Diffstat (limited to 'python/vyos/configverify.py')
-rw-r--r--python/vyos/configverify.py68
1 files changed, 62 insertions, 6 deletions
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index 99c472582..4279e6982 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -1,4 +1,4 @@
-# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2020-2021 VyOS maintainers and contributors <maintainers@vyos.io>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@@ -45,6 +45,16 @@ def verify_mtu(config):
raise ConfigError(f'Interface MTU too high, ' \
f'maximum supported MTU is {max_mtu}!')
+def verify_mtu_parent(config, parent):
+ if 'mtu' not in config or 'mtu' not in parent:
+ return
+
+ mtu = int(config['mtu'])
+ parent_mtu = int(parent['mtu'])
+ if mtu > parent_mtu:
+ raise ConfigError(f'Interface MTU ({mtu}) too high, ' \
+ f'parent interface MTU is {parent_mtu}!')
+
def verify_mtu_ipv6(config):
"""
Common helper function used by interface implementations to perform
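Review bot: verify_mtu_parent is the only helper in this hunk without a docstring, while its siblings (verify_mtu_ipv6 just below) document their contract; add one such as `"""Raise ConfigError when an interface's MTU exceeds its parent's MTU (a sub-interface can never carry a larger MTU than the interface it sits on); returns silently when either side has no mtu configured."""`. The two int() conversions raise ValueError rather than ConfigError on a non-numeric value; presumably the CLI validator guarantees numeric input here, but that is worth confirming since the error would surface as a traceback instead of a commit error. Only the start of verify_mtu_ipv6 is visible in this hunk.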
@@ -139,9 +149,38 @@ def verify_eapol(config):
recurring validation of EAPoL configuration.
"""
if 'eapol' in config:
- if not {'cert_file', 'key_file'} <= set(config['eapol']):
- raise ConfigError('Both cert and key-file must be specified '\
- 'when using EAPoL!')
+ if 'certificate' not in config['eapol']:
+ raise ConfigError('Certificate must be specified when using EAPoL!')
+
+ if 'certificate' not in config['pki']:
+ raise ConfigError('Invalid certificate specified for EAPoL')
+
+ cert_name = config['eapol']['certificate']
+
+ if cert_name not in config['pki']['certificate']:
+ raise ConfigError('Invalid certificate specified for EAPoL')
+
+ cert = config['pki']['certificate'][cert_name]
+
+ if 'certificate' not in cert or 'private' not in cert or 'key' not in cert['private']:
+ raise ConfigError('Invalid certificate/private key specified for EAPoL')
+
+ if 'password_protected' in cert['private']:
+ raise ConfigError('Encrypted private key cannot be used for EAPoL')
+
+ if 'ca_certificate' in config['eapol']:
+ if 'ca' not in config['pki']:
+ raise ConfigError('Invalid CA certificate specified for EAPoL')
+
+ ca_cert_name = config['eapol']['ca_certificate']
+
+ if ca_cert_name not in config['pki']['ca']:
+ raise ConfigError('Invalid CA certificate specified for EAPoL')
+
+ ca_cert = config['pki']['ca'][cert_name]
+
+ if 'certificate' not in ca_cert:
+ raise ConfigError('Invalid CA certificate specified for EAPoL')
def verify_mirror(config):
"""
@@ -156,6 +195,19 @@ def verify_mirror(config):
raise ConfigError(f'Can not mirror "{direction}" traffic back ' \
'the originating interface!')
+def verify_authentication(config):
+ """
+ Common helper function used by interface implementations to perform
+ recurring validation of authentication for either PPPoE or WWAN interfaces.
+
+ If authentication CLI option is defined, both username and password must
+ be set!
+ """
+ if 'authentication' not in config:
+ return
+ if not {'user', 'password'} <= set(config['authentication']):
+ raise ConfigError('Authentication requires both username and ' \
+ 'password to be set!')
def verify_address(config):
"""
@@ -266,6 +318,7 @@ def verify_vlan_config(config):
verify_dhcpv6(vlan)
verify_address(vlan)
verify_vrf(vlan)
+ verify_mtu_parent(vlan, config)
# 802.1ad (Q-in-Q) VLANs
for s_vlan in config.get('vif_s', {}):
@@ -273,12 +326,15 @@ def verify_vlan_config(config):
verify_dhcpv6(s_vlan)
verify_address(s_vlan)
verify_vrf(s_vlan)
+ verify_mtu_parent(s_vlan, config)
for c_vlan in s_vlan.get('vif_c', {}):
c_vlan = s_vlan['vif_c'][c_vlan]
verify_dhcpv6(c_vlan)
verify_address(c_vlan)
verify_vrf(c_vlan)
+ verify_mtu_parent(c_vlan, config)
+ verify_mtu_parent(c_vlan, s_vlan)
def verify_accel_ppp_base_service(config):
"""
@@ -288,7 +344,7 @@ def verify_accel_ppp_base_service(config):
# vertify auth settings
if dict_search('authentication.mode', config) == 'local':
if not dict_search('authentication.local_users', config):
- raise ConfigError('PPPoE local auth mode requires local users to be configured!')
+ raise ConfigError('Authentication mode local requires local users to be configured!')
for user in dict_search('authentication.local_users.username', config):
user_config = config['authentication']['local_users']['username'][user]
@@ -312,7 +368,7 @@ def verify_accel_ppp_base_service(config):
raise ConfigError(f'Missing RADIUS secret key for server "{server}"')
if 'gateway_address' not in config:
- raise ConfigError('PPPoE server requires gateway-address to be configured!')
+ raise ConfigError('Server requires gateway-address to be configured!')
if 'name_server_ipv4' in config:
if len(config['name_server_ipv4']) > 2: