5 files changed, 141 insertions, 13 deletions

diff --git a/src/conf_mode/service_monitoring_zabbix-agent.py b/src/conf_mode/service_monitoring_zabbix-agent.py
index 98d8a32ca..f17146a8d 100755
--- a/src/conf_mode/service_monitoring_zabbix-agent.py
+++ b/src/conf_mode/service_monitoring_zabbix-agent.py
@@ -18,6 +18,8 @@ import os
 
 from vyos.config import Config
 from vyos.template import render
+from vyos.utils.dict import dict_search
+from vyos.utils.file import write_file
 from vyos.utils.process import call
 from vyos import ConfigError
 from vyos import airbag
@@ -26,6 +28,7 @@ airbag.enable()
 
 service_name = 'zabbix-agent2'
 service_conf = f'/run/zabbix/{service_name}.conf'
+service_psk_file = f'/run/zabbix/{service_name}.psk'
 systemd_override = r'/run/systemd/system/zabbix-agent2.service.d/10-override.conf'
 
 
@@ -49,6 +52,8 @@ def get_config(config=None):
     if 'directory' in config and config['directory'].endswith('/'):
         config['directory'] = config['directory'][:-1]
 
+    config['service_psk_file'] = service_psk_file
+
     return config
 
 
@@ -60,18 +65,34 @@ def verify(config):
     if 'server' not in config:
         raise ConfigError('Server is required!')
 
+    if 'authentication' in config and dict_search("authentication.mode",
+                                                  config) == 'pre_shared_secret':
+        if 'id' not in config['authentication']['psk']:
+            raise ConfigError(
+                'PSK identity is required for pre-shared-secret authentication mode')
+
+        if 'secret' not in config['authentication']['psk']:
+            raise ConfigError(
+                'PSK secret is required for pre-shared-secret authentication mode')
+
 
 def generate(config):
     # bail out early - looks like removal from running config
     if config is None:
         # Remove old config and return
-        config_files = [service_conf, systemd_override]
+        config_files = [service_conf, systemd_override, service_psk_file]
         for file in config_files:
             if os.path.isfile(file):
                 os.unlink(file)
 
         return None
 
+    if not dict_search("authentication.psk.secret", config):
+        if os.path.isfile(service_psk_file):
+            os.unlink(service_psk_file)
+    else:
+        write_file(service_psk_file, config["authentication"]["psk"]["secret"])
+
     # Write configuration file
     render(service_conf, 'zabbix-agent/zabbix-agent.conf.j2', config)
     render(systemd_override, 'zabbix-agent/10-override.conf.j2', config)
diff --git a/src/helpers/latest-image-url.py b/src/helpers/latest-image-url.py
new file mode 100755
index 000000000..ea201ef7c
--- /dev/null
+++ b/src/helpers/latest-image-url.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python3
+
+import sys
+
+from vyos.configquery import ConfigTreeQuery
+from vyos.version import get_remote_version
+
+
+if __name__ == '__main__':
+    image_path = ''
+
+    config = ConfigTreeQuery()
+    if config.exists('system update-check url'):
+        configured_url_version = config.value('system update-check url')
+        remote_url_list = get_remote_version(configured_url_version)
+        if remote_url_list:
+            image_path = remote_url_list[0].get('url')
+        else:
+            sys.exit(1)
+
+    print(image_path)
diff --git a/src/op_mode/generate_psk.py b/src/op_mode/generate_psk.py
new file mode 100644
index 000000000..d51293712
--- /dev/null
+++ b/src/op_mode/generate_psk.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import argparse
+
+from vyos.utils.process import cmd
+
+
+def validate_hex_size(value):
+    """Validate that the hex_size is between 32 and 512."""
+    try:
+        value = int(value)
+    except ValueError:
+        raise argparse.ArgumentTypeError("hex_size must be integer.")
+
+    if value < 32 or value > 512:
+        raise argparse.ArgumentTypeError("hex_size must be between 32 and 512.")
+    return value
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "--hex_size",
+        type=validate_hex_size,
+        help='PKS value size in hex format. Default is 32 bytes.',
+        default=32,
+
+        required=False,
+    )
+    args = parser.parse_args()
+
+    print(cmd(f'openssl rand -hex {args.hex_size}'))
\ No newline at end of file
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index bdc16de15..1da112673 100755
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -33,14 +33,13 @@ from errno import ENOSPC
 from psutil import disk_partitions
 
