authorChristian Breunig <christian@breunig.cc>2025-05-29 20:16:51 +0200
committerGitHub <noreply@github.com>2025-05-29 20:16:51 +0200
commit08dc2e56bf4ad487709ec3849fe97ec24d5b35fe (patch)
tree9c46650bbe0448accb0fabcf1b980cd598fdebbf /python
parent2ca38e7c8d2487446d64b3ae945705012a2dc742 (diff)
parent4b4bbd73b84c2c478c7752f58e7f66ec6d90459e (diff)
downloadvyos-1x-08dc2e56bf4ad487709ec3849fe97ec24d5b35fe.tar.gz
vyos-1x-08dc2e56bf4ad487709ec3849fe97ec24d5b35fe.zip
Merge pull request #4266 from takehaya/T6013-trusted-ca-keys
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
Diffstat (limited to 'python')
-rw-r--r--python/vyos/configverify.py19
-rw-r--r--python/vyos/defaults.py8
-rwxr-xr-xpython/vyos/template.py20
-rw-r--r--python/vyos/utils/file.py21
4 files changed, 59 insertions, 9 deletions
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index d5f443f15..07eb29a68 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -527,6 +527,25 @@ def verify_pki_dh_parameters(config: dict, dh_name: str, min_key_size: int=0):
if dh_bits < min_key_size:
raise ConfigError(f'Minimum DH key-size is {min_key_size} bits!')
+def verify_pki_openssh_key(config: dict, key_name: str):
+ """
+ Common helper function user by PKI consumers to perform recurring
+ validation functions on OpenSSH keys
+ """
+ if 'pki' not in config:
+ raise ConfigError('PKI is not configured!')
+
+ if 'openssh' not in config['pki']:
+ raise ConfigError('PKI does not contain any OpenSSH keys!')
+
+ if key_name not in config['pki']['openssh']:
+ raise ConfigError(f'OpenSSH key "{key_name}" not found in configuration!')
+
+ if 'public' in config['pki']['openssh'][key_name]:
+ if not {'key', 'type'} <= set(config['pki']['openssh'][key_name]['public']):
+ raise ConfigError('Both public key and type must be defined for '\
+ f'OpenSSH public key "{key_name}"!')
+
def verify_eapol(config: dict):
"""
Common helper function used by interface implementations to perform
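Review bot: The docstring at the top of verify_pki_openssh_key reads "user by PKI consumers" and does not state that an entry with no `public` section passes unchanged, which is what the final `if 'public' in ...` silently does; suggest `Common helper function used by PKI consumers to perform recurring validation of OpenSSH keys. Only the public part is checked; entries without a 'public' section pass unchanged.` A consumer that actually requires a public key (the trusted-user-CA case in the PR title presumably does) still has to check for its presence itself, and saying so here stops callers from assuming this helper guarantees it.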
diff --git a/python/vyos/defaults.py b/python/vyos/defaults.py
index fbde0298b..e42d92112 100644
--- a/python/vyos/defaults.py
+++ b/python/vyos/defaults.py
@@ -53,6 +53,10 @@ internal_ports = {
'certbot_haproxy' : 65080, # Certbot running behing haproxy
}
+config_files = {
+ 'sshd_user_ca' : '/run/sshd/trusted_user_ca',
+}
+
config_status = '/tmp/vyos-config-status'
api_config_state = '/run/http-api-state'
frr_debug_enable = '/tmp/vyos.frr.debug'
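Review bot: `config_files` is added without any description of what the dict holds or who resolves its keys, while the neighbouring `internal_ports` entries each carry a comment (`# Certbot running behing haproxy`). A heading comment such as `# Runtime-generated file paths, looked up by name (e.g. from templates)` would help, hedged because the template.py hunk in this same commit is the only consumer visible here; likewise a per-key comment on `'sshd_user_ca'` saying which sshd setting consumes it, which I infer from the PR title but cannot confirm from this hunk.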
@@ -69,8 +73,8 @@ config_default = os.path.join(directories['data'], 'config.boot.default')
rt_symbolic_names = {
# Standard routing tables for Linux & reserved IDs for VyOS
- 'default': 253, # Confusingly, a final fallthru, not the default.
- 'main': 254, # The actual global table used by iproute2 unless told otherwise.
+ 'default': 253, # Confusingly, a final fallthru, not the default.
+ 'main': 254, # The actual global table used by iproute2 unless told otherwise.
'local': 255, # Special kernel loopback table.
}
diff --git a/python/vyos/template.py b/python/vyos/template.py
index aa215db95..bf7928914 100755
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -1079,7 +1079,7 @@ def vyos_defined(value, test_value=None, var_type=None):
def get_default_port(service):
"""
Jinja2 plugin to retrieve common service port number from vyos.defaults
- class form a Jinja2 template. This removes the need to hardcode, or pass in
+ class from a Jinja2 template. This removes the need to hardcode, or pass in
the data using the general dictionary.
Added to remove code complexity and make it easier to read.
@@ -1092,3 +1092,21 @@ def get_default_port(service):
raise RuntimeError(f'Service "{service}" not found in internal ' \
'vyos.defaults.internal_ports dict!')
return internal_ports[service]
+
+@register_clever_function('get_default_config_file')
+def get_default_config_file(filename):
+ """
+ Jinja2 plugin to retrieve a common configuration file path from
+ vyos.defaults class from a Jinja2 template. This removes the need to
+ hardcode, or pass in the data using the general dictionary.
+
+ Added to remove code complexity and make it easier to read.
+
+ Example:
+ {{ get_default_config_file('certbot_haproxy') }}
+ """
+ from vyos.defaults import config_files
+ if filename not in config_files:
+ raise RuntimeError(f'Configuration file "(unknown)" not found in '\
+ 'internal vyos.defaults.config_files dict!')
+ return config_files[filename]
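Review bot: The RuntimeError message at the bottom of get_default_config_file is an f-string with no placeholder, so it reports the literal `"(unknown)"` instead of the key that was looked up; `raise RuntimeError(f'Configuration file "{filename}" not found in '\` mirrors the message in get_default_port just above. The docstring example `{{ get_default_config_file('certbot_haproxy') }}` uses a key from `internal_ports`, not from `config_files` (which in this commit's defaults.py hunk only has `sshd_user_ca`), so the example as written would itself raise; `{{ get_default_config_file('sshd_user_ca') }}` would work.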
diff --git a/python/vyos/utils/file.py b/python/vyos/utils/file.py
index eaebb57a3..cc46d77d1 100644
--- a/python/vyos/utils/file.py
+++ b/python/vyos/utils/file.py
@@ -28,22 +28,28 @@ def file_is_persistent(path):
absolute = os.path.abspath(os.path.dirname(path))
return re.match(location,absolute)
-def read_file(fname, defaultonfailure=None):
+def read_file(fname, defaultonfailure=None, sudo=False):
"""
read the content of a file, stripping any end characters (space, newlines)
should defaultonfailure be not None, it is returned on failure to read
"""
try:
- """ Read a file to string """
- with open(fname, 'r') as f:
- data = f.read().strip()
- return data
+ # Some files can only be read by root - emulate sudo cat call
+ if sudo:
+ from vyos.utils.process import cmd
+ data = cmd(['sudo', 'cat', fname])
+ else:
+ # If not sudo, just read the file
+ with open(fname, 'r') as f:
+ data = f.read()
+ return data.strip()
except Exception as e:
if defaultonfailure is not None:
return defaultonfailure
raise e
-def write_file(fname, data, defaultonfailure=None, user=None, group=None, mode=None, append=False):
+def write_file(fname, data, defaultonfailure=None, user=None, group=None,
+ mode=None, append=False, trailing_newline=False):
"""
Write content of data to given fname, should defaultonfailure be not None,
it is returned on failure to read.
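Review bot: In the new `sudo` branch of read_file the caller-supplied `fname` is handed to `cat` as a bare positional argument, so a name beginning with `-` would be parsed as an option; `data = cmd(['sudo', 'cat', '--', fname])` ends option parsing before the path. Passing the path as a list element rather than through a shell string is the right shape, but the docstring still says nothing about `sudo`, and since the branch reads with root privileges it should, e.g. `sudo: read via 'sudo cat' for files only root may read; never pass a path derived from untrusted input`. Whether `cmd` raises on a non-zero exit, and therefore whether `defaultonfailure` applies on the sudo path the way it does for `open`, is not visible in this hunk.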
@@ -60,6 +66,9 @@ def write_file(fname, data, defaultonfailure=None, user=None, group=None, mode=N
bytes = 0
with open(fname, 'w' if not append else 'a') as f:
bytes = f.write(data)
+ if trailing_newline and not data.endswith('\n'):
+ f.write('\n')
+ bytes += 1
chown(fname, user, group)
chmod(fname, mode)
return bytes
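Review bot: `bytes += 1` hard-codes the count for the newline written on the line above; `bytes += f.write('\n')` keeps the bookkeeping consistent with `bytes = f.write(data)` two lines earlier and stays correct if that write ever returns a different count. The `trailing_newline` parameter is declared in the previous hunk and the docstring head visible there does not describe it; a line such as `trailing_newline: append a newline if data does not already end with one` belongs in that docstring. write_file's signature and the start of its docstring are outside this hunk.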