4 files changed, 52 insertions, 31 deletions

diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py
index 04113fc09..c196e272b 100755
--- a/src/conf_mode/http-api.py
+++ b/src/conf_mode/http-api.py
@@ -24,9 +24,11 @@ from copy import deepcopy
 import vyos.defaults
 
 from vyos.config import Config
+from vyos.configdict import dict_merge
 from vyos.template import render
 from vyos.util import cmd
 from vyos.util import call
+from vyos.xml import defaults
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -36,6 +38,15 @@ systemd_service = '/run/systemd/system/vyos-http-api.service'
 
 vyos_conf_scripts_dir=vyos.defaults.directories['conf_mode']
 
+def _translate_values_to_boolean(d: dict) -> dict:
+    for k in list(d):
+        if d[k] == {}:
+            d[k] = True
+        elif isinstance(d[k], dict):
+            _translate_values_to_boolean(d[k])
+        else:
+            pass
+
 def get_config(config=None):
     http_api = deepcopy(vyos.defaults.api_data)
     x = http_api.get('api_keys')
@@ -54,48 +65,40 @@ def get_config(config=None):
     if not conf.exists(base):
         return None
 
+    api_dict = conf.get_config_dict(base, key_mangling=('-', '_'),
+                                          no_tag_node_value_mangle=True,
+                                          get_first_key=True)
+
+    # One needs to 'flatten' the keys dict from the config into the
+    # http-api.conf format for api_keys:
+    if 'keys' in api_dict:
+        api_dict['api_keys'] = []
+        for el in list(api_dict['keys']['id']):
+            key = api_dict['keys']['id'][el]['key']
+            api_dict['api_keys'].append({'id': el, 'key': key})
+        del api_dict['keys']
+
     # Do we run inside a VRF context?
     vrf_path = ['service', 'https', 'vrf']
     if conf.exists(vrf_path):
         http_api['vrf'] = conf.return_value(vrf_path)
 
-    conf.set_level('service https api')
-    if conf.exists('strict'):
-        http_api['strict'] = True
-
-    if conf.exists('debug'):
-        http_api['debug'] = True
+    if 'api_keys' in api_dict:
+        keys_added = True
 
-    if conf.exists('gql'):
-        http_api['gql'] = True
-        if conf.exists('gql introspection'):
-            http_api['introspection'] = True
+    if 'gql' in api_dict:
+        api_dict = dict_merge(defaults(base), api_dict)
 
-    if conf.exists('socket'):
-        http_api['socket'] = True
-
-    if conf.exists('port'):
-        port = conf.return_value('port')
-        http_api['port'] = port
-
-    if conf.exists('cors'):
-        http_api['cors'] = {}
-        if conf.exists('cors allow-origin'):
-            origins = conf.return_values('cors allow-origin')
-            http_api['cors']['origins'] = origins[:]
-
-    if conf.exists('keys'):
-        for name in conf.list_nodes('keys id'):
-            if conf.exists('keys id {0} key'.format(name)):
-                key = conf.return_value('keys id {0} key'.format(name))
-                new_key = { 'id': name, 'key': key }
-                http_api['api_keys'].append(new_key)
-                keys_added = True
+    http_api.update(api_dict)
 
     if keys_added and default_key:
         if default_key in http_api['api_keys']:
             http_api['api_keys'].remove(default_key)
 
+    # Finally, translate entries in http_api into boolean settings for
+    # backwards compatability of JSON http-api.conf file
+    _translate_values_to_boolean(http_api)
+
     return http_api
 
 def verify(http_api):
diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index 87456f00b..ff568d470 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -159,6 +159,11 @@ def verify(bgp):
             if 'ebgp_multihop' in peer_config and 'ttl_security' in peer_config:
                 raise ConfigError('You can not set both ebgp-multihop and ttl-security hops')
 
+            # interface and ebgp-multihop can't be used in the same configration
+            if 'ebgp_multihop' in peer_config and 'interface' in peer_config:
+                raise ConfigError(f'Ebgp-multihop can not be used with directly connected '\
+                                  f'neighbor "{peer}"')
+
             # Check if neighbor has both override capability and strict capability match
             # configured at the same time.
             if 'override_capability' in peer_config and 'strict_capability_match' in peer_config:
diff --git a/src/conf_mode/service_monitoring_telegraf.py b/src/conf_mode/service_monitoring_telegraf.py
index 427cb6911..aafece47a 100755
--- a/src/conf_mode/service_monitoring_telegraf.py
+++ b/src/conf_mode/service_monitoring_telegraf.py
@@ -42,7 +42,11 @@ systemd_override = '/etc/systemd/system/telegraf.service.d/10-override.conf'
 
 def get_nft_filter_chains():
     """ Get nft chains for table filter """
-    nft = cmd('nft --json list table ip vyos_filter')
+    try:
+        nft = cmd('nft --json list table ip vyos_filter')
+    except Exception:
+        print('nft table ip vyos_filter not found')
+        return []
     nft = json.loads(nft)
     chain_list = []
 
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index dbd346fe4..e26b81e3d 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -257,6 +257,15 @@ def apply(login):
             except Exception as e:
                 raise ConfigError(f'Adding user "{user}" raised exception: "{e}"')
 
+            # Generate 2FA/MFA One-Time-Pad configuration
+            if dict_search('authentication.otp.key', user_config):
+                render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2',
+                       user_config, permission=0o400, user=user, group='users')
+            else:
+                # delete configuration as it's not enabled for the user
+                if os.path.exists(f'{home_dir}/.google_authenticator'):
+                    os.remove(f'{home_dir}/.google_authenticator')
+
     if 'rm_users' in login:
         for user in login['rm_users']:
             try: