8 files changed, 71 insertions, 39 deletions

diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py
index 04113fc09..c196e272b 100755
--- a/src/conf_mode/http-api.py
+++ b/src/conf_mode/http-api.py
@@ -24,9 +24,11 @@ from copy import deepcopy
 import vyos.defaults
 
 from vyos.config import Config
+from vyos.configdict import dict_merge
 from vyos.template import render
 from vyos.util import cmd
 from vyos.util import call
+from vyos.xml import defaults
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -36,6 +38,15 @@ systemd_service = '/run/systemd/system/vyos-http-api.service'
 
 vyos_conf_scripts_dir=vyos.defaults.directories['conf_mode']
 
+def _translate_values_to_boolean(d: dict) -> dict:
+    for k in list(d):
+        if d[k] == {}:
+            d[k] = True
+        elif isinstance(d[k], dict):
+            _translate_values_to_boolean(d[k])
+        else:
+            pass
+
 def get_config(config=None):
     http_api = deepcopy(vyos.defaults.api_data)
     x = http_api.get('api_keys')
@@ -54,48 +65,40 @@ def get_config(config=None):
     if not conf.exists(base):
         return None
 
+    api_dict = conf.get_config_dict(base, key_mangling=('-', '_'),
+                                          no_tag_node_value_mangle=True,
+                                          get_first_key=True)
+
+    # One needs to 'flatten' the keys dict from the config into the
+    # http-api.conf format for api_keys:
+    if 'keys' in api_dict:
+        api_dict['api_keys'] = []
+        for el in list(api_dict['keys']['id']):
+            key = api_dict['keys']['id'][el]['key']
+            api_dict['api_keys'].append({'id': el, 'key': key})
+        del api_dict['keys']
+
     # Do we run inside a VRF context?
     vrf_path = ['service', 'https', 'vrf']
     if conf.exists(vrf_path):
         http_api['vrf'] = conf.return_value(vrf_path)
 
-    conf.set_level('service https api')
-    if conf.exists('strict'):
-        http_api['strict'] = True
-
-    if conf.exists('debug'):
-        http_api['debug'] = True
+    if 'api_keys' in api_dict:
+        keys_added = True
 
-    if conf.exists('gql'):
-        http_api['gql'] = True
-        if conf.exists('gql introspection'):
-            http_api['introspection'] = True
+    if 'gql' in api_dict:
+        api_dict = dict_merge(defaults(base), api_dict)
 
-    if conf.exists('socket'):
-        http_api['socket'] = True
-
-    if conf.exists('port'):
-        port = conf.return_value('port')
-        http_api['port'] = port
-
-    if conf.exists('cors'):
-        http_api['cors'] = {}
-        if conf.exists('cors allow-origin'):
-            origins = conf.return_values('cors allow-origin')
-            http_api['cors']['origins'] = origins[:]
-
-    if conf.exists('keys'):
-        for name in conf.list_nodes('keys id'):
-            if conf.exists('keys id {0} key'.format(name)):
-                key = conf.return_value('keys id {0} key'.format(name))
-                new_key = { 'id': name, 'key': key }
-                http_api['api_keys'].append(new_key)
-                keys_added = True
+    http_api.update(api_dict)
 
     if keys_added and default_key:
         if default_key in http_api['api_keys']:
             http_api['api_keys'].remove(default_key)
 
+    # Finally, translate entries in http_api into boolean settings for
+    # backwards compatability of JSON http-api.conf file
+    _translate_values_to_boolean(http_api)
+
     return http_api
 
 def verify(http_api):
diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index 87456f00b..ff568d470 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -159,6 +159,11 @@ def verify(bgp):
             if 'ebgp_multihop' in peer_config and 'ttl_security' in peer_config:
                 raise ConfigError('You can not set both ebgp-multihop and ttl-security hops')
 
+            # interface and ebgp-multihop can't be used in the same configration
+            if 'ebgp_multihop' in peer_config and 'interface' in peer_config:
+                raise ConfigError(f'Ebgp-multihop can not be used with directly connected '\
+                                  f'neighbor "{peer}"')
+
             # Check if neighbor has both override capability and strict capability match
             # configured at the same time.
             if 'override_capability' in peer_config and 'strict_capability_match' in peer_config:
diff --git a/src/conf_mode/service_monitoring_telegraf.py b/src/conf_mode/service_monitoring_telegraf.py
index 427cb6911..aafece47a 100755
--- a/src/conf_mode/service_monitoring_telegraf.py
+++ b/src/conf_mode/service_monitoring_telegraf.py
@@ -42,7 +42,11 @@ systemd_override = '/etc/systemd/system/telegraf.service.d/10-override.conf'
 
 def get_nft_filter_chains():
     """ Get nft chains for table filter """
-    nft = cmd('nft --json list table ip vyos_filter')
+    try:
+        nft = cmd('nft --json list table ip vyos_filter')
+    except Exception:
+        print('nft table ip vyos_filter not found')
+        return []
     nft = json.loads(nft)
     chain_list = []
 
