Merge pull request #2561 from jestabro/sagitta-http-api

http-api: T5782: simplifications for config mode http-api

2 files changed, 71 insertions, 181 deletions

diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py
deleted file mode 100755
index d8fe3b736..000000000
--- a/src/conf_mode/http-api.py
+++ /dev/null
@@ -1,154 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2019-2021 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import sys
-import os
-import json
-
-from time import sleep
-from copy import deepcopy
-
-import vyos.defaults
-
-from vyos.config import Config
-from vyos.configdep import set_dependents, call_dependents
-from vyos.template import render
-from vyos.utils.process import call
-from vyos.utils.process import is_systemd_service_running
-from vyos import ConfigError
-from vyos import airbag
-airbag.enable()
-
-api_conf_file = '/etc/vyos/http-api.conf'
-systemd_service = '/run/systemd/system/vyos-http-api.service'
-
-vyos_conf_scripts_dir=vyos.defaults.directories['conf_mode']
-
-def _translate_values_to_boolean(d: dict) -> dict:
-    for k in list(d):
-        if d[k] == {}:
-            d[k] = True
-        elif isinstance(d[k], dict):
-            _translate_values_to_boolean(d[k])
-        else:
-            pass
-
-def get_config(config=None):
-    http_api = deepcopy(vyos.defaults.api_data)
-    x = http_api.get('api_keys')
-    if x is None:
-        default_key = None
-    else:
-        default_key = x[0]
-    keys_added = False
-
-    if config:
-        conf = config
-    else:
-        conf = Config()
-
-    # reset on creation/deletion of 'api' node
-    https_base = ['service', 'https']
-    if conf.exists(https_base):
-        set_dependents("https", conf)
-
-    base = ['service', 'https', 'api']
-    if not conf.exists(base):
-        return None
-
-    api_dict = conf.get_config_dict(base, key_mangling=('-', '_'),
-                                    no_tag_node_value_mangle=True,
-                                    get_first_key=True,
-                                    with_recursive_defaults=True)
-
-    # One needs to 'flatten' the keys dict from the config into the
-    # http-api.conf format for api_keys:
-    if 'keys' in api_dict:
-        api_dict['api_keys'] = []
-        for el in list(api_dict['keys'].get('id', {})):
-            key = api_dict['keys']['id'][el].get('key', '')
-            if key:
-                api_dict['api_keys'].append({'id': el, 'key': key})
-        del api_dict['keys']
-
-    # Do we run inside a VRF context?
-    vrf_path = ['service', 'https', 'vrf']
-    if conf.exists(vrf_path):
-        http_api['vrf'] = conf.return_value(vrf_path)
-
-    if 'api_keys' in api_dict:
-        keys_added = True
-
-    if api_dict.from_defaults(['graphql']):
-        del api_dict['graphql']
-
-    http_api.update(api_dict)
-
-    if keys_added and default_key:
-        if default_key in http_api['api_keys']:
-            http_api['api_keys'].remove(default_key)
-
-    # Finally, translate entries in http_api into boolean settings for
-    # backwards compatability of JSON http-api.conf file
-    _translate_values_to_boolean(http_api)
-
-    return http_api
-
-def verify(http_api):
-    return None
-
-def generate(http_api):
-    if http_api is None:
-        if os.path.exists(systemd_service):
-            os.unlink(systemd_service)
-        return None
-
-    if not os.path.exists('/etc/vyos'):
-        os.mkdir('/etc/vyos')
-
-    with open(api_conf_file, 'w') as f:
-        json.dump(http_api, f, indent=2)
-
-    render(systemd_service, 'https/vyos-http-api.service.j2', http_api)
-    return None
-
-def apply(http_api):
-    # Reload systemd manager configuration
-    call('systemctl daemon-reload')
-    service_name = 'vyos-http-api.service'
-
-    if http_api is not None:
-        if is_systemd_service_running(f'{service_name}'):
-            call(f'systemctl reload {service_name}')
-        else:
-            call(f'systemctl restart {service_name}')
-    else:
-        call(f'systemctl stop {service_name}')
-
-    # Let uvicorn settle before restarting Nginx
-    sleep(1)
-
-    call_dependents()
-
-if __name__ == '__main__':
-    try:
-        c = get_config()
-        verify(c)
-        generate(c)
-        apply(c)
-    except ConfigError as e:
-        print(e)
-        sys.exit(1)
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 5cbdd1651..40b7de557 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -16,19 +16,24 @@
 
 import os
 import sys
+import json
 
 from copy import deepcopy
+from time import sleep
 
 import vyos.defaults
 import vyos.certbot_util
 
 from vyos.config import Config
+from vyos.configdiff import get_config_diff
 from vyos.configverify import verify_vrf
 from vyos import ConfigError
 from vyos.pki import wrap_certificate
 from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.utils.process import call
+from vyos.utils.process import is_systemd_service_running
+from vyos.utils.process import is_systemd_service_active
 from vyos.utils.network import check_port_availability
 from vyos.utils.network import is_listen_port_bind_service
 from vyos.utils.file import write_file
@@ -42,6 +47,9 @@ cert_dir = '/etc/ssl/certs'
 key_dir = '/etc/ssl/private'
 certbot_dir = vyos.defaults.directories['certbot']
 