 from vyos.configtree import ConfigTree
-from vyos.configquery import ConfigTreeQuery
 from vyos.remote import download
 from vyos.system import disk, grub, image, compat, raid, SYSTEM_CFG_VER
 from vyos.template import render
 from vyos.utils.io import ask_input, ask_yes_no, select_entry
 from vyos.utils.file import chmod_2775
-from vyos.utils.process import cmd, run
-from vyos.version import get_remote_version, get_version_data
+from vyos.utils.process import cmd, run, rc_cmd
+from vyos.version import get_version_data
 
 # define text messages
 MSG_ERR_NOT_LIVE: str = 'The system is already installed. Please use "add system image" instead.'
@@ -99,6 +98,7 @@ FILE_ROOTFS_SRC: str = '/usr/lib/live/mount/medium/live/filesystem.squashfs'
 ISO_DOWNLOAD_PATH: str = '/tmp/vyos_installation.iso'
 
 external_download_script = '/usr/libexec/vyos/simple-download.py'
+external_latest_image_url_script = '/usr/libexec/vyos/latest-image-url.py'
 
 # default boot variables
 DEFAULT_BOOT_VARS: dict[str, str] = {
@@ -532,10 +532,10 @@ def download_file(local_file: str, remote_path: str, vrf: str,
         download(local_file, remote_path, progressbar=progressbar,
                  check_space=check_space, raise_error=True)
     else:
-        vrf_cmd = f'REMOTE_USERNAME={username} REMOTE_PASSWORD={password} \
-                ip vrf exec {vrf} {external_download_script} \
-                --local-file {local_file} --remote-path {remote_path}'
-        cmd(vrf_cmd)
+        remote_auth = f'REMOTE_USERNAME={username} REMOTE_PASSWORD={password}'
+        vrf_cmd = f'ip vrf exec {vrf} {external_download_script} \
+                    --local-file {local_file} --remote-path {remote_path}'
+        cmd(vrf_cmd, auth=remote_auth)
 
 def image_fetch(image_path: str, vrf: str = None,
                 username: str = '', password: str = '',
@@ -550,11 +550,15 @@ def image_fetch(image_path: str, vrf: str = None,
     """
     # Latest version gets url from configured "system update-check url"
     if image_path == 'latest':
-        config = ConfigTreeQuery()
-        if config.exists('system update-check url'):
-            configured_url_version = config.value('system update-check url')
-            remote_url_list = get_remote_version(configured_url_version)
-            image_path = remote_url_list[0].get('url')
+        command = external_latest_image_url_script
+        if vrf:
+            command = f'REMOTE_USERNAME={username} REMOTE_PASSWORD={password} \
+                        ip vrf exec {vrf} ' + command
+        code, output = rc_cmd(command)
+        if code:
+            print(output)
+            exit(MSG_INFO_INSTALL_EXIT)
+        image_path = output if output else image_path
 
     try:
         # check a type of path
diff --git a/src/validators/ether-type b/src/validators/ether-type
new file mode 100644
index 000000000..926db26d3
--- /dev/null
+++ b/src/validators/ether-type
@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import re
+from sys import argv,exit
+
+if __name__ == '__main__':
+    if len(argv) != 2:
+        exit(1)
+
+    input = argv[1]
+    try:
+        # ethertype can be in the range 1 - 65535
+        if int(input) in range(1, 65536):
+            exit(0)
+    except ValueError:
+        pass
+
+    pattern = "!?\\b(all|ip|ipv6|ipx|802.1Q|802_2|802_3|aarp|aoe|arp|atalk|dec|lat|localtalk|rarp|snap|x25)\\b"
+    if re.match(pattern, input):
+        exit(0)
+
+    print(f'Error: {input} is not a valid ether type or protocol.')
+    exit(1)