summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--interface-definitions/snmp.xml4
-rw-r--r--interface-definitions/ssh.xml16
-rwxr-xr-xsrc/conf_mode/snmp.py105
-rwxr-xr-xsrc/helpers/commands-pipe.py3
-rwxr-xr-xsrc/op_mode/cpu_summary.py2
-rwxr-xr-xsrc/op_mode/dns_forwarding_restart.sh2
-rw-r--r--src/utils/initial-setup40
-rwxr-xr-xsrc/validators/numeric8
8 files changed, 131 insertions, 49 deletions
diff --git a/interface-definitions/snmp.xml b/interface-definitions/snmp.xml
index 76885a02a..103aa39d7 100644
--- a/interface-definitions/snmp.xml
+++ b/interface-definitions/snmp.xml
@@ -13,9 +13,9 @@
<properties>
<help>Community name [REQUIRED]</help>
<constraint>
- <regex>^[^%]+$</regex>
+ <regex>^[a-zA-Z0-9\-_]{1,100}</regex>
</constraint>
- <constraintErrorMessage>Community string may not contain '%'</constraintErrorMessage>
+ <constraintErrorMessage>Community string is limited to alphanumerical characters only with a total lenght of 100</constraintErrorMessage>
</properties>
<children>
<leafNode name="authorization">
diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml
index 9b3a2fddc..e8786d202 100644
--- a/interface-definitions/ssh.xml
+++ b/interface-definitions/ssh.xml
@@ -21,12 +21,20 @@
<leafNode name="group">
<properties>
<help>Allow members of a group to login</help>
+ <constraint>
+ <regex>^[a-z_][a-z0-9_-]{1,31}[$]?</regex>
+ </constraint>
+ <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
<multi/>
</properties>
</leafNode>
<leafNode name="user">
<properties>
<help>Allow specific users to login</help>
+ <constraint>
+ <regex>^[a-z_][a-z0-9_-]{1,31}[$]?</regex>
+ </constraint>
+ <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
<multi/>
</properties>
</leafNode>
@@ -37,12 +45,20 @@
<leafNode name="group">
<properties>
<help>Disallow members of a group to login</help>
+ <constraint>
+ <regex>^[a-z_][a-z0-9_-]{1,31}[$]?</regex>
+ </constraint>
+ <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
<multi/>
</properties>
</leafNode>
<leafNode name="user">
<properties>
<help>Disallow specific users to login</help>
+ <constraint>
+ <regex>^[a-z_][a-z0-9_-]{1,31}[$]?</regex>
+ </constraint>
+ <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
<multi/>
</properties>
</leafNode>
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index 863f7e2e2..001e6c6b4 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -74,7 +74,9 @@ user_config_tmpl = """
# user
{% if v3_users %}
{% for u in v3_users %}
-{% if u.authPassword %}
+{% if u.authOID == 'none' %}
+createUser {{ u.name }}
+{% elif u.authPassword %}
createUser {{ u.name }} {{ u.authProtocol | upper }} "{{ u.authPassword }}" {{ u.privProtocol | upper }} {{ u.privPassword }}
{% else %}
usmUser 1 3 {{ u.engineID }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }} {{ u.authMasterKey }} {{ u.privOID }} {{ u.privMasterKey }} 0x
@@ -83,6 +85,7 @@ usmUser 1 3 {{ u.engineID }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }}
{% endif %}
createUser {{ vyos_user }} MD5 "{{ vyos_user_pass }}" DES
+oldEngineID {{ v3_engineid }}
"""
