diff options
Diffstat (limited to 'python/vyos/configverify.py')
| -rw-r--r-- | python/vyos/configverify.py | 134 |
1 files changed, 84 insertions, 50 deletions
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py index 6508ccdd9..18642877a 100644 --- a/python/vyos/configverify.py +++ b/python/vyos/configverify.py @@ -23,8 +23,6 @@ from vyos import ConfigError from vyos.utils.dict import dict_search -from vyos.utils.dict import dict_search_recursive - # pattern re-used in ipsec migration script dynamic_interface_pattern = r'(ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+' @@ -99,10 +97,17 @@ def verify_vrf(config): Common helper function used by interface implementations to perform recurring validation of VRF configuration. """ - from netifaces import interfaces - if 'vrf' in config and config['vrf'] != 'default': - if config['vrf'] not in interfaces(): - raise ConfigError('VRF "{vrf}" does not exist'.format(**config)) + from vyos.utils.network import interface_exists + if 'vrf' in config: + vrfs = config['vrf'] + if isinstance(vrfs, str): + vrfs = [vrfs] + + for vrf in vrfs: + if vrf == 'default': + continue + if not interface_exists(vrf): + raise ConfigError(f'VRF "{vrf}" does not exist!') if 'is_bridge_member' in config: raise ConfigError( @@ -162,43 +167,6 @@ def verify_tunnel(config): if 'source_address' in config and is_ipv6(config['source_address']): raise ConfigError('Can not use local IPv6 address is for mGRE tunnels') -def verify_eapol(config): - """ - Common helper function used by interface implementations to perform - recurring validation of EAPoL configuration. - """ - if 'eapol' in config: - if 'certificate' not in config['eapol']: - raise ConfigError('Certificate must be specified when using EAPoL!') - - if 'pki' not in config or 'certificate' not in config['pki']: - raise ConfigError('Invalid certificate specified for EAPoL') - - cert_name = config['eapol']['certificate'] - if cert_name not in config['pki']['certificate']: - raise ConfigError('Invalid certificate specified for EAPoL') - - cert = config['pki']['certificate'][cert_name] - - if 'certificate' not in cert or 'private' not in cert or 'key' not in cert['private']: - raise ConfigError('Invalid certificate/private key specified for EAPoL') - - if 'password_protected' in cert['private']: - raise ConfigError('Encrypted private key cannot be used for EAPoL') - - if 'ca_certificate' in config['eapol']: - if 'ca' not in config['pki']: - raise ConfigError('Invalid CA certificate specified for EAPoL') - - for ca_cert_name in config['eapol']['ca_certificate']: - if ca_cert_name not in config['pki']['ca']: - raise ConfigError('Invalid CA certificate specified for EAPoL') - - ca_cert = config['pki']['ca'][ca_cert_name] - - if 'certificate' not in ca_cert: - raise ConfigError('Invalid CA certificate specified for EAPoL') - def verify_mirror_redirect(config): """ Common helper function used by interface implementations to perform @@ -206,13 +174,13 @@ def verify_mirror_redirect(config): It makes no sense to mirror traffic back at yourself! """ - import os + from vyos.utils.network import interface_exists if {'mirror', 'redirect'} <= set(config): raise ConfigError('Mirror and redirect can not be enabled at the same time!') if 'mirror' in config: for direction, mirror_interface in config['mirror'].items(): - if not os.path.exists(f'/sys/class/net/{mirror_interface}'): + if not interface_exists(mirror_interface): raise ConfigError(f'Requested mirror interface "{mirror_interface}" '\ 'does not exist!') @@ -222,7 +190,7 @@ def verify_mirror_redirect(config): if 'redirect' in config: redirect_ifname = config['redirect'] - if not os.path.exists(f'/sys/class/net/{redirect_ifname}'): + if not interface_exists(redirect_ifname): raise ConfigError(f'Requested redirect interface "{redirect_ifname}" '\ 'does not exist!') @@ -276,10 +244,10 @@ def verify_interface_exists(ifname, warning_only=False): if the interface is defined on the CLI, if it's not found we try if it