." - fi + list_append integritys_removed "${arg:1}" ;; - +*) - value=3D${1#+} - # Check if the Ciphers is in the list of supported integrity hashes. - if ! isoneof value ${!VPN_SUPPORTED_INTEGRITY[@]}; then - # We do not break here because the processing of other maybe valid valu= es are indepent from this error. - log ERROR "${value} is not a supported integrity hash and can thats why= not added to the list of integrity hashes." - else - if list_match ${value} ${INTEGRITY}; then - log WARNING "${value} is already in the list of integrety hashes of th= is policy." - else - list_append INTEGRITY ${value} - fi - fi + [A-Z0-9]*) + list_append integritys_set "${arg}" + ;; + *) + error "Invalid argument: ${arg}" + return ${EXIT_ERROR} ;; esac shift done =20 - # Check if the list contain at least one valid group-type - if [ $(list_length ${INTEGRITY}) -ge 1 ]; then - if ! vpn_security_policies_write_config_key ${name} "INTEGRITY" ${INTEGRIT= Y}; then - log ERROR "The changes for the vpn security policy ${name} could not be w= ritten." - fi + # Check if the user is trying a mixed operation + if ! list_is_empty integritys_set && (! 
list_is_empty integritys_added || != list_is_empty integritys_removed); then + error "You cannot reset the integrity hashes list and add or remove integr= ity hashes at the same time" + return ${EXIT_ERROR} + fi + + # Set new integrity list + if ! list_is_empty integritys_set; then + # Check if all integrity hashes are valid + local integrity + for integrity in ${integritys_set}; do + if ! vpn_security_policies_integrity_supported ${integrity}; then + error "Unsupported integrity hash: ${integrity}" + return ${EXIT_ERROR} + fi + done + + INTEGRITY=3D"${integritys_set}" + + # Perform incremental updates else - log ERROR "After proceding all integrity hashes the list is empty and that= s why no changes are written." + local integrity + + # Perform all removals + for integrity in ${integritys_removed}; do + if ! list_remove INTEGRITY ${integrity}; then + warning "${integrity} was not on the list and could not be removed" + fi + done + + for integrity in ${integritys_added}; do + if vpn_security_policies_integrity_supported ${integrity}; then + if ! list_append_unique INTEGRITY ${integrity}; then + warning "${integrity} is already on the integrity list" + fi + else + warning "${integrity} is unknown or unsupported and could not be added" + fi + done + fi + + # Check if the list contain at least one valid integrity + if list_is_empty INTEGRITY; then + error "Cannot save an empty integrity hashes list" return ${EXIT_ERROR} fi + + # Save everything + if ! vpn_security_policies_write_config_key ${name} "INTEGRITY" ${INTEGRITY= }; then + log ERROR "The changes for the vpn security policy ${name} could not be wr= itten." + fi + + cli_headline 1 "Current integrity hashes list for ${name}:" + for integrity in ${INTEGRITY}; do + cli_print_fmt1 1 "${integrity}" "${VPN_SUPPORTED_INTEGRITY[${integrity}]}" + done } =20 # This function parses the parameters for the 'key-exchange' command 
@@ -917,6 +999,19 @@ vpn_security_policies_cipher_supported() { list_match ${cipher} ${!VPN_SUPPORTED_CIPHERS[@]} } =20 + +vpn_security_policies_group_type_supported() { + local group_type=3D${1} + + list_match ${group_type} ${!VPN_SUPPORTED_GROUP_TYPES[@]} +} + +vpn_security_policies_integrity_supported() { + local integrity=3D${1} + + list_match ${integrity} ${!VPN_SUPPORTED_INTEGRITY[@]} +} + vpn_security_policies_cipher_is_aead() { local cipher=3D${1} =20 --=20 2.6.3 --===============0885810727574574449==--
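Review bot: The two new predicates `vpn_security_policies_group_type_supported` and `vpn_security_policies_integrity_supported` carry no header comment, unlike the documented command functions earlier in the file; a one-line comment such as `# Returns success if ${1} is a key of VPN_SUPPORTED_GROUP_TYPES` (and the INTEGRITY counterpart) above each would state the contract. Both also expand the needle unquoted in `list_match ${group_type} ${!VPN_SUPPORTED_GROUP_TYPES[@]}`, so an empty argument disappears and the first supported key is passed as the needle instead; quoting it as `list_match "${group_type}" ${!VPN_SUPPORTED_GROUP_TYPES[@]}` (and `"${integrity}"` in the sibling) keeps an empty input rejected for the right reason, though whether list_match then returns failure depends on its implementation outside this hunk.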