diff options
author | Christian Breunig <christian@breunig.cc> | 2024-04-02 18:52:29 +0200 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2024-04-02 19:00:45 +0200 |
commit | 3b758d870449e92fece9e29c791b950b332e6e65 (patch) | |
tree | 9a4a0abb20596baf9d991110d7892efa23d7626b /src/conf_mode/interfaces_ethernet.py | |
parent | ecdf22fee3272dedc8c1c7c6d5e95057042b48ce (diff) | |
download | vyos-1x-3b758d870449e92fece9e29c791b950b332e6e65.tar.gz vyos-1x-3b758d870449e92fece9e29c791b950b332e6e65.zip |
configverify: T6198: add common helper for PKI certificate validation
The next evolutional step after adding get_config_dict(..., with_pki=True) is
to add a common verification function for the recurring task of validating SSL
certificate existance in e.g. EAPoL, OpenConnect, SSTP or HTTPS.
Diffstat (limited to 'src/conf_mode/interfaces_ethernet.py')
-rwxr-xr-x | src/conf_mode/interfaces_ethernet.py | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/src/conf_mode/interfaces_ethernet.py b/src/conf_mode/interfaces_ethernet.py index 2c0f846c3..504d48f89 100755 --- a/src/conf_mode/interfaces_ethernet.py +++ b/src/conf_mode/interfaces_ethernet.py @@ -15,7 +15,6 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os -import pprint from glob import glob from sys import exit @@ -26,7 +25,6 @@ from vyos.configdict import get_interface_dict from vyos.configdict import is_node_changed from vyos.configverify import verify_address from vyos.configverify import verify_dhcpv6 -from vyos.configverify import verify_eapol from vyos.configverify import verify_interface_exists from vyos.configverify import verify_mirror_redirect from vyos.configverify import verify_mtu @@ -34,6 +32,8 @@ from vyos.configverify import verify_mtu_ipv6 from vyos.configverify import verify_vlan_config from vyos.configverify import verify_vrf from vyos.configverify import verify_bond_bridge_member +from vyos.configverify import verify_pki_certificate +from vyos.configverify import verify_pki_ca_certificate from vyos.ethtool import Ethtool from vyos.ifconfig import EthernetIf from vyos.ifconfig import BondIf @@ -263,6 +263,22 @@ def verify_allowedbond_changes(ethernet: dict): f' on interface "{ethernet["ifname"]}".' \ f' Interface is a bond member') +def verify_eapol(ethernet: dict): + """ + Common helper function used by interface implementations to perform + recurring validation of EAPoL configuration. + """ + if 'eapol' not in ethernet: + return + + if 'certificate' not in ethernet['eapol']: + raise ConfigError('Certificate must be specified when using EAPoL!') + + verify_pki_certificate(ethernet, ethernet['eapol']['certificate'], no_password_protected=True) + + if 'ca_certificate' in ethernet['eapol']: + for ca_cert in ethernet['eapol']['ca_certificate']: + verify_pki_ca_certificate(ethernet, ca_cert) def verify(ethernet): if 'deleted' in ethernet: |