author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-12-05 12:35:41 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-05 12:35:41 +0200 |
commit | df9bbe008b3b4ce4df3227867f32e60a71f2703d (patch) | |
tree | 9eb560f4c0e407559aba0ce2854a72c09f86bd80 | |
parent | a29aba5d92ad210b95226acfe756794d59068fc3 (diff) | |
parent | 692d2e362860255174076c08001ebe04b6035d3f (diff) | |
download | vyos-1x-df9bbe008b3b4ce4df3227867f32e60a71f2703d.tar.gz vyos-1x-df9bbe008b3b4ce4df3227867f32e60a71f2703d.zip |
Merge pull request #2571 from dmbaturin/https-api-keys-fix-crux
https: T5772: Move API key check to http-api.py
-rw-r--r-- | python/vyos/defaults.py | 2 | ||||
-rw-r--r-- | python/vyos/util.py | 19 | ||||
-rwxr-xr-x | src/conf_mode/http-api.py | 13 | ||||
-rwxr-xr-x | src/conf_mode/https.py | 28 | ||||
-rwxr-xr-x | src/services/vyos-http-api-server | 1 |
5 files changed, 14 insertions, 49 deletions
diff --git a/python/vyos/defaults.py b/python/vyos/defaults.py
index d7a4690ee..5d17b6b0c 100644
--- a/python/vyos/defaults.py
+++ b/python/vyos/defaults.py
@@ -37,7 +37,7 @@ api_data = {
 'port' : '8080',
 'strict' : 'false',
 'debug' : 'false',
- 'api_keys' : [],
+ 'api_keys' : [ ]
 }
 vyos_cert_data = {
diff --git a/python/vyos/util.py b/python/vyos/util.py
index bac327018..3ffd025b9 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -237,22 +237,3 @@ def process_named_running(name):
 if name in p.name():
 return p.pid
 return None
-
-def dict_search(path, dict_object):
- """ Traverse Python dictionary (dict_object) delimited by dot (.).
- Return value of key if found, None otherwise.
- This is faster implementation then jmespath.search('foo.bar', dict_object)"""
- if not isinstance(dict_object, dict) or not path:
- return None
-
- parts = path.split('.')
- inside = parts[:-1]
- if not inside:
- if path not in dict_object:
- return None
- return dict_object[path]
- c = dict_object
- for p in parts[:-1]:
- c = c.get(p, {})
- return c.get(parts[-1], None)
-
diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py
index 9c062f0aa..7a8ca883e 100755
--- a/src/conf_mode/http-api.py
+++ b/src/conf_mode/http-api.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019 VyOS maintainers and contributors
+# Copyright (C) 2019-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -59,10 +59,21 @@ def get_config():
 key = conf.return_value('keys id {0} key'.format(name))
 new_key = { 'id': name, 'key': key }
 http_api['api_keys'].append(new_key)
+ else:
+ raise ConfigError('Missing HTTPS API key string for key id "{}"'.format(name))
 return http_api
 def verify(http_api):
+ if not http_api:
+ return None
+
+ # Verify API server settings, if present
+ keys = http_api['api_keys']
+
+ if not keys:
+ raise ConfigError('At least one HTTPS API key is required')
+
 return None
 def generate(http_api):
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index af0e85af5..078c2d5f5 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -23,7 +23,6 @@ import jinja2
 import vyos.defaults
 from vyos.config import Config
-from vyos.util import dict_search
 from vyos import ConfigError
 config_file = '/etc/nginx/sites-available/default'
@@ -136,14 +135,6 @@ def get_config():
 if conf.exists('api port'):
 port = conf.return_value('api port')
 api_data['port'] = port
- if conf.exists('api keys id'):
- for id in conf.list_nodes('api keys id'):
- tmp = {"id": id}
- if conf.exists('api keys id ' + id + ' key'):
- key = conf.return_value('api keys id ' + id + ' key')
- tmp.update({'key':key})
- api_data['api_keys'].append(tmp)
-
 if api_data:
 for block in server_block_list:
 block['api'] = api_data
@@ -152,27 +143,8 @@ def get_config():
 return https
 def verify(https):
- if https is None:
- return None
-
- # Verify API server settings, if present
- if 'server_block_list' in https:
- for server in https['server_block_list']:
- if 'api' in server:
- keys = dict_search('api.api_keys', server)
-
- # Check for incomplete key configurations in every case
- valid_keys_exist = False
- if keys:
- for k in keys:
- if 'key' not in k:
- raise ConfigError('Missing HTTPS API key string for key id: ' + k['id'])
- else:
- raise ConfigError('At least one HTTPS API key is required!')
-
 return None
-
 def generate(https):
 if https is None:
 return None
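Review bot: In src/conf_mode/http-api.py the new verify() only checks that `http_api['api_keys']` is non-empty, so an entry whose 'key' value is None or an empty string would still be accepted; whether conf.return_value() can return such a value for an existing node is not visible in this hunk. Because the https.py check is deleted in the same commit, this is now the only validation of API keys, and verify() could also reject empty values with `if any(not k.get('key') for k in keys): raise ConfigError('Missing HTTPS API key string')`. The per-id "Missing HTTPS API key string" error is raised from get_config() rather than verify(), which mixes validation into config retrieval; recording the entry and checking it in verify() would keep the two phases separate. get_config() starts outside the hunk, so how http_api and its 'api_keys' list are initialised cannot be confirmed from here.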
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
index ecbfe670c..99de6a911 100755
--- a/src/services/vyos-http-api-server
+++ b/src/services/vyos-http-api-server
@@ -24,6 +24,7 @@ import traceback
 import threading
 import vyos.config
+import vyos.configtree
 import bottle |