T5735: Stunnel CLI and configuration

Add CLI commands
Add config
Add conf_mode
Add systemd config
Add stunnel smoketests
Add log level config

data/configd-include.json

@@ -80,6 +80,7 @@
 "service_salt-minion.py",
 "service_sla.py",
 "service_ssh.py",
+"service_stunnel.py",
 "service_tftp-server.py",
 "service_webproxy.py",
 "system_acceleration.py",

data/templates/stunnel/stunnel_config.j2

@@ -0,0 +1,118 @@
+; Autogenerated by service_stunnel.py
+
+; Example https://www.stunnel.org/config_unix.html#
+; **************************************************************************
+; * Global options                                                         *
+; **************************************************************************
+
+; PID file is created inside the chroot jail (if enabled)
+pid = {{ config_file | replace('.conf', '.pid') }}
+
+; Debugging stuff (may be useful for troubleshooting)
+;foreground = yes
+
+{% if log is vyos_defined %}
+debug = {{ log.level }}
+{% endif %}
+
+;output = /usr/local/var/log/stunnel.log
+
+
+; **************************************************************************
+; * Service definitions                                                    *
+; **************************************************************************
+
+; ***************************************** Client mode services ***********
+
+{% if client is vyos_defined %}
+{%     for name, config in client.items() %}
+[{{ name }}]
+client = yes
+{%         if config.listen.address is vyos_defined %}
+accept = {{ config.listen.address }}:{{ config.listen.port }}
+{%         else %}
+accept = {{ config.listen.port }}
+{%         endif %}
+{%         if config.connect is vyos_defined %}
+{%             if config.connect.address is vyos_defined %}
+connect = {{ config.connect.address }}:{{ config.connect.port }}
+{%             else %}
+connect = {{ config.connect.port }}
+{%             endif %}
+{%         endif %}
+{%         if config.protocol is vyos_defined %}
+protocol = {{ config.protocol }}
+{%         endif %}
+{%         if config.options is vyos_defined %}
+{%             if config.options.authentication is vyos_defined %}
+protocolAuthentication = {{ config.options.authentication }}
+{%             endif %}
+{%             if config.options.domain is vyos_defined %}
+protocolDomain = {{ config.options.domain }}
+{%             endif %}
+{%             if config.options.host is vyos_defined %}
+protocolHost = {{ config.options.host.address }}:{{ config.options.host.port }}
+{%             endif %}
+{%             if config.options.password is vyos_defined %}
+protocolPassword = {{ config.options.password }}
+{%             endif %}
+{%             if config.options.username is vyos_defined %}
+protocolUsername = {{ config.options.username }}
+{%             endif %}
+{%         endif %}
+{%         if config.ssl.ca_path is vyos_defined %}
+CApath = {{ config.ssl.ca_path }}
+{%         endif %}
+{%         if config.ssl.ca_file is vyos_defined %}
+CAfile = {{ config.ssl.ca_file }}
+{%         endif %}
+{%         if config.ssl.cert is vyos_defined %}
+cert = {{ config.ssl.cert }}
+{%         endif %}
+{%         if config.ssl.cert_key is vyos_defined %}
+key = {{ config.ssl.cert_key }}
+{%         endif %}
+{%         if config.psk.file is vyos_defined %}
+PSKsecrets = {{ config.psk.file }}
+{%         endif %}
+{%     endfor %}
+{% endif %}
+
+
+; ***************************************** Server mode services ***********
+
+{% if server is vyos_defined %}
+{%     for name, config in server.items() %}
+[{{ name }}]
+{%         if config.listen.address is vyos_defined %}
+accept = {{ config.listen.address }}:{{ config.listen.port }}
+{%         else %}
+accept = {{ config.listen.port }}
+{%         endif %}
+{%         if config.connect is vyos_defined %}
+{%             if config.connect.address is vyos_defined %}
+connect = {{ config.connect.address }}:{{ config.connect.port }}
+{%             else %}
+connect = {{ config.connect.port }}
+{%             endif %}
+{%         endif %}
+{%         if config.protocol is vyos_defined %}
+protocol = {{ config.protocol }}
+{%         endif %}
+{%         if config.ssl.ca_path is vyos_defined %}
+CApath = {{ config.ssl.ca_path }}
+{%         endif %}
+{%         if config.ssl.ca_file is vyos_defined %}
+CAfile = {{ config.ssl.ca_file }}
+{%         endif %}
+{%         if config.ssl.cert is vyos_defined %}
+cert = {{ config.ssl.cert }}
+{%         endif %}
+{%         if config.ssl.cert_key is vyos_defined %}
+key = {{ config.ssl.cert_key }}
+{%         endif %}
+{%         if config.psk.file is vyos_defined %}
+PSKsecrets = {{ config.psk.file }}
+{%         endif %}
+{%     endfor %}
+{% endif %}