exists at the OS level. """ - import os from vyos.base import Warning from vyos.configquery import ConfigTreeQuery from vyos.utils.dict import dict_search_recursive + from vyos.utils.network import interface_exists # Check if interface is present in CLI config config = ConfigTreeQuery() @@ -288,7 +256,7 @@ def verify_interface_exists(ifname, warning_only=False): return True # Interface not found on CLI, try Linux Kernel - if os.path.exists(f'/sys/class/net/{ifname}'): + if interface_exists(ifname): return True message = f'Interface "{ifname}" does not exist!' @@ -304,7 +272,7 @@ def verify_source_interface(config): required by e.g. peth/MACvlan, MACsec ... """ import re - from netifaces import interfaces + from vyos.utils.network import interface_exists ifname = config['ifname'] if 'source_interface' not in config: @@ -316,7 +284,7 @@ def verify_source_interface(config): if tmp.match(src_ifname): raise ConfigError(f'Can not source "{ifname}" from dynamic interface "{src_ifname}"!') - if src_ifname not in interfaces(): + if not interface_exists(src_ifname): raise ConfigError(f'Specified source-interface {src_ifname} does not exist') if 'source_interface_is_bridge_member' in config: @@ -487,3 +455,69 @@ def verify_access_list(access_list, config, version=''): # Check if the specified ACL exists, if not error out if dict_search(f'policy.access-list{version}.{access_list}', config) == None: raise ConfigError(f'Specified access-list{version} "{access_list}" does not exist!') + +def verify_pki_certificate(config: dict, cert_name: str, no_password_protected: bool=False): + """ + Common helper function user by PKI consumers to perform recurring + validation functions for PEM based certificates + """ + if 'pki' not in config: + raise ConfigError('PKI is not configured!') + + if 'certificate' not in config['pki']: + raise ConfigError('PKI does not contain any certificates!') + + if cert_name not in config['pki']['certificate']: + raise ConfigError(f'Certificate "{cert_name}" not found in configuration!') + + pki_cert = config['pki']['certificate'][cert_name] + if 'certificate' not in pki_cert: + raise ConfigError(f'PEM certificate for "{cert_name}" missing in configuration!') + + if 'private' not in pki_cert or 'key' not in pki_cert['private']: + raise ConfigError(f'PEM private key for "{cert_name}" missing in configuration!') + + if no_password_protected and 'password_protected' in pki_cert['private']: + raise ConfigError('Password protected PEM private key is not supported!') + +def verify_pki_ca_certificate(config: dict, ca_name: str): + """ + Common helper function user by PKI consumers to perform recurring + validation functions for PEM based CA certificates + """ + if 'pki' not in config: + raise ConfigError('PKI is not configured!') + + if 'ca' not in config['pki']: + raise ConfigError('PKI does not contain any CA certificates!') + + if ca_name not in config['pki']['ca']: + raise ConfigError(f'CA Certificate "{ca_name}" not found in configuration!') + + pki_cert = config['pki']['ca'][ca_name] + if 'certificate' not in pki_cert: + raise ConfigError(f'PEM CA certificate for "{cert_name}" missing in configuration!') + +def verify_pki_dh_parameters(config: dict, dh_name: str, min_key_size: int=0): + """ + Common helper function user by PKI consumers to perform recurring + validation functions on DH parameters + """ + from vyos.pki import load_dh_parameters + + if 'pki' not in config: + raise ConfigError('PKI is not configured!') + + if 'dh' not in config['pki']: + raise ConfigError('PKI does not contain any DH parameters!') + + if dh_name not in config['pki']['dh']: + raise ConfigError(f'DH parameter "{dh_name}" not found in configuration!') + + if min_key_size: + pki_dh = config['pki']['dh'][dh_name] + dh_params = load_dh_parameters(pki_dh['parameters']) + dh_numbers = dh_params.parameter_numbers() + dh_bits = dh_numbers.p.bit_length() + if dh_bits < min_key_size: + raise ConfigError(f'Minimum DH key-size is {min_key_size} bits!') |