T6732: added same as vyos 1x

6 files changed, 317 insertions, 0 deletions

diff --git a/src/migration-scripts/https/0-to-1 b/src/migration-scripts/https/0-to-1
new file mode 100644
index 0000000..52fe3f2
--- /dev/null
+++ b/src/migration-scripts/https/0-to-1
@@ -0,0 +1,50 @@
+# Copyright 202-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# * Move server block directives under 'virtual-host' tag node, instead of
+#   relying on 'listen-address' tag node
+
+from vyos.configtree import ConfigTree
+
+old_base = ['service', 'https', 'listen-address']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(old_base):
+        # Nothing to do
+        return
+
+    new_base = ['service', 'https', 'virtual-host']
+    config.set(new_base)
+    config.set_tag(new_base)
+
+    index = 0
+    for addr in config.list_nodes(old_base):
+        tag_name = f'vhost{index}'
+        config.set(new_base + [tag_name])
+        config.set(new_base + [tag_name, 'listen-address'], value=addr)
+
+        if config.exists(old_base + [addr, 'listen-port']):
+            port = config.return_value(old_base + [addr, 'listen-port'])
+            config.set(new_base + [tag_name, 'listen-port'], value=port)
+
+        if config.exists(old_base + [addr, 'server-name']):
+            names = config.return_values(old_base + [addr, 'server-name'])
+            for name in names:
+                config.set(new_base + [tag_name, 'server-name'], value=name,
+                           replace=False)
+
+        index += 1
+
+    config.delete(old_base)
diff --git a/src/migration-scripts/https/1-to-2 b/src/migration-scripts/https/1-to-2
new file mode 100644
index 0000000..dad7ac1
--- /dev/null
+++ b/src/migration-scripts/https/1-to-2
@@ -0,0 +1,35 @@
+# Copyright 2020-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# * Move 'api virtual-host' list to 'api-restrict virtual-host' so it
+#   is owned by service_https.py
+
+from vyos.configtree import ConfigTree
+
+old_base = ['service', 'https', 'api', 'virtual-host']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(old_base):
+        # Nothing to do
+        return
+
+    new_base = ['service', 'https', 'api-restrict', 'virtual-host']
+    config.set(new_base)
+
+    names = config.return_values(old_base)
+    for name in names:
+        config.set(new_base, value=name, replace=False)
+
+    config.delete(old_base)
diff --git a/src/migration-scripts/https/2-to-3 b/src/migration-scripts/https/2-to-3
new file mode 100644
index 0000000..1125cae
--- /dev/null
+++ b/src/migration-scripts/https/2-to-3
@@ -0,0 +1,66 @@
+# Copyright 2021-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# * Migrate system signed certificate to use PKI
+
+from vyos.configtree import ConfigTree
+from vyos.pki import create_certificate
+from vyos.pki import create_certificate_request
+from vyos.pki import create_private_key
+from vyos.pki import encode_certificate
+from vyos.pki import encode_private_key
+
+base = ['service', 'https', 'certificates']
+pki_base = ['pki']
+
+def wrapped_pem_to_config_value(pem):
+    out = []
+    for line in pem.strip().split("\n"):
+        if not line or line.startswith("-----") or line[0] == '#':
+            continue
+        out.append(line)
+    return "".join(out)
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base + ['system-generated-certificate']):
+        return
+
+    if not config.exists(pki_base + ['certificate']):
+        config.set(pki_base + ['certificate'])
+        config.set_tag(pki_base + ['certificate'])
+
+    valid_days = 365
+    if config.exists(base + ['system-generated-certificate', 'lifetime']):
+        valid_days = int(config.return_value(base + ['system-generated-certificate', 'lifetime']))
+
+    key = create_private_key('rsa', 2048)
+    subject = {'country': 'GB', 'state': 'N/A', 'locality': 'N/A', 'organization': 'VyOS', 'common_name': 'vyos'}
+    cert_req = create_certificate_request(subject, key, ['vyos'])
+    cert = create_certificate(cert_req, cert_req, key, valid_days)
+
+    if cert:
+        cert_pem = encode_certificate(cert)
+        config.set(pki_base + ['certificate', 'generated_https', 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+
+    if key:
+        key_pem = encode_private_key(key)
+        config.set(pki_base + ['certificate', 'generated_https', 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
+
+    if cert and key:
+        config.set(base + ['certificate'], value='generated_https')
+    else:
+        print('Failed to migrate system-generated-certificate from https service')
+
+    config.delete(base + ['system-generated-certificate'])
diff --git a/src/migration-scripts/https/3-to-4 b/src/migration-scripts/https/3-to-4
new file mode 100644
index 0000000..c01236c
--- /dev/null
+++ b/src/migration-scripts/https/3-to-4
@@ -0,0 +1,34 @@
+# Copyright 2022-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# T4768 rename node 'gql' to 'graphql'.