interface-definitions/include/stunnel/address.xml.i

@@ -0,0 +1,20 @@
+<!-- include start from stunnel/address.xml.i -->
+<leafNode name="address">
+  <properties>
+    <help>Hostname or IP address</help>
+    <valueHelp>
+      <format>ipv4</format>
+      <description>IPv4 address</description>
+    </valueHelp>
+    <valueHelp>
+      <format>hostname</format>
+      <description>hostname</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ip-address"/>
+      <validator name="fqdn"/>
+    </constraint>
+    <constraintErrorMessage>Invalid FQDN or IP address</constraintErrorMessage>
+  </properties>
+</leafNode>
+<!-- include end -->

interface-definitions/include/stunnel/connect.xml.i

@@ -0,0 +1,11 @@
+<!-- include start from stunnel/connect.xml.i -->
+<node name="connect">
+  <properties>
+    <help>Connect to a remote address</help>
+  </properties>
+  <children>
+    #include <include/stunnel/address.xml.i>
+    #include <include/port-number.xml.i>
+  </children>
+</node>
+<!-- include end -->

interface-definitions/include/stunnel/listen.xml.i

@@ -0,0 +1,11 @@
+<!-- include start from stunnel/listen.xml.i -->
+<node name="listen">
+  <properties>
+    <help>Accept connections on specified address</help>
+  </properties>
+  <children>
+    #include <include/stunnel/address.xml.i>
+    #include <include/port-number.xml.i>
+  </children>
+</node>
+<!-- include end -->

interface-definitions/include/stunnel/protocol-options.xml.i

@@ -0,0 +1,75 @@
+<!-- include start from stunel/protocol-options.xml.i -->
+<node name="options">
+  <properties>
+    <help>Advanced protocol options</help>
+  </properties>
+  <children>
+    <leafNode name="authentication">
+      <properties>
+        <help>Authentication type for the protocol negotiations</help>
+          <completionHelp>
+            <list>basic ntlm plain login</list>
+          </completionHelp>
+          <valueHelp>
+            <format>basic</format>
+            <description>The default 'connect' authentication type</description>
+          </valueHelp>
+          <valueHelp>
+            <format>ntlm</format>
+            <description>Supported authentication types for the 'connect' protocol</description>
+          </valueHelp>
+          <valueHelp>
+            <format>plain</format>
+            <description>The default 'smtp' authentication type</description>
+          </valueHelp>
+          <valueHelp>
+            <format>login</format>
+            <description>Supported authentication types for the 'smtp' protocol</description>
+          </valueHelp>
+          <constraint>
+            <regex>(basic|ntlm|plain|login)</regex>
+          </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="domain">
+      <properties>
+        <help>Domain for the 'connect' protocol.</help>
+        <valueHelp>
+          <format>domain</format>
+          <description>domain</description>
+        </valueHelp>
+        <constraint>
+          <validator name="fqdn"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <node name="host">
+      <properties>
+        <help>Destination address for the 'connect' protocol</help>
+      </properties>
+      <children>
+        #include <include/stunnel/address.xml.i>
+        #include <include/port-number.xml.i>
+      </children>
+    </node>
+    <leafNode name="password">
+      <properties>
+        <help>Password for the protocol negotiations</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Authentication password</description>
+        </valueHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="username">
+      <properties>
+        <help>Username for the protocol negotiations</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Authentication username</description>
+        </valueHelp>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->