# SNMPS template - be careful if you edit the template.
@@ -135,13 +138,13 @@ SysDescr {{ description }}
# Listen
agentaddress unix:/run/snmpd.socket{% if listen_on %}{% for li in listen_on %},{{ li }}{% endfor %}{% else %},udp:161,udp6:161{% endif %}{% if v3_tsm_key %},tlstcp:{{ v3_tsm_port }},dtlsudp::{{ v3_tsm_port }}{% endif %}
-
# SNMP communities
{% if communities -%}
{% for c in communities %}
{% if c.network -%}
{% for network in c.network %}
{{ c.authorization }}community {{ c.name }} {{ network }}
+{{ c.authorization }}community6 {{ c.name }} {{ network }}
{% endfor %}
{% else %}
{{ c.authorization }}community {{ c.name }}
@@ -468,8 +471,8 @@ def get_config():
'name': user,
'authMasterKey': '',
'authPassword': '',
- 'authProtocol': '',
- 'authOID': '',
+ 'authProtocol': 'md5',
+ 'authOID': 'none',
'engineID': '',
'group': '',
'mode': 'ro',
@@ -477,7 +480,7 @@ def get_config():
'privPassword': '',
'privOID': '',
'privTsmKey': '',
- 'privProtocol': ''
+ 'privProtocol': 'des'
}
#
@@ -489,10 +492,14 @@ def get_config():
if conf.exists('v3 user {0} auth plaintext-key'.format(user)):
user_cfg['authPassword'] = conf.return_value('v3 user {0} auth plaintext-key'.format(user))
+ # load default value
+ type = user_cfg['authProtocol']
if conf.exists('v3 user {0} auth type'.format(user)):
type = conf.return_value('v3 user {0} auth type'.format(user))
- user_cfg['authProtocol'] = type
- user_cfg['authOID'] = OIDs[type]
+
+ # (re-)update with either default value or value from CLI
+ user_cfg['authProtocol'] = type
+ user_cfg['authOID'] = OIDs[type]
#
# v3 user {0} engineid
@@ -524,10 +531,14 @@ def get_config():
if conf.exists('v3 user {0} privacy tsm-key'.format(user)):
user_cfg['privTsmKey'] = conf.return_value('v3 user {0} privacy tsm-key'.format(user))
+ # load default value
+ type = user_cfg['privProtocol']
if conf.exists('v3 user {0} privacy type'.format(user)):
type = conf.return_value('v3 user {0} privacy type'.format(user))
- user_cfg['privProtocol'] = type
- user_cfg['privOID'] = OIDs[type]
+
+ # (re-)update with either default value or value from CLI
+ user_cfg['privProtocol'] = type
+ user_cfg['privOID'] = OIDs[type]
snmp['v3_users'].append(user_cfg)
@@ -625,45 +636,52 @@ def verify(snmp):
if 'v3_users' in snmp.keys():
for user in snmp['v3_users']:
- if user['authPassword'] and user['authMasterKey']:
- raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth')
+ #
+ # Group must exist prior to mapping it into a group
+ # seclevel will be extracted from group
+ #
+ error = True
+ if user['group']:
+ if 'v3_groups' in snmp.keys():
+ for group in snmp['v3_groups']:
+ if group['name'] == user['group']:
+ seclevel = group['seclevel']
+ error = False
- if user['privPassword'] and user['privMasterKey']:
- raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy')
+ if error:
+ raise ConfigError('You must create group "{0}" first'.format(user['group']))
- if user['privPassword'] == '' and user['privMasterKey'] == '':
- raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy')
+ # Depending on the configured security level
+ # the user has to provide additional info
+ if seclevel in ('auth', 'priv'):
+ if user['authPassword'] and user['authMasterKey']:
+ raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth')
- if user['privMasterKey'] and user['engineID'] == '':
- raise ConfigError('Can not have "encrypted-key" without engineid')
+ if (not user['authPassword'] and not user['authMasterKey']):
+ raise ConfigError('Must specify encrypted-key or plaintext-key for user auth')
- if user['authPassword'] == '' and user['authMasterKey'] == '' and user['privTsmKey'] == '':
- raise ConfigError('Must specify auth or tsm-key for user auth')
+ # seclevel 'priv' is more restrictive
