authorChristian Breunig <christian@breunig.cc>2023-11-22 16:07:00 +0100
committerGitHub <noreply@github.com>2023-11-22 16:07:00 +0100
commitc1e170c88cd2222f5ec65764e1559b99efa6a862 (patch)
tree2d6deb64db1edd1f7ef9063cbc9c7b39e838a605 /src/conf_mode/https.py
parent8f853daa22fe2f822dae0574bf0bb35607d460a8 (diff)
parent8c450ea7f538beb0b2cd21d35c05d18db49a1802 (diff)
Merge pull request #2522 from dmbaturin/require-api-keys
https api: T5772: check if keys are configured unless PAM auth is enabled for GraphQL
Diffstat (limited to 'src/conf_mode/https.py')
-rwxr-xr-xsrc/conf_mode/https.py26
1 files changed, 26 insertions, 0 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 26c4343a0..5cbdd1651 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -76,6 +76,8 @@ def get_config(config=None):
return https
def verify(https):
+ from vyos.utils.dict import dict_search
+
if https is None:
return None
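Review bot: The added `from vyos.utils.dict import dict_search` sits inside `verify()` rather than with the module-level imports, which are outside this hunk. Unless the local import is deliberate (for example to avoid an import cycle), moving it to the top of the file keeps the script's dependencies visible in one place. The body of `verify()` continues past the end of this hunk.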
@@ -135,6 +137,30 @@ def verify(https):
raise ConfigError(f'"{proto}" port "{_port}" is used by another service')
verify_vrf(https)
+
+ # Verify API server settings, if present
+ if 'api' in https:
+ keys = dict_search('api.keys.id', https)
+ gql_auth_type = dict_search('api.graphql.authentication.type', https)
+
+ # If "api graphql" is not defined and `gql_auth_type` is None,
+ # there's certainly no JWT auth option, and keys are required
+ jwt_auth = (gql_auth_type == "token")
+
+ # Check for incomplete key configurations in every case
+ valid_keys_exist = False
+ if keys:
+ for k in keys:
+ if 'key' not in keys[k]:
+ raise ConfigError(f'Missing HTTPS API key string for key id "{k}"')
+ else:
+ valid_keys_exist = True
+
+ # If only key-based methods are enabled,
+ # fail the commit if no valid key configurations are found
+ if (not valid_keys_exist) and (not jwt_auth):
+ raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled')
+
return None
def generate(https):
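Review bot: The per-key check `if 'key' not in keys[k]` only tests that a `key` entry exists, so a key id with an empty value would still set `valid_keys_exist` and satisfy the "at least one key" requirement. Whether the CLI schema already rejects empty values is not visible here; if it does not, `if not keys[k].get('key'):` closes the gap with the same error message. The `else:` after the `raise` is redundant, so `valid_keys_exist = True` can follow the `if` directly. A short comment above `jwt_auth = (gql_auth_type == "token")` would also help, for example `# With token auth and no keys, key-authenticated endpoints must reject every request`, to record the fail-closed assumption this exemption seems to rely on. `verify()` starts before this hunk.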