schema: extend ieee802.1x schema support

Signed-off-by: John Crispin <john@phrozen.org>

renderer/templates/services/ieee8021x.uc

@@ -6,6 +6,19 @@
 
 # IEEE8021x service configuration
 
+add ieee8021x certificates
+{% if (ieee8021x.use_local_certificates): %}
+{%   cursor.load("system") %}
+{%   let certs = cursor.get_all("system", "@certificates[-1]") %}
+set ieee8021x.@certificates[-1].ca={{ s(certs.ca) }}
+set ieee8021x.@certificates[-1].cert={{ s(certs.cert) }}
+set ieee8021x.@certificates[-1].key={{ s(certs.key) }}
+{% else %}
+set ieee8021x.@certificates[-1].ca={{ s(ieee8021x.ca_certificate) }}
+set ieee8021x.@certificates[-1].cert={{ s(ieee8021x.server_certificate) }}
+set ieee8021x.@certificates[-1].key={{ s(ieee8021x.private_key) }}
+{% endif %}
+
 {% for (let interface in interfaces): %}
 {%   let name = ethernet.calculate_name(interface) %}
 add ieee8021x network
@@ -20,3 +33,8 @@ set network.@device[-1].name={{ s(port) }}
 set network.@device[-1].auth='1'
 {%  endfor %}
 {% endfor %}
+{% let user_file = fs.open("/var/run/hostapd-ieee8021x.eap_user", "w");
+   for (let user in ieee8021x.users)
+     user_file.write('"' + user.user_name + '"\tPWD\t"' + user.password + '"\n');
+   user_file.write('* TLS,TTLS\n');
+   user_file.close();%}

schema/service.ieee8021x.yml

@@ -2,8 +2,27 @@ description:
   This section allows enabling wired ieee802.1X
 type: object
 properties:
-  enable:
+  ca-certificate:
     description:
-      This option defines if ieee8021x shall be enabled on the device.
+       The local servers CA bundle.
+    type: string
+  use-local-certificates:
+    description:
+      The device will use its local certificate bundle for the Radius server and
+      ignore all other certificate options in this section.
     type: boolean
     default: false
+  server-certificate:
+    description:
+       The local servers certificate.
+    type: string
+  private-key:
+    description:
+      The local servers private key/
+    type: string
+  users:
+    description:
+      Specifies a collection of local EAP user/psk/vid triplets.
+    type: array
+    items:
+      $ref: "https://ucentral.io/schema/v1/interface/ssid/radius/local-user/"

schemareader.uc

@@ -3649,18 +3649,66 @@ function instantiateServiceIeee8021x(location, value, errors) {
 	if (type(value) == "object") {
 		let obj = {};
 
-		function parseEnable(location, value, errors) {
+		function parseCaCertificate(location, value, errors) {
+			if (type(value) != "string")
+				push(errors, [ location, "must be of type string" ]);
+
+			return value;
+		}
+
+		if (exists(value, "ca-certificate")) {
+			obj.ca_certificate = parseCaCertificate(location + "/ca-certificate", value["ca-certificate"], errors);
+		}
+
+		function parseUseLocalCertificates(location, value, errors) {
 			if (type(value) != "bool")
 				push(errors, [ location, "must be of type boolean" ]);
 
 			return value;
 		}
 
-		if (exists(value, "enable")) {
-			obj.enable = parseEnable(location + "/enable", value["enable"], errors);
+		if (exists(value, "use-local-certificates")) {
+			obj.use_local_certificates = parseUseLocalCertificates(location + "/use-local-certificates", value["use-local-certificates"], errors);
 		}
 		else {
-			obj.enable = false;
+			obj.use_local_certificates = false;
+		}
+
+		function parseServerCertificate(location, value, errors) {
+			if (type(value) != "string")
+				push(errors, [ location, "must be of type string" ]);
+
+			return value;
+		}
+
+		if (exists(value, "server-certificate")) {
+			obj.server_certificate = parseServerCertificate(location + "/server-certificate", value["server-certificate"], errors);
+		}
+
+		function parsePrivateKey(location, value, errors) {
+			if (type(value) != "string")
+				push(errors, [ location, "must be of type string" ]);
+
+			return value;
+		}
+
+		if (exists(value, "private-key")) {
+			obj.private_key = parsePrivateKey(location + "/private-key", value["private-key"], errors);
+		}
+
+		function parseUsers(location, value, errors) {
+			if (type(value) == "array") {
+				return map(value, (item, i) => instantiateInterfaceSsidRadiusLocalUser(location + "/" + i, item, errors));
+			}
+
+			if (type(value) != "array")
+				push(errors, [ location, "must be of type array" ]);
+
+			return value;
+		}
+
+		if (exists(value, "users")) {
+			obj.users = parseUsers(location + "/users", value["users"], errors);
 		}
 
 		return obj;

ucentral.schema.json

@@ -1428,9 +1428,24 @@
         "service.ieee8021x": {
             "type": "object",
             "properties": {
-                "enable": {
+                "ca-certificate": {
+                    "type": "string"
+                },
+                "use-local-certificates": {
                     "type": "boolean",
                     "default": false
+                },
+                "server-certificate": {
+                    "type": "string"
+                },
+                "private-key": {
+                    "type": "string"
+                },
+                "users": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/$defs/interface.ssid.radius.local-user"
+                    }
                 }
             }
         },