Start splitting supplicant logic

src/Commands/GenDuid.php

@@ -61,7 +61,7 @@ final class GenDuid extends Command
         return implode(':', $bytes);
     }
 
-    private function getInstructions($id): string
+    private function getInstructions(string $id): string
     {
         return <<<EOF
 

src/Commands/Startup.php

@@ -8,6 +8,7 @@ use Pfatt\Service\Config;
 use Pfatt\Service\IfConfig;
 use Pfatt\Service\KldLoad;
 use Pfatt\Service\NgCtl;
+use Pfatt\Service\WpaCli;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputInterface;
@@ -18,18 +19,20 @@ final class Startup extends Command
 {
     protected static $defaultName = 'startup';
     protected static $defaultDescription = 'Start netgraph connetion';
-    protected Config $config;
+    private Config $config;
-    protected LoggerInterface $logger;
+    private LoggerInterface $logger;
-    protected NgCtl $ngControl;
+    private NgCtl $ngControl;
     private IfConfig $ifConfig;
     private KldLoad $kldLoad;
+    private WpaCli $wpaCli;
 
     public function __construct(
         Config $config,
         LoggerInterface $logger,
         NgCtl $ngControl,
         IfConfig $ifConfig,
-        KldLoad $kldLoad
+        KldLoad $kldLoad,
+        WpaCli $wpaCli
     ) {
         parent::__construct('startup');
         $this->config = $config;
@@ -37,6 +40,7 @@ final class Startup extends Command
         $this->ngControl = $ngControl;
         $this->ifConfig = $ifConfig;
         $this->kldLoad = $kldLoad;
+        $this->wpaCli = $wpaCli;
     }
 
     /**
@@ -74,6 +78,19 @@ final class Startup extends Command
                 $this->logger->info('OK!');
                 break;
         }
+        if ($this->config->getAuthMode() === 'bridge') {
+            $this->setupBridge();
+        }
+        else {
+            $this->setupSupplicant();
+        }
+        $this->logger->info("ngeth0 should now be available to configure as your pfSense WAN");
+        $this->logger->info("Done");
+        return Command::SUCCESS;
+    }
+
+    private function setupBridge(): void
+    {
         $this->ngControl->createBridge(
             $this->config->getOntInterface(),
             $this->config->getRgInterface(),
@@ -83,9 +100,34 @@ final class Startup extends Command
             $this->config->getOntInterface(),
             $this->config->getRgInterface()
         );
-        $this->logger->info("ngeth0 should now be available to configure as your pfSense WAN");
+    }
-        $this->logger->info("Done");
+
-        return Command::SUCCESS;
+    private function setupSupplicant(): void
+    {
+        $this->ngControl->setupWpaSupplicant(
+            $this->config->getOntInterface(),
+            $this->config->getRgInterface(),
+            $this->config->getRgEthernetMac()
+        );
+        $this->ifConfig->start(
+            $this->config->getOntInterface()
+        );
+        // @todo startup wpa_supplicant
+        $this->wpaCli->configureSupplicant($this->config->getRgEthernetMac());
+        // TODO do supplicant things. So many things.
+        $this->logger->notice('Waiting for EAP authorization...');
+        while ($this->wpaCli->status() !== 'Authorized') {
+            sleep(1);
+        }
+        $this->logger->notice('EAP authorization completed');
+        $ip = $this->ifConfig->getIp('ngeth0');
+        if ($ip === '0.0.0.0') {
+            // @todo restart DHCP?
+            // Is this really necessary or dhcpd resolve resolve itself?
+        }
+        $this->logger->info('IP address is ' . $ip);
+        $this->logger->info('ngeth0 should now be available to configure as your WAN');
+
     }
 
