path: root/python/vyos/config.py
Age | Commit message | Author
2024-02-02 | configdict: T5894: preserve old behavior when dealing with PKI | Christian Breunig
Commit b152b5202 ("configdict: T5894: add get_config_dict() flag with_pki") added the generic PKI flag but if there was no PKI subsystem available in the configuration, no pki dict key ever manifested in the resulting dictionary requested by the caller.

This is different to the old behavior (with each caller implementing the call itself) where there always was a pki key present - even if it was empty. This triggered a bug in the IPSec script

    Traceback (most recent call last):
      File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 600, in <module>
        verify(ipsec)
      File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 372, in verify
        verify_pki_rsa(ipsec['pki'], rsa)
                       ~~~~~^^^^^^^
    KeyError: 'pki'

As it wanted to verify keys, but there was no pki dictionary key available. This commit restores the previous behavior.
2024-01-06 | pki: T5886: add support for ACME protocol (LetsEncrypt) | Christian Breunig
The "idea" of this PR is to add new CLI nodes under the pki subsystem to activate ACME for any given certificate.

    vyos@vyos# set pki certificate NAME acme
    Possible completions:
    +  domain-name      Domain Name
       email            Email address to associate with certificate
       listen-address   Local IPv4 addresses to listen on
       rsa-key-size     Size of the RSA key (default: 2048)
       url              Remote URL (default: https://acme-v02.api.letsencrypt.org/directory)

Users choose if the CLI based custom certificates are used

    set pki certificate EXAMPLE acme certificate <base64>

or if it should be generated via ACME. The ACME server URL defaults to LetsEncrypt but can be changed to their staging API for testing to not get blacklisted.

    set pki certificate EXAMPLE acme url https://acme-staging-v02.api.letsencrypt.org/directory

Certificate retrieval has a certbot --dry-run stage in verify() to see if it can be generated. After successful generation, the certificate is stored under /config/auth/letsencrypt.

Once a certificate is referenced in the CLI (e.g. set interfaces ethernet eth0 eapol certificate EXAMPLE) we call vyos.config.get_config_dict() which will (if with_pki=True is set) blend in the base64 encoded certificate into the JSON data structure normally used when using a certificate set by the CLI.

