diff options
author | Daniil Baturin <daniil@baturin.org> | 2023-11-22 00:53:35 +0000 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2023-11-23 11:24:58 +0100 |
commit | 57ba2fa91573ad2ecd03f0c2eb89507dfc397f1e (patch) | |
tree | 53d9088a3554d4f8ccd76fdc11b5397f0b2b58a4 /src/conf_mode | |
parent | bdf0a3b288f93f2e8257106de968ddaa3fca0e21 (diff) | |
download | vyos-1x-57ba2fa91573ad2ecd03f0c2eb89507dfc397f1e.tar.gz vyos-1x-57ba2fa91573ad2ecd03f0c2eb89507dfc397f1e.zip |
https api: T5772: check if keys are configured
unless PAM auth is enabled for GraphQL
(cherry picked from commit 8c450ea7f538beb0b2cd21d35c05d18db49a1802)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/https.py | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index 1e58bb1e4..f02e32cd1 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019-2020 VyOS maintainers and contributors +# Copyright (C) 2019-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -25,6 +25,7 @@ from vyos.config import Config from vyos.configverify import verify_vrf from vyos import ConfigError from vyos.util import call +from vyos.util import dict_search from vyos.template import render from vyos import airbag @@ -160,6 +161,30 @@ def verify(https): "matching the 'certbot domain-name' is required.") verify_vrf(https) + + # Verify API server settings, if present + if 'api' in https: + keys = dict_search('api.keys.id', https) + gql_auth_type = dict_search('api.graphql.authentication.type', https) + + # If "api graphql" is not defined and `gql_auth_type` is None, + # there's certainly no JWT auth option, and keys are required + jwt_auth = (gql_auth_type == "token") + + # Check for incomplete key configurations in every case + valid_keys_exist = False + if keys: + for k in keys: + if 'key' not in keys[k]: + raise ConfigError(f'Missing HTTPS API key string for key id "{k}"') + else: + valid_keys_exist = True + + # If only key-based methods are enabled, + # fail the commit if no valid key configurations are found + if (not valid_keys_exist) and (not jwt_auth): + raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled') + return None def generate(https): |