authormergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2024-09-17 20:32:02 +0300
committerGitHub <noreply@github.com>2024-09-17 20:32:02 +0300
commit787f8c44327fc0adc38af51d034e178b32424fea (patch)
treec6dd0e31ab4fcd30dc4737d9d2d1d41f3b037fab /src
parent47875491f077284e8a10889a1677d1e469f7cdc4 (diff)
bond: T6709: add EAPoL support (backport #4069) (#4076)
* ethernet: T6709: move EAPoL support to common framework Instead of having EAPoL (Extensible Authentication Protocol over Local Area Network) support only available for ethernet interfaces, move this to common ground at vyos.ifconfig.interface making it available for all sorts of interfaces by simply including the XML portion #include <include/interface/eapol.xml.i> (cherry picked from commit 0ee8d5e35044e7480dac6a23e92d43744b8c5d36) * bond: T6709: add EAPoL support (cherry picked from commit 8eeb1bdcdfc104ffa77531f270a38cda2aee7f82) --------- Co-authored-by: Christian Breunig <christian@breunig.cc>
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/interfaces_bonding.py4
-rwxr-xr-xsrc/conf_mode/interfaces_ethernet.py78
2 files changed, 4 insertions, 78 deletions
diff --git a/src/conf_mode/interfaces_bonding.py b/src/conf_mode/interfaces_bonding.py
index 5e5d5fba1..bbbfb0385 100755
--- a/src/conf_mode/interfaces_bonding.py
+++ b/src/conf_mode/interfaces_bonding.py
@@ -25,6 +25,7 @@ from vyos.configdict import is_source_interface
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_dhcpv6
+from vyos.configverify import verify_eapol
from vyos.configverify import verify_mirror_redirect
from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_vlan_config
@@ -73,7 +74,7 @@ def get_config(config=None):
else:
conf = Config()
base = ['interfaces', 'bonding']
- ifname, bond = get_interface_dict(conf, base)
+ ifname, bond = get_interface_dict(conf, base, with_pki=True)
# To make our own life easier transfor the list of member interfaces
# into a dictionary - we will use this to add additional information
@@ -196,6 +197,7 @@ def verify(bond):
verify_dhcpv6(bond)
verify_vrf(bond)
verify_mirror_redirect(bond)
+ verify_eapol(bond)
# use common function to verify VLAN configuration
verify_vlan_config(bond)
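Review bot: The `verify_eapol(bond)` call added here delegates to `vyos.configverify.verify_eapol`, whose body is outside this diff (diffstat limited to `src`), so the bond path now relies on that helper keeping the checks the removed ethernet-local version enforced — in particular `verify_pki_certificate(..., no_password_protected=True)` and the per-entry `verify_pki_ca_certificate` loop; a password-protected key that slips through would only fail later when the supplicant reads the written key file. It would help to confirm that the helper also rejects a missing `certificate` with the same `ConfigError`, since `with_pki=True` on `get_interface_dict` (earlier hunk) is what makes the `pki` subtree available for that lookup. `verify()` continues outside the hunk.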
diff --git a/src/conf_mode/interfaces_ethernet.py b/src/conf_mode/interfaces_ethernet.py
index afc48ead8..34ce7bc47 100755
--- a/src/conf_mode/interfaces_ethernet.py
+++ b/src/conf_mode/interfaces_ethernet.py
@@ -31,32 +31,20 @@ from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_vlan_config
from vyos.configverify import verify_vrf
from vyos.configverify import verify_bond_bridge_member
-from vyos.configverify import verify_pki_certificate
-from vyos.configverify import verify_pki_ca_certificate
+from vyos.configverify import verify_eapol
from vyos.ethtool import Ethtool
from vyos.ifconfig import EthernetIf
from vyos.ifconfig import BondIf
-from vyos.pki import find_chain
-from vyos.pki import encode_certificate
-from vyos.pki import load_certificate
-from vyos.pki import wrap_private_key
-from vyos.template import render
from vyos.template import render_to_string
-from vyos.utils.process import call
from vyos.utils.dict import dict_search
from vyos.utils.dict import dict_to_paths_values
from vyos.utils.dict import dict_set
from vyos.utils.dict import dict_delete
-from vyos.utils.file import write_file
from vyos import ConfigError
from vyos import frr
from vyos import airbag
airbag.enable()
-# XXX: wpa_supplicant works on the source interface
-cfg_dir = '/run/wpa_supplicant'
-wpa_suppl_conf = '/run/wpa_supplicant/{ifname}.conf'
-
def update_bond_options(conf: Config, eth_conf: dict) -> list:
"""
Return list of blocked options if interface is a bond member
@@ -277,23 +265,6 @@ def verify_allowedbond_changes(ethernet: dict):
f' on interface "{ethernet["ifname"]}".' \
f' Interface is a bond member')
-def verify_eapol(ethernet: dict):
- """
- Common helper function used by interface implementations to perform
- recurring validation of EAPoL configuration.
- """
- if 'eapol' not in ethernet:
- return
-
- if 'certificate' not in ethernet['eapol']:
- raise ConfigError('Certificate must be specified when using EAPoL!')
-
- verify_pki_certificate(ethernet, ethernet['eapol']['certificate'], no_password_protected=True)
-
- if 'ca_certificate' in ethernet['eapol']:
- for ca_cert in ethernet['eapol']['ca_certificate']:
- verify_pki_ca_certificate(ethernet, ca_cert)
-
def verify(ethernet):
if 'deleted' in ethernet:
return None
@@ -346,51 +317,10 @@ def verify_ethernet(ethernet):
verify_vlan_config(ethernet)
return None
-
def generate(ethernet):
- # render real configuration file once
- wpa_supplicant_conf = wpa_suppl_conf.format(**ethernet)
-
if 'deleted' in ethernet:
- # delete configuration on interface removal
- if os.path.isfile(wpa_supplicant_conf):
- os.unlink(wpa_supplicant_conf)
return None
- if 'eapol' in ethernet:
- ifname = ethernet['ifname']
-
- render(wpa_supplicant_conf, 'ethernet/wpa_supplicant.conf.j2', ethernet)
-
- cert_file_path = os.path.join(cfg_dir, f'{ifname}_cert.pem')
- cert_key_path = os.path.join(cfg_dir, f'{ifname}_cert.key')
-
- cert_name = ethernet['eapol']['certificate']
- pki_cert = ethernet['pki']['certificate'][cert_name]
-
- loaded_pki_cert = load_certificate(pki_cert['certificate'])
- loaded_ca_certs = {load_certificate(c['certificate'])
- for c in ethernet['pki']['ca'].values()} if 'ca' in ethernet['pki'] else {}
-
- cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
-
- write_file(cert_file_path,
- '\n'.join(encode_certificate(c) for c in cert_full_chain))
- write_file(cert_key_path, wrap_private_key(pki_cert['private']['key']))
-
- if 'ca_certificate' in ethernet['eapol']:
- ca_cert_file_path = os.path.join(cfg_dir, f'{ifname}_ca.pem')
- ca_chains = []
-
- for ca_cert_name in ethernet['eapol']['ca_certificate']:
- pki_ca_cert = ethernet['pki']['ca'][ca_cert_name]
- loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
- ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
- ca_chains.append(
- '\n'.join(encode_certificate(c) for c in ca_full_chain))
-
- write_file(ca_cert_file_path, '\n'.join(ca_chains))
-
ethernet['frr_zebra_config'] = ''
if 'deleted' not in ethernet:
ethernet['frr_zebra_config'] = render_to_string('frr/evpn.mh.frr.j2', ethernet)
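Review bot: With this hunk the ethernet `generate()` no longer unlinks `/run/wpa_supplicant/{ifname}.conf` on `deleted`, and the last hunk of this file drops the `systemctl stop wpa_supplicant-wired@{ifname}` call from `apply()`; neither the removed `_cert.pem`/`_cert.key`/`_ca.pem` writes nor their cleanup appear anywhere on the new side of this diff, so the private key material the old code placed under `cfg_dir` is presumably now managed by the common code in `vyos.ifconfig.interface` referenced in the description. It would be worth confirming that the common implementation covers the removal path for ethernet (stop the supplicant unit and delete the conf and key files), not only the create/update path, otherwise a removed `eapol` config leaves the key on disk and the supplicant running. The former `import os` usages (`os.path.isfile`, `os.unlink`, `os.path.join`) all lived in the removed lines; if nothing else in the file uses `os`, that import (above this hunk, not visible here) is now unused. `generate()` continues outside the hunk.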
@@ -399,8 +329,6 @@ def generate(ethernet):
def apply(ethernet):
ifname = ethernet['ifname']
- # take care about EAPoL supplicant daemon
- eapol_action='stop'
e = EthernetIf(ifname)
if 'deleted' in ethernet:
@@ -408,10 +336,6 @@ def apply(ethernet):
e.remove()
else:
e.update(ethernet)
- if 'eapol' in ethernet:
- eapol_action='reload-or-restart'
-
- call(f'systemctl {eapol_action} wpa_supplicant-wired@{ifname}')
zebra_daemon = 'zebra'
# Save original configuration prior to starting any commit actions