diff options
| author | Daniil Baturin <daniil@vyos.io> | 2023-11-23 12:48:05 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-11-23 12:48:05 +0000 |
| commit | a54fe17d7e2bc3ab5834e439d90effc247306fc2 (patch) | |
| tree | 337fa11842302140887bfc5738ead6566829c521 | |
| parent | ed0570b31eac62a9c4f3fa794ca4b9848ae1f279 (diff) | |
| parent | 1b7e8f9ff7a86125ca7c8a2035650d5203dc54c5 (diff) | |
| download | vyos-1x-a54fe17d7e2bc3ab5834e439d90effc247306fc2.tar.gz vyos-1x-a54fe17d7e2bc3ab5834e439d90effc247306fc2.zip | |
Merge pull request #2535 from c-po/crux-pr-2522
https api: T5772: check if keys are configured unless PAM auth is enabled for GraphQL (backport #2522)
| -rw-r--r-- | python/vyos/util.py | 19 | ||||
| -rwxr-xr-x | src/conf_mode/https.py | 25 |
2 files changed, 44 insertions, 0 deletions
diff --git a/python/vyos/util.py b/python/vyos/util.py index 3ffd025b9..bac327018 100644 --- a/python/vyos/util.py +++ b/python/vyos/util.py @@ -237,3 +237,22 @@ def process_named_running(name): if name in p.name(): return p.pid return None + +def dict_search(path, dict_object): + """ Traverse Python dictionary (dict_object) delimited by dot (.). + Return value of key if found, None otherwise. + This is faster implementation then jmespath.search('foo.bar', dict_object)""" + if not isinstance(dict_object, dict) or not path: + return None + + parts = path.split('.') + inside = parts[:-1] + if not inside: + if path not in dict_object: + return None + return dict_object[path] + c = dict_object + for p in parts[:-1]: + c = c.get(p, {}) + return c.get(parts[-1], None) + diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index 078c2d5f5..349cec888 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -23,6 +23,7 @@ import jinja2 import vyos.defaults from vyos.config import Config +from vyos.util import dict_search from vyos import ConfigError config_file = '/etc/nginx/sites-available/default' @@ -143,8 +144,32 @@ def get_config(): return https def verify(https): + # Verify API server settings, if present + if 'api' in https: + keys = dict_search('api.keys.id', https) + gql_auth_type = dict_search('api.graphql.authentication.type', https) + + # If "api graphql" is not defined and `gql_auth_type` is None, + # there's certainly no JWT auth option, and keys are required + jwt_auth = (gql_auth_type == "token") + + # Check for incomplete key configurations in every case + valid_keys_exist = False + if keys: + for k in keys: + if 'key' not in keys[k]: + raise ConfigError(f'Missing HTTPS API key string for key id "{k}"') + else: + valid_keys_exist = True + + # If only key-based methods are enabled, + # fail the commit if no valid key configurations are found + if (not valid_keys_exist) and (not jwt_auth): + raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled') + return None + def generate(https): if https is None: return None |