+ if seclevel in ('priv'):
+ if user['privPassword'] and user['privMasterKey']:
+ raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy')
- if user['privProtocol'] == '':
- raise ConfigError('Must specify privacy type')
+ if user['privPassword'] == '' and user['privMasterKey'] == '':
+ raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy')
- if user['mode'] == '':
- raise ConfigError('Must specify user mode ro/rw')
+ if user['privMasterKey'] and user['engineID'] == '':
+ raise ConfigError('Can not have "encrypted-key" without engineid')
- if user['privTsmKey']:
- if not tsmKeyPattern.match(snmp['v3_tsm_key']):
- if not os.path.isfile('/etc/snmp/tls/certs/' + snmp['v3_tsm_key']):
- if not os.path.isfile('/config/snmp/tls/certs/' + snmp['v3_tsm_key']):
- raise ConfigError('User TSM key must be fingerprint or filename in "/config/snmp/tls/certs/" folder')
+ if user['authPassword'] == '' and user['authMasterKey'] == '' and user['privTsmKey'] == '':
+ raise ConfigError('Must specify auth or tsm-key for user auth')
- if user['group']:
- #
- # Group must exist prior to mapping it into a group
- #
- error = True
- if 'v3_groups' in snmp.keys():
- for group in snmp['v3_groups']:
- if group['name'] == user['group']:
- error = False
- if error:
- raise ConfigError('You must create group "{0}" first'.format(user['group']))
+ if user['mode'] == '':
+ raise ConfigError('Must specify user mode ro/rw')
+ if user['privTsmKey']:
+ if not tsmKeyPattern.match(snmp['v3_tsm_key']):
+ if not os.path.isfile('/etc/snmp/tls/certs/' + snmp['v3_tsm_key']):
+ if not os.path.isfile('/config/snmp/tls/certs/' + snmp['v3_tsm_key']):
+ raise ConfigError('User TSM key must be fingerprint or filename in "/config/snmp/tls/certs/" folder')
if 'v3_views' in snmp.keys():
for view in snmp['v3_views']:
@@ -750,13 +768,16 @@ def apply(snmp):
# plaintext password inside the configuration was replaced by
# the encrypted one which can be found in 'config_file_user'
with open(config_file_user, 'r') as f:
+ engineID = ''
for line in f:
- # we are only interested in the user database
+ if line.startswith('oldEngineID'):
+ string = line.split(' ')
+ engineID = string[1]
+
if line.startswith('usmUser'):
string = line.split(' ')
cfg = {
'user': string[4].replace(r'"', ''),
- 'engineID': string[3],
'auth_pw': string[8],
'priv_pw': string[10]
}
@@ -767,7 +788,7 @@ def apply(snmp):
# Now update the running configuration
#
# Currently when executing os.system() the environment does not have the vyos_libexec_dir variable set, see T685
- os.system('vyos_libexec_dir=/usr/libexec/vyos /opt/vyatta/sbin/my_set service snmp v3 user "{0}" engineid {1} > /dev/null'.format(cfg['user'], cfg['engineID']))
+ os.system('vyos_libexec_dir=/usr/libexec/vyos /opt/vyatta/sbin/my_set service snmp v3 user "{0}" engineid {1} > /dev/null'.format(cfg['user'], engineID))
os.system('vyos_libexec_dir=/usr/libexec/vyos /opt/vyatta/sbin/my_set service snmp v3 user "{0}" auth encrypted-key {1} > /dev/null'.format(cfg['user'], cfg['auth_pw']))
os.system('vyos_libexec_dir=/usr/libexec/vyos /opt/vyatta/sbin/my_set service snmp v3 user "{0}" privacy encrypted-key {1} > /dev/null'.format(cfg['user'], cfg['priv_pw']))
os.system('vyos_libexec_dir=/usr/libexec/vyos /opt/vyatta/sbin/my_delete service snmp v3 user "{0}" auth plaintext-key > /dev/null'.format(cfg['user']))
diff --git a/src/helpers/commands-pipe.py b/src/helpers/commands-pipe.py
index 3ffc64545..1120bb09e 100755
--- a/src/helpers/commands-pipe.py
+++ b/src/helpers/commands-pipe.py
@@ -8,7 +8,6 @@ from vyos.configtree import ConfigTree
signal(SIGPIPE,SIG_DFL)
-
config_string = sys.stdin.read().strip()
if not config_string:
@@ -21,7 +20,7 @@ if not config_string:
