diff --git a/src/services/vyos-configd b/src/services/vyos-configd
index 3674d9627..2c0244a81 100755
--- a/src/services/vyos-configd
+++ b/src/services/vyos-configd
@@ -1,327 +1,338 @@
#!/usr/bin/env python3
#
# Copyright (C) 2020-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# pylint: disable=redefined-outer-name
+
import os
import sys
import grp
import re
import json
import typing
import logging
import signal
import importlib.util
+import io
+from contextlib import redirect_stdout
+
import zmq
-from contextlib import contextmanager
from vyos.defaults import directories
from vyos.utils.boot import boot_configuration_complete
from vyos.configsource import ConfigSourceString
from vyos.configsource import ConfigSourceError
from vyos.configdiff import get_commit_scripts
from vyos.config import Config
from vyos import ConfigError
CFG_GROUP = 'vyattacfg'
script_stdout_log = '/tmp/vyos-configd-script-stdout'
debug = True
logger = logging.getLogger(__name__)
logs_handler = logging.StreamHandler()
logger.addHandler(logs_handler)
if debug:
logger.setLevel(logging.DEBUG)
else:
logger.setLevel(logging.INFO)
-SOCKET_PATH = "ipc:///run/vyos-configd.sock"
+SOCKET_PATH = 'ipc:///run/vyos-configd.sock'
+MAX_MSG_SIZE = 65535
# Response error codes
R_SUCCESS = 1
R_ERROR_COMMIT = 2
R_ERROR_DAEMON = 4
R_PASS = 8
vyos_conf_scripts_dir = directories['conf_mode']
configd_include_file = os.path.join(directories['data'], 'configd-include.json')
configd_env_set_file = os.path.join(directories['data'], 'vyos-configd-env-set')
configd_env_unset_file = os.path.join(directories['data'], 'vyos-configd-env-unset')
# sourced on entering config session
configd_env_file = '/etc/default/vyos-configd-env'
-session_out = None
-session_mode = None
-
def key_name_from_file_name(f):
return os.path.splitext(f)[0]
def module_name_from_key(k):
return k.replace('-', '_')
def path_from_file_name(f):
return os.path.join(vyos_conf_scripts_dir, f)
+
# opt-in to be run by daemon
with open(configd_include_file) as f:
try:
include = json.load(f)
except OSError as e:
- logger.critical(f"configd include file error: {e}")
+ logger.critical(f'configd include file error: {e}')
sys.exit(1)
except json.JSONDecodeError as e:
- logger.critical(f"JSON load error: {e}")
+ logger.critical(f'JSON load error: {e}')
sys.exit(1)
+
# import conf_mode scripts
(_, _, filenames) = next(iter(os.walk(vyos_conf_scripts_dir)))
filenames.sort()
load_filenames = [f for f in filenames if f in include]
imports = [key_name_from_file_name(f) for f in load_filenames]
module_names = [module_name_from_key(k) for k in imports]
paths = [path_from_file_name(f) for f in load_filenames]
to_load = list(zip(module_names, paths))
modules = []
for x in to_load:
spec = importlib.util.spec_from_file_location(x[0], x[1])
module = importlib.util.module_from_spec(spec)
spec.loader.exec_module(module)
modules.append(module)
conf_mode_scripts = dict(zip(imports, modules))
exclude_set = {key_name_from_file_name(f) for f in filenames if f not in include}
include_set = {key_name_from_file_name(f) for f in filenames if f in include}
-@contextmanager
-def stdout_redirected(filename, mode):
- saved_stdout_fd = None
- destination_file = None
- try:
- sys.stdout.flush()
- saved_stdout_fd = os.dup(sys.stdout.fileno())
- destination_file = open(filename, mode)
- os.dup2(destination_file.fileno(), sys.stdout.fileno())
- yield
- finally:
- if saved_stdout_fd is not None:
- os.dup2(saved_stdout_fd, sys.stdout.fileno())
- os.close(saved_stdout_fd)
- if destination_file is not None:
- destination_file.close()
-
-def explicit_print(path, mode, msg):
- try:
- with open(path, mode) as f:
- f.write(f"\n{msg}\n\n")
- except OSError:
- logger.critical("error explicit_print")
-def run_script(script_name, config, args) -> int:
+def write_stdout_log(file_name, msg):
+ if boot_configuration_complete():
+ return
+ with open(file_name, 'a') as f:
+ f.write(msg)
+
+
+def run_script(script_name, config, args) -> tuple[int, str]:
+ # pylint: disable=broad-exception-caught
+
script = conf_mode_scripts[script_name]
script.argv = args
config.set_level([])
try:
c = script.get_config(config)
script.verify(c)
script.generate(c)
script.apply(c)
except ConfigError as e:
logger.error(e)
- explicit_print(session_out, session_mode, str(e))
- return R_ERROR_COMMIT
+ return R_ERROR_COMMIT, str(e)
