From 6b138fe680c9dc97bddbf981fe0c747ede55f660 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 25 Sep 2018 20:09:22 +0200 Subject: T855: fix SNMP python verify() to allow non group assignment VyOS 1.1.8 support SNMPv3 without a group beeing assigned to a user. This was yet not supported in VyOS 1.2.0. Use for testing: ================ set service snmp v3 user testsnmpv3 auth plain 'authkey12345' set service snmp v3 user testsnmpv3 auth type sha set service snmp v3 user testsnmpv3 mode ro set service snmp v3 user testsnmpv3 privacy plain 'privkey12345' set service snmp v3 user testsnmpv3 privacy type aes --- src/conf_mode/snmp.py | 47 ++++++++++++++++++++++------------------------- 1 file changed, 22 insertions(+), 25 deletions(-) (limited to 'src') diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index 69952e5e2..cbca72a85 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -669,48 +669,45 @@ def verify(snmp): # Group must exist prior to mapping it into a group # seclevel will be extracted from group # - error = True if user['group']: + error = True if 'v3_groups' in snmp.keys(): for group in snmp['v3_groups']: if group['name'] == user['group']: seclevel = group['seclevel'] error = False - if error: - raise ConfigError('You must create group "{0}" first'.format(user['group'])) + if error: + raise ConfigError('You must create group "{0}" first'.format(user['group'])) # Depending on the configured security level # the user has to provide additional info - if seclevel in ('auth', 'priv'): - if user['authPassword'] and user['authMasterKey']: - raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth') + if user['authPassword'] and user['authMasterKey']: + raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth') - if (not user['authPassword'] and not user['authMasterKey']): - raise ConfigError('Must specify encrypted-key or plaintext-key for user auth') + if (not user['authPassword'] and not user['authMasterKey']): + raise ConfigError('Must specify encrypted-key or plaintext-key for user auth') - # seclevel 'priv' is more restrictive - if seclevel in ('priv'): - if user['privPassword'] and user['privMasterKey']: - raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy') + if user['privPassword'] and user['privMasterKey']: + raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy') - if user['privPassword'] == '' and user['privMasterKey'] == '': - raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy') + if user['privPassword'] == '' and user['privMasterKey'] == '': + raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy') - if user['privMasterKey'] and user['engineID'] == '': - raise ConfigError('Can not have "encrypted-key" without engineid') + if user['privMasterKey'] and user['engineID'] == '': + raise ConfigError('Can not have "encrypted-key" without engineid') - if user['authPassword'] == '' and user['authMasterKey'] == '' and user['privTsmKey'] == '': - raise ConfigError('Must specify auth or tsm-key for user auth') + if user['authPassword'] == '' and user['authMasterKey'] == '' and user['privTsmKey'] == '': + raise ConfigError('Must specify auth or tsm-key for user auth') - if user['mode'] == '': - raise ConfigError('Must specify user mode ro/rw') + if user['mode'] == '': + raise ConfigError('Must specify user mode ro/rw') - if user['privTsmKey']: - if not tsmKeyPattern.match(snmp['v3_tsm_key']): - if not os.path.isfile('/etc/snmp/tls/certs/' + snmp['v3_tsm_key']): - if not os.path.isfile('/config/snmp/tls/certs/' + snmp['v3_tsm_key']): - raise ConfigError('User TSM key must be fingerprint or filename in "/config/snmp/tls/certs/" folder') + if user['privTsmKey']: + if not tsmKeyPattern.match(snmp['v3_tsm_key']): + if not os.path.isfile('/etc/snmp/tls/certs/' + snmp['v3_tsm_key']): + if not os.path.isfile('/config/snmp/tls/certs/' + snmp['v3_tsm_key']): + raise ConfigError('User TSM key must be fingerprint or filename in "/config/snmp/tls/certs/" folder') if 'v3_views' in snmp.keys(): for view in snmp['v3_views']: -- cgit v1.2.3 From fe8f4813e6fb008aede29d3e1cba337930907931 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Tue, 2 Oct 2018 16:36:31 +0200 Subject: T866: add a post-upgrade script for setting correct /config ownership in case GIDs change. --- src/system/post-upgrade | 3 +++ 1 file changed, 3 insertions(+) create mode 100755 src/system/post-upgrade (limited to 'src') diff --git a/src/system/post-upgrade b/src/system/post-upgrade new file mode 100755 index 000000000..41b7c01ba --- /dev/null +++ b/src/system/post-upgrade @@ -0,0 +1,3 @@ +#!/bin/sh + +chown -R root:vyattacfg /config -- cgit v1.2.3 From 0d57cba02d6fe64ec9a1f3d6243a8de3bb925c4c Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Tue, 2 Oct 2018 19:32:03 +0200 Subject: T414: remove "service telnet" from configs on upgrade. --- src/migration-scripts/system/8-to-9 | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/migration-scripts/system/8-to-9 b/src/migration-scripts/system/8-to-9 index db3fefdea..cd92f3023 100755 --- a/src/migration-scripts/system/8-to-9 +++ b/src/migration-scripts/system/8-to-9 @@ -1,6 +1,6 @@ #!/usr/bin/env python3 -# Deletes "system package" option as it is deprecated +# Deletes the deprecated "system package" and "service telnet" options import sys @@ -17,12 +17,16 @@ with open(file_name, 'r') as f: config = ConfigTree(config_file) -if not config.exists(['system', 'package']): +if (not config.exists(['system', 'package'])) and (not config.exists(['service', 'telnet'])): # Nothing to do sys.exit(0) else: - # Delete the node with the old syntax - config.delete(['system', 'package']) + # Delete the "system package" subtree + if config.exists(['system', 'package']): + config.delete(['system', 'package']) + + if config.exists(['service', 'telnet']): + config.delete(['service', 'telnet']) try: with open(file_name, 'w') as f: -- cgit v1.2.3