     /**

src/Service/Config.php

@@ -71,4 +71,15 @@ class Config
     {
         return $this->rgEthernetMac;
     }
+
+    /**
+     * Get authorization mode.
+     *
+     * @return string
+     */
+    public function getAuthMode(): string
+    {
+        // @todo detect the variant to trigger different behaviors.
+        return 'bridge';
+    }
 }

src/Service/IfConfig.php

@@ -16,23 +16,14 @@ class IfConfig
         $this->logger = $logger;
     }
 
-    public function start(string $ont, string $rg): void
+    public function start(string ...$interfaces): void
     {
-        $this->logger->info("   enabling $rg interface...");
+        foreach ($interfaces as $interface) {
-        $this->exec([$rg, 'up']);
+            $this->logger->info("   enabling $interface interface...");
-        $this->logger->info('OK!');
+            $this->exec([$interface, 'up']);
-
+            $this->exec([$interface, 'promisc']);
-        $this->logger->info("   enabling $ont interface...");
+            $this->logger->info('OK!');
-        $this->exec([$ont, 'up"']);
+        }
-        $this->logger->info('OK!');
-
-        $this->logger->info("   enabling promiscuous mode on $rg...");
-        $this->exec([$rg, 'promisc']);
-        $this->logger->info('OK!');
-
-        $this->logger->info("   enabling promiscuous mode on $ont...");
-        $this->exec([$ont, 'promisc']);
-        $this->logger->info('OK!');
     }
 
     public function stop(string $ont, string $rg): void
@@ -49,9 +40,21 @@ class IfConfig
      * @return bool
      *   True on success, false on failure.
      */
-    private function exec(array $args): bool
+    private function exec(array $args, ?callable $callback = null): bool
     {
         $process = new Process(['/sbin/ifconfig', ...$args], '/tmp');
-        return !$process->run();
+        return !$process->run($callback);
+    }
+
+    public function getIp(string $interface): string
+    {
+        $ip = '';
+        $this->exec([$interface], function (string $type, string $buffer) use (&$ip) {
+            if ($type === Process::OUT
+                && str_contains($buffer, 'inet ')) {
+                [, $ip] = explode(' ', $buffer);
+            }
+        });
+        return $ip;
     }
 }

src/Service/NgCtl.php

@@ -4,11 +4,10 @@ declare(strict_types=1);
 
 namespace Pfatt\Service;
 
-use Psr\Log\LoggerAwareInterface;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\Process\Process;
 
-class NgCtl implements LoggerAwareInterface
+class NgCtl
 {
     private LoggerInterface $logger;
 
@@ -42,7 +41,13 @@ class NgCtl implements LoggerAwareInterface
     public function ngConnect(): void
     {
         $this->logger->info('Connecting netgraph node ...');
-        $this->exec(['connect', 'waneapfilter:', 'laneapfilter:', 'eapout', 'eapout']) ?
+        $this->exec([
+            'connect',
+            'waneapfilter:',
+            'laneapfilter:',
+            'eapout',
+            'eapout'
+        ]) ?
             $this->logger->info('OK!') :
             $this->logger->error('ERROR!');
     }
@@ -56,7 +61,6 @@ class NgCtl implements LoggerAwareInterface
      *   Residential Gateway network connection interface.
      * @param string $rgMac
      *   Residential Gateway MAC address.
-     * @return void
      */
     public function createBridge(string $ont, string $rg, string $rgMac): void
     {
@@ -140,6 +144,14 @@ class NgCtl implements LoggerAwareInterface
         $this->logger->info('OK!');
     }
 
+    /**
+     * Remove nodes.
+     *
+     * @param string $ont
+     *   ONT network connection interface.
+     * @param string $rg
+     *   Residential Gateway network connection interface.
+     */
     public function removeNodes(string $ont, string $rg): void
     {
         $this->exec(['shutdown', 'waneapfilter:']);
@@ -151,6 +163,30 @@ class NgCtl implements LoggerAwareInterface
         $this->exec(['shutdown', 'ngeth0:']);
     }
 