except Exception as e:
logger.critical(e)
- return R_ERROR_DAEMON
+ return R_ERROR_DAEMON, str(e)
+
+ return R_SUCCESS, ''
- return R_SUCCESS
def initialization(socket):
- global session_out
- global session_mode
+ # pylint: disable=broad-exception-caught,too-many-locals
+
# Reset config strings:
active_string = ''
session_string = ''
# check first for resent init msg, in case of client timeout
while True:
- msg = socket.recv().decode("utf-8", "ignore")
+ msg = socket.recv().decode('utf-8', 'ignore')
try:
message = json.loads(msg)
- if message["type"] == "init":
- resp = "init"
+ if message['type'] == 'init':
+ resp = 'init'
socket.send(resp.encode())
- except:
+ except Exception:
break
# zmq synchronous for ipc from single client:
active_string = msg
- resp = "active"
+ resp = 'active'
socket.send(resp.encode())
- session_string = socket.recv().decode("utf-8", "ignore")
- resp = "session"
+ session_string = socket.recv().decode('utf-8', 'ignore')
+ resp = 'session'
socket.send(resp.encode())
- pid_string = socket.recv().decode("utf-8", "ignore")
- resp = "pid"
+ pid_string = socket.recv().decode('utf-8', 'ignore')
+ resp = 'pid'
socket.send(resp.encode())
- sudo_user_string = socket.recv().decode("utf-8", "ignore")
- resp = "sudo_user"
+ sudo_user_string = socket.recv().decode('utf-8', 'ignore')
+ resp = 'sudo_user'
socket.send(resp.encode())
- temp_config_dir_string = socket.recv().decode("utf-8", "ignore")
- resp = "temp_config_dir"
+ temp_config_dir_string = socket.recv().decode('utf-8', 'ignore')
+ resp = 'temp_config_dir'
socket.send(resp.encode())
- changes_only_dir_string = socket.recv().decode("utf-8", "ignore")
- resp = "changes_only_dir"
+ changes_only_dir_string = socket.recv().decode('utf-8', 'ignore')
+ resp = 'changes_only_dir'
socket.send(resp.encode())
- logger.debug(f"config session pid is {pid_string}")
- logger.debug(f"config session sudo_user is {sudo_user_string}")
-
- try:
- session_out = os.readlink(f"/proc/{pid_string}/fd/1")
- session_mode = 'w'
- except FileNotFoundError:
- session_out = None
-
- # if not a 'live' session, for example on boot, write to file
- if not session_out or not boot_configuration_complete():
- session_out = script_stdout_log
- session_mode = 'a'
+ logger.debug(f'config session pid is {pid_string}')
+ logger.debug(f'config session sudo_user is {sudo_user_string}')
os.environ['SUDO_USER'] = sudo_user_string
if temp_config_dir_string:
os.environ['VYATTA_TEMP_CONFIG_DIR'] = temp_config_dir_string
if changes_only_dir_string:
os.environ['VYATTA_CHANGES_ONLY_DIR'] = changes_only_dir_string
try:
configsource = ConfigSourceString(running_config_text=active_string,
session_config_text=session_string)
except ConfigSourceError as e:
logger.debug(e)
return None
config = Config(config_source=configsource)
dependent_func: dict[str, list[typing.Callable]] = {}
setattr(config, 'dependent_func', dependent_func)
commit_scripts = get_commit_scripts(config)
logger.debug(f'commit_scripts: {commit_scripts}')
scripts_called = []
setattr(config, 'scripts_called', scripts_called)
return config
-def process_node_data(config, data, last: bool = False) -> int:
+
+def process_node_data(config, data, _last: bool = False) -> tuple[int, str]:
if not config:
- logger.critical(f"Empty config")
- return R_ERROR_DAEMON
+ out = 'Empty config'
+ logger.critical(out)
+ return R_ERROR_DAEMON, out
script_name = None
os.environ['VYOS_TAGNODE_VALUE'] = ''
args = []
config.dependency_list.clear()
res = re.match(r'^(VYOS_TAGNODE_VALUE=[^/]+)?.*\/([^/]+).py(.*)', data)
if res.group(1):
env = res.group(1).split('=')
os.environ[env[0]] = env[1]
if res.group(2):
script_name = res.group(2)
if not script_name:
- logger.critical(f"Missing script_name")
- return R_ERROR_DAEMON
+ out = 'Missing script_name'
+ logger.critical(out)
+ return R_ERROR_DAEMON, out
if res.group(3):
args = res.group(3).split()
args.insert(0, f'{script_name}.py')
tag_value = os.getenv('VYOS_TAGNODE_VALUE', '')
tag_ext = f'_{tag_value}' if tag_value else ''
script_record = f'{script_name}{tag_ext}'
scripts_called = getattr(config, 'scripts_called', [])
scripts_called.append(script_record)
if script_name not in include_set:
- return R_PASS
+ return R_PASS, ''
+
+ with redirect_stdout(io.StringIO()) as o:
+ result, err_out = run_script(script_name, config, args)
+ amb_out = o.getvalue()
+ o.close()
+
+ out = amb_out + err_out
+
+ return result, out
+
- with stdout_redirected(session_out, session_mode):
- result = run_script(script_name, config, args)
+def send_result(sock, err, msg):
+ msg_size = min(MAX_MSG_SIZE, len(msg)) if msg else 0
+
+ err_rep = err.to_bytes(1, byteorder=sys.byteorder)
+ logger.debug(f'Sending reply: {err}')
+ sock.send(err_rep)
+
+ # size req from vyshim client
+ size_req = sock.recv().decode()
+ logger.debug(f'Received request: {size_req}')
+ msg_size_rep = hex(msg_size).encode()
+ sock.send(msg_size_rep)
+ logger.debug(f'Sending reply: {msg_size}')
+
+ if msg_size > 0:
+ # send req is sent from vyshim client only if msg_size > 0
+ send_req = sock.recv().decode()
+ logger.debug(f'Received request: {send_req}')
+ sock.send(msg.encode())
+ logger.debug('Sending reply with output')
+
+ write_stdout_log(script_stdout_log, msg)
- return result
def remove_if_file(f: str):
try:
os.remove(f)
except FileNotFoundError:
pass
- except OSError:
- raise
+
def shutdown():
remove_if_file(configd_env_file)
os.symlink(configd_env_unset_file, configd_env_file)
sys.exit(0)
+
if __name__ == '__main__':
context = zmq.Context()
socket = context.socket(zmq.REP)
# Set the right permissions on the socket, then change it back
o_mask = os.umask(0)
socket.bind(SOCKET_PATH)
os.umask(o_mask)
cfg_group = grp.getgrnam(CFG_GROUP)
os.setgid(cfg_group.gr_gid)
os.environ['VYOS_CONFIGD'] = 't'
def sig_handler(signum, frame):
+ # pylint: disable=unused-argument
shutdown()
signal.signal(signal.SIGTERM, sig_handler)
signal.signal(signal.SIGINT, sig_handler)
# Define the vyshim environment variable
remove_if_file(configd_env_file)
os.symlink(configd_env_set_file, configd_env_file)
config = None
while True:
# Wait for next request from client
msg = socket.recv().decode()
- logger.debug(f"Received message: {msg}")
+ logger.debug(f'Received message: {msg}')
message = json.loads(msg)
- if message["type"] == "init":
- resp = "init"
+ if message['type'] == 'init':
+ resp = 'init'
socket.send(resp.encode())
config = initialization(socket)
- elif message["type"] == "node":
- res = process_node_data(config, message["data"], message["last"])
- response = res.to_bytes(1, byteorder=sys.byteorder)
- logger.debug(f"Sending response {res}")
- socket.send(response)
- if message["last"] and config:
+ elif message['type'] == 'node':
+ res, out = process_node_data(config, message['data'], message['last'])
+ send_result(socket, res, out)
+
+ if message['last'] and config:
scripts_called = getattr(config, 'scripts_called', [])
logger.debug(f'scripts_called: {scripts_called}')
else:
- logger.critical(f"Unexpected message: {message}")
+ logger.critical(f'Unexpected message: {message}')
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
index 97633577d..91100410c 100755
--- a/src/services/vyos-http-api-server
+++ b/src/services/vyos-http-api-server
@@ -1,1034 +1,1036 @@
#!/usr/share/vyos-http-api-tools/bin/python3
#
# Copyright (C) 2019-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import sys
import grp
import copy
import json
import logging
import signal
import traceback
import threading
from enum import Enum
from time import sleep
from typing import List, Union, Callable, Dict, Self
from fastapi import FastAPI, Depends, Request, Response, HTTPException
from fastapi import BackgroundTasks
from fastapi.responses import HTMLResponse
from fastapi.exceptions import RequestValidationError
from fastapi.routing import APIRoute
from pydantic import BaseModel, StrictStr, validator, model_validator
from starlette.middleware.cors import CORSMiddleware
from starlette.datastructures import FormData
from starlette.formparsers import FormParser, MultiPartParser
from multipart.multipart import parse_options_header
from uvicorn import Config as UvicornConfig
from uvicorn import Server as UvicornServer
from ariadne.asgi import GraphQL
from vyos.config import Config
from vyos.configtree import ConfigTree
from vyos.configdiff import get_config_diff
from vyos.configsession import ConfigSession
from vyos.configsession import ConfigSessionError
from vyos.defaults import api_config_state
import api.graphql.state
CFG_GROUP = 'vyattacfg'
debug = True
logger = logging.getLogger(__name__)
logs_handler = logging.StreamHandler()
logger.addHandler(logs_handler)
if debug:
logger.setLevel(logging.DEBUG)
else:
logger.setLevel(logging.INFO)