+
+from vyos.configtree import ConfigTree
+
+old_base = ['service', 'https', 'api', 'gql']
+new_base = ['service', 'https', 'api', 'graphql']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(old_base):
+        # Nothing to do
+        return
+
+    config.set(new_base)
+
+    nodes = config.list_nodes(old_base)
+    for node in nodes:
+        config.copy(old_base + [node], new_base + [node])
+
+    config.delete(old_base)
diff --git a/src/migration-scripts/https/4-to-5 b/src/migration-scripts/https/4-to-5
new file mode 100644
index 0000000..0f1c790
--- /dev/null
+++ b/src/migration-scripts/https/4-to-5
@@ -0,0 +1,43 @@
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5762: http: api: smoketests fail as they can not establish IPv6 connection
+#        to uvicorn backend server, always make the UNIX domain socket the
+#        default way of communication
+
+from vyos.configtree import ConfigTree
+
+base = ['service', 'https']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        # Nothing to do
+        return
+
+    # Delete "socket" CLI option - we always use UNIX domain sockets for
+    # NGINX <-> API server communication
+    if config.exists(base + ['api', 'socket']):
+        config.delete(base + ['api', 'socket'])
+
+    # There is no need for an API service port, as UNIX domain sockets
+    # are used
+    if config.exists(base + ['api', 'port']):
+        config.delete(base + ['api', 'port'])
+
+    # rename listen-port -> port ver virtual-host
+    if config.exists(base + ['virtual-host']):
+        for vhost in config.list_nodes(base + ['virtual-host']):
+            if config.exists(base + ['virtual-host', vhost, 'listen-port']):
+                config.rename(base + ['virtual-host', vhost, 'listen-port'], 'port')
diff --git a/src/migration-scripts/https/5-to-6 b/src/migration-scripts/https/5-to-6
new file mode 100644
index 0000000..6ef6976
--- /dev/null
+++ b/src/migration-scripts/https/5-to-6
@@ -0,0 +1,89 @@
+# Copyright 2024 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5886: Add support for ACME protocol (LetsEncrypt), migrate https certbot
+#        to new "pki certificate" CLI tree
+# T5902: Remove virtual-host
+
+import os
+
+from vyos.configtree import ConfigTree
+from vyos.defaults import directories
+from vyos.utils.process import cmd
+
+vyos_certbot_dir = directories['certbot']
+
+base = ['service', 'https']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        # Nothing to do
+        return
+
+    if config.exists(base + ['certificates', 'certbot']):
+        # both domain-name and email must be set on CLI - ensured by previous verify()
+        domain_names = config.return_values(base + ['certificates', 'certbot', 'domain-name'])
+        email = config.return_value(base + ['certificates', 'certbot', 'email'])
+        config.delete(base + ['certificates', 'certbot'])
+
+        # Set default certname based on domain-name
+        cert_name = 'https-' + domain_names[0].split('.')[0]
+        # Overwrite certname from previous certbot calls if available
+        # We can not use python code like os.scandir due to filesystem permissions.
+        # This must be run as root
+        certbot_live = f'{vyos_certbot_dir}/live/' # we need the trailing /
+        if os.path.exists(certbot_live):
+            tmp = cmd(f'sudo find {certbot_live} -maxdepth 1 -type d')
+            tmp = tmp.split() # tmp = ['/config/auth/letsencrypt/live', '/config/auth/letsencrypt/live/router.vyos.net']
+            tmp.remove(certbot_live)
+            cert_name = tmp[0].replace(certbot_live, '')
+
+        config.set(['pki', 'certificate', cert_name, 'acme', 'email'], value=email)
+        config.set_tag(['pki', 'certificate'])
+        for domain in domain_names:
+            config.set(['pki', 'certificate', cert_name, 'acme', 'domain-name'], value=domain, replace=False)
+
+        # Update Webserver certificate
+        config.set(base + ['certificates', 'certificate'], value=cert_name)
+
+    if config.exists(base + ['virtual-host']):
+        allow_client = []
+        listen_port = []
+        listen_address = []
+        for virtual_host in config.list_nodes(base + ['virtual-host']):
+            allow_path = base + ['virtual-host', virtual_host, 'allow-client', 'address']
+            if config.exists(allow_path):
+                tmp = config.return_values(allow_path)
+                allow_client.extend(tmp)
+
+            port_path = base + ['virtual-host', virtual_host, 'port']
+            if config.exists(port_path):
+                tmp = config.return_value(port_path)
+                listen_port.append(tmp)
+
+            listen_address_path = base + ['virtual-host', virtual_host, 'listen-address']
+            if config.exists(listen_address_path):
+                tmp = config.return_value(listen_address_path)
+                listen_address.append(tmp)
+
+        config.delete(base + ['virtual-host'])
+        for client in allow_client:
+            config.set(base + ['allow-client', 'address'], value=client, replace=False)
+
+        #  clear listen-address if "all" were specified
+        if '*' in listen_address:
+            listen_address = []
+        for address in listen_address:
+            config.set(base + ['listen-address'], value=address, replace=False)