-rw-r--r--python/vyos/defaults.py2
-rwxr-xr-xsrc/conf_mode/https.py43
2 files changed, 21 insertions, 24 deletions
diff --git a/python/vyos/defaults.py b/python/vyos/defaults.py
index d7a4690ee..f51e4ddda 100644
--- a/python/vyos/defaults.py
+++ b/python/vyos/defaults.py
@@ -37,7 +37,7 @@ api_data = {
'port' : '8080',
'strict' : 'false',
'debug' : 'false',
- 'api_keys' : [],
+ 'api_keys' : [ {"id": "testapp", "key": "qwerty"} ]
}
vyos_cert_data = {
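Review bot: The new default for `'api_keys'` ships a fixed credential (`testapp` / `qwerty`) in `api_data`, so every system that uses these defaults would accept the same well-known key. The second hunk of this commit removes the loop in `get_config()` that filled `api_data['api_keys']` from `api keys id`, while `block['api'] = api_data` is still assigned, so as far as this diff shows the hard-coded entry is the only key that reaches the server blocks. If this is a test fixture it should not land in `defaults.py`; keep `'api_keys' : [],` and populate the list from the configured keys. The new line also drops the trailing comma that the old one had.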
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index af0e85af5..349cec888 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -136,14 +136,6 @@ def get_config():
if conf.exists('api port'):
port = conf.return_value('api port')
api_data['port'] = port
- if conf.exists('api keys id'):
- for id in conf.list_nodes('api keys id'):
- tmp = {"id": id}
- if conf.exists('api keys id ' + id + ' key'):
- key = conf.return_value('api keys id ' + id + ' key')
- tmp.update({'key':key})
- api_data['api_keys'].append(tmp)
-
if api_data:
for block in server_block_list:
block['api'] = api_data
@@ -152,23 +144,28 @@ def get_config():
return https
def verify(https):
- if https is None:
- return None
-
# Verify API server settings, if present
- if 'server_block_list' in https:
- for server in https['server_block_list']:
- if 'api' in server:
- keys = dict_search('api.api_keys', server)
-
- # Check for incomplete key configurations in every case
- valid_keys_exist = False
- if keys:
- for k in keys:
- if 'key' not in k:
- raise ConfigError('Missing HTTPS API key string for key id: ' + k['id'])
+ if 'api' in https:
+ keys = dict_search('api.keys.id', https)
+ gql_auth_type = dict_search('api.graphql.authentication.type', https)
+
+ # If "api graphql" is not defined and `gql_auth_type` is None,
+ # there's certainly no JWT auth option, and keys are required
+ jwt_auth = (gql_auth_type == "token")
+
+ # Check for incomplete key configurations in every case
+ valid_keys_exist = False
+ if keys:
+ for k in keys:
+ if 'key' not in keys[k]:
+ raise ConfigError(f'Missing HTTPS API key string for key id "{k}"')
else:
- raise ConfigError('At least one HTTPS API key is required!')
+ valid_keys_exist = True
+
+ # If only key-based methods are enabled,
+ # fail the commit if no valid key configurations are found
+ if (not valid_keys_exist) and (not jwt_auth):
+ raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled')
return None
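Review bot: Dropping the `if https is None: return None` guard at the top of `verify()` means `'api' in https` raises a `TypeError` whenever `get_config()` returns `None`; most of `get_config()` lies outside this hunk, so whether it still can is not visible here. If it can, restore the guard as the first statement: `if https is None: return None`. Separately, the check now reads `api.keys.id` from `https`, while the visible part of `get_config()` still hands `api_data` to each server block, so passing this check does not by itself show that the configured keys are the ones in effect. A short comment naming where the verified keys are consumed would help.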