summaryrefslogtreecommitdiff
path: root/src/conf_mode/load-balancing_reverse-proxy.py
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-04-02 18:52:29 +0200
committerChristian Breunig <christian@breunig.cc>2024-04-02 19:00:45 +0200
commit3b758d870449e92fece9e29c791b950b332e6e65 (patch)
tree9a4a0abb20596baf9d991110d7892efa23d7626b /src/conf_mode/load-balancing_reverse-proxy.py
parentecdf22fee3272dedc8c1c7c6d5e95057042b48ce (diff)
downloadvyos-1x-3b758d870449e92fece9e29c791b950b332e6e65.tar.gz
vyos-1x-3b758d870449e92fece9e29c791b950b332e6e65.zip
configverify: T6198: add common helper for PKI certificate validation
The next evolutional step after adding get_config_dict(..., with_pki=True) is to add a common verification function for the recurring task of validating SSL certificate existance in e.g. EAPoL, OpenConnect, SSTP or HTTPS.
Diffstat (limited to 'src/conf_mode/load-balancing_reverse-proxy.py')
-rwxr-xr-xsrc/conf_mode/load-balancing_reverse-proxy.py38
1 files changed, 8 insertions, 30 deletions
diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py
index 2a0acd84a..694a4e1ea 100755
--- a/src/conf_mode/load-balancing_reverse-proxy.py
+++ b/src/conf_mode/load-balancing_reverse-proxy.py
@@ -20,6 +20,9 @@ from sys import exit
from shutil import rmtree
from vyos.config import Config
+from vyos.configverify import verify_pki_certificate
+from vyos.configverify import verify_pki_ca_certificate
+from vyos.utils.dict import dict_search
from vyos.utils.process import call
from vyos.utils.network import check_port_availability
from vyos.utils.network import is_listen_port_bind_service
@@ -33,8 +36,7 @@ airbag.enable()
load_balancing_dir = '/run/haproxy'
load_balancing_conf_file = f'{load_balancing_dir}/haproxy.cfg'
systemd_service = 'haproxy.service'
-systemd_override = r'/run/systemd/system/haproxy.service.d/10-override.conf'
-
+systemd_override = '/run/systemd/system/haproxy.service.d/10-override.conf'
def get_config(config=None):
if config:
@@ -54,30 +56,6 @@ def get_config(config=None):
return lb
-
-def _verify_cert(lb: dict, config: dict) -> None:
- if 'ca_certificate' in config['ssl']:
- ca_name = config['ssl']['ca_certificate']
- pki_ca = lb['pki'].get('ca')
- if pki_ca is None:
- raise ConfigError(f'CA certificates does not exist in PKI')
- else:
- ca = pki_ca.get(ca_name)
- if ca is None:
- raise ConfigError(f'CA certificate "{ca_name}" does not exist')
-
- elif 'certificate' in config['ssl']:
- cert_names = config['ssl']['certificate']
- pki_certs = lb['pki'].get('certificate')
- if pki_certs is None:
- raise ConfigError(f'Certificates does not exist in PKI')
-
- for cert_name in cert_names:
- pki_cert = pki_certs.get(cert_name)
- if pki_cert is None:
- raise ConfigError(f'Certificate "{cert_name}" does not exist')
-
-
def verify(lb):
if not lb:
return None
@@ -107,12 +85,12 @@ def verify(lb):
raise ConfigError(f'Cannot use both "send-proxy" and "send-proxy-v2" for server "{bk_server}"')
for front, front_config in lb['service'].items():
- if 'ssl' in front_config:
- _verify_cert(lb, front_config)
+ for cert in dict_search('ssl.certificate', front_config) or []:
+ verify_pki_certificate(lb, cert)
for back, back_config in lb['backend'].items():
- if 'ssl' in back_config:
- _verify_cert(lb, back_config)
+ tmp = dict_search('ssl.ca_certificate', front_config)
+ if tmp: verify_pki_ca_certificate(lb, tmp)
def generate(lb):