+api_config_state = '/run/http-api-state'
+systemd_service = '/run/systemd/system/vyos-http-api.service'
+
 # https config needs to coordinate several subsystems: api, certbot,
 # self-signed certificate, as well as the virtual hosts defined within the
 # https config definition itself. Consequently, one needs a general dict,
@@ -52,7 +60,7 @@ default_server_block = {
     'address'   : '*',
     'port'      : '443',
     'name'      : ['_'],
-    'api'       : {},
+    'api'       : False,
     'vyos_cert' : {},
     'certbot'   : False
 }
@@ -67,11 +75,35 @@ def get_config(config=None):
     if not conf.exists(base):
         return None
 
+    diff = get_config_diff(conf)
+
     https = conf.get_config_dict(base, get_first_key=True)
 
     if https:
         https['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
-                                get_first_key=True, no_tag_node_value_mangle=True)
+                                            no_tag_node_value_mangle=True,
+                                            get_first_key=True)
+
+    https['children_changed'] = diff.node_changed_children(base)
+    https['api_add_or_delete'] = diff.node_changed_presence(base + ['api'])
+
+    if 'api' not in https:
+        return https
+
+    http_api = conf.get_config_dict(base + ['api'], key_mangling=('-', '_'),
+                                    no_tag_node_value_mangle=True,
+                                    get_first_key=True,
+                                    with_recursive_defaults=True)
+
+    if http_api.from_defaults(['graphql']):
+        del http_api['graphql']
+
+    # Do we run inside a VRF context?
+    vrf_path = ['service', 'https', 'vrf']
+    if conf.exists(vrf_path):
+        http_api['vrf'] = conf.return_value(vrf_path)
+
+    https['api'] = http_api
 
     return https
 
@@ -103,7 +135,7 @@ def verify(https):
 
         if 'certbot' in https['certificates']:
             vhost_names = []
-            for vh, vh_conf in https.get('virtual-host', {}).items():
+            for _, vh_conf in https.get('virtual-host', {}).items():
                 vhost_names += vh_conf.get('server-name', [])
             domains = https['certificates']['certbot'].get('domain-name', [])
             domains_found = [domain for domain in domains if domain in vhost_names]
@@ -167,6 +199,14 @@ def generate(https):
     if https is None:
         return None
 
+    if 'api' not in https:
+        if os.path.exists(systemd_service):
+            os.unlink(systemd_service)
+    else:
+        render(systemd_service, 'https/vyos-http-api.service.j2', https['api'])
+        with open(api_config_state, 'w') as f:
+            json.dump(https['api'], f, indent=2)
+
     server_block_list = []
 
     # organize by vhosts
@@ -232,35 +272,18 @@ def generate(https):
                     # certbot organizes certificates by first domain
                     sb['certbot_domain_dir'] = cert_domains[0]
 
-    # get api data
-
-    api_set = False
-    api_data = {}
     if 'api' in list(https):
-        api_set = True
-        api_data = vyos.defaults.api_data
-    api_settings = https.get('api', {})
-    if api_settings:
-        vhosts = https.get('api-restrict', {}).get('virtual-host', [])
-        if vhosts:
-            api_data['vhost'] = vhosts[:]
-
-    if api_data:
-        vhost_list = api_data.get('vhost', [])
+        vhost_list = https.get('api-restrict', {}).get('virtual-host', [])
         if not vhost_list:
             for block in server_block_list:
-                block['api'] = api_data
+                block['api'] = True
         else:
             for block in server_block_list:
                 if block['id'] in vhost_list:
-                    block['api'] = api_data
-
-    if 'server_block_list' not in https or not https['server_block_list']:
-        https['server_block_list'] = [default_server_block]
+                    block['api'] = True
 
     data = {
         'server_block_list': server_block_list,
-        'api_set': api_set,
         'certbot': certbot
     }
 
@@ -271,10 +294,31 @@ def generate(https):
 def apply(https):
     # Reload systemd manager configuration
     call('systemctl daemon-reload')
-    if https is not None:
-        call('systemctl restart nginx.service')
-    else:
-        call('systemctl stop nginx.service')
+    http_api_service_name = 'vyos-http-api.service'
+    https_service_name = 'nginx.service'
+
+    if https is None:
+        if is_systemd_service_active(f'{http_api_service_name}'):
+            call(f'systemctl stop {http_api_service_name}')
+        call(f'systemctl stop {https_service_name}')
+        return
+
+    if 'api' in https['children_changed']:
+        if 'api' in https:
+            if is_systemd_service_running(f'{http_api_service_name}'):
+                call(f'systemctl reload {http_api_service_name}')
+            else:
+                call(f'systemctl restart {http_api_service_name}')
+            # Let uvicorn settle before (possibly) restarting nginx
+            sleep(1)
+        else:
+            if is_systemd_service_active(f'{http_api_service_name}'):
+                call(f'systemctl stop {http_api_service_name}')
+
+    if (not is_systemd_service_running(f'{https_service_name}') or
+        https['api_add_or_delete'] or
+        set(https['children_changed']) - set(['api'])):
+        call(f'systemctl restart {https_service_name}')
 
 if __name__ == '__main__':
     try: