Merge branch 'devel' into fix/6657

inverse-inc · May 16, 2023 · 109ede8 · 109ede8
2 parents c20652c + b9e1d26
commit 109ede8
Show file tree

Hide file tree

Showing 14 changed files with 161 additions and 14 deletions.
diff --git a/NEWS.asciidoc b/NEWS.asciidoc
@@ -30,6 +30,7 @@ For a list of compatibility related changes see the <<PacketFence_Upgrade_Guide.
 === Enhancements
 
  * Upgrade coredns libraries (#7197)
+ * Added Palo Alto switch module to manage web admin login using RADIUS (#7643)
  * Allow to call a custom script from pfupdate to handle VIP in cloud environments (#7654)
 
 === Bug Fixes

diff --git a/addons/vagrant/playbooks/linux_servers/apt_update.yml b/addons/vagrant/playbooks/linux_servers/apt_update.yml
@@ -3,11 +3,28 @@
   become: True
   gather_facts: False
 
-  #  pre_tasks:
+  pre_tasks:
   #  - name: Gather min only
   #    ansible.builtin.setup:
   #      gather_subset:
   #        - "!all"
+  - name: AD Pretasks
+    block:
+    - name: AD => Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: AD => Ensure samba4ad service is in a running state
+      ansible.builtin.service:
+        name: samba-ad-dc
+        state: started
+      register: sambaDetails
+      until: sambaDetails.status.ActiveState == "active"
+      retries: 15
+      delay: 20
+      when:
+      - "'samba-ad-dc.service' in services"
+    when:
+    - inventory_hostname == 'ad'
 
   tasks:
     - name: Update APT repository cache

diff --git a/addons/vagrant/playbooks/linux_servers/samba4ad.yml b/addons/vagrant/playbooks/linux_servers/samba4ad.yml
@@ -41,7 +41,7 @@
       - python3-pexpect
 
     - name: Reboot
-      include_tasks: ./samba4ad_reboot.yml
+      include_tasks: ./tasks/samba4ad_reboot_tasks.yml
       when: disable_ipv6.changed
 
     - name: Download file with check (sha256)
@@ -171,7 +171,7 @@
       - "samba-ad-dc" 
 
     - name: Reboot
-      include_tasks: ./samba4ad_reboot.yml
+      include_tasks: ./tasks/samba4ad_reboot_tasks.yml
       when: set_samba4ad_conf.changed
 
     - name: Configure Samba "{{ packetfence_domain_account }}" user

diff --git a/...aybooks/linux_servers/samba4ad_reboot.yml → ...x_servers/tasks/samba4ad_reboot_tasks.yml b/...aybooks/linux_servers/samba4ad_reboot.yml → ...x_servers/tasks/samba4ad_reboot_tasks.yml
diff --git a/conf/template_switches.conf.defaults b/conf/template_switches.conf.defaults
@@ -235,6 +235,20 @@ Tunnel-Type = 13
 Tunnel-Private-Group-Id = $switch._voiceVlan
 EOT
 
+[PaloAlto::PanOS]
+# tested on 10.1.9 OS
+description=Palo Alto PAN-OS (template based)
+coa=
+cliAuthorizeWrite=PaloAlto-Admin-Role = read_write_role
+reject=
+disconnect=
+cliAuthorizeRead=PaloAlto-Admin-Role = read_only_role
+voip=
+acceptRole=
+bounce=
+acceptVlan=
+snmpDisconnect=disabled
+
 [Ruckus::SmartZone_v2]
 # Do not edit.
 # Any changes will be lost on upgrade.

diff --git a/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc b/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
@@ -61,6 +61,10 @@ include::network/wireless_controllers_and_access_point_configuration.asciidoc[]
 
 include::network/vpn_configuration.asciidoc[]
 
+== Firewall Configuration
+
+include::network/firewall_configuration.asciidoc[]
+
 // INCLUDES
 
 include::includes/additional-info.asciidoc[]

diff --git a/docs/network/firewall_configuration.asciidoc b/docs/network/firewall_configuration.asciidoc
@@ -0,0 +1,25 @@
+// to display images directly on GitHub
+ifdef::env-github[]
+:encoding: UTF-8
+:lang: en
+:doctype: book
+:toc: left
+:imagesdir: ../images
+endif::[]
+
+////
+
+    This file is part of the PacketFence project.
+
+    See PacketFence_Network_Devices_Configuration_Guide.asciidoc
+    for authors, copyright and license information.
+
+////
+
+//== Firewall configuration
+
+=== Palo Alto firewall
+
+include::networkdevice/palo_alto.asciidoc[]
+
+
diff --git a/docs/network/networkdevice/palo_alto.asciidoc b/docs/network/networkdevice/palo_alto.asciidoc
@@ -0,0 +1,51 @@
+// to display images directly on GitHub
+ifdef::env-github[]
+:encoding: UTF-8
+:lang: en
+:doctype: book
+:toc: left
+:imagesdir: ../../images
+endif::[]
+
+////
+
+    This file is part of the PacketFence project.
+
+    See PacketFence_Network_Devices_Configuration_Guide.asciidoc
+    for authors, copyright and license information.
+
+////
+
+
+//=== Palo Alto firewall
+
+==== Palo Alto (PAN-OS) web admin access
+
+You can manage administrator access (through web admin) to Palo Alto firewalls using RADIUS.
+
+===== Palo Alto
+
+You can follow link:https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-radius-authentication[Palo Alto official documentation]
+with following adjustments to integrate with PacketFence:
+
+* Administrator Use only: `enabled`
+* Authentication Protocol: `PAP`
+* Retrieve user group from RADIUS: `disabled`. You need to speficy `all` in the Allow List of the authentication profile.
+
+At some point, you will need to configure two admin role profiles (which are preconfigured in PacketFence):
+
+* `read_only_role`: you need to adjust permissions to provide read only access to firewall configuration
+* `read_write_role`: you need to adjust permissions to provide read-write access to firewall configuration
+
+
+===== PacketFence
+
+You need to declare your Palo Alto firewall as a switch with:
+
+* Management IP address of firewall as `Identifier`
+* Palo Alto PAN-OS (template based) as `Type`
+* CLI/VPN Access enabled: `Yes`
+
+===== Troubleshooting
+
+On Palo Alto, you can see how RADIUS replies are handled using _Monitor -> Logs -> System_
diff --git a/html/captive-portal/content/captiveportal.js b/html/captive-portal/content/captiveportal.js
@@ -134,16 +134,26 @@ document.addEventListener('DOMContentLoaded', function () {
 
