strongTNC is a Trusted Network Connect (TNC) extension for the strongSwan VPN solution. It allows the definition and enforcement of TNC policies that apply to all VPN clients and must be fulfilled with each connection attempt.
strongTNC uses Django (currently version 3.2.15) requiring Python 3. It is recommended to use the pip and virtualenv tools to ease the dependency management. They can be installed via your package manager on most Linux distributions.
If you're new to these tools: Pip is the de-facto Python package manager (similar to apt-get or yum). And virtualenv is a tool that allows you to have multiple Python installations side-by-side, inside a directory. A quickstart guide can be found here.
Non-Python Dependencies
You need to install the following packages in order to be able to build all the needed Python dependencies:
- Python headers (Debian: python-dev; on current Debian releases the headers for a Python 3 interpreter are in python3-dev)
- libxml (Debian: libxml2-dev)
- libxslt (Debian: libxslt-dev)
Environment, Dependencies
First, create a virtualenv:
cd /path/to/strongTNC/
virtualenv --no-site-packages VIRTUAL
source VIRTUAL/bin/activate
Isolation from the system site-packages is the default in current virtualenv releases, which may no longer accept the --no-site-packages flag; omit it in that case (python3 -m venv VIRTUAL creates an equivalent environment).
Then install the dependencies:
pip install -r requirements.txt
Configuration
Create a local settings.ini file:
cp config/settings.sample.ini config/settings.ini
$EDITOR config/settings.ini
If this is not a production setup, change the DEBUG setting in settings.ini from 0 to 1. Leave it at 0 on any instance other people can reach: with DEBUG enabled, Django's error pages show full tracebacks, local variables and settings values.
Create the databases:
./manage.py migrate --database meta
./manage.py migrate
Set the default passwords:
./manage.py setpassword
If you want to use the Django-Admin view (/admin), create a superuser account:
./manage.py createsuperuser --database meta
In case you want to change the password of a user:
./manage.py changepassword admin-user --database meta
Development
Now you can start the development server.
./manage.py runserver
The web interface should be available on http://localhost:8000/.
Debugging
If you want to use the django debug toolbar, install it via pip:
pip install django-debug-toolbar
Then start the server with the setting DEBUG_TOOLBAR = 1 in the [debug] section of settings.ini.
To print all executed SQL queries to stdout, start the server with the setting SQL_DEBUG = 1 in the [debug] section of settings.ini.
Both are development aids: the toolbar exposes queries, headers and request data to anyone who can load a page, and SQL_DEBUG writes every query to the process output. Keep both at 0 on any instance others can reach.
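A pre-flight check for the settings above, added here as an example (it is not part of strongTNC): it parses settings.ini and lists the development-only settings that must not reach an instance other people can use. It assumes DEBUG, DEBUG_TOOLBAR and SQL_DEBUG sit in the [debug] section and that the XMPP keys are the ones in the example configuration further down; both sample INI files are constructed.

```python
"""Pre-flight check of a strongTNC settings.ini before it goes to production.

Added example, not part of strongTNC.  Assumes a configparser-style INI file in
which DEBUG, DEBUG_TOOLBAR and SQL_DEBUG live in [debug] and the XMPP keys are
the ones shown in the README's example configuration.  Both samples are constructed.
"""
import configparser
from typing import List

# Constructed development config: debug aids on, placeholder password, no CA cert.
DEV_INI = """\
[debug]
DEBUG = 1
DEBUG_TOOLBAR = 1
SQL_DEBUG = 0

[xmpp]
USE_XMPP = 1
jid: strongtnc@example.org
password: <password>
pubsub_server: pubsub.example.org
cacert:
node_events: sacm/events
node_swidtags: sacm/swidtags
rest_uri: https://tnc.example.org
"""

# Constructed production config: the same file with the findings fixed.
PROD_INI = """\
[debug]
DEBUG = 0
DEBUG_TOOLBAR = 0
SQL_DEBUG = 0

[xmpp]
USE_XMPP = 1
jid: strongtnc@example.org
password: correct-horse-battery-staple
pubsub_server: pubsub.example.org
cacert: /etc/swanctl/x509ca/strongswanCaCert.pem
node_events: sacm/events
node_swidtags: sacm/swidtags
rest_uri: https://tnc.example.org
"""


def _enabled(cfg: configparser.ConfigParser, section: str, key: str) -> bool:
    """True if section/key holds a truthy value; a value configparser cannot parse
    (e.g. 'DEBUG = 01') is reported as enabled rather than silently ignored."""
    try:
        return cfg.getboolean(section, key, fallback=False)
    except ValueError:
        return True


def check_settings(ini_text: str) -> List[str]:
    """Return the findings that make this settings.ini unsuitable for a reachable instance."""
    cfg = configparser.ConfigParser(interpolation=None)  # no '%' expansion in passwords
    cfg.read_string(ini_text)
    findings: List[str] = []
    # Django DEBUG serves full tracebacks, local variables and settings on error pages.
    if _enabled(cfg, "debug", "DEBUG"):
        findings.append("[debug] DEBUG = 1: Django error pages expose tracebacks and settings")
    # The debug toolbar shows SQL, headers, templates and request data to anyone loading a page.
    if _enabled(cfg, "debug", "DEBUG_TOOLBAR"):
        findings.append("[debug] DEBUG_TOOLBAR = 1: toolbar exposes queries and request data")
    # SQL_DEBUG writes every executed query to stdout, which usually ends up in logs.
    if _enabled(cfg, "debug", "SQL_DEBUG"):
        findings.append("[debug] SQL_DEBUG = 1: every query is written to stdout")
    if _enabled(cfg, "xmpp", "USE_XMPP"):
        password = cfg.get("xmpp", "password", fallback="").strip()
        if not password or password.startswith("<"):
            findings.append("[xmpp] password is empty or still the <password> placeholder")
        if not cfg.get("xmpp", "cacert", fallback="").strip():
            findings.append("[xmpp] cacert is unset: the XMPP-Grid server certificate cannot be verified")
    return findings


if __name__ == "__main__":
    for name, text in (("dev", DEV_INI), ("prod", PROD_INI)):
        print(name, check_settings(text) or "ok")
```

Run it against config/settings.ini (read the file and pass its contents to check_settings) as part of a deployment pipeline; an empty result means none of the development-only switches are on.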
Install pytest & dependencies:
pip install -r requirements-tests.txt
Run the tests:
./runtests.py
Run a specific test file:
./runtests.py tests/<filename>
Run only tests matching a specific pattern:
./runtests.py -k <pattern>
Run only tests that failed the last time:
./runtests.py --lf
Run tests without coverage:
./runtests.py --no-cov
strongTNC can publish real-time information on new SWID tags:

Published item strongswan.org__Debian_7.11-armv7l-smbclient-2~3.6.6-6~deb7u15 to sacm/swidtags:
{
  "tagId": "Debian_7.11-armv7l-smbclient-2~3.6.6-6~deb7u15",
  "versionStr": "2:3.6.6-6+deb7u15",
  "packageName": "smbclient",
  "uri": "https://tnc.strongswan.org/api/swid-tags/10550/"
}

and push create (action: 1) or remove (action: 2) SWIMA events received from endpoints:

Published item 270aea08-d972-478c-b414-23abb0e82f1d332 to sacm/events:
{
  "device": {
    "description": "Raspi 3",
    "value": "565feb9e8462870dba884ce540a0768d68829873"
  },
  "action": 1,
  "tag": {
    "recordId": 1413,
    "sourceId": 1,
    "softwareId": "strongswan.org__Debian_7.11-armv7l-smbclient-2~3.6.6-6~deb7u15"
  },
  "event": {
    "timestamp": "2017-11-22T15:04:35Z",
    "epoch": "1594045818",
    "eid": "82"
  }
}

in JSON format to an XMPP-Grid by setting USE_XMPP = 1 in the [xmpp] section of settings.ini and configuring the remaining parameters there. Here is an example configuration:

[xmpp]
USE_XMPP = 1
jid: [email protected]
password: <password>
pubsub_server: pubsub.strongswan.org
cacert: /etc/swanctl/x509ca/strongswanCaCert.pem
use_ipv6: 0
node_events: sacm/events
node_swidtags: sacm/swidtags
rest_uri: https://tnc.strongswan.org

cacert must point to the CA certificate that issued the XMPP server's certificate, otherwise the TLS connection to the grid cannot be verified; settings.ini holds the account password in clear text, so restrict its file permissions accordingly.
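The following consumer is an added example, not part of strongTNC: it parses the published items shown above (the two lines from the excerpt plus two constructed lines, a replayed copy of the create event and a later remove event) and rebuilds the per-endpoint software inventory, which is what a subscriber on the grid side would do with them. It assumes that the item id published on the swidtags node is the softwareId the events refer to, as in the excerpt, and that SWIMA event ids restart only when the endpoint's epoch changes, so an event whose (epoch, eid) is not newer than the last one seen from that device is discarded as a replay.

```python
"""Rebuild per-endpoint software inventories from strongTNC's XMPP-Grid items.

Added example, not strongTNC code.  It does not speak XMPP: it parses the
"Published item <id> to <node>: <json>" lines logged above, which carry the same
payloads a pubsub subscriber receives.  Assumptions: the item id on the swidtags
node is the softwareId that events refer to (as in the excerpt), and SWIMA event
ids restart only when the endpoint's epoch changes, so an event whose (epoch, eid)
is not newer than the last one seen from that device is a replay.
"""
import json
import re
from typing import Dict, List, Set, Tuple

_LINE = re.compile(r"^Published item (?P<item>\S+) to (?P<node>\S+): (?P<json>\{.*\})$")
ACTION_CREATE, ACTION_REMOVE = 1, 2   # SWIMA event actions as described above

SOFTWARE_ID = "strongswan.org__Debian_7.11-armv7l-smbclient-2~3.6.6-6~deb7u15"
DEVICE = "565feb9e8462870dba884ce540a0768d68829873"   # device value from the excerpt

TAG_LINE = (  # the swidtags line from the excerpt
    f"Published item {SOFTWARE_ID} to sacm/swidtags: "
    '{"tagId": "Debian_7.11-armv7l-smbclient-2~3.6.6-6~deb7u15", '
    '"versionStr": "2:3.6.6-6+deb7u15", "packageName": "smbclient", '
    '"uri": "https://tnc.strongswan.org/api/swid-tags/10550/"}'
)


def event_line(item_id: str, action: int, eid: int, ts: str) -> str:
    """Build a sacm/events line with the structure of the one logged above."""
    payload = {
        "device": {"description": "Raspi 3", "value": DEVICE},
        "action": action,
        "tag": {"recordId": 1413, "sourceId": 1, "softwareId": SOFTWARE_ID},
        "event": {"timestamp": ts, "epoch": "1594045818", "eid": str(eid)},
    }
    return f"Published item {item_id} to sacm/events: {json.dumps(payload)}"


# Constructed input: the two excerpt lines, then a replay of the create event and a
# later remove event (the item id of the constructed remove line is made up).
SAMPLE_LINES = [
    TAG_LINE,
    event_line("270aea08-d972-478c-b414-23abb0e82f1d332", ACTION_CREATE, 82, "2017-11-22T15:04:35Z"),
    event_line("270aea08-d972-478c-b414-23abb0e82f1d332", ACTION_CREATE, 82, "2017-11-22T15:04:35Z"),
    event_line("constructed-item-0001", ACTION_REMOVE, 83, "2017-11-22T15:10:02Z"),
]


class GridConsumer:
    def __init__(self, node_events: str = "sacm/events", node_swidtags: str = "sacm/swidtags"):
        self.node_events, self.node_swidtags = node_events, node_swidtags
        self.tags: Dict[str, dict] = {}                    # softwareId -> tag payload
        self.inventory: Dict[str, Set[str]] = {}           # device -> installed softwareIds
        self.last_event: Dict[str, Tuple[int, int]] = {}   # device -> (epoch, eid) last applied
        self.warnings: List[str] = []

    def consume(self, line: str) -> None:
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError(f"not a publish line: {line!r}")
        payload = json.loads(m.group("json"))
        if m.group("node") == self.node_swidtags:
            self._on_tag(m.group("item"), payload)
        elif m.group("node") == self.node_events:
            self._on_event(payload)
        else:
            self.warnings.append(f"ignored item on unexpected node {m.group('node')}")

    def _on_tag(self, software_id: str, tag: dict) -> None:
        missing = {"tagId", "versionStr", "packageName", "uri"} - set(tag)
        if missing:
            raise ValueError(f"tag {software_id} lacks {sorted(missing)}")
        self.tags[software_id] = tag

    def _on_event(self, ev: dict) -> None:
        device, software_id, action = ev["device"]["value"], ev["tag"]["softwareId"], ev["action"]
        stamp = (int(ev["event"]["epoch"]), int(ev["event"]["eid"]))
        if stamp <= self.last_event.get(device, (0, 0)):   # replay or out-of-order delivery
            self.warnings.append(f"{device[:8]}: replayed/out-of-order event {stamp}, ignored")
            return
        self.last_event[device] = stamp
        if software_id not in self.tags:   # event arrived before (or without) its tag
            self.warnings.append(f"{device[:8]}: event for unknown tag {software_id}")
        installed = self.inventory.setdefault(device, set())
        if action == ACTION_CREATE:
            installed.add(software_id)
        elif action == ACTION_REMOVE:
            if software_id not in installed:
                self.warnings.append(f"{device[:8]}: remove for software not in inventory")
            installed.discard(software_id)
        else:
            raise ValueError(f"unknown SWIMA action {action!r}")

    def packages(self, device: str) -> List[str]:
        """Installed packages of a device as 'name versionStr', or the softwareId if no tag is known."""
        out = []
        for sid in sorted(self.inventory.get(device, ())):
            tag = self.tags.get(sid)
            out.append(f"{tag['packageName']} {tag['versionStr']}" if tag else sid)
        return out


def replay(lines: List[str]) -> GridConsumer:
    consumer = GridConsumer()
    for line in lines:
        consumer.consume(line)
    return consumer


if __name__ == "__main__":
    c = replay(SAMPLE_LINES)
    print(c.packages(DEVICE), c.warnings)
```

Against the sample the package appears after the first event, the replayed event is reported and dropped, and the remove event empties the inventory again. With a real subscription, feed consume() the node name and item payload in the same "Published item" shape, or call _on_tag/_on_event with the decoded JSON directly.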
Copyright (C) 2013 Marco Tanner, Stefan Rohner
Copyright (C) 2014 Christian Fässler, Danilo Bargen, Jonas Furrer
Copyright (C) 2013-2019 Tobias Brunner
Copyright (C) 2013-2020 Andreas Steffen
HSR University of Applied Sciences Rapperswil
Copyright (C) 2021-2022 Andreas Steffen, strongSec GmbH
Copyright (C) 2021 Tobias Brunner, codelabs GmbH

This file is part of strongTNC.

strongTNC is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

strongTNC is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with strongTNC. If not, see <http://www.gnu.org/licenses/>.

TLDR: This project is distributed under the AGPLv3, see the LICENSE file.