# __root__ is hygienic enough.
config_string = "__root__ {{ {0} \n }}".format(config_string)
-config_re = re.compile("(set|comment)\s+__root__\s+(.*)")
+config_re = re.compile(r'(set|comment)\s+__root__\s+(.*)')
config = ConfigTree(config_string)
commands = config.to_commands()
diff --git a/src/op_mode/cpu_summary.py b/src/op_mode/cpu_summary.py
index 3da5835e9..7324c75ad 100755
--- a/src/op_mode/cpu_summary.py
+++ b/src/op_mode/cpu_summary.py
@@ -18,7 +18,7 @@ cpu_data['cpu_number'] = len(data['processor'])
cpu_data['models'] = list(set(data['model name']))
# Strip extra whitespace from CPU model names, /proc/cpuinfo is prone to that
-cpu_data['models'] = map(lambda s: re.sub('\s+', ' ', s), cpu_data['models'])
+cpu_data['models'] = map(lambda s: re.sub(r'\s+', ' ', s), cpu_data['models'])
print("CPU(s): {0}".format(cpu_data['cpu_number']))
print("CPU model(s): {0}".format(",".join(cpu_data['models'])))
diff --git a/src/op_mode/dns_forwarding_restart.sh b/src/op_mode/dns_forwarding_restart.sh
index 12106fcc1..8e556f2f0 100755
--- a/src/op_mode/dns_forwarding_restart.sh
+++ b/src/op_mode/dns_forwarding_restart.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-if cli-shell-api exists service dns forwarding; then
+if cli-shell-api existsEffective service dns forwarding; then
echo "Restarting the DNS forwarding service"
systemctl restart pdns-recursor
else
diff --git a/src/utils/initial-setup b/src/utils/initial-setup
new file mode 100644
index 000000000..37fc45751
--- /dev/null
+++ b/src/utils/initial-setup
@@ -0,0 +1,40 @@
+#!/usr/bin/env python3
+
+import argparse
+
+import vyos.configtree
+
+
+parser = argparse.ArgumentParser()
+
+parser.add_argument("--ssh", help="Enable SSH", action="store_true")
+parser.add_argument("--ssh-port", help="SSH port", type=int, action="store", default=22)
+
+parser.add_argument("--intf-address", help="Set interface address", type=str, action="append")
+
+parser.add_argument("config_file", help="Configuration file to modify", type=str)
+
+args = parser.parse_args()
+
+# Load the config file
+with open(args.config_file, 'r') as f:
+ config_file = f.read()
+
+config = vyos.configtree.ConfigTree(config_file)
+
+
+# Interface names and addresses are comma-separated,
+# we need to split them
+intf_addrs = list(map(lambda s: s.split(","), args.intf_address))
+
+# Enable SSH, if requested
+if args.ssh:
+ config.set(["service", "ssh", "port"], value=str(args.ssh_port))
+
+# Assign addresses to interfaces
+if intf_addrs:
+ for a in intf_addrs:
+ config.set(["interfaces", "ethernet", a[0], "address"], value=a[1])
+ config.set_tag(["interfaces", "ethernet"])
+
+print( config.to_string() )
diff --git a/src/validators/numeric b/src/validators/numeric
index 58a4fac38..ffe84a234 100755
--- a/src/validators/numeric
+++ b/src/validators/numeric
@@ -25,7 +25,8 @@ parser = argparse.ArgumentParser()
parser.add_argument("-f", "--float", action="store_true", help="Accept floating point values")
group = parser.add_mutually_exclusive_group()
group.add_argument("-r", "--range", type=str, help="Check if the number is within range (inclusive), example: 1024-65535")
-group.add_argument("-n", "--non-negative", action="store_true", help="")
+group.add_argument("-n", "--non-negative", action="store_true", help="Check if the number is non-negative (>= 0)")
+group.add_argument("-p", "--positive", action="store_true", help="Check if the number is positive (> 0)")
parser.add_argument("number", type=str, help="Number to validate")
args = parser.parse_args()
@@ -60,3 +61,8 @@ elif args.non_negative:
if number < 0:
print("Number should be non-negative", file=sys.stderr)
sys.exit(1)
+elif args.positive:
+ if number <= 0:
+ print("Number should be positive", file=sys.stderr)
+ sys.exit(1)
+
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-22 16:33:10 +0000