From 1ba7d4e3e91b7e29447aca50295efda550239652 Mon Sep 17 00:00:00 2001
From: Daniil Baturin <daniil@baturin.org>
Date: Wed, 22 Nov 2023 00:53:35 +0000
Subject: https api: T5772: check if keys are configured unless PAM auth is
enabled for GraphQL
(cherry picked from commit 8c450ea7f538beb0b2cd21d35c05d18db49a1802)
---
smoketest/scripts/cli/test_service_https.py | 17 +++++++++++++----
src/conf_mode/https.py | 26 ++++++++++++++++++++++++++
2 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/smoketest/scripts/cli/test_service_https.py b/smoketest/scripts/cli/test_service_https.py
index 901a1857e..24e1f1299 100755
--- a/smoketest/scripts/cli/test_service_https.py
+++ b/smoketest/scripts/cli/test_service_https.py
@@ -25,6 +25,8 @@ from base_vyostest_shim import ignore_warning
from vyos.utils.file import read_file
from vyos.utils.process import process_named_running
+from vyos.configsession import ConfigSessionError
+
base_path = ['service', 'https']
pki_base = ['pki']
@@ -62,9 +64,6 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase):
cls.cli_delete(cls, pki_base)
def tearDown(self):
- # Check for running process
- self.assertTrue(process_named_running(PROCESS_NAME))
-
self.cli_delete(base_path)
self.cli_delete(pki_base)
self.cli_commit()
@@ -89,6 +88,7 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase):
nginx_config = read_file('/etc/nginx/sites-enabled/default')
self.assertIn(f'listen {address}:{port} ssl;', nginx_config)
self.assertIn(f'ssl_protocols TLSv1.2 TLSv1.3;', nginx_config)
+ self.assertTrue(process_named_running(PROCESS_NAME))
def test_certificate(self):
self.cli_set(pki_base + ['certificate', 'test_https', 'certificate', cert_data.replace('\n','')])
@@ -97,6 +97,15 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['certificates', 'certificate', 'test_https'])
self.cli_commit()
+ self.assertTrue(process_named_running(PROCESS_NAME))
+
+ def test_api_missing_keys(self):
+ self.cli_set(base_path + ['api'])
+ self.assertRaises(ConfigSessionError, self.cli_commit)
+
+ def test_api_incomplete_key(self):
+ self.cli_set(base_path + ['api', 'keys', 'id', 'key-01'])
+ self.assertRaises(ConfigSessionError, self.cli_commit)
@ignore_warning(InsecureRequestWarning)
def test_api_auth(self):
@@ -339,4 +348,4 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase):
if __name__ == '__main__':
- unittest.main(verbosity=2)
+ unittest.main(verbosity=5)
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 26c4343a0..5cbdd1651 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -76,6 +76,8 @@ def get_config(config=None):
return https
def verify(https):
+ from vyos.utils.dict import dict_search
+
if https is None:
return None
@@ -135,6 +137,30 @@ def verify(https):
raise ConfigError(f'"{proto}" port "{_port}" is used by another service')
verify_vrf(https)
+
+ # Verify API server settings, if present
+ if 'api' in https:
+ keys = dict_search('api.keys.id', https)
+ gql_auth_type = dict_search('api.graphql.authentication.type', https)
+
+ # If "api graphql" is not defined and `gql_auth_type` is None,
+ # there's certainly no JWT auth option, and keys are required
+ jwt_auth = (gql_auth_type == "token")
+
+ # Check for incomplete key configurations in every case
+ valid_keys_exist = False
+ if keys:
+ for k in keys:
+ if 'key' not in keys[k]:
+ raise ConfigError(f'Missing HTTPS API key string for key id "{k}"')
+ else:
+ valid_keys_exist = True
+
+ # If only key-based methods are enabled,
+ # fail the commit if no valid key configurations are found
+ if (not valid_keys_exist) and (not jwt_auth):
+ raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled')
+
return None
def generate(https):
--
cgit v1.2.3