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index dbd346fe4..e26b81e3d 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -257,6 +257,15 @@ def apply(login):
             except Exception as e:
                 raise ConfigError(f'Adding user "{user}" raised exception: "{e}"')
 
+            # Generate 2FA/MFA One-Time-Pad configuration
+            if dict_search('authentication.otp.key', user_config):
+                render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2',
+                       user_config, permission=0o400, user=user, group='users')
+            else:
+                # delete configuration as it's not enabled for the user
+                if os.path.exists(f'{home_dir}/.google_authenticator'):
+                    os.remove(f'{home_dir}/.google_authenticator')
+
     if 'rm_users' in login:
         for user in login['rm_users']:
             try:
diff --git a/src/etc/sudoers.d/vyos b/src/etc/sudoers.d/vyos
index f760b417f..e0fd8cb0b 100644
--- a/src/etc/sudoers.d/vyos
+++ b/src/etc/sudoers.d/vyos
@@ -40,10 +40,13 @@ Cmnd_Alias PCAPTURE = /usr/bin/tcpdump
 Cmnd_Alias HWINFO   = /usr/bin/lspci
 Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \
                            /usr/share/heartbeat/hb_standby
+Cmnd_Alias DIAGNOSTICS = /bin/ip vrf exec * /bin/ping *,       \
+                         /bin/ip vrf exec * /bin/traceroute *, \
+                         /usr/libexec/vyos/op_mode/*
 %operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
 			PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
                         DMIDECODE, DISK, CONNTRACK, IP6TABLES,  \
-                        FORCE_CLUSTER
+                        FORCE_CLUSTER, DIAGNOSTICS
 
 # Allow any user to run files in sudo-users
 %users ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/
diff --git a/src/etc/telegraf/custom_scripts/show_firewall_input_filter.py b/src/etc/telegraf/custom_scripts/show_firewall_input_filter.py
index cbc2bfe6b..d7eca5894 100755
--- a/src/etc/telegraf/custom_scripts/show_firewall_input_filter.py
+++ b/src/etc/telegraf/custom_scripts/show_firewall_input_filter.py
@@ -11,7 +11,10 @@ def get_nft_filter_chains():
     """
     Get list of nft chains for table filter
     """
-    nft = cmd('/usr/sbin/nft --json list table ip vyos_filter')
+    try:
+        nft = cmd('/usr/sbin/nft --json list table ip vyos_filter')
+    except Exception:
+        return []
     nft = json.loads(nft)
     chain_list = []
 
diff --git a/src/op_mode/ipsec.py b/src/op_mode/ipsec.py
index a4d1b4cb1..7ec35d7bd 100755
--- a/src/op_mode/ipsec.py
+++ b/src/op_mode/ipsec.py
@@ -133,14 +133,13 @@ def _get_formatted_output_sas(sas):
 
 
 def get_peer_connections(peer, tunnel, return_all = False):
-    peer = peer.replace(':', '-')
-    search = rf'^[\s]*(peer_{peer}_(tunnel_[\d]+|vti)).*'
+    search = rf'^[\s]*({peer}-(tunnel-[\d]+|vti)).*'
     matches = []
     with open(SWANCTL_CONF, 'r') as f:
         for line in f.readlines():
             result = re.match(search, line)
             if result:
-                suffix = f'tunnel_{tunnel}' if tunnel.isnumeric() else tunnel
+                suffix = f'tunnel-{tunnel}' if tunnel.isnumeric() else tunnel
                 if return_all or (result[2] == suffix):
                     matches.append(result[1])
     return matches
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
index 190f3409d..4ace981ca 100755
--- a/src/services/vyos-http-api-server
+++ b/src/services/vyos-http-api-server
@@ -686,10 +686,16 @@ if __name__ == '__main__':
     app.state.vyos_keys = server_config['api_keys']
 
     app.state.vyos_debug = server_config['debug']
-    app.state.vyos_gql = server_config['gql']
-    app.state.vyos_introspection = server_config['introspection']
     app.state.vyos_strict = server_config['strict']
-    app.state.vyos_origins = server_config.get('cors', {}).get('origins', [])
+    app.state.vyos_origins = server_config.get('cors', {}).get('allow_origin', [])
+    if 'gql' in server_config:
+        app.state.vyos_gql = True
+        if isinstance(server_config['gql'], dict) and 'introspection' in server_config['gql']:
+            app.state.vyos_introspection = True
+        else:
+            app.state.vyos_introspection = False
+    else:
+        app.state.vyos_gql = False
 
     if app.state.vyos_gql:
         graphql_init(app)