service https: T2157: Organize server block directives as 'virtual host'

3 files changed, 114 insertions, 31 deletions

diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in
index 4f940f7f6..1d986b2b4 100644
--- a/interface-definitions/https.xml.in
+++ b/interface-definitions/https.xml.in
@@ -1,6 +1,7 @@
 <?xml version="1.0"?>
 <!-- HTTPS configuration -->
 <interfaceDefinition>
+  <syntaxVersion component='https' version='1'></syntaxVersion>
   <node name="service">
     <children>
       <node name="https" owner="${vyos_conf_scripts_dir}/https.py">
@@ -9,28 +10,37 @@
           <priority>1001</priority>
         </properties>
         <children>
-          <tagNode name="listen-address">
+          <tagNode name="virtual-host">
             <properties>
-              <help>Addresses to listen for HTTPS requests</help>
-              <valueHelp>
-                <format>ipv4</format>
-                <description>HTTPS IPv4 address</description>
-              </valueHelp>
-              <valueHelp>
-                <format>ipv6</format>
-                <description>HTTPS IPv6 address</description>
-              </valueHelp>
-              <valueHelp>
-                <format>'*'</format>
-                <description>any</description>
-              </valueHelp>
+              <help>Identifier for virtual host</help>
               <constraint>
-                <validator name="ipv4-address"/>
-                <validator name="ipv6-address"/>
-                <regex>\*$</regex>
+                <regex>[a-zA-Z0-9-_.:]{1,255}</regex>
               </constraint>
+              <constraintErrorMessage>illegal characters in identifier or identifier longer than 255 characters</constraintErrorMessage>
             </properties>
             <children>
+              <leafNode name="listen-address">
+                <properties>
+                  <help>Address to listen for HTTPS requests</help>
+                  <valueHelp>
+                    <format>ipv4</format>
+                   <description>HTTPS IPv4 address</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv6</format>
+                    <description>HTTPS IPv6 address</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>'*'</format>
+                    <description>any</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="ipv4-address"/>
+                    <validator name="ipv6-address"/>
+                    <regex>\*$</regex>
+                  </constraint>
+                </properties>
+              </leafNode>
               <leafNode name='listen-port'>
                 <properties>
                   <help>Port to listen for HTTPS requests; default 443</help>
@@ -45,7 +55,7 @@
               </leafNode>
               <leafNode name="server-name">
                 <properties>
-                  <help>Server names: exact, wildcard, regex, or '_' (any)</help>
+                  <help>Server names: exact, wildcard, or regex</help>
                   <multi/>
                 </properties>
               </leafNode>
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index fcbc3d384..a0fe9cf2f 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -18,6 +18,7 @@
 
 import sys
 import os
+from copy import deepcopy
 
 import jinja2
 
@@ -111,22 +112,22 @@ def get_config():
     else:
         conf.set_level('service https')
 
-    if conf.exists('listen-address'):
-        for addr in conf.list_nodes('listen-address'):
-            server_block = {'address' : addr}
-            server_block['port'] = '443'
-            server_block['name'] = ['_']
-            if conf.exists('listen-address {0} listen-port'.format(addr)):
-                port = conf.return_value('listen-address {0} listen-port'.format(addr))
+    if not conf.exists('virtual-host'):
+        server_block_list.append(default_server_block)
+    else:
+        for vhost in conf.list_nodes('virtual-host'):
+            server_block = deepcopy(default_server_block)
+            if conf.exists(f'virtual-host {vhost} listen-address'):
+                addr = conf.return_value(f'virtual-host {vhost} listen-address')
+                server_block['address'] = addr
+            if conf.exists(f'virtual-host {vhost} listen-port'):
+                port = conf.return_value(f'virtual-host {vhost} listen-port')
                 server_block['port'] = port
-            if conf.exists('listen-address {0} server-name'.format(addr)):
-                names = conf.return_values('listen-address {0} server-name'.format(addr))
+            if conf.exists(f'virtual-host {vhost} server-name'):
+                names = conf.return_values(f'virtual-host {vhost} server-name')
                 server_block['name'] = names[:]
             server_block_list.append(server_block)
 
-    if not server_block_list:
-        server_block_list.append(default_server_block)
-
     vyos_cert_data = {}
     if conf.exists('certificates system-generated-certificate'):
         vyos_cert_data = vyos.defaults.vyos_cert_data
@@ -170,7 +171,7 @@ def verify(https):
         for sb in https['server_block_list']:
             if sb['certbot']:
                 return None
-        raise ConfigError("At least one 'listen-address x.x.x.x server-name' "
+        raise ConfigError("At least one 'virtual-host <id> server-name' "
                           "matching the 'certbot domain-name' is required.")
     return None
 
diff --git a/src/migration-scripts/https/0-to-1 b/src/migration-scripts/https/0-to-1
new file mode 100755
index 000000000..c6ed12fae
--- /dev/null
+++ b/src/migration-scripts/https/0-to-1
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# * remove "system login user <user> group" node, Why should be add a user to a
+#   3rd party group when the system is fully managed by CLI?
+# * remove "system login user <user> level" node
+#   This is the only privilege level left and also the default, what is the
+#   sense in keeping this orphaned node?
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if (len(sys.argv) < 2):
+    print("Must specify file name!")
+    sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+
+old_base = ['service', 'https', 'listen-address']
+if not config.exists(old_base):
+    # Nothing to do
+    sys.exit(0)
+else:
+    new_base = ['service', 'https', 'virtual-host']
+    config.set(new_base)
+    config.set_tag(new_base)
+
+    index = 0
+    for addr in config.list_nodes(old_base):
+        tag_name = f'vhost{index}'
+        config.set(new_base + [tag_name])
+        config.set(new_base + [tag_name, 'listen-address'], value=addr)
+
+        if config.exists(old_base + [addr, 'listen-port']):
+            port = config.return_value(old_base + [addr, 'listen-port'])
+            config.set(new_base + [tag_name, 'listen-port'], value=port)
+
+        if config.exists(old_base + [addr, 'server-name']):
+            names = config.return_values(old_base + [addr, 'server-name'])
+            for name in names:
+                config.set(new_base + [tag_name, 'server-name'], value=name,
+                           replace=False)
+
+        index += 1
+
+    config.delete(old_base)
+
+    try:
+        with open(file_name, 'w') as f:
+            f.write(config.to_string())
+    except OSError as e:
+        print("Failed to save the modified config: {}".format(e))
+        sys.exit(1)