5 files changed, 212 insertions, 8 deletions

diff --git a/src/op_mode/dhcp.py b/src/op_mode/dhcp.py
index f558c18b7..77f38992b 100755
--- a/src/op_mode/dhcp.py
+++ b/src/op_mode/dhcp.py
@@ -338,10 +338,12 @@ def _get_formatted_client_leases(lease_data, family):
     from time import localtime
     from time import strftime
 
-    from vyos.validate import is_intf_addr_assigned
+    from vyos.utils.network import is_intf_addr_assigned
 
     data_entries = []
     for lease in lease_data:
+        if not lease.get('new_ip_address'):
+            continue
         data_entries.append(["Interface", lease['interface']])
         if 'new_ip_address' in lease:
             tmp = '[Active]' if is_intf_addr_assigned(lease['interface'], lease['new_ip_address']) else '[Inactive]'
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 581710b31..23b4b8459 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -127,7 +127,15 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
                     if not source_addr:
                         source_addr = dict_search_args(rule_conf, 'source', 'group', 'domain_group')
                         if not source_addr:
-                            source_addr = '::/0' if ipv6 else '0.0.0.0/0'
+                            source_addr = dict_search_args(rule_conf, 'source', 'fqdn')
+                            if not source_addr:
+                                source_addr = dict_search_args(rule_conf, 'source', 'geoip', 'country_code')
+                                if source_addr:
+                                    source_addr = str(source_addr)[1:-1].replace('\'','')
+                                    if 'inverse_match' in dict_search_args(rule_conf, 'source', 'geoip'):
+                                        source_addr = 'NOT ' + str(source_addr)
+                                if not source_addr:
+                                    source_addr = 'any'
 
             # Get destination
             dest_addr = dict_search_args(rule_conf, 'destination', 'address')
@@ -138,7 +146,15 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
                     if not dest_addr:
                         dest_addr = dict_search_args(rule_conf, 'destination', 'group', 'domain_group')
                         if not dest_addr:
-                            dest_addr = '::/0' if ipv6 else '0.0.0.0/0'
+                            dest_addr = dict_search_args(rule_conf, 'destination', 'fqdn')
+                            if not dest_addr:
+                                dest_addr = dict_search_args(rule_conf, 'destination', 'geoip', 'country_code')
+                                if dest_addr:
+                                    dest_addr = str(dest_addr)[1:-1].replace('\'','')
+                                    if 'inverse_match' in dict_search_args(rule_conf, 'destination', 'geoip'):
+                                        dest_addr = 'NOT ' + str(dest_addr)
+                                if not dest_addr:
+                                    dest_addr = 'any'
 
             # Get inbound interface
             iiface = dict_search_args(rule_conf, 'inbound_interface', 'interface_name')
@@ -169,7 +185,22 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
             row.append(oiface)
             rows.append(row)
 
-    if 'default_action' in prior_conf and not single_rule_id:
+
+    if hook in ['input', 'forward', 'output']:
+        row = ['default']
+        row.append('N/A')
+        row.append('N/A')
+        if 'default_action' in prior_conf:
+            row.append(prior_conf['default_action'])
+        else:
+            row.append('accept')
+        row.append('any')
+        row.append('any')
+        row.append('any')
+        row.append('any')
+        rows.append(row)
+
+    elif 'default_action' in prior_conf and not single_rule_id:
         row = ['default']
         if 'default-action' in details:
             rule_details = details['default-action']
@@ -179,8 +210,10 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
             row.append('0')
             row.append('0')
         row.append(prior_conf['default_action'])
-        row.append('0.0.0.0/0') # Source
-        row.append('0.0.0.0/0') # Dest
+        row.append('any') # Source
+        row.append('any') # Dest
+        row.append('any')   # inbound-interface
+        row.append('any')   # outbound-interface
         rows.append(row)
 
     if rows:
@@ -303,7 +336,7 @@ def show_firewall_group(name=None):
                 continue
 
             references = find_references(group_type, group_name)
-            row = [group_name, group_type, '\n'.join(references) or 'N/A']
+            row = [group_name, group_type, '\n'.join(references) or 'N/D']
             if 'address' in group_conf:
                 row.append("\n".join(sorted(group_conf['address'])))
             elif 'network' in group_conf:
@@ -315,7 +348,7 @@ def show_firewall_group(name=None):
             elif 'interface' in group_conf:
                 row.append("\n".join(sorted(group_conf['interface'])))
             else:
-                row.append('N/A')
+                row.append('N/D')
             rows.append(row)
 
     if rows:
diff --git a/src/op_mode/ipsec.py b/src/op_mode/ipsec.py
index 57d3cfed9..44d41219e 100755
--- a/src/op_mode/ipsec.py
+++ b/src/op_mode/ipsec.py
@@ -779,6 +779,45 @@ def show_ra_summary(raw: bool):
     return _get_formatted_output_ra_summary(list_sa)
 
 
+# PSK block
+def _get_raw_psk():
+    conf: ConfigTreeQuery = ConfigTreeQuery()
+    config_path = ['vpn', 'ipsec', 'authentication', 'psk']
+    psk_config = conf.get_config_dict(config_path, key_mangling=('-', '_'),
+                                       get_first_key=True,
+                                       no_tag_node_value_mangle=True)
+
+    psk_list = []
+    for psk, psk_data in psk_config.items():
+        psk_data['psk'] = psk
+        psk_list.append(psk_data)
+
+    return psk_list
+
+
+def _get_formatted_psk(psk_list):
+    headers = ["PSK", "Id", "Secret"]
+    formatted_data = []
+
+    for psk_data in psk_list:
+        formatted_data.append([psk_data["psk"], "\n".join(psk_data["id"]), psk_data["secret"]])
+
+    return tabulate(formatted_data, headers=headers)
+
+
+def show_psk(raw: bool):
+    config = ConfigTreeQuery()
+    if not config.exists('vpn ipsec authentication psk'):
+        raise vyos.opmode.UnconfiguredSubsystem('VPN ipsec psk authentication is not configured')
+
+    psk = _get_raw_psk()
+    if raw:
+        return psk
+    return _get_formatted_psk(psk)
+
+# PSK block end
+
+
 if __name__ == '__main__':
     try:
         res = vyos.opmode.run(sys.modules[__name__])
diff --git a/src/op_mode/otp.py b/src/op_mode/otp.py
new file mode 100755
index 000000000..6d4298894
--- /dev/null
+++ b/src/op_mode/otp.py
@@ -0,0 +1,124 @@
+#!/usr/bin/env python3
+
+# Copyright 2017, 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+
+import sys
+import os
+import vyos.opmode
+from jinja2 import Template
+from vyos.configquery import ConfigTreeQuery
+from vyos.xml import defaults
+from vyos.configdict import dict_merge
+from vyos.utils.process import popen
+
+
+users_otp_template = Template("""
+{% if info == "full" %}
+# You can share it with the user, he just needs to scan the QR in his OTP app
+# username: {{username}}
+# OTP KEY: {{key_base32}}
+# OTP URL: {{otp_url}}
+{{qrcode}}
+# To add this OTP key to configuration, run the following commands:
+set system login user {{username}} authentication otp key '{{key_base32}}'
+{% if rate_limit != "3" %}
+set system login user {{username}} authentication otp rate-limit '{{rate_limit}}'
+{% endif %}
+{% if rate_time != "30" %}
+set system login user {{username}} authentication otp rate-time '{{rate_time}}'
+{% endif %}
+{% if window_size != "3" %}
+set system login user {{username}} authentication otp window-size '{{window_size}}'
+{% endif %}
+{% elif info == "key-b32" %}
+# OTP key in Base32 for system user {{username}}:
+{{key_base32}}
+{% elif info == "qrcode" %}
+# QR code for system user '{{username}}'
+{{qrcode}}
+{% elif info == "uri" %}
+# URI for system user '{{username}}'
+{{otp_url}}
+{% endif %}
+""", trim_blocks=True, lstrip_blocks=True)
+
+
+def _check_uname_otp(username:str):
+    """
+    Check if "username" exists and have an OTP key
+    """
+    config = ConfigTreeQuery()
+    base_key = ['system', 'login', 'user', username, 'authentication', 'otp', 'key']
+    if not config.exists(base_key):
+        return None
+    return True
+
+def _get_login_otp(username: str, info:str):
+    """
+    Retrieve user settings from configuration and set some defaults
+    """
+    config = ConfigTreeQuery()
+    base = ['system', 'login', 'user', username]
+    if not config.exists(base):
+        return None
+    user_otp = config.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+    # We have gathered the dict representation of the CLI, but there are default
+    # options which we need to update into the dictionary retrived.
+    default_values = defaults(['system', 'login', 'user'])
+    user_otp = dict_merge(default_values, user_otp)
+    result = user_otp['authentication']['otp']
+    # Filling in the system and default options
+    result['info'] = info
+    result['hostname'] = os.uname()[1]
+    result['username'] = username
+    result['key_base32'] = result['key']
+    result['otp_length'] = '6'
+    result['interval'] = '30'
+    result['token_type'] = 'hotp-time'
+    if result['token_type'] == 'hotp-time':
+        token_type_acrn = 'totp'
+    result['otp_url'] = ''.join(["otpauth://",token_type_acrn,"/",username,"@",\
+        result['hostname'],"?secret=",result['key_base32'],"&digits=",\
+        result['otp_length'],"&period=",result['interval']])
+    result['qrcode'],err = popen('qrencode -t ansiutf8', input=result['otp_url'])
+    return result
+
+def show_login(raw: bool, username: str, info:str):
+    '''
+    Display OTP parameters for <username>
+    '''
+    check_otp = _check_uname_otp(username)
+    if check_otp:
+        user_otp_params = _get_login_otp(username, info)
+    else:
+        print(f'There is no such user ("{username}") with an OTP key configured')
+        print('You can use the following command to generate a key for a user:\n')
+        print(f'generate system login username {username} otp-key hotp-time')
+        sys.exit(0)
+    if raw:
+        return user_otp_params
+    return users_otp_template.render(user_otp_params)
+
+
+if __name__ == '__main__':
+    try:
+        res = vyos.opmode.run(sys.modules[__name__])
+        if res:
+            print(res)
+    except (ValueError, vyos.opmode.Error) as e:
+        print(e)
+        sys.exit(1)
diff --git a/src/op_mode/vyos-op-cmd-wrapper.sh b/src/op_mode/vyos-op-cmd-wrapper.sh
new file mode 100755
index 000000000..a89211b2b
--- /dev/null
+++ b/src/op_mode/vyos-op-cmd-wrapper.sh
@@ -0,0 +1,6 @@
+#!/bin/vbash
+shopt -s expand_aliases
+source /etc/default/vyatta
+source /etc/bash_completion.d/vyatta-op
+_vyatta_op_init
+_vyatta_op_run "$@"