author | Christian Breunig <christian@breunig.cc> | 2023-11-22 16:07:00 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-22 16:07:00 +0100 |
commit | c1e170c88cd2222f5ec65764e1559b99efa6a862 (patch) | |
tree | 2d6deb64db1edd1f7ef9063cbc9c7b39e838a605 /src/conf_mode/https.py | |
parent | 8f853daa22fe2f822dae0574bf0bb35607d460a8 (diff) | |
parent | 8c450ea7f538beb0b2cd21d35c05d18db49a1802 (diff) | |
Merge pull request #2522 from dmbaturin/require-api-keys
https api: T5772: check if keys are configured unless PAM auth is enabled for GraphQL
Diffstat (limited to 'src/conf_mode/https.py')
-rwxr-xr-x | src/conf_mode/https.py | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 26c4343a0..5cbdd1651 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -76,6 +76,8 @@ def get_config(config=None):
     return https
 
 def verify(https):
+    from vyos.utils.dict import dict_search
+
     if https is None:
         return None
 
@@ -135,6 +137,30 @@ def verify(https):
         raise ConfigError(f'"{proto}" port "{_port}" is used by another service')
 
     verify_vrf(https)
+
+    # Verify API server settings, if present
+    if 'api' in https:
+        keys = dict_search('api.keys.id', https)
+        gql_auth_type = dict_search('api.graphql.authentication.type', https)
+
+        # If "api graphql" is not defined and `gql_auth_type` is None,
+        # there's certainly no JWT auth option, and keys are required
+        jwt_auth = (gql_auth_type == "token")
+
+        # Check for incomplete key configurations in every case
+        valid_keys_exist = False
+        if keys:
+            for k in keys:
+                if 'key' not in keys[k]:
+                    raise ConfigError(f'Missing HTTPS API key string for key id "{k}"')
+                else:
+                    valid_keys_exist = True
+
+        # If only key-based methods are enabled,
+        # fail the commit if no valid key configurations are found
+        if (not valid_keys_exist) and (not jwt_auth):
+            raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled')
+
     return None
 
 def generate(https):
|
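Review bot: The added `from vyos.utils.dict import dict_search` is a function-scope import of a project helper inside `verify()`, which is unusual for a conf_mode script and hides the dependency from readers of the module header; unless an import cycle forces it (nothing in this hunk suggests one), it belongs in the file's top-level import block, which is outside this hunk. The body of `verify()` continues past the end of this hunk.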
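Review bot: The per-key check `if 'key' not in keys[k]:` only tests that the `key` node exists, so a key configured with an empty value would still set `valid_keys_exist` and satisfy the new requirement; `if not keys[k].get('key'):` rejects both the missing and the empty case with the same error, unless the interface definition already refuses an empty value, which this hunk does not show. No strength requirement is applied either — a one-character key passes commit — so a minimum-length floor in this same loop is worth considering as a follow-up rather than silently accepting any non-empty string. Since the loop raises on the first incomplete key, the `else: valid_keys_exist = True` branch is redundant and the flag can be set as `valid_keys_exist = bool(keys)` after the loop, which reads more directly. The enclosing `verify()` starts before this hunk.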