diff options
| -rw-r--r-- | python/vyos/http_api_client.py | 14 | ||||
| -rw-r--r-- | src/op_mode/config_sync.py | 10 |
2 files changed, 20 insertions, 4 deletions
diff --git a/python/vyos/http_api_client.py b/python/vyos/http_api_client.py index ae16cfa54..c40621bc7 100644 --- a/python/vyos/http_api_client.py +++ b/python/vyos/http_api_client.py @@ -19,6 +19,7 @@ import json import urllib3 import requests from typing import Optional +from typing import Union from dataclasses import dataclass from vyos.version import get_version @@ -51,7 +52,11 @@ class ApiClientConfig: key: str port: int = 443 timeout: Optional[int] = None - verify_tls: bool = False + # TLS peer verification, forwarded verbatim to requests' ``verify``: + # True - verify against the system CA store (secure default) + # False - disable verification (insecure; opt-in only) + # "<path>" - verify against a custom CA bundle file/dir + verify_tls: Union[bool, str] = True class ApiClient: @@ -60,7 +65,8 @@ class ApiClient: Design goals: - minimal surface area (thin wrapper around requests) - consistent error handling + typed exceptions - - safe defaults for VyOS typical self-signed HTTPS usage (verify_tls=False) + - secure defaults (verify_tls=True); deployments using self-signed + certificates opt into verify_tls=False or supply a CA bundle path """ _DEFAULT_HEADERS = { @@ -77,7 +83,9 @@ class ApiClient: self._session = requests.Session() self._session.headers.update(self._DEFAULT_HEADERS) - if not config.verify_tls: + # Only silence the insecure-request warning when verification has been + # explicitly disabled. A CA bundle path or True must keep warnings on. + if config.verify_tls is False: urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) @property diff --git a/src/op_mode/config_sync.py b/src/op_mode/config_sync.py index d6eff7cd2..2cce972e8 100644 --- a/src/op_mode/config_sync.py +++ b/src/op_mode/config_sync.py @@ -68,13 +68,21 @@ def _load_config_sync_settings() -> dict: key = secondary.get('key') port = int(secondary.get('port', 443)) timeout = int(secondary.get('timeout')) if secondary.get('timeout') else None + # config-sync talks to a remote secondary over HTTPS. TLS verification is + # off by default because secondary nodes typically present a self-signed + # certificate; an operator can opt in (True, or a CA bundle path) once the + # runtime config exposes it. TODO: surface as a proper CLI knob + # (set service config-sync secondary verify-tls / ca-certificate). + verify_tls = secondary.get('verify_tls', False) if not address or not key: raise opmode.UnconfiguredObject( 'Config-sync is not fully configured: missing secondary address/key' ) - return dict(host=address, key=key, port=port, timeout=timeout) + return dict( + host=address, key=key, port=port, timeout=timeout, verify_tls=verify_tls + ) class ConfigSyncDiffManager: |
