-rw-r--r--data/configd-include.json3
-rw-r--r--interface-definitions/interfaces_wireguard.xml.in12
-rw-r--r--interface-definitions/pki.xml.in32
-rw-r--r--interface-definitions/service_aws_glb.xml.in127
-rwxr-xr-xop-mode-definitions/generate-system-login-user.xml.in12
-rw-r--r--python/vyos/system/image.py2
-rwxr-xr-xsmoketest/scripts/cli/test_pki.py26
-rwxr-xr-xsrc/conf_mode/system_login.py8
-rwxr-xr-xsrc/migration-scripts/firewall/6-to-79
-rwxr-xr-xsrc/op_mode/image_installer.py11
10 files changed, 73 insertions, 169 deletions
diff --git a/data/configd-include.json b/data/configd-include.json
index d1f9db796..fe27ae2b7 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -77,10 +77,13 @@
"service_pppoe-server.py",
"service_router-advert.py",
"service_salt-minion.py",
+"service_sla.py",
"service_ssh.py",
"service_tftp-server.py",
"service_upnp.py",
+"service_webproxy.py",
"system_acceleration.py",
+"system_config-management.py",
"system_conntrack.py",
"system_console.py",
"system_flow-accounting.py",
diff --git a/interface-definitions/interfaces_wireguard.xml.in b/interface-definitions/interfaces_wireguard.xml.in
index f3fe0f1da..fba1064ef 100644
--- a/interface-definitions/interfaces_wireguard.xml.in
+++ b/interface-definitions/interfaces_wireguard.xml.in
@@ -44,9 +44,9 @@
<properties>
<help>Base64 encoded private key</help>
<constraint>
- <regex>[0-9a-zA-Z\+/]{43}=</regex>
+ <validator name="base64"/>
</constraint>
- <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage>
+ <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
</properties>
</leafNode>
<tagNode name="peer">
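Review bot: Replacing `<regex>[0-9a-zA-Z\+/]{43}=</regex>` with `<validator name="base64"/>` drops the length check: the old pattern only accepted a 44-character string that decodes to exactly 32 bytes, while a generic base64 validator accepts any length, so a truncated or over-long private key now passes CLI validation and presumably fails later when the interface is configured. The same loss applies to the public-key and preshared-key leaves in the next hunk. If the validator accepts a decoded-length argument, pass 32 (argument name to be taken from the validator's own usage text); otherwise add the 32-byte check to the WireGuard verify step so the user still gets a clear error at commit time. The new `<constraintErrorMessage>` could also keep the size hint, e.g. `Key is not a base64-encoded 32-byte value`.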
@@ -64,18 +64,18 @@
<properties>
<help>base64 encoded public key</help>
<constraint>
- <regex>[0-9a-zA-Z\+/]{43}=</regex>
+ <validator name="base64"/>
</constraint>
- <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage>
+ <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="preshared-key">
<properties>
<help>base64 encoded preshared key</help>
<constraint>
- <regex>[0-9a-zA-Z\+/]{43}=</regex>
+ <validator name="base64"/>
</constraint>
- <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage>
+ <constraintErrorMessage>Key is not base64-encoded</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="allowed-ips">
diff --git a/interface-definitions/pki.xml.in b/interface-definitions/pki.xml.in
index a13a357fd..3449819be 100644
--- a/interface-definitions/pki.xml.in
+++ b/interface-definitions/pki.xml.in
@@ -14,6 +14,10 @@
<leafNode name="certificate">
<properties>
<help>CA certificate in PEM format</help>
+ <constraint>
+ <validator name="base64"/>
+ </constraint>
+ <constraintErrorMessage>CA certificate is not base64-encoded</constraintErrorMessage>
</properties>
</leafNode>
#include <include/generic-description.xml.i>
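Review bot: The added `<validator name="base64"/>` only checks the encoding, not that the decoded bytes are a parseable CA certificate; the same applies to the key, crl, certificate, parameters and public/private key hunks below in this file. The `<help>` text still says "in PEM format", which with a base64-only constraint appears to mean the PEM body with the armor lines removed (the smoketest sets `valid_ca_cert.replace('\n','')`), so a short note in the help such as `CA certificate in PEM format (base64 body, armor lines removed)` would spare users a confusing rejection. Since this commit also removes the `test_invalid_certificate`/`test_invalid_*_key` smoketests, the only remaining guard against a value that is valid base64 but not a certificate is whatever the conf_mode verify step does, which is outside this diff; keeping one smoketest that commits a constructed valid-base64 non-certificate payload and expects `ConfigSessionError` would preserve that coverage.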
@@ -25,6 +29,10 @@
<leafNode name="key">
<properties>
<help>CA private key in PEM format</help>
+ <constraint>
+ <validator name="base64"/>
+ </constraint>
+ <constraintErrorMessage>CA private key is not base64-encoded</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="password-protected">
@@ -38,6 +46,10 @@
<leafNode name="crl">
<properties>
<help>Certificate revocation list in PEM format</help>
+ <constraint>
+ <validator name="base64"/>
+ </constraint>
+ <constraintErrorMessage>CRL is not base64-encoded</constraintErrorMessage>
<multi/>
</properties>
</leafNode>
@@ -57,6 +69,10 @@
<leafNode name="certificate">
<properties>
<help>Certificate in PEM format</help>
+ <constraint>
+ <validator name="base64"/>
+ </constraint>
+ <constraintErrorMessage>Certificate is not base64-encoded</constraintErrorMessage>
</properties>
</leafNode>
#include <include/generic-description.xml.i>
@@ -68,6 +84,10 @@
<leafNode name="key">
<properties>
<help>Certificate private key in PEM format</help>
+ <constraint>
+ <validator name="base64"/>
+ </constraint>
+ <constraintErrorMessage>Certificate private key is not base64-encoded</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="password-protected">
@@ -94,6 +114,10 @@
<leafNode name="parameters">
<properties>
<help>DH parameters in PEM format</help>
+ <constraint>
+ <validator name="base64"/>
+ </constraint>
+ <constraintErrorMessage>DH parameters are not base64-encoded</constraintErrorMessage>
</properties>
</leafNode>
</children>
@@ -111,6 +135,10 @@
<leafNode name="key">
<properties>
<help>Public key in PEM format</help>
+ <constraint>
+ <validator name="base64"/>
+ </constraint>
+ <constraintErrorMessage>Public key is not base64-encoded</constraintErrorMessage>
</properties>
</leafNode>
</children>
@@ -123,6 +151,10 @@
<leafNode name="key">
<properties>
<help>Private key in PEM format</help>
+ <constraint>
+ <validator name="base64"/>
+ </constraint>
+ <constraintErrorMessage>Private key is not base64-encoded</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="password-protected">
diff --git a/interface-definitions/service_aws_glb.xml.in b/interface-definitions/service_aws_glb.xml.in
deleted file mode 100644
index c749fd04e..000000000
--- a/interface-definitions/service_aws_glb.xml.in
+++ /dev/null
@@ -1,127 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
- <node name="service">
- <children>
- <node name="aws">
- <properties>
- <help>Amazon Web Service</help>
- <priority>1280</priority>
- </properties>
- <children>
- <node name="glb" owner="${vyos_conf_scripts_dir}/service_aws_glb.py">
- <properties>
- <help>Gateway load-balancer tunnel handler</help>
- </properties>
- <children>
- <node name="script">
- <properties>
- <help>Script executed on create or destroy tunnel</help>
- </properties>
- <children>
- <leafNode name="on-create">
- <properties>
- <help>Script to run when interface is created</help>
- <constraint>
- <validator name="script"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="on-destroy">
- <properties>
- <help>Script to run when interface is destroyed</help>
- <constraint>
- <validator name="script"/>
- </constraint>
- </properties>
- </leafNode>
- </children>
- </node>
- <node name="status">
- <properties>
- <help>Status</help>
- </properties>
- <children>
- <leafNode name="format">
- <properties>
- <help>Statistic format</help>
- <completionHelp>
- <list>simple full</list>
- </completionHelp>
- <valueHelp>
- <format>simple</format>
- <description>Simple format</description>
- </valueHelp>
- <valueHelp>
- <format>full</format>
- <description>Full format</description>
- </valueHelp>
- <constraint>
- <regex>(simple|full)</regex>
- </constraint>
- </properties>
- </leafNode>
- #include <include/port-number.xml.i>
- </children>
- </node>
- <node name="threads">
- <properties>
- <help>Threads settings</help>
- </properties>
- <children>
- <leafNode name="tunnel">
- <properties>
- <help>Number of threads for each tunnel processor</help>
- <valueHelp>
- <format>u32:1-256</format>
- <description>Number of threads</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-256"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="tunnel-affinity">
- <properties>
- <help>List of cores worker threads</help>
- <valueHelp>
- <format>&lt;idN&gt;-&lt;idM&gt;</format>
- <description>CPU core id range (use '-' as delimiter)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--allow-range --range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="udp">
- <properties>
- <help>Number of threads for UDP receiver</help>
- <valueHelp>
- <format>u32:1-256</format>
- <description>Number of threads</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-256"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="udp-affinity">
- <properties>
- <help>List of cores worker threads</help>
- <valueHelp>
- <format>&lt;idN&gt;-&lt;idM&gt;</format>
- <description>CPU core id range (use '-' as delimiter)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--allow-range --range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </node>
- </children>
- </node>
- </children>
- </node>
-</interfaceDefinition>
diff --git a/op-mode-definitions/generate-system-login-user.xml.in b/op-mode-definitions/generate-system-login-user.xml.in
index bd80840df..6f65c12b3 100755
--- a/op-mode-definitions/generate-system-login-user.xml.in
+++ b/op-mode-definitions/generate-system-login-user.xml.in
@@ -35,19 +35,19 @@
<properties>
<help>Duration of single time interval</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9"</command>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9"</command>
<children>
<tagNode name="rate-time">
<properties>
<help>The number of digits in the one-time password</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9" --rate-time "${11}" </command>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9" --rate_time "${11}" </command>
<children>
<tagNode name="window-size">
<properties>
<help>The number of digits in the one-time password</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9" --rate-time "${11}" --window-size "${13}"</command>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9" --rate_time "${11}" --window_size "${13}"</command>
</tagNode>
</children>
</tagNode>
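Review bot: The help strings on the nodes whose commands are changed here do not describe the options they sit on: the `rate-time` node carries `The number of digits in the one-time password` and `window-size` carries the same text, while in the second hunk `rate-time` carries `Duration of single time interval`, so they look copy-pasted from `rate-limit`. Since the commit is already touching every `<command>` on these nodes to rename the flags to the underscore form, aligning each `<help>` with the corresponding argparse help in generate_system_login_user.py would make the CLI completion match what the script actually does. Presumably the rename is required because argparse matches option strings literally, so `--rate-limit` would not be accepted by a script that declares `--rate_limit`; a one-line comment in the script stating that these option names are referenced from this op-mode definition would help keep the two in sync.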
@@ -57,19 +57,19 @@
<properties>
<help>The number of digits in the one-time password</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --window-size "${9}"</command>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --window_size "${9}"</command>
<children>
<tagNode name="rate-limit">
<properties>
<help>Duration of single time interval</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "${11}" --window-size "${9}"</command>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "${11}" --window_size "${9}"</command>
<children>
<tagNode name="rate-time">
<properties>
<help>Duration of single time interval</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "${11}" --rate-time "${13}" --window-size "${9}"</command>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "${11}" --rate_time "${13}" --window_size "${9}"</command>
</tagNode>
</children>
</tagNode>
diff --git a/python/vyos/system/image.py b/python/vyos/system/image.py
index c03ce02d5..514275654 100644
--- a/python/vyos/system/image.py
+++ b/python/vyos/system/image.py
@@ -241,7 +241,7 @@ def validate_name(image_name: str) -> bool:
Returns:
bool: validation result
"""
- regex_filter = re_compile(r'^[\w\.+-]{1,32}$')
+ regex_filter = re_compile(r'^[\w\.+-]{1,64}$')
if regex_filter.match(image_name):
return True
return False
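Review bot: The widened pattern `^[\w\.+-]{1,64}$` still accepts the names `.` and `..`, which are special path components if the validated name is later joined into a filesystem path (likely for an image name, though the callers are outside this hunk). A guard before the regex, `if image_name in ('.', '..'): return False`, closes that without changing the accepted character set; note also that `\w` is Unicode-aware unless the pattern is compiled with `re.ASCII`, so non-ASCII letters are accepted. The docstring of validate_name begins above the hunk and presumably still states the old 32-character limit; it should be updated to 64 alongside this change.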
diff --git a/smoketest/scripts/cli/test_pki.py b/smoketest/scripts/cli/test_pki.py
index b18b0b039..2ccc63b2c 100755
--- a/smoketest/scripts/cli/test_pki.py
+++ b/smoketest/scripts/cli/test_pki.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -186,30 +186,6 @@ class TestPKI(VyOSUnitTestSHIM.TestCase):
with self.assertRaises(ConfigSessionError):
self.cli_commit()
- def test_invalid_certificate(self):
- self.cli_set(base_path + ['certificate', 'smoketest', 'certificate', 'invalidcertdata'])
-
- with self.assertRaises(ConfigSessionError):
- self.cli_commit()
-
- def test_invalid_public_key(self):
- self.cli_set(base_path + ['key-pair', 'smoketest', 'public', 'key', 'invalidkeydata'])
-
- with self.assertRaises(ConfigSessionError):
- self.cli_commit()
-
- def test_invalid_private_key(self):
- self.cli_set(base_path + ['key-pair', 'smoketest', 'private', 'key', 'invalidkeydata'])
-
- with self.assertRaises(ConfigSessionError):
- self.cli_commit()
-
- def test_invalid_dh_parameters(self):
- self.cli_set(base_path + ['dh', 'smoketest', 'parameters', 'thisisinvalid'])
-
- with self.assertRaises(ConfigSessionError):
- self.cli_commit()
-
def test_certificate_in_use(self):
self.cli_set(base_path + ['certificate', 'smoketest', 'certificate', valid_ca_cert.replace('\n','')])
self.cli_set(base_path + ['certificate', 'smoketest', 'private', 'key', valid_ca_private_key.replace('\n','')])
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index 95021c8fd..30e823bd4 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -20,6 +20,7 @@ from passlib.hosts import linux_context
from psutil import users
from pwd import getpwall
from pwd import getpwnam
+from pwd import getpwuid
from sys import exit
from time import sleep
@@ -342,8 +343,11 @@ def apply(login):
# XXX: Should we deny using root at all?
home_dir = getpwnam(user).pw_dir
# T5875: ensure UID is properly set on home directory if user is re-added
- if os.path.exists(home_dir):
- chown(home_dir, user=user, recursive=True)
+ # the home directory will always exist, as it's created above by --create-home,
+ # retrieve current owner of home directory and adjust it on demand
+ dir_owner = getpwuid(os.stat(home_dir).st_uid).pw_name
+ if dir_owner != user:
+ chown(home_dir, user=user, recursive=True)
render(f'{home_dir}/.ssh/authorized_keys', 'login/authorized_keys.j2',
user_config, permission=0o600,
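Review bot: `getpwuid(os.stat(home_dir).st_uid)` raises KeyError when the directory's current owner has no passwd entry, which is exactly the T5875 situation the comment describes (a stale home directory left by a user whose UID has since been removed), and `os.stat` raises FileNotFoundError if the directory is missing, a case the removed `os.path.exists` guard tolerated. Comparing UIDs avoids the reverse lookup entirely and reuses the `getpwnam` result already fetched: `pw = getpwnam(user)`, `if os.stat(pw.pw_dir).st_uid != pw.pw_uid:`, `chown(pw.pw_dir, user=user, recursive=True)`. If the directory is guaranteed by `--create-home` as the comment claims, say so where that call is made (outside this hunk) rather than here. apply() continues beyond both ends of the hunk.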
diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7
index 9ad887acc..b918833e9 100755
--- a/src/migration-scripts/firewall/6-to-7
+++ b/src/migration-scripts/firewall/6-to-7
@@ -73,6 +73,7 @@ icmp_translations = {
# Time Exceeded
'ttl-zero-during-transit': [11, 0],
'ttl-zero-during-reassembly': [11, 1],
+ 'ttl-exceeded': 'time-exceeded',
# Parameter Problem
'ip-header-bad': [12, 0],
'required-option-missing': [12, 1]
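Review bot: `'ttl-exceeded': 'time-exceeded'` introduces a str value into icmp_translations, whose other entries are `[type, code]` lists; whether the loop that consumes this dict (outside the hunk) handles a str the way the icmpv6 consumer must already do for `'redirect': 'nd-redirect'` is not visible here and should be confirmed, otherwise a two-element unpack would raise on this entry during migration. A comment on the new line such as `# str values are renamed type names, list values are [type, code]` would document the convention for both dicts. The same mixed-type convention is extended in the icmpv6 hunk below.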
@@ -87,8 +88,14 @@ icmpv6_translations = {
'communication-prohibited': [1, 1],
'address-unreachble': [1, 3],
'port-unreachable': [1, 4],
- # Redirect
+ # nd
'redirect': 'nd-redirect',
+ 'router-solicitation': 'nd-router-solicit',
+ 'router-advertisement': 'nd-router-advert',
+ 'neighbour-solicitation': 'nd-neighbor-solicit',
+ 'neighbor-solicitation': 'nd-neighbor-solicit',
+ 'neighbour-advertisement': 'nd-neighbor-advert',
+ 'neighbor-advertisement': 'nd-neighbor-advert',
# Time Exceeded
'ttl-zero-during-transit': [3, 0],
'ttl-zero-during-reassembly': [3, 1],
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index 6a8797aec..5e2af2d97 100755
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -257,6 +257,15 @@ def search_previous_installation(disks: list[str]) -> None:
disk.partition_umount(image_drive)
+def copy_preserve_owner(src: str, dst: str, *, follow_symlinks=True):
+ if not Path(src).is_file():
+ return
+ if Path(dst).is_dir():
+ dst = Path(dst).joinpath(Path(src).name)
+ st = Path(src).stat()
+ copy(src, dst, follow_symlinks=follow_symlinks)
+ chown(dst, user=st.st_uid)
+
def copy_previous_installation_data(target_dir: str) -> None:
if Path('/mnt/config').exists():
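Review bot: copy_preserve_owner has no docstring and, despite its name, preserves only the owner: `chown(dst, user=st.st_uid)` leaves the group at whatever the copy received, so files copied from /opt/vyatta/etc/config into the new image keep their uid but may change group. If the intent is to rely on the setgid bit that `chmod_2775(target_config_dir)` sets in add_image, a comment saying so would make that explicit; otherwise pass the group as well, `chown(dst, user=st.st_uid, group=st.st_gid)`. The helper is called with a username in system_login.py and with a numeric uid here, so confirm that chown resolves both forms. A docstring along the lines of "shutil.copy wrapper for copytree's copy_function that re-applies the source owner; silently skips non-regular files, and resolves dst to a file inside it when dst is a directory" would cover the remaining non-obvious branches.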
@@ -814,7 +823,7 @@ def add_image(image_path: str, vrf: str = None, username: str = '',
chown(target_config_dir, group='vyattacfg')
chmod_2775(target_config_dir)
copytree('/opt/vyatta/etc/config/', target_config_dir,
- dirs_exist_ok=True)
+ copy_function=copy_preserve_owner, dirs_exist_ok=True)
else:
Path(target_config_dir).mkdir(parents=True)
chown(target_config_dir, group='vyattacfg')