+    /**
+     * Setup connections fo WPA supplicant.
+     *
+     * @param string $ont
+     *   ONT network connection interface.
+     * @param string $rg
+     *   Residential Gateway network connection interface.
+     * @param string $rgMac
+     *   Residential Gateway MAC address.
+     */
+    public function setupWpaSupplicant(
+        string $ont,
+        string $rg,
+        string $rgMac
+    ): void {
+        $this->logger->info('Creating vlan node and ngeth0 interface.');
+        $this->exec(['mkpeer', $ont . ':', 'vlan', 'lower', 'donstream']);
+        $this->exec(['name', $ont . ':lower', 'vlan0']);
+        $this->exec(['mkpeer', 'vlan0:', 'eiface', 'vlan0', 'ether']);
+        $this->exec(['msg vlan: \'addfilter { vlan=0 hook="vlan0" }']);
+        $this->exec(['msg', 'ngeth0:', 'set', $rgMac]);
+        $this->logger->info('OK!');
+    }
+
     /**
      * Run a ngctl command.
      *
@@ -165,12 +201,4 @@ class NgCtl implements LoggerAwareInterface
         $process = new Process(['/usr/sbin/ngctl', ...$args], '/tmp');
         return !$process->run();
     }
-
-    /**
-     * {@inheritDoc}
-     */
-    public function setLogger(LoggerInterface $logger): void
-    {
-        $this->logger = $logger;
-    }
 }

src/Service/WpaCli.php

@@ -0,0 +1,78 @@
+<?php
+
+namespace Pfatt\Service;
+
+use Symfony\Component\Process\Process;
+
+class WpaCli
+{
+    const CA_LOCATION = '/conf/pfatt/wpa/ca.pem';
+    const CLIENT_CERT_LOCATION = '/conf/pfatt/wpa/client.pem';
+    const PRIVATE_KEY_LOCATION = '/conf/pfatt/wpa/private.pem';
+
+    /**
+     * Setup configuration of wpa_supplicant.
+     *
+     * @param string $rgMac
+     *   Residential Gateway MAC address.
+     */
+    public function configureSupplicant(string $rgMac): void
+    {
+        $this->exec(['set', 'eapol_version', '2']);
+        $this->exec(['set', 'fast_reauth', '1']);
+        $this->exec(['ap_scan', '0']);
+        $this->exec(['add_network']);
+        $this->exec([
+            'set_network',
+            '0',
+            'ca_cert',
+            '"' . self::CA_LOCATION . '"'
+        ]);
+        $this->exec([
+            'set_network',
+            '0',
+            'client_cert',
+            '"' . self::CLIENT_CERT_LOCATION . '"'
+        ]);
+        $this->exec(['set_network', '0', 'eap', 'TLS']);
+        $this->exec(['set_network', '0', 'eapol_flags', '0']);
+        $this->exec(['set_network', '0', 'identity', '"' . $rgMac . '"']);
+        $this->exec(['set_network', '0', 'key_mgmt', 'IEEE8021X']);
+        $this->exec(['set_network', '0', 'phase1', '"allow_canned_success=1"']);
+        $this->exec([
+            'set_network',
+            '0',
+            'private_key',
+            '"' . self::PRIVATE_KEY_LOCATION . '"'
+        ]);
+        $this->exec(['enable_network', '0']);
+    }
+
+    public function status(): string
+    {
+        $status = '';
+        $this->exec(['status'],
+            function (string $type, string $buffer) use (&$status) {
+                if ($type === Process::OUT
+                    && str_contains($buffer, 'suppPortStatus')) {
+                    [, $status] = explode('=', $buffer);
+                }
+            });
+        return $status;
+    }
+
+    /**
+     * Run a wpa_cli command.
+     *
+     * @param array<int, string> $args
+     *   Additional arguments to pass to ngctl.
+     *
+     * @return bool
+     *   True on success, false on failure.
+     */
+    private function exec(array $args, ?callable $callback = null): bool
+    {
+        $process = new Process(['/usr/sbin/wpa_cli', ...$args], '/tmp');
+        return !$process->run($callback);
+    }
+}