Using this "design" does not need any change to any other code referencing the PKI system, as the base64 encoded certificate is already there. certbot renewal will call the PKI python script to trigger dependency updates.
2024-01-04 | configdict: T5894: add get_config_dict() flag with_pki | Christian Breunig
VyOS has several services relying on the PKI CLI tree to retrieve certificates. Consuming services like ethernet, openvpn or ipsec all re-implemented the same code to retrieve the certificates from the CLI. This commit extends the signature of get_config_dict() with a new option with_pki that defaults to false. If this option is set, the PKI CLI tree will be blended into the resulting dictionary.
2023-08-23 | save-config: T4292: rewrite vyatta-save-config.pl to Python | John Estabrook
2023-08-07 | config: T5443: add config merge_defaults method | John Estabrook
Drop low-level merge_defaults function in favor of Config method for a middle-grained level of control when merging defaults.
2023-07-20 | config: T5228: add missing check of args | John Estabrook
2023-07-07 | config: T5330: add subclass ConfigDict to preserve merge data | John Estabrook
2023-06-22 | config: T5228: add get_config_defaults options to match get_config_dict | John Estabrook
For those cases not covered by automatic merging of defaults in get_config_dict(..., with_defaults=True), get_config_defaults should take arguments consistent with those of get_config_dict, for ease of merging results.
2023-06-22 | config: T5228: add arg with_defaults to get_config_dict | John Estabrook
2022-04-21 | T4361: refactor and simplify vyos.config.exists() | Daniil Baturin
2022-04-14 | config: T4361: correct exists()/exists_effective() on value(s) | John Estabrook
The check for existence of value(s) in config.exists relied solely on return_value, causing the return of a false negative on multi-valued nodes; this is corrected. Also, config.exists_effective did no check for existence of values; this is added.
2022-03-10 | Revert "save-config: T4292: rewrite vyatta-save-config.pl to Python" | John Estabrook
This reverts commit c4d389488970c8510200cac96a67182e9333b891. Revert while investigating failure in vyos-configtest.
2022-03-08 | save-config: T4292: rewrite vyatta-save-config.pl to Python | John Estabrook
2021-04-16 | config: T3481: add switch to prevent mangling of tag node values | John Estabrook
2020-08-30 | config: T2636: get_config_dict() returns a list on multi node by default | John Estabrook
Unless no_multi_convert is True, a single valued multi node will be returned as a list by get_config_dict(). Modification of Thomas Mangin's version.
2020-07-22 | config: T2707: use ConfigSource and refactor Config methods | John Estabrook
2020-07-17 | config: T2689: cache config_dict | John Estabrook
This is a minor modification of the implementation by Thomas Mangin.
2020-07-03 | config_dict: update docstring | John Estabrook
2020-07-03 | config_dict: T2670: remove dependency on show_config | John Estabrook
2020-07-01 | config_dict: T2668: move keyword arg get_first_key into get_sub_dict | John Estabrook
2020-07-01 | config: T2667: add missing check | John Estabrook
2020-07-01 | config: T2667: use get_sub_dict for get_config_dict(path, ...) | John Estabrook
2020-06-18 | T2614: add a key mangling option to vyos.config.get_config_dict() | Daniil Baturin
2020-06-16 | config: T2568: add missing error checking | John Estabrook
2020-05-17 | config: T2409: effective config should be empty at boot initialization | John Estabrook
2020-05-17 | config: return empty dict if configuration under path is empty | John Estabrook
2020-05-05 | config: T2427: always return copies of lists | Jernej Jakob
Since lists in python are assigned by reference, taking the return value from these functions and modifying it will modify all other return values of functions that called the function before and did not explicitly copy it. To be safe, always make a copy of lists before returning them.
2020-03-29 | vyos.config: T2180: ignore CLI edit level in show_config | John Estabrook
2020-01-29 | T1989: use explicit active/working showConfig options to prevent getting diffs | Daniil Baturin
when there are uncommitted changes.
2020-01-24 | Python: T1986: close subprocess channel | Christian Poessinger
Without closing the communication channel to the subprocess, Python will complain e.g. when executing vyos-smoketest binary.

