summaryrefslogtreecommitdiff
path: root/src/conf_mode/https.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode/https.py')
-rwxr-xr-xsrc/conf_mode/https.py133
1 files changed, 99 insertions, 34 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 010490c7e..40b7de557 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -16,19 +16,24 @@
import os
import sys
+import json
from copy import deepcopy
+from time import sleep
import vyos.defaults
import vyos.certbot_util
from vyos.config import Config
+from vyos.configdiff import get_config_diff
from vyos.configverify import verify_vrf
from vyos import ConfigError
from vyos.pki import wrap_certificate
from vyos.pki import wrap_private_key
from vyos.template import render
from vyos.utils.process import call
+from vyos.utils.process import is_systemd_service_running
+from vyos.utils.process import is_systemd_service_active
from vyos.utils.network import check_port_availability
from vyos.utils.network import is_listen_port_bind_service
from vyos.utils.file import write_file
@@ -42,6 +47,9 @@ cert_dir = '/etc/ssl/certs'
key_dir = '/etc/ssl/private'
certbot_dir = vyos.defaults.directories['certbot']
+api_config_state = '/run/http-api-state'
+systemd_service = '/run/systemd/system/vyos-http-api.service'
+
# https config needs to coordinate several subsystems: api, certbot,
# self-signed certificate, as well as the virtual hosts defined within the
# https config definition itself. Consequently, one needs a general dict,
@@ -52,7 +60,7 @@ default_server_block = {
'address' : '*',
'port' : '443',
'name' : ['_'],
- 'api' : {},
+ 'api' : False,
'vyos_cert' : {},
'certbot' : False
}
@@ -67,15 +75,41 @@ def get_config(config=None):
if not conf.exists(base):
return None
+ diff = get_config_diff(conf)
+
https = conf.get_config_dict(base, get_first_key=True)
if https:
https['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ no_tag_node_value_mangle=True,
+ get_first_key=True)
+
+ https['children_changed'] = diff.node_changed_children(base)
+ https['api_add_or_delete'] = diff.node_changed_presence(base + ['api'])
+
+ if 'api' not in https:
+ return https
+
+ http_api = conf.get_config_dict(base + ['api'], key_mangling=('-', '_'),
+ no_tag_node_value_mangle=True,
+ get_first_key=True,
+ with_recursive_defaults=True)
+
+ if http_api.from_defaults(['graphql']):
+ del http_api['graphql']
+
+ # Do we run inside a VRF context?
+ vrf_path = ['service', 'https', 'vrf']
+ if conf.exists(vrf_path):
+ http_api['vrf'] = conf.return_value(vrf_path)
+
+ https['api'] = http_api
return https
def verify(https):
+ from vyos.utils.dict import dict_search
+
if https is None:
return None
@@ -101,7 +135,7 @@ def verify(https):
if 'certbot' in https['certificates']:
vhost_names = []
- for vh, vh_conf in https.get('virtual-host', {}).items():
+ for _, vh_conf in https.get('virtual-host', {}).items():
vhost_names += vh_conf.get('server-name', [])
domains = https['certificates']['certbot'].get('domain-name', [])
domains_found = [domain for domain in domains if domain in vhost_names]
@@ -122,7 +156,7 @@ def verify(https):
server_block = deepcopy(default_server_block)
data = vhost_dict.get(vhost, {})
server_block['address'] = data.get('listen-address', '*')
- server_block['port'] = data.get('listen-port', '443')
+ server_block['port'] = data.get('port', '443')
server_block_list.append(server_block)
for entry in server_block_list:
@@ -135,12 +169,44 @@ def verify(https):
raise ConfigError(f'"{proto}" port "{_port}" is used by another service')
verify_vrf(https)
+
+ # Verify API server settings, if present
+ if 'api' in https:
+ keys = dict_search('api.keys.id', https)
+ gql_auth_type = dict_search('api.graphql.authentication.type', https)
+
