author | Christian Breunig <christian@breunig.cc> | 2025-05-04 21:48:32 +0200 |
committer | Christian Breunig <christian@breunig.cc> | 2025-05-05 17:22:57 +0200 |
commit | c05edd62cf1120fb14b66ca0377061a59a9d00db (patch) | |
tree | 7ba192112e1b7f9b73abd543cbd65232a62e40fb /src | |
parent | 40a99b1d00d822ef6f1a3772768919d14c3500d9 (diff) | |
download | vyos-1x-c05edd62cf1120fb14b66ca0377061a59a9d00db.tar.gz vyos-1x-c05edd62cf1120fb14b66ca0377061a59a9d00db.zip |
pki: T7122: extend ca/certificate removal check to lists
Some VyOS CLI nodes support defining multiple certificates. The previous check
when removing a certificate from the CLI only performed a string comparison,
which failed in cases where the underlying data was a list (CLI <multi/> node).
This update extends the check to handle both cases:
- If the datum is a string, perform a string comparison.
- If the datum is a list, check whether the target certificate is part of the
list.
This ensures proper removal behavior regardless of the data type used in the
CLI node.
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/pki.py | 30 |
1 files changed, 19 insertions, 11 deletions
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index 6957248d2..f53e5db8b 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -413,27 +413,35 @@ def verify(pki):
 for search in sync_search:
 for key in search['keys']:
 changed_key = sync_translate[key]
-
 if changed_key not in pki['changed']:
 continue
-
 for item_name in pki['changed'][changed_key]:
 node_present = False
 if changed_key == 'openvpn':
 node_present = dict_search_args(pki, 'openvpn', 'shared_secret', item_name)
 else:
 node_present = dict_search_args(pki, changed_key, item_name)
+ # If the node is still present, we can skip the check
+ # as we are not deleting it
+ if node_present:
+ continue
- if not node_present:
- search_dict = dict_search_args(pki['system'], *search['path'])
-
- if not search_dict:
- continue
+ search_dict = dict_search_args(pki['system'], *search['path'])
+ if not search_dict:
+ continue
- for found_name, found_path in dict_search_recursive(search_dict, key):
- if found_name == item_name:
- path_str = " ".join(search['path'] + found_path)
- raise ConfigError(f'PKI object "{item_name}" still in use by "{path_str}"')
+ for found_name, found_path in dict_search_recursive(search_dict, key):
+ # Check if the name matches either by string compare, or beeing
+ # part of a list
+ if ((isinstance(found_name, str) and found_name == item_name) or
+ (isinstance(found_name, list) and item_name in found_name)):
+ # We do not support _ in CLI paths - this is only a convenience
+ # as we mangle all - to _, now it's time to reverse this!
+ path_str = ' '.join(search['path'] + found_path).replace('_','-')
+ object = changed_key.replace('_','-')
+ tmp = f'Embedded PKI {object} with name "{item_name}" is still '\
+ f'in use by CLI path "{path_str}"'
+ raise ConfigError(tmp)
 return None
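Review bot: `object = changed_key.replace('_','-')` on the new side shadows the `object` builtin inside the innermost loop of `verify()`; rename it, e.g. `pki_type = changed_key.replace('_','-')` and `tmp = f'Embedded PKI {pki_type} with name "{item_name}" is still '\`. The new comment above the `isinstance` check has a typo, `beeing` should be `being`. The trailing `.replace('_','-')` is applied to the whole joined path, so if any element of `found_path` is a user-chosen tag-node value that legitimately contains an underscore it would be reported with a hyphen; this only affects the error text, but it is worth confirming against what `dict_search_recursive` returns before relying on the "we do not support _ in CLI paths" comment. The enclosing `verify(pki)` starts before the hunk, so the definitions of `sync_search` and `sync_translate` are not visible here.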