interface-definitions/include/stunnel/protocol-value-cifs.xml.i

@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-cifs.xml.i -->
+<valueHelp>
+  <format>cifs</format>
+  <description>Proprietary (undocummented) extension of CIFS protocol</description>
+</valueHelp>
+<!-- include end -->

interface-definitions/include/stunnel/protocol-value-connect.xml.i

@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-connect.xml.i -->
+<valueHelp>
+  <format>connect</format>
+  <description>Based on RFC 2817 - Upgrading to TLS Within HTTP/1.1, section 5.2 - Requesting a Tunnel with CONNECT</description>
+</valueHelp>
+<!-- include end -->

interface-definitions/include/stunnel/protocol-value-imap.xml.i

@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-imap.xml.i -->
+<valueHelp>
+  <format>imap</format>
+  <description>Based on RFC 2595 - Using TLS with IMAP, POP3 and ACAP</description>
+</valueHelp>
+<!-- include end -->

interface-definitions/include/stunnel/protocol-value-nntp.xml.i

@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-nntp.xml.i -->
+<valueHelp>
+  <format>nntp</format>
+  <description>Based on RFC 4642 - Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)</description>
+</valueHelp>
+<!-- include end -->

interface-definitions/include/stunnel/protocol-value-pgsql.xml.i

@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-pgsql.xml.i -->
+<valueHelp>
+  <format>pgsql</format>
+  <description>Based on PostgreSQL frontend/backend protocol</description>
+</valueHelp>
+<!-- include end -->

interface-definitions/include/stunnel/protocol-value-pop3.xml.i

@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-pop3.xml.i -->
+<valueHelp>
+  <format>pop3</format>
+  <description>Based on RFC 2449 - POP3 Extension Mechanism</description>
+</valueHelp>
+<!-- include end -->

interface-definitions/include/stunnel/protocol-value-proxy.xml.i

@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-proxy.xml.i -->
+<valueHelp>
+  <format>proxy</format>
+  <description>Passing of the original client IP address with HAProxy PROXY protocol version 1</description>
+</valueHelp>
+<!-- include end -->

interface-definitions/include/stunnel/protocol-value-smtp.xml.i

@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-smtp.xml.i -->
+<valueHelp>
+  <format>smtp</format>
+  <description>Based on RFC 2487 - SMTP Service Extension for Secure SMTP over TLS</description>
+</valueHelp>
+<!-- include end -->

interface-definitions/include/stunnel/protocol-value-socks.xml.i

@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-socks.xml.i -->
+<valueHelp>
+  <format>socks</format>
+  <description>SOCKS versions 4, 4a, and 5 are supported</description>
+</valueHelp>
+<!-- include end -->

interface-definitions/include/stunnel/psk.xml.i

@@ -0,0 +1,30 @@
+<!-- include start from stunnel/psk.xml.i -->
+<tagNode name="psk">
+  <properties>
+    <help>Pre-shared key name</help>
+  </properties>
+  <children>
+    <leafNode name="id">
+      <properties>
+        <help>ID for authentication</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>ID used for authentication</description>
+        </valueHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="secret">
+      <properties>
+        <help>pre-shared secret key</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>pre-shared secret key are required to be at least 16 bytes long, which implies at least 32 characters for hexadecimal key</description>
+        </valueHelp>
+        <constraint>
+          <validator name="psk-secret"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</tagNode>
+<!-- include end -->

interface-definitions/include/stunnel/ssl.xml.i

@@ -0,0 +1,11 @@
+<!-- include start from stunnel/ssl.xml.i -->
+<node name="ssl">
+  <properties>
+    <help>SSL Certificate, SSL Key and CA</help>
+  </properties>
+  <children>
+    #include <include/pki/ca-certificate.xml.i>
+    #include <include/pki/certificate.xml.i>
+  </children>
+</node>
+<!-- include end -->