    /usr/lib/python3/dist-packages/vyos/configsession.py:110: ResourceWarning: unclosed file <_io.BufferedReader name=3>
      self.__run_command([CLI_SHELL_API, 'setupSession'])
    ResourceWarning: Enable tracemalloc to get the object allocation traceback
2019-12-16 | Merge branch 'current' into equuleus | hagbard
2019-12-11 | vyos.config: T1846: ignore edit level when obtaining running config | John Estabrook
In addition to ignoring edit level for the session config (12a21a4b), the running config should be parsed from the top level.
2019-12-10 | vyos.config: T1862: restore regex after merge | John Estabrook
2019-12-10 | Merge branch 'current' of github.com:vyos/vyos-1x into equuleus | Christian Poessinger
* 'current' of github.com:vyos/vyos-1x:
  T1855, T1826: Restore support for reboot/poweroff in M minutes.
  vyos.config: T1764: allow for list argument to exists, in value case
  vyos.config: T1846: ignore edit level when obtaining working config
  T1843: use include files for interface proxy-arp-pvlan option
  T1843: use include files for interface proxy-arp configuration
  T1843: use include files for interface arp-cache-timeout configuration
  T1843: use include files for interface link-detect feature
  T1843: use include files for interface MTU size
  T1843: use include files for interface MAC address
  T1843: use include files to disable interface (admin down)
  T1843: use include files for interface description
  T1843: use include files for DHCP/DHCPv6 options
  T1843: recursively include IP address definitions in VIF/VIF-S definitions
  T1843: add support for recursive includes
  T1843: use include files for VIF/VIF-S interfaces
  T1843: use include files for IPv4/IPv6 interface address configuration
  T1843: run interface-definitions though GCC preprocessor
2019-12-09 | vyos.config: T1764: allow for list argument to exists, in value case | John Estabrook
2019-12-09 | vyos.config: T1846: ignore edit level when obtaining working config | John Estabrook
2019-12-06 | equuleus: T1862: Use regex pattern \s+ to split strings on whitespace | John Estabrook
2019-12-06 | Merge branch 'current' of github.com:vyos/vyos-1x into equuleus | Christian Poessinger
* 'current' of github.com:vyos/vyos-1x:
  openvpn: bridge: T1556: remove obsolete bridge-group definition
  ifconfig: T1849: fix DHCPv6 startup
  Python/VyOS validate: T1849: handle is_ipv6()/is_ipv6() exceptions
  ifconfig: T1793: remove dhcpv6 client debug output
  ddclient: T1853: bugfix TypeError exception
  syslog: T1845: syslog host no longer accepts a port
  syslog: code formatting
  syslog: T1845: syslog host no longer accepts a port
  syslog: renaming files and conf script to fit new scheme
  T1855, T1826: clean up the reboot/shutdown script.
  wireguard: T1853: disable peer doesn't work
  Revert "syslog: T1845: syslog host no longer accepts a port"
  dmvpn: T1784: Add swanctl load call
  syslog: T1845: syslog host no longer accepts a port
  [vyos.config] T1847: correctly set_level for path given as empty string
2019-12-04 | [vyos.config] T1847: correctly set_level for path given as empty string | John Estabrook
2019-12-04 | Merge branch 'current' of github.com:vyos/vyos-1x into equuleus | Christian Poessinger
* 'current' of github.com:vyos/vyos-1x:
  shutdown: T1826: Modify cancel reboot msg
  T1801: move escaping of backslashes into configtree
  vxlan: T1636: remove unused import statements
  geneve: T1799: remove unused import statements
2019-12-03 | T1801: move escaping of backslashes into configtree | John Estabrook
2019-11-17 | Merge branch 'current' of github.com:vyos/vyos-1x into equuleus | Christian Poessinger
* 'current' of github.com:vyos/vyos-1x:
  dns: T1786: add proper processing of 'system disable-dhcp-nameservers'
  openvpn: fix typo in op-mode command on display rx bytes
  T1801: escape isolated backslashes before passing to ConfigTree()
  wireless: T1627: fix interface names for list_interfaces.py
  [service https] T1443: add setting of HTTPS listen port
2019-11-17 | T1801: escape isolated backslashes before passing to ConfigTree() | John Estabrook
2019-10-31 | Merge branch 'current' of github.com:vyos/vyos-1x into equuleus | Christian Poessinger
* 'current' of github.com:vyos/vyos-1x:
  [conf completion]: T1779: Add tunnels to completion
  [XML templates] T1772: Changed old hacks to proper regex, according to the fix
  Add a function for retrieving config dicts.
  snmp: make script extension code more readable
  snmp: use proper stat literals on chmod()
  snmp: fix verify() indent on script extensions
  snmp: fix verify() bail out early order
  snmp: T1738: cleanup import statements
  T1759: Fixing dependency bug from previous commit
  T1773, T1774: add a show config operation with JSON and raw options.
  T1759: Merging interface.py into ifconfig.py
  Allow list arguments in the vyos.config show_config() function.
  Replace the try and wait for segfault approach with explicit inSession check.
  T1773: add a script for converting the config to JSON. It also exposes those functions in vyos.configtree
  [XML templates] T1772: Add escaping of `\` symbol in `<regex>`
2019-10-28 | Add a function for retrieving config dicts. | Daniil Baturin
2019-10-27 | Allow list arguments in the vyos.config show_config() function. | Daniil Baturin
2019-10-27 | Replace the try and wait for segfault approach with explicit inSession check. | Daniil Baturin
2019-10-25 | [vyos.config] T1758: adjust regex for change in Python 3.7 | John Estabrook
Python 3.7 considers r'\s*' an empty pattern match, instead of the previous behaviour of matching whitespace characters.
2019-10-24 | [vyos.config] T1764: support both string and list arguments in config functions. | Daniil Baturin
2019-10-23 | [vyos.config] T1758: check that config setup has completed before | John Estabrook
calling showConfig, else, default to config.boot