summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@vyos.io>2023-11-23 12:48:50 +0000
committerGitHub <noreply@github.com>2023-11-23 12:48:50 +0000
commite942d0d1dde2959f4f9441ac70f3929bc583b6ed (patch)
tree53d9088a3554d4f8ccd76fdc11b5397f0b2b58a4 /src/conf_mode
parentbdf0a3b288f93f2e8257106de968ddaa3fca0e21 (diff)
parent57ba2fa91573ad2ecd03f0c2eb89507dfc397f1e (diff)
downloadvyos-1x-e942d0d1dde2959f4f9441ac70f3929bc583b6ed.tar.gz
vyos-1x-e942d0d1dde2959f4f9441ac70f3929bc583b6ed.zip
Merge pull request #2531 from vyos/mergify/bp/equuleus/pr-2522
https api: T5772: check if keys are configured unless PAM auth is enabled for GraphQL (backport #2522)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/https.py27
1 files changed, 26 insertions, 1 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 1e58bb1e4..f02e32cd1 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019-2020 VyOS maintainers and contributors
+# Copyright (C) 2019-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -25,6 +25,7 @@ from vyos.config import Config
from vyos.configverify import verify_vrf
from vyos import ConfigError
from vyos.util import call
+from vyos.util import dict_search
from vyos.template import render
from vyos import airbag
@@ -160,6 +161,30 @@ def verify(https):
"matching the 'certbot domain-name' is required.")
verify_vrf(https)
+
+ # Verify API server settings, if present
+ if 'api' in https:
+ keys = dict_search('api.keys.id', https)
+ gql_auth_type = dict_search('api.graphql.authentication.type', https)
+
+ # If "api graphql" is not defined and `gql_auth_type` is None,
+ # there's certainly no JWT auth option, and keys are required
+ jwt_auth = (gql_auth_type == "token")
+
+ # Check for incomplete key configurations in every case
+ valid_keys_exist = False
+ if keys:
+ for k in keys:
+ if 'key' not in keys[k]:
+ raise ConfigError(f'Missing HTTPS API key string for key id "{k}"')
+ else:
+ valid_keys_exist = True
+
+ # If only key-based methods are enabled,
+ # fail the commit if no valid key configurations are found
+ if (not valid_keys_exist) and (not jwt_auth):
+ raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled')
+
return None
def generate(https):