Permission 'VPN: IPsec: Edit Pre-Shared Keys' not working as expected

Started by hasp, March 28, 2025, 10:42:07 AM

Hi there,

I want to allow a limited user to just set up IPsec tunnels.
The permission to edit Pre-Shared Keys is granted, but the menu item is missing.

Using the direct link (ui/ipsec/pre_shared_keys/) is not working; the user is redirected to the dashboard.
If I remove the trailing slash an empty page shows up, but no existing keys are shown and no new keys can be set up.

After searching the forums I found a hint that there could be an issue with the ACLs.
So I modified the relevant ACL.xml to match the URLs involved to resolve this problem, but my changes got killed by the last update :(

IPSec/ACL/ACL.xml
        <name>VPN: IPsec: Edit Pre-Shared Keys</name>
        <patterns>
            <pattern>ui/ipsec/pre_shared_keys</pattern>
            <pattern>api/ipsec/pre_shared_keys</pattern>
        </patterns>

vs. URL in the menu with trailing slash

IPsec/Menu/Menu.xml
            <Keys order="30" VisibleName="Pre-Shared Keys" url="/ui/ipsec/pre_shared_keys/"/>
            <KeyPairs order="40" VisibleName="Key Pairs" url="/ui/ipsec/key_pairs" />
            <Settings order="50" VisibleName="Mobile &amp; Advanced Settings" url="/ui/ipsec/connections/settings"/>
            <Status order="60" VisibleName="Status Overview" url="/ui/ipsec/sessions"/>

My changes:
        <name>VPN: IPsec: Edit Pre-Shared Keys</name>
        <patterns>
            <pattern>ui/ipsec/pre_shared_keys/*</pattern>
            <pattern>api/ipsec/pre_shared_keys/*</pattern>
        </patterns>

Maybe this behavior is related to outstanding changes regarding the old MVC (https://github.com/opnsense/core/issues/8306#issuecomment-2649006697)

Thanks in advance!


Hi hasp,

Thanks for the report. To me it looks like this is what you're looking for?

https://github.com/opnsense/core/commit/51a5118d6e2


Cheers,
Franco

Hi again,

I think I hit another one ...
My limited user is not able to apply changes after a new connection is created or an existing one is modified.
The relevant API endpoint seems to be `api/ipsec/service/reconfigure`, but there is no ACL for that at all.

IMHO that should/could be added to the `VPN: IPsec: Connections` permission.

What do you think?!

PS: is there a CLI command to reload the ACLs after manual modification? ATM I just restart the system.
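Both problems in this thread (the ACL pattern without a trailing slash, and an API endpoint that no permission covers) come down to the same check: does some pattern in ACL.xml match every URL a limited user needs? Below is an added example, not OPNsense's own code, that parses an ACL.xml-style document and reports uncovered URLs. It assumes a plain glob matcher (Python's fnmatch) after stripping the leading slash, which is a simplification of whatever OPNsense actually does, and the element names and URL list are constructed from the snippets quoted above.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the ACL.xml fragments quoted in the thread.
# The entry element names are placeholders, not OPNsense's real keys.
ACL_XML = """<acl>
  <page-vpn-ipsec-psk>
    <name>VPN: IPsec: Edit Pre-Shared Keys</name>
    <patterns>
      <pattern>ui/ipsec/pre_shared_keys</pattern>
      <pattern>api/ipsec/pre_shared_keys</pattern>
    </patterns>
  </page-vpn-ipsec-psk>
  <page-vpn-ipsec-connections>
    <name>VPN: IPsec: Connections</name>
    <patterns>
      <pattern>ui/ipsec/connections*</pattern>
      <pattern>api/ipsec/connections*</pattern>
    </patterns>
  </page-vpn-ipsec-connections>
</acl>"""

# URLs a limited user touches: menu entries from the thread plus the apply endpoint.
URLS = [
    "/ui/ipsec/pre_shared_keys/",
    "/ui/ipsec/connections/settings",
    "api/ipsec/service/reconfigure",
]


def load_permissions(acl_xml):
    """Return {permission name: [glob patterns]} from an ACL.xml-style document."""
    root = ET.fromstring(acl_xml)
    return {
        entry.findtext("name"): [p.text.strip() for p in entry.iter("pattern")]
        for entry in root
    }


def url_allowed(url, patterns):
    """Assumed matcher: strip the leading slash, then plain glob semantics."""
    path = url.lstrip("/")
    return any(fnmatch.fnmatchcase(path, pat) for pat in patterns)


def uncovered_urls(acl_xml, urls):
    """URLs that no permission in the ACL grants; each one locks out a limited user."""
    perms = load_permissions(acl_xml)
    return [u for u in urls
            if not any(url_allowed(u, pats) for pats in perms.values())]


if __name__ == "__main__":
    for url in uncovered_urls(ACL_XML, URLS):
        print("no ACL pattern covers:", url)
```

With the sample data the trailing-slash menu URL and the reconfigure endpoint are reported, matching the two failures described in the thread.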

> PS: is there a CLI command to reload the ACLs after manual modification? ATM I just restart the system.

# rm /tmp/opnsense_acl_cache.json

I'll take a look at the other thing.


Cheers,
Franco

# opnsense-patch https://github.com/opnsense/core/commit/54fed30c

(opnsense-patch takes care of clearing the cache files for you)


Cheers,
Franco


Thanks Franco,

I'll check/test.

Apply changes works now - Perfect!

Best regards from Merseburg ;)

Hehe, greetings from a neighbour then :)

PS: Apparently very few people use IPsec in role-based setups, but no reason not to fix it.