From e2259e25029a142ba607b5865337b38ff8a482aa Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Thu, 4 Aug 2022 13:04:30 +0000
Subject: utils: T4594: Add convert_data util

Convert multiple types of data to types usable in CLI
For example 'vici' returns values in bytestring/bytes and we can
decode them all at once
---
 python/vyos/util.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

(limited to 'python/vyos/util.py')

diff --git a/python/vyos/util.py b/python/vyos/util.py
index b86b1949c..8df9ef7d6 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -800,6 +800,32 @@ def dict_search_recursive(dict_object, key, path=[]):
             for x in dict_search_recursive(j, key, new_path):
                 yield x
 
+def convert_data(data):
+    """Convert multiple types of data to types usable in CLI
+
+    Args:
+        data (str | bytes | list | OrderedDict): input data
+
+    Returns:
+        str | list | dict: converted data
+    """
+    from collections import OrderedDict
+
+    if isinstance(data, str):
+        return data
+    if isinstance(data, bytes):
+        return data.decode()
+    if isinstance(data, list):
+        list_tmp = []
+        for item in data:
+            list_tmp.append(convert_data(item))
+        return list_tmp
+    if isinstance(data, OrderedDict):
+        dict_tmp = {}
+        for key, value in data.items():
+            dict_tmp[key] = convert_data(value)
+        return dict_tmp
+
 def get_bridge_fdb(interface):
     """ Returns the forwarding database entries for a given interface """
     if not os.path.exists(f'/sys/class/net/{interface}'):
-- 
cgit v1.2.3


From c0f5d00d92667f2a45896180cd05747c3ba82782 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Sat, 20 Aug 2022 13:48:30 +0000
Subject: ocserv: T4597: Fix check bounded port by service itself

We check listen port before commit service if is port available and
not bounded, but when we start openconnect our own port starts be
bounded by "ocserv-main" process and next commit will be fail as
port is already bound
To fix it, extend check if port already bonded and it is not our
self process "ocserv-main"
---
 python/vyos/util.py              | 23 +++++++++++++++++++++++
 src/conf_mode/vpn_openconnect.py |  5 ++++-
 2 files changed, 27 insertions(+), 1 deletion(-)

(limited to 'python/vyos/util.py')

diff --git a/python/vyos/util.py b/python/vyos/util.py
index b86b1949c..c1459f02a 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -471,6 +471,29 @@ def process_named_running(name):
             return p.pid
     return None
 
+def is_listen_port_bind_service(port: int, service: str) -> bool:
+    """Check if listen port bound to expected program name
+    :param port: Bind port
+    :param service: Program name
+    :return: bool
+
+    Example:
+        % is_listen_port_bind_service(443, 'nginx')
+        True
+        % is_listen_port_bind_service(443, 'ocservr-main')
+        False
+    """
+    from psutil import net_connections as connections
+    from psutil import Process as process
+    for connection in connections():
+        addr = connection.laddr
+        pid = connection.pid
+        pid_name = process(pid).name()
+        pid_port = addr.port
+        if service == pid_name and port == pid_port:
+            return True
+    return False
+
 def seconds_to_human(s, separator=""):
     """ Converts number of seconds passed to a human-readable
     interval such as 1w4d18h35m59s
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index a3e774678..240546817 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -25,6 +25,7 @@ from vyos.template import render
 from vyos.util import call
 from vyos.util import check_port_availability
 from vyos.util import is_systemd_service_running
+from vyos.util import is_listen_port_bind_service
 from vyos.util import dict_search
 from vyos.xml import defaults
 from vyos import ConfigError
@@ -77,8 +78,10 @@ def verify(ocserv):
     if ocserv is None:
         return None
     # Check if listen-ports not binded other services
+    # It can be only listen by 'ocserv-main'
     for proto, port in ocserv.get('listen_ports').items():
-        if check_port_availability('0.0.0.0', int(port), proto) is not True:
+        if check_port_availability('0.0.0.0', int(port), proto) is not True and \
+                not is_listen_port_bind_service(int(port), 'ocserv-main'):
             raise ConfigError(f'"{proto}" port "{port}" is used by another service')
     # Check authentication
     if "authentication" in ocserv:
-- 
cgit v1.2.3