Age | Commit message (Collapse) | Author |
|
Commit b152b5202 ("configdict: T5894: add get_config_dict() flag with_pki")
added the generic PKI flag but if there was no PKI subsystem available
in the configuration, no pki dict key ever manifested in the resulting
dictionary requested by the caller.
This is different to the old behavior (which each caller implementing the call
itself) where there always was a pki key present - even if it was empty.
This triggered a bug in the IPSec script
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 600, in <module>
verify(ipsec)
File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 372, in verify
verify_pki_rsa(ipsec['pki'], rsa)
~~~~~^^^^^^^
KeyError: 'pki'
As it wanted to verify keys, but there was no pki dictionary key available.
This commit restores the previous behavior.
|
|
The "idea" of this PR is to add new CLI nodes under the pki subsystem to
activate ACME for any given certificate.
vyos@vyos# set pki certificate NAME acme
Possible completions:
+ domain-name Domain Name
email Email address to associate with certificate
listen-address Local IPv4 addresses to listen on
rsa-key-size Size of the RSA key (default: 2048)
url Remote URL (default:
https://acme-v02.api.letsencrypt.org/directory)
Users choose if the CLI based custom certificates are used
set pki certificate EXAMPLE acme certificate <base64>
or if it should be generated via ACME.
The ACME server URL defaults to LetsEncrypt but can be changed to their staging
API for testing to not get blacklisted.
set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory
Certificate retrieval has a certbot --dry-run stage in verify() to see if it
can be generated.
After successful generation, the certificate is stored in under
/config/auth/letsencrypt. Once a certificate is referenced in the CLI (e.g. set
interfaces ethernet eth0 eapol certificate EXAMPLE) we call
vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the
base64 encoded certificate into the JSON data structure normally used when
using a certificate set by the CLI.
Using this "design" does not need any change to any other code referencing the
PKI system, as the base64 encoded certificate is already there.
certbot renewal will call the PKI python script to trigger dependency updates.
|
|
VyOS has several services relaying on the PKI CLI tree to retrieve certificates.
Consuming services like ethernet, openvpn or ipsec all re-implemented the same
code to retrieve the certificates from the CLI.
This commit extends the signature of get_config_dict() with a new option with_pki
that defaults to false. If this option is set, the PKI CLI tree will be blended
into the resulting dictionary.
|
|
|
|
Drop low-level merge_defaults function in favor of Config method for
a middle-grained level of control when merging defaults.
|
|
|
|
|
|
For those cases not covered by automatic merging of defaults in
get_config_dict(..., with_defaults=True), get_config_defaults should
take arguments consistent with those of get_config_dict, for ease of
merging results.
|
|
|
|
|
|
The check for existence of value(s) in config.exists relied solely on
return_value, causing the return of a false negative on multi-valued
nodes; this is corrected. Also, config.exists_effective did no check for
existence of values; this is added.
|
|
This reverts commit c4d389488970c8510200cac96a67182e9333b891.
Revert while investigating failure in vyos-configtest.
|
|
|
|
|
|
Unless no_multi_convert is True, a single valued multi node will be
returned as a list by get_config_dict(). Modification of Thomas Mangin's
version.
|
|
|
|
This is a minor modification of the implementation by Thomas Mangin.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Since lists in python are assigned by reference, taking the return value
from these functions and modifying it will modify all other return values
of functions that called the function before and did not explicitly copy
it.
To be safe, always make a copy of lists before returning them.
|
|
|
|
when there are uncommitted changes.
|
|
Without closing the communication channel to the subprocess, Python will
complain e.g. when executing vyos-smoketest binary.
/usr/lib/python3/dist-packages/vyos/configsession.py:110: ResourceWarning:
unclosed file <_io.BufferedReader name=3>
self.__run_command([CLI_SHELL_API, 'setupSession'])
ResourceWarning: Enable tracemalloc to get the object allocation traceback
|
|
|
|
In addition to ignoring edit level for the session config (12a21a4b),
the running config should be parsed from the top level.
|
|
|
|
* 'current' of github.com:vyos/vyos-1x:
T1855, T1826: Restore support for reboot/poweroff in M minutes.
vyos.config: T1764: allow for list argument to exists, in value case
vyos.config: T1846: ignore edit level when obtaining working config
T1843: use include files for interface proxy-arp-pvlan option
T1843: use include files for interface proxy-arp configuration
T1843: use include files for interface arp-cache-timeout configuration
T1843: use include files for interface link-detect feature
T1843: use include files for interface MTU size
T1843: use include files for interface MAC address
T1843: use include files to disable interface (admin down)
T1843: use include files for interface description
T1843: use include files for DHCP/DHCPv6 options
T1843: recursively include IP address definitions in VIF/VIF-S definitions
T1843: add support for recursive includes
T1843: use include files for VIF/VIF-S interfaces
T1843: use include files for IPv4/IPv6 interface address configuration
T1843: run interface-definitions though GCC preprocessor
|
|
|
|
|
|
|
|
* 'current' of github.com:vyos/vyos-1x:
openvpn: bridge: T1556: remove obsolete bridge-group definition
ifconfig: T1849: fix DHCPv6 startup
Python/VyOS validate: T1849: handle is_ipv6()/is_ipv6() exceptions
ifconfig: T1793: remove dhcpv6 client debug output
ddclient: T1853: bugfix TypeError exception
syslog: T1845: syslog host no longer accepts a port
syslog: code formatting
syslog: T1845: syslog host no longer accepts a port
syslog: renaming files and conf script to fit new scheme
T1855, T1826: clean up the reboot/shutdown script.
wireguard: T1853: disable peer doesn't work
Revert "syslog: T1845: syslog host no longer accepts a port"
dmvpn: T1784: Add swanctl load call
syslog: T1845: syslog host no longer accepts a port
[vyos.config] T1847: correctly set_level for path given as empty string
|
|
|
|
* 'current' of github.com:vyos/vyos-1x:
shutdown: T1826: Modify cancel reboot msg
T1801: move escaping of backslashes into configtree
vxlan: T1636: remove unused import statements
geneve: T1799: remove unused import statements
|
|
|
|
* 'current' of github.com:vyos/vyos-1x:
dns: T1786: add proper processing of 'system disable-dhcp-nameservers'
openvpn: fix typo in op-mode command on display rx bytes
T1801: escape isolated backslashes before passing to ConfigTree()
wireless: T1627: fix interface names for list_interfaces.py
[service https] T1443: add setting of HTTPS listen port
|
|
|
|
* 'current' of github.com:vyos/vyos-1x:
[conf completion]: T1779: Add tunnels to completion
[XML templates] T1772: Changed old hacks to proper regex, according to the fix
Add a function for retrieving config dicts.
snmp: make script extension code more readable
snmp: use proper stat literals on chmod()
snmp: fix verify() indent on script extensions
snmp: fix verify() bail out early order
snmp: T1738: cleanup import statements
T1759: Fixing dependency bug from previous commit
T1773, T1774: add a show config operation with JSON and raw options.
T1759: Merging interface.py into ifconfig.py
Allow list arguments in the vyos.config show_config() function.
Replace the try and wait for segfault approach with explicit inSession check.
T1773: add a script for converting the config to JSON. It also exposes those functions in vyos.configtree
[XML templates] T1772: Add escaping of `\` symbol in `<regex>`
|
|
|
|
|
|
|
|
Python 3.7 considers r'\s*' an empty pattern match, instead of the
previous behaviour of matching whitespace characters.
|
|
|
|
calling showConfig, else, default to config.boot
|