+ # If "api graphql" is not defined and `gql_auth_type` is None,
+ # there's certainly no JWT auth option, and keys are required
+ jwt_auth = (gql_auth_type == "token")
+
+ # Check for incomplete key configurations in every case
+ valid_keys_exist = False
+ if keys:
+ for k in keys:
+ if 'key' not in keys[k]:
+ raise ConfigError(f'Missing HTTPS API key string for key id "{k}"')
+ else:
+ valid_keys_exist = True
+
+ # If only key-based methods are enabled,
+ # fail the commit if no valid key configurations are found
+ if (not valid_keys_exist) and (not jwt_auth):
+ raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled')
+
return None
def generate(https):
if https is None:
return None
+ if 'api' not in https:
+ if os.path.exists(systemd_service):
+ os.unlink(systemd_service)
+ else:
+ render(systemd_service, 'https/vyos-http-api.service.j2', https['api'])
+ with open(api_config_state, 'w') as f:
+ json.dump(https['api'], f, indent=2)
+
server_block_list = []
# organize by vhosts
@@ -156,7 +222,7 @@ def generate(https):
server_block['id'] = vhost
data = vhost_dict.get(vhost, {})
server_block['address'] = data.get('listen-address', '*')
- server_block['port'] = data.get('listen-port', '443')
+ server_block['port'] = data.get('port', '443')
name = data.get('server-name', ['_'])
server_block['name'] = name
allow_client = data.get('allow-client', {})
@@ -206,40 +272,18 @@ def generate(https):
# certbot organizes certificates by first domain
sb['certbot_domain_dir'] = cert_domains[0]
- # get api data
-
- api_set = False
- api_data = {}
if 'api' in list(https):
- api_set = True
- api_data = vyos.defaults.api_data
- api_settings = https.get('api', {})
- if api_settings:
- port = api_settings.get('port', '')
- if port:
- api_data['port'] = port
- vhosts = https.get('api-restrict', {}).get('virtual-host', [])
- if vhosts:
- api_data['vhost'] = vhosts[:]
- if 'socket' in list(api_settings):
- api_data['socket'] = True
-
- if api_data:
- vhost_list = api_data.get('vhost', [])
+ vhost_list = https.get('api-restrict', {}).get('virtual-host', [])
if not vhost_list:
for block in server_block_list:
- block['api'] = api_data
+ block['api'] = True
else:
for block in server_block_list:
if block['id'] in vhost_list:
- block['api'] = api_data
-
- if 'server_block_list' not in https or not https['server_block_list']:
- https['server_block_list'] = [default_server_block]
+ block['api'] = True
data = {
'server_block_list': server_block_list,
- 'api_set': api_set,
'certbot': certbot
}
@@ -250,10 +294,31 @@ def generate(https):
def apply(https):
# Reload systemd manager configuration
call('systemctl daemon-reload')
- if https is not None:
- call('systemctl restart nginx.service')
- else:
- call('systemctl stop nginx.service')
+ http_api_service_name = 'vyos-http-api.service'
+ https_service_name = 'nginx.service'
+
+ if https is None:
+ if is_systemd_service_active(f'{http_api_service_name}'):
+ call(f'systemctl stop {http_api_service_name}')
+ call(f'systemctl stop {https_service_name}')
+ return
+
+ if 'api' in https['children_changed']:
+ if 'api' in https:
+ if is_systemd_service_running(f'{http_api_service_name}'):
+ call(f'systemctl reload {http_api_service_name}')
+ else:
+ call(f'systemctl restart {http_api_service_name}')
+ # Let uvicorn settle before (possibly) restarting nginx
+ sleep(1)
+ else:
+ if is_systemd_service_active(f'{http_api_service_name}'):
+ call(f'systemctl stop {http_api_service_name}')
+
+ if (not is_systemd_service_running(f'{https_service_name}') or
+ https['api_add_or_delete'] or
+ set(https['children_changed']) - set(['api'])):
+ call(f'systemctl restart {https_service_name}')
if __name__ == '__main__':
try:
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-21 12:24:42 +0000