authorJohn Estabrook <jestabro@vyos.io>2020-04-07 15:35:16 -0500
committerJohn Estabrook <jestabro@vyos.io>2020-04-07 21:38:09 -0500
commitf8fafbb05a79b50cddf870617c8796bce521ce21 (patch)
tree89db3b3cc989dcd84fd15fb6adfb21fb2d9b0cbe
parentfcce4714146a39f608ddd141338547a5a952c63f (diff)
http api: T2160: move 'api virtual-host' to 'api-restrict virtual-host'
Restriction of api proxy should be owned by https.py, not http-api.py.
-rw-r--r--interface-definitions/https.xml.in9
-rwxr-xr-xsrc/conf_mode/https.py4
-rwxr-xr-xsrc/migration-scripts/https/1-to-254
3 files changed, 64 insertions, 3 deletions
diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in
index 49bd25b82..9bb96f1f0 100644
--- a/interface-definitions/https.xml.in
+++ b/interface-definitions/https.xml.in
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!-- HTTPS configuration -->
<interfaceDefinition>
- <syntaxVersion component='https' version='1'></syntaxVersion>
+ <syntaxVersion component='https' version='2'></syntaxVersion>
<node name="service">
<children>
<node name="https" owner="${vyos_conf_scripts_dir}/https.py">
@@ -111,6 +111,13 @@
<hidden/>
</properties>
</leafNode>
+ </children>
+ </node>
+ <node name="api-restrict">
+ <properties>
+ <help>Restrict api proxy to subset of virtual hosts</help>
+ </properties>
+ <children>
<leafNode name="virtual-host">
<properties>
<help>Restrict proxy to virtual host(s)</help>
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index e46f1a4e7..90e34cedd 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -94,8 +94,8 @@ def get_config():
if conf.exists('api port'):
port = conf.return_value('api port')
api_data['port'] = port
- if conf.exists('api virtual-host'):
- vhosts = conf.return_values('api virtual-host')
+ if conf.exists('api-restrict virtual-host'):
+ vhosts = conf.return_values('api-restrict virtual-host')
api_data['vhost'] = vhosts[:]
if api_data:
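Review bot: The values read from `api-restrict virtual-host` are copied into `api_data['vhost']` with no check in this hunk that each name matches a configured virtual host, so a misspelled entry appears to be accepted silently. Because this list decides which virtual hosts expose the API proxy, the script's verify step (not visible here, if it has one) should reject unknown names; otherwise the restriction could end up matching nothing or, depending on how the template treats it, not restricting at all. Indentation is lost on this page, so it is unclear whether the new lookup still sits under the `api` check; if it does, a comment such as `# api-restrict is only honoured when 'api' is configured` would make that dependency explicit. get_config starts and ends outside the hunk.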
diff --git a/src/migration-scripts/https/1-to-2 b/src/migration-scripts/https/1-to-2
new file mode 100755
index 000000000..b1cf37ea6
--- /dev/null
+++ b/src/migration-scripts/https/1-to-2
@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# * Move 'api virtual-host' list to 'api-restrict virtual-host' so it
+# is owned by https.py instead of http-api.py
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if (len(sys.argv) < 2):
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+
+old_base = ['service', 'https', 'api', 'virtual-host']
+if not config.exists(old_base):
+ # Nothing to do
+ sys.exit(0)
+else:
+ new_base = ['service', 'https', 'api-restrict', 'virtual-host']
+ config.set(new_base)
+
+ names = config.return_values(old_base)
+ for name in names:
+ config.set(new_base, value=name, replace=False)
+
+ config.delete(old_base)
+
+ try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ sys.exit(1)
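Review bot: The save at the end of the script opens `file_name` with mode `'w'`, which truncates the config before the new text is written, so an `OSError` part-way through (full disk, I/O error) leaves a partial file even though the script exits 1. The value being moved is an access restriction on the API proxy, so losing it or the surrounding config on a failed write is worth avoiding. Writing to a temporary file in the same directory and calling `os.replace()` over the original fixes that; it needs `import os` at the top, and the temporary file should be given the original's mode and owner. The initial `open(file_name, 'r')` is also outside any `try`, so a read failure surfaces as a traceback rather than the message used for write failures.

```python
    # … unchanged: copy values from old_base to new_base, delete old_base …

    tmp_name = file_name + '.tmp'
    try:
        with open(tmp_name, 'w') as f:
            f.write(config.to_string())
        # Atomic on POSIX: the original stays intact until the new text is fully written.
        os.replace(tmp_name, file_name)
    except OSError as e:
        print("Failed to save the modified config: {}".format(e))
        sys.exit(1)
```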