   function initForm() {
     var form = false;
-
-    Array.prototype.slice.call(document.querySelectorAll('form input, form select'))
-      .forEach(function (input) {
+    var inputs = Array.prototype.slice.call(document.querySelectorAll('form input, form select'));
+    if (inputs.length) {
+      inputs.forEach(function (input) {
         form = closest(input, function (el) { return el.tagName.toLowerCase() === 'form' });
         var inputHandler = function () { checkForm(form); };
         input.addEventListener('keyup', inputHandler);
         input.addEventListener('change', inputHandler);
       });
-    if (form)
-      checkForm(form);
+      if (form) {
+        checkForm(form);
+      }
+    }
+    else {
+      // no input/select
+      var buttons = Array.prototype.slice.call(document.querySelectorAll('button[type="submit"]'));
+      if (buttons.length == 1) {
+        // single button, enable it
+        buttons[0].removeAttribute('disabled');
+      }
+    }
 
     // Add show/hide button to password field if the 'password-button' template is loaded
     Array.prototype.slice.call(document.querySelectorAll('input[type="password"]')).forEach(function (input) {

diff --git a/html/pfappserver/root/src/composables/useMeta.js b/html/pfappserver/root/src/composables/useMeta.js
@@ -166,6 +166,7 @@ export const useFormMetaSchema = (meta, schema) => {
 
         break
 
+      case 'integer':
       case 'string':
         schema = yup.string().nullable()
 

diff --git a/lib/pf/Switch/Juniper/Mist.def b/lib/pf/Switch/Juniper/Mist.def
@@ -17,6 +17,7 @@ EOT
 disconnect=<<EOT
 Calling-Station-Id = ${macToEUI48($mac)}
 NAS-IP-Address = $disconnectIp
+Acct-Session-Id = $last_accounting.acctsessionid
 EOT
 voip = <<EOT
 Tunnel-Medium-Type  = 6

diff --git a/lib/pf/Switch/PaloAlto/PanOS.def b/lib/pf/Switch/PaloAlto/PanOS.def
@@ -0,0 +1,12 @@
+# tested on 10.1.9 OS
+description=Palo Alto PAN-OS (template based)
+coa=
+cliAuthorizeWrite=PaloAlto-Admin-Role = read_write_role
+reject=
+disconnect=
+cliAuthorizeRead=PaloAlto-Admin-Role = read_only_role
+voip=
+acceptRole=
+bounce=
+acceptVlan=
+snmpDisconnect=disabled
diff --git a/lib/pf/Switch/Ubiquiti/Unifi.pm b/lib/pf/Switch/Ubiquiti/Unifi.pm
@@ -190,7 +190,7 @@ sub _connect {
     my $password = $self->{_wsPwd};
 
     my $ua = LWP::UserAgent->new();
-    $ua->cookie_jar({ file => "$var_dir/run/.ubiquiti.cookies.txt" });
+    $ua->cookie_jar({ file => "$var_dir/run/.ubiquiti.cookies.txt", autosave => 1, ignore_discard => 1});
     $ua->ssl_opts(verify_hostname => 0);
     $ua->timeout(10);
     $ua->default_header('Content-Type' => "application/json");
@@ -208,11 +208,18 @@ sub _connect {
         $base_url .= ":8443";
     }
 
-    $response = $ua->post($base_url.$login_path, Content => '{"username":"'.$username.'", "password":"'.$password.'"}');
+    my $cache = $self->cache;
 
-    unless($response->is_success) {
-        $logger->error("Can't login on the Unifi controller: ".$response->status_line);
-        die;
+    my $auth = $cache->get("Ubiquiti-" . $controllerIp ."-auth");
+    if (!defined($auth) || $auth == $FALSE) {
+        $response = $ua->post($base_url.$login_path, Content => '{"username":"'.$username.'", "password":"'.$password.'", "remember": "true"}');
+
+        unless($response->is_success) {
+            $logger->error("Can't login on the Unifi controller: ".$response->status_line);
+            $cache->set("Ubiquiti-" . $controllerIp ."-auth" , $FALSE );
+            die;
+        }
+        $cache->set("Ubiquiti-" . $controllerIp ."-auth" , $TRUE ,{ expires_in => "10m" } );
     }
     return ($ua, $base_url.$api_prefix);
 }

diff --git a/lib/pf/UnifiedApi/Controller/Translations.pm b/lib/pf/UnifiedApi/Controller/Translations.pm
@@ -40,7 +40,11 @@ sub list {
 sub resource {
     my ($self) = @_;
     my $translation_id = $self->stash('translation_id');
-    return exists $languages_list->{$translation_id};
+    if (exists $languages_list->{$translation_id}) {
+        return 1;
+    }
+
+    return $self->render_error(404, "Item ($translation_id) not found");
 }
 
 sub get {