diff --git a/README.md b/README.md index 51d8b30..5567219 100644 --- a/README.md +++ b/README.md @@ -18,16 +18,22 @@ Supported authentication methods: - Client certificate auth - Both of them -| Name | Description | Required when | -|----------------|-----------------------------------------------|-------------------------| -| `username` | Username | Username-password auth | -| `password` | Password | Username-password auth | -| `client_key` | Local peer's private key | Client certificate auth | -| `tls_auth_key` | Pre-shared secret for TLS-auth HMAC signature | Optional | - -**Note: It is strongly recommended that you provide all credentials +| Name | Description | Required when | +|--------------------|------------------------------------|-------------------------| +| `username` | Username | Username-password auth | +| `password` | Password | Username-password auth | +| `client_key` | Local peer's private key | Client certificate auth | +| `tls_auth_key` | Pre-shared group key for TLS Auth | Optional | +| `tls_crypt_key` | Pre-shared group key for TLS Crypt | Optional | +| `tls_crypt_v2_key` | Per-client key for TLS Crypt V2 | Optional | + +> **Note: It is strongly recommended that you provide all credentials via [encrypted secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets).** +When providing TLS keys, you should provide *only one of* either `tls_auth_key`, `tls_crypt_key` or `tls_crypt_v2_key`. +You can determine which by checking the value of your key and looking in the header line. +[See the docs for more info about TLS in OpenVPN](https://openvpn.net/vpn-server-resources/tls-control-channel-security-in-openvpn-access-server) + ## Usage - Create client configuration file based on diff --git a/action.yml b/action.yml index ce3e8d7..37dfe99 100644 --- a/action.yml +++ b/action.yml 
@@ -14,7 +14,13 @@ inputs: description: "Password" required: false tls_auth_key: - description: "Pre-shared secret for TLS-auth HMAC signature" + description: "Pre-shared group key for TLS Auth" + required: false + tls_crypt_key: + description: "Pre-shared group key for TLS Crypt" + required: false + tls_crypt_v2_key: + description: "Per-client key for TLS Crypt V2" required: false client_key: description: "Local peer's private key" diff --git a/dist/index.js b/dist/index.js index 9bfb4c7..203c244 100644 --- a/dist/index.js +++ b/dist/index.js @@ -2007,8 +2007,12 @@ class Tail extends events.EventEmitter { */ getPositionAtNthLine(nLines) { const { size } = fs.statSync(this.filename); - const fd = fs.openSync(this.filename, 'r'); + if (size === 0) { + return 0; + } + + const fd = fs.openSync(this.filename, 'r'); // Start from the end of the file and work backwards in specific chunks let currentReadPosition = size; const chunkSizeBytes = Math.min(1024, size); @@ -3172,6 +3176,8 @@ const run = (callback) => { const password = core.getInput("password"); const clientKey = core.getInput("client_key"); const tlsAuthKey = core.getInput("tls_auth_key"); + const tlsCryptKey = core.getInput("tls_crypt_key"); + const tlsCryptV2Key = core.getInput("tls_crypt_v2_key"); if (!fs.existsSync(configFile)) { throw new Error(`config file '${configFile}' not found`); @@ -3197,6 +3203,16 @@ const run = (callback) => { fs.appendFileSync(configFile, "tls-auth ta.key 1\n"); fs.writeFileSync("ta.key", tlsAuthKey, { mode: 0o600 }); } + + if (tlsCryptKey) { + fs.appendFileSync(configFile, "tls-crypt tc.key 1\n"); + fs.writeFileSync("tc.key", tlsCryptKey, { mode: 0o600 }); + } + + if (tlsCryptV2Key) { + fs.appendFileSync(configFile, "tls-crypt-v2 tcv2.key 1\n"); + fs.writeFileSync("tcv2.key", tlsCryptV2Key, { mode: 0o600 }); + } core.info("========== begin configuration =========="); core.info(fs.readFileSync(configFile, "utf8")); 
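Review bot: The new `tls_crypt_key` and `tls_crypt_v2_key` descriptions in action.yml, like the reworded `tls_auth_key` one, do not mention that only one of the three keys should be set, although the README change in this commit says so. Consider putting the constraint in the input metadata, where users of the action will see it, e.g. `description: "Per-client key for TLS Crypt V2 (set only one of tls_auth_key, tls_crypt_key, tls_crypt_v2_key)"`. The `inputs` block starts and ends outside this hunk.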
diff --git a/package-lock.json b/package-lock.json index ff54af6..1fc0c6a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "github-openvpn-connect-action", - "version": "2.0.2", + "version": "2.1.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "github-openvpn-connect-action", - "version": "2.0.2", + "version": "2.1.0", "license": "MIT", "dependencies": { "@actions/core": "1.10.1", @@ -20,7 +20,7 @@ "eslint-config-prettier": "8.10.0", "eslint-config-standard": "17.1.0", "husky": "8.0.3", - "prettier": "2.8.8" + "prettier": "3.0.3" } }, "node_modules/@aashutoshrathi/word-wrap": { @@ -1966,15 +1966,15 @@ } }, "node_modules/prettier": { - "version": "2.8.8", - "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.8.8.tgz", - "integrity": "sha512-tdN8qQGvNjw4CHbY+XXk0JgCXn9QiF21a55rBe5LJAU+kDyC4WQn4+awm2Xfk2lQMk5fKup9XgzTZtGkjBdP9Q==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.0.3.tgz", + "integrity": "sha512-L/4pUDMxcNa8R/EthV08Zt42WBO4h1rarVtK0K+QJG0X187OLo7l699jWw0GKuwzkPQ//jMFA/8Xm6Fh3J/DAg==", "dev": true, "bin": { - "prettier": "bin-prettier.js" + "prettier": "bin/prettier.cjs" }, "engines": { - "node": ">=10.13.0" + "node": ">=14" }, "funding": { "url": "https://github.com/prettier/prettier?sponsor=1" @@ -3887,9 +3887,9 @@ "dev": true }, "prettier": { - "version": "2.8.8", - "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.8.8.tgz", - "integrity": "sha512-tdN8qQGvNjw4CHbY+XXk0JgCXn9QiF21a55rBe5LJAU+kDyC4WQn4+awm2Xfk2lQMk5fKup9XgzTZtGkjBdP9Q==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.0.3.tgz", + "integrity": "sha512-L/4pUDMxcNa8R/EthV08Zt42WBO4h1rarVtK0K+QJG0X187OLo7l699jWw0GKuwzkPQ//jMFA/8Xm6Fh3J/DAg==", "dev": true }, "punycode": { diff --git a/package.json b/package.json index 6182353..aa6c6a2 100644 --- a/package.json +++ b/package.json 
@@ -1,8 +1,11 @@ { "name": "github-openvpn-connect-action", - "version": "2.0.2", + "version": "2.1.0", "description": "GitHub Action for connecting to OpenVPN server", - "keywords": ["github", "actions"], + "keywords": [ + "github", + "actions" + ], "homepage": "https://github.com/kota65535/github-openvpn-connect-action#readme", "bugs": { "url": "https://github.com/kota65535/github-openvpn-connect-action/issues" @@ -32,6 +35,6 @@ "eslint-config-prettier": "8.10.0", "eslint-config-standard": "17.1.0", "husky": "8.0.3", - "prettier": "2.8.8" + "prettier": "3.0.3" } } diff --git a/src/main.js b/src/main.js index c5c90dc..19a557e 100644 --- a/src/main.js +++ b/src/main.js @@ -9,6 +9,8 @@ const run = (callback) => { const password = core.getInput("password"); const clientKey = core.getInput("client_key"); const tlsAuthKey = core.getInput("tls_auth_key"); + const tlsCryptKey = core.getInput("tls_crypt_key"); + const tlsCryptV2Key = core.getInput("tls_crypt_v2_key"); if (!fs.existsSync(configFile)) { throw new Error(`config file '${configFile}' not found`); @@ -34,6 +36,16 @@ const run = (callback) => { fs.appendFileSync(configFile, "tls-auth ta.key 1\n"); fs.writeFileSync("ta.key", tlsAuthKey, { mode: 0o600 }); } + + if (tlsCryptKey) { + fs.appendFileSync(configFile, "tls-crypt tc.key 1\n"); + fs.writeFileSync("tc.key", tlsCryptKey, { mode: 0o600 }); + } + + if (tlsCryptV2Key) { + fs.appendFileSync(configFile, "tls-crypt-v2 tcv2.key 1\n"); + fs.writeFileSync("tcv2.key", tlsCryptV2Key, { mode: 0o600 }); + } core.info("========== begin configuration =========="); core.info(fs.readFileSync(configFile, "utf8"));
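Review bot: Nothing after the new `core.getInput` calls in src/main.js rejects a workflow that sets more than one of `tls_auth_key`, `tls_crypt_key` and `tls_crypt_v2_key`, although the README change says to provide only one. In the later hunk each non-empty input appends its own directive, so a misconfigured workflow gets a config with several control-channel key options and presumably only finds out when OpenVPN starts. A guard placed before any file is written would fail early with a clear message: `if ([tlsAuthKey, tlsCryptKey, tlsCryptV2Key].filter(Boolean).length > 1) throw new Error("provide only one of tls_auth_key, tls_crypt_key, tls_crypt_v2_key");`. `run` continues outside this hunk, and dist/index.js carries the same code, so it needs rebuilding with any change here.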
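Review bot: The appended `tls-crypt tc.key 1` and `tls-crypt-v2 tcv2.key 1` lines copy the trailing `1` from the existing `tls-auth ta.key 1` line, but the OpenVPN manual documents a key-direction argument only for `tls-auth`; the tls-crypt options take just a key file. Whether the extra token is ignored or rejected may depend on the OpenVPN version, so I would drop it: `"tls-crypt tc.key\n"` and `"tls-crypt-v2 tcv2.key\n"`. Separately, `tc.key` and `tcv2.key` are written with relative paths, so they land in the process working directory, and `mode: 0o600` takes effect only when the file is newly created. If that directory is the checked-out workspace, a later artifact or cache step could pick the key files up, so it is worth confirming that cleanup removes them along with `ta.key`. `run` continues outside this hunk.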