diff options
author | Christian Breunig <christian@breunig.cc> | 2023-11-23 13:44:30 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-23 13:44:30 +0100 |
commit | 11d531ece3e06dc68349d8ea1fd3bf39d5d857f3 (patch) | |
tree | 53023218fe525c617fc0a09d6cc6c5fe14e266cd | |
parent | 319e1bf7f23c33c202271efda2187f086b79e0c0 (diff) | |
parent | 1ba7d4e3e91b7e29447aca50295efda550239652 (diff) | |
download | vyos-1x-11d531ece3e06dc68349d8ea1fd3bf39d5d857f3.tar.gz vyos-1x-11d531ece3e06dc68349d8ea1fd3bf39d5d857f3.zip |
Merge pull request #2534 from c-po/backport-pr-2522
https api: T5772: check if keys are configured unless PAM auth is enabled for GraphQL (backport #2522)
-rwxr-xr-x | smoketest/scripts/cli/test_service_https.py | 17 | ||||
-rwxr-xr-x | src/conf_mode/https.py | 26 |
2 files changed, 39 insertions, 4 deletions
diff --git a/smoketest/scripts/cli/test_service_https.py b/smoketest/scripts/cli/test_service_https.py index 901a1857e..24e1f1299 100755 --- a/smoketest/scripts/cli/test_service_https.py +++ b/smoketest/scripts/cli/test_service_https.py @@ -25,6 +25,8 @@ from base_vyostest_shim import ignore_warning from vyos.utils.file import read_file from vyos.utils.process import process_named_running +from vyos.configsession import ConfigSessionError + base_path = ['service', 'https'] pki_base = ['pki'] @@ -62,9 +64,6 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase): cls.cli_delete(cls, pki_base) def tearDown(self): - # Check for running process - self.assertTrue(process_named_running(PROCESS_NAME)) - self.cli_delete(base_path) self.cli_delete(pki_base) self.cli_commit() @@ -89,6 +88,7 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase): nginx_config = read_file('/etc/nginx/sites-enabled/default') self.assertIn(f'listen {address}:{port} ssl;', nginx_config) self.assertIn(f'ssl_protocols TLSv1.2 TLSv1.3;', nginx_config) + self.assertTrue(process_named_running(PROCESS_NAME)) def test_certificate(self): self.cli_set(pki_base + ['certificate', 'test_https', 'certificate', cert_data.replace('\n','')]) @@ -97,6 +97,15 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['certificates', 'certificate', 'test_https']) self.cli_commit() + self.assertTrue(process_named_running(PROCESS_NAME)) + + def test_api_missing_keys(self): + self.cli_set(base_path + ['api']) + self.assertRaises(ConfigSessionError, self.cli_commit) + + def test_api_incomplete_key(self): + self.cli_set(base_path + ['api', 'keys', 'id', 'key-01']) + self.assertRaises(ConfigSessionError, self.cli_commit) @ignore_warning(InsecureRequestWarning) def test_api_auth(self): @@ -339,4 +348,4 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase): if __name__ == '__main__': - unittest.main(verbosity=2) + unittest.main(verbosity=5) diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index 26c4343a0..5cbdd1651 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -76,6 +76,8 @@ def get_config(config=None): return https def verify(https): + from vyos.utils.dict import dict_search + if https is None: return None @@ -135,6 +137,30 @@ def verify(https): raise ConfigError(f'"{proto}" port "{_port}" is used by another service') verify_vrf(https) + + # Verify API server settings, if present + if 'api' in https: + keys = dict_search('api.keys.id', https) + gql_auth_type = dict_search('api.graphql.authentication.type', https) + + # If "api graphql" is not defined and `gql_auth_type` is None, + # there's certainly no JWT auth option, and keys are required + jwt_auth = (gql_auth_type == "token") + + # Check for incomplete key configurations in every case + valid_keys_exist = False + if keys: + for k in keys: + if 'key' not in keys[k]: + raise ConfigError(f'Missing HTTPS API key string for key id "{k}"') + else: + valid_keys_exist = True + + # If only key-based methods are enabled, + # fail the commit if no valid key configurations are found + if (not valid_keys_exist) and (not jwt_auth): + raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled') + return None def generate(https): |