diff --git a/docker/routlin-dash/app/factory.py b/docker/routlin-dash/app/factory.py
index 8cd84dc..543e2a7 100644
--- a/docker/routlin-dash/app/factory.py
+++ b/docker/routlin-dash/app/factory.py
@@ -38,9 +38,10 @@ VALIDATION_FLAGS = {
 'VALIDATION_DOMAIN_NAME': 1 << 9,
 'VALIDATION_TIME24H': 1 << 10,
 'VALIDATION_RANGE_INT': 1 << 11,
- 'VALIDATION_ENDPOINT': 1 << 12,
- 'VALIDATION_IPV4_CIDR': 1 << 13,
- 'VALIDATION_UNRESTRICTED': 1 << 14,
+ 'VALIDATION_IPV4_CIDR': 1 << 12,
+ 'VALIDATION_IPV4_CIDRFLEX': 1 << 13,
+ 'VALIDATION_UNRESTRICTED': 1 << 14,
+ 'VALIDATION_IP_OR_DOMAIN_NAME': 1 << 15,
 }

 def _restricted_vlan_subnets():
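Review bot: `VALIDATION_IPV4_CIDR` moves from bit 13 to bit 12 and bit 13 is reassigned to the looser `VALIDATION_IPV4_CIDRFLEX`, so anything that carries the numeric value rather than the name silently gets a different validator. The `_checkLine` JavaScript in the next hunk of this file tests the masks as literals (`validation&4096`, `validation&8192`, `validation&32768`) and has to be kept in step by hand. Keeping existing bits stable and appending new flags at the next free bit would avoid that, or at least add `# Bit values are mirrored as literals in _checkLine; change both together.` above the table. Any page that still names `VALIDATION_ENDPOINT` will no longer resolve if the lookup is by key, which this diff does not show.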
@@ -200,9 +201,10 @@ function _checkLine(s){ if(validation&512){t=_acc(_checkDomain(s));if(t)return t;} if(validation&1024){t=_acc(function(){if(!s)return _par('');if(/[^0-9:]/.test(s))return _err('Digits and colon only');if(s.length<5)return _par('');return /^([01]\d|2[0-3]):[0-5]\d$/.test(s)?_ok():_err('Must be HH:MM in 24-hour format (e.g. 02:30)');}());if(t)return t;} if(validation&2048){t=_acc(function(){if(s===''||s===null||s===undefined)return _par('');if(/[^0-9]/.test(s))return _err('Digits only');var n=parseInt(s,10);var mn=(arg1!==''&&arg1!=null)?parseInt(arg1,10):0;var mx=(arg2!==''&&arg2!=null)?parseInt(arg2,10):null;if(nmx)){if(mn!=null&&mx!==null)return _err('Must be between '+mn+' and '+mx);return mn!=null?_err('Must be >= '+mn):_err('Must be <= '+mx);}return _ok();}());if(t)return t;} - if(validation&4096){t=_acc(function(){if(!s)return _par('');if(/^[0-9.]+$/.test(s)){var rv=_ipv4(s);return rv==='ok'?_ok():(rv==='partial'||rv==='empty')?_par(''):_err('Invalid character');}if(s.indexOf(':')!==-1){var cc=(s.match(/:/g)||[]).length;if(cc>1){if(/:::/.test(s)||(s.match(/::/g)||[]).length>1)return _err('Invalid hostname or IP');if(/[^0-9a-fA-F:.]/.test(s))return _err('Invalid character');var col=s.replace(/[^:]/g,'').length;return(s.indexOf('::')!==-1||col===7)?_ok():_par('');}return _checkDomain(s.slice(0,s.lastIndexOf(':')));}return _checkDomain(s);}());if(t)return t;} - if(validation&8192){t=_acc(function(){if(!s)return _par('');var slash=s.indexOf('/');if(slash===-1){var rv=_ipv4(s);return rv==='ok'?_ok():(rv==='partial'||rv==='empty')?_par(''):(rv==='badchar'?_err('Invalid character'):rv==='badrange'?_err('Octet out of range'):_err('Invalid format'));}var rv=_ipv4(s.slice(0,slash));if(rv!=='ok')return rv==='badchar'?_err('Invalid character'):rv==='badrange'?_err('Octet out of range'):_par('');var pfx=s.slice(slash+1);if(!pfx)return _par('');if(/[^0-9]/.test(pfx))return _err('Invalid character');var n=parseInt(pfx,10);if(n<0||n>32)return _err('Prefix 
must be 0-32');var ip=s.slice(0,slash).split('.').map(Number);var ipN=((ip[0]<<24)|(ip[1]<<16)|(ip[2]<<8)|ip[3])>>>0;var mB=n===0?0:((0xFFFFFFFF<<(32-n))>>>0);return((ipN&(~mB>>>0))!==0)?_err('Host bits must be zero'):_ok();}());if(t)return t;} + if(validation&4096){t=_acc(function(){if(!s)return _par('');var slash=s.indexOf('/');if(slash===-1){var rv=_ipv4(s);return(rv==='ok'||rv==='partial'||rv==='empty')?_par(''):(rv==='badchar'?_err('Invalid character'):rv==='badrange'?_err('Octet out of range'):_err('Invalid format'));}var rv=_ipv4(s.slice(0,slash));if(rv!=='ok')return rv==='badchar'?_err('Invalid character'):rv==='badrange'?_err('Octet out of range'):_par('');var pfx=s.slice(slash+1);if(!pfx)return _par('');if(/[^0-9]/.test(pfx))return _err('Invalid character');var n=parseInt(pfx,10);if(n<0||n>32)return _err('Prefix must be 0-32');var ip=s.slice(0,slash).split('.').map(Number);var ipN=((ip[0]<<24)|(ip[1]<<16)|(ip[2]<<8)|ip[3])>>>0;var mB=n===0?0:((0xFFFFFFFF<<(32-n))>>>0);return((ipN&(~mB>>>0))!==0)?_err('Host bits must be zero'):_ok();}());if(t)return t;} + if(validation&8192){t=_acc(function(){if(!s)return _par('');var slash=s.indexOf('/');if(slash===-1){var rv=_ipv4(s);if(rv==='ok'){var lo=parseInt(s.split('.')[3],10);return lo===0?_par(''):_ok();}return(rv==='partial'||rv==='empty')?_par(''):(rv==='badchar'?_err('Invalid character'):rv==='badrange'?_err('Octet out of range'):_err('Invalid format'));}var rv=_ipv4(s.slice(0,slash));if(rv!=='ok')return rv==='badchar'?_err('Invalid character'):rv==='badrange'?_err('Octet out of range'):_par('');var pfx=s.slice(slash+1);if(!pfx)return _par('');if(/[^0-9]/.test(pfx))return _err('Invalid character');var n=parseInt(pfx,10);if(n<0||n>32)return _err('Prefix must be 0-32');var ip=s.slice(0,slash).split('.').map(Number);var ipN=((ip[0]<<24)|(ip[1]<<16)|(ip[2]<<8)|ip[3])>>>0;var mB=n===0?0:((0xFFFFFFFF<<(32-n))>>>0);return((ipN&(~mB>>>0))!==0)?_err('Host bits must be zero'):_ok();}());if(t)return t;} 
if(validation&16384){t=_acc(function(){if(!s)return _par('');var rv=_ipv4(s);if(rv!=='ok')return _par('');if(!collisions||!collisions.length)return _ok();var ip=s.split('.').map(Number);var ipN=((ip[0]<<24)|(ip[1]<<16)|(ip[2]<<8)|ip[3])>>>0;for(var i=0;i>>0;var pfx=parseInt(sp[1],10);var mB=pfx===0?0:((0xFFFFFFFF<<(32-pfx))>>>0);if((ipN&mB)===(netN&mB))return _err('IP is on a restricted VLAN');}return _ok();}());if(t)return t;} + if(validation&32768){t=_acc(function(){if(!s)return _par('');if(/^[0-9.]+$/.test(s)){var rv=_ipv4(s);return rv==='ok'?_ok():(rv==='partial'||rv==='empty')?_par(''):_err('Invalid character');}if(s.indexOf(':')!==-1){var cc=(s.match(/:/g)||[]).length;if(cc>1){if(/:::/.test(s)||(s.match(/::/g)||[]).length>1)return _err('Invalid hostname or IP');if(/[^0-9a-fA-F:.]/.test(s))return _err('Invalid character');var col=s.replace(/[^:]/g,'').length;return(s.indexOf('::')!==-1||col===7)?_ok():_par('');}return _checkDomain(s.slice(0,s.lastIndexOf(':')));}return _checkDomain(s);}());if(t)return t;} return anyPartial?_par(''):_err(firstMsg||'Invalid'); } var lines=value.split('\n'),hasPartial=false,seen={},hasContent=false;
diff --git a/docker/routlin-dash/app/license.py b/docker/routlin-dash/app/license.py
index 9afbfde..5b6c1b9 100644
--- a/docker/routlin-dash/app/license.py
+++ b/docker/routlin-dash/app/license.py
@@ -1,2 +1,2 @@
 def is_pro():
- return False
+ return True
diff --git a/docker/routlin-dash/app/pages/intervlan/content.json b/docker/routlin-dash/app/pages/intervlan/content.json
index 59c6108..1c4348f 100644
--- a/docker/routlin-dash/app/pages/intervlan/content.json
+++ b/docker/routlin-dash/app/pages/intervlan/content.json
@@ -103,7 +103,7 @@
 "label": "Source",
 "name": "src_ip_or_subnet",
 "input_type": "text",
- "validate": "VALIDATION_IPV4_CIDR",
+ "validate": "VALIDATION_IPV4_CIDRFLEX",
 "placeholder": "e.g. 192.168.20.100 or 192.168.20.0/24",
 "hint": "You may allow either a single device IP or an entire subnet to contact dest."
 },
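Review bot: The new `validation&8192` (CIDRFLEX) branch accepts a bare host address as well as a CIDR, and the inter-VLAN source and destination fields switch to it in this commit; these checks run in the browser, so the handler that saves those fields needs the same parse on the server (not visible in this diff) before the value is used in a rule. In both CIDR branches the prefix is checked with `parseInt(pfx,10)` after a digits-only test, so `/024` or `/00000` pass as 24 and 0; a length guard such as `if(pfx.length>2)return _err('Prefix must be 0-32');` would reject them. A complete address ending in `.0` stays in the partial state with no message, so a short hint that a `/prefix` is expected there would help.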
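Review bot: `is_pro()` now returns `True` unconditionally, which turns every Pro license gate into a no-op for all installs, including the check in `auth_mode_save` that flashes 'This authentication mode requires a Routlin Pro license.' and, presumably, the `PRO_LICENSE` handling in radius/view.py. If this is a local development override it looks committed by accident; keep `return False` here and drive any override from deployment configuration or the real license check. If the change is intentional, the function deserves a docstring saying so, e.g. `"""Return True: Pro features are enabled for all installs (no license check)."""`.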
@@ -112,7 +112,7 @@ "label": "Destination", "name": "dst_ip_or_subnet", "input_type": "text", - "validate": "VALIDATION_IPV4_CIDR", + "validate": "VALIDATION_IPV4_CIDRFLEX", "placeholder": "e.g. 192.168.10.200 or 192.168.10.0/24", "hint": "You may allow either a single device IP or an entire subnet to be reached by source." } diff --git a/docker/routlin-dash/app/pages/radius/action.py b/docker/routlin-dash/app/pages/radius/action.py index 688ece8..61c56e9 100644 --- a/docker/routlin-dash/app/pages/radius/action.py +++ b/docker/routlin-dash/app/pages/radius/action.py @@ -66,9 +66,17 @@ def auth_mode_save(): flash('This authentication mode requires a Routlin Pro license.', 'error') return redirect(f'/{_PAGE}') + eap_protocol = request.form.get('eap_protocol', 'eap_peap') + if eap_protocol not in ('eap_peap', 'eap_ttls', 'eap_md5'): + eap_protocol = 'eap_peap' + cfg = load_config() before = copy.deepcopy(cfg.get('radius', {}).get('options', {})) after = {**before, 'auth_mode': auth_mode} + if auth_mode == 'eap_password': + after['eap_protocol'] = eap_protocol + else: + after.pop('eap_protocol', None) cfg.setdefault('radius', {})['options'] = after changes = diff_fields(before, after) diff --git a/docker/routlin-dash/app/pages/radius/content.json b/docker/routlin-dash/app/pages/radius/content.json index e0b70d6..a842d16 100644 --- a/docker/routlin-dash/app/pages/radius/content.json +++ b/docker/routlin-dash/app/pages/radius/content.json @@ -201,7 +201,7 @@ }, { "type": "card", - "label": "Extensible Authentication Protocol (EAP)", + "label": "Authentication Mode", "client_requirement": "client_is_administrator+", "items": [ { @@ -225,6 +225,23 @@ "options": "%RADIUS_AUTH_MODE_OPTIONS%", "hint": "_" }, + { + "type": "raw_html", + "html": "
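Review bot: The allowlist added at the top of the radius/action.py hunk accepts `eap_md5`, and radius/view.py offers it in the dropdown as 'EAP-MD5'. EAP-MD5 provides no server authentication and no keying material, and its challenge/response is exposed to offline password guessing by anyone who can observe the exchange, so it is a poor choice for a username/password mode next to PEAP and TTLS; consider dropping it from the tuple, `if eap_protocol not in ('eap_peap', 'eap_ttls'):`, or marking it as legacy in the label. An unexpected value is also silently coerced to `eap_peap`, whereas the Pro check just above flashes an error and redirects; rejecting the same way would make a tampered or stale form visible. `auth_mode_save` starts before and continues after this hunk.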
" + }, + { + "type": "field", + "label": "Username/Password Protocol", + "name": "eap_protocol", + "input_type": "select", + "value": "%RADIUS_EAP_PROTOCOL%", + "options": "%RADIUS_EAP_PROTOCOL_OPTIONS%", + "hint": "_" + }, + { + "type": "raw_html", + "html": "
" + }, { "type": "button_row", "items": [ diff --git a/docker/routlin-dash/app/pages/radius/view.py b/docker/routlin-dash/app/pages/radius/view.py index 9c23a92..52b886a 100644 --- a/docker/routlin-dash/app/pages/radius/view.py +++ b/docker/routlin-dash/app/pages/radius/view.py @@ -68,7 +68,13 @@ def collect_tokens(cfg): fr_opts = fr.get('options', {}) fr_gen = fr.get('general', {}) tokens['RADIUS_MAC_FORMAT'] = fr_opts.get('mac_format', 'aabbccddeeff') - tokens['RADIUS_AUTH_MODE'] = fr_opts.get('auth_mode', 'mab') + tokens['RADIUS_AUTH_MODE'] = fr_opts.get('auth_mode', 'mab') + tokens['RADIUS_EAP_PROTOCOL'] = fr_opts.get('eap_protocol', 'eap_peap') + tokens['RADIUS_EAP_PROTOCOL_OPTIONS'] = json.dumps([ + {'value': 'eap_peap', 'label': 'EAP-PEAP'}, + {'value': 'eap_ttls', 'label': 'EAP-TTLS'}, + {'value': 'eap_md5', 'label': 'EAP-MD5'}, + ]) pro_suffix = '' if PRO_LICENSE else ' (PRO REQUIRED)' pro_disabled = not PRO_LICENSE tokens['RADIUS_AUTH_MODE_OPTIONS'] = json.dumps([ diff --git a/docker/routlin-dash/app/pages/vpn/content.json b/docker/routlin-dash/app/pages/vpn/content.json index ccd6946..1259d84 100644 --- a/docker/routlin-dash/app/pages/vpn/content.json +++ b/docker/routlin-dash/app/pages/vpn/content.json @@ -208,7 +208,7 @@ "label": "Server Endpoint", "name": "vpn_server_endpoint", "input_type": "text", - "validate": "VALIDATION_ENDPOINT", + "validate": "VALIDATION_IP_OR_DOMAIN_NAME", "value": "%VPN_SERVER_ENDPOINT%", "placeholder": "e.g. vpn.example.com", "hint": "Publicly reachable hostname or IP of this server, embedded in client config files."
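Review bot: The option list built for `RADIUS_EAP_PROTOCOL_OPTIONS` in radius/view.py repeats the three values that `auth_mode_save` in radius/action.py checks against its own tuple, so the dropdown and the server-side allowlist can drift apart. A single module-level constant shared by both, for example `EAP_PROTOCOLS = ('eap_peap', 'eap_ttls', 'eap_md5')` (name constructed here), would keep them in sync. `RADIUS_EAP_PROTOCOL` is also read from stored config without being checked against that list, so a hand-edited value would render a select with no matching option. `collect_tokens` starts before and continues after this hunk.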