# Giant lock!
lock = threading.Lock()
def load_server_config():
with open(api_config_state) as f:
config = json.load(f)
return config
def check_auth(key_list, key):
key_id = None
for k in key_list:
if k['key'] == key:
key_id = k['id']
return key_id
def error(code, msg):
resp = {"success": False, "error": msg, "data": None}
resp = json.dumps(resp)
return HTMLResponse(resp, status_code=code)
def success(data):
resp = {"success": True, "data": data, "error": None}
resp = json.dumps(resp)
return HTMLResponse(resp)
# Pydantic models for validation
# Pydantic will cast when possible, so use StrictStr
# validators added as needed for additional constraints
# schema_extra adds anotations to OpenAPI, to add examples
class ApiModel(BaseModel):
key: StrictStr
class BasePathModel(BaseModel):
op: StrictStr
path: List[StrictStr]
@validator("path")
def check_non_empty(cls, path):
if not len(path) > 0:
raise ValueError('path must be non-empty')
return path
class BaseConfigureModel(BasePathModel):
value: StrictStr = None
class ConfigureModel(ApiModel, BaseConfigureModel):
class Config:
schema_extra = {
"example": {
"key": "id_key",
"op": "set | delete | comment",
"path": ['config', 'mode', 'path'],
}
}
class ConfigureListModel(ApiModel):
commands: List[BaseConfigureModel]
class Config:
schema_extra = {
"example": {
"key": "id_key",
"commands": "list of commands",
}
}
class BaseConfigSectionModel(BasePathModel):
section: Dict
class ConfigSectionModel(ApiModel, BaseConfigSectionModel):
pass
class ConfigSectionListModel(ApiModel):
commands: List[BaseConfigSectionModel]
class BaseConfigSectionTreeModel(BaseModel):
op: StrictStr
mask: Dict
config: Dict
class ConfigSectionTreeModel(ApiModel, BaseConfigSectionTreeModel):
pass
class RetrieveModel(ApiModel):
op: StrictStr
path: List[StrictStr]
configFormat: StrictStr = None
class Config:
schema_extra = {
"example": {
"key": "id_key",
"op": "returnValue | returnValues | exists | showConfig",
"path": ['config', 'mode', 'path'],
"configFormat": "json (default) | json_ast | raw",
}
}
class ConfigFileModel(ApiModel):
op: StrictStr
file: StrictStr = None
class Config:
schema_extra = {
"example": {
"key": "id_key",
"op": "save | load",
"file": "filename",
}
}
class ImageOp(str, Enum):
add = "add"
delete = "delete"
show = "show"
set_default = "set_default"
class ImageModel(ApiModel):
op: ImageOp
url: StrictStr = None
name: StrictStr = None
@model_validator(mode='after')
def check_data(self) -> Self:
if self.op == 'add':
if not self.url:
raise ValueError("Missing required field \"url\"")
elif self.op in ['delete', 'set_default']:
if not self.name:
raise ValueError("Missing required field \"name\"")
return self
class Config:
schema_extra = {
"example": {
"key": "id_key",
"op": "add | delete | show | set_default",
"url": "imagelocation",
"name": "imagename",
}
}
class ImportPkiModel(ApiModel):
op: StrictStr
path: List[StrictStr]
passphrase: StrictStr = None
class Config:
schema_extra = {
"example": {
"key": "id_key",
"op": "import_pki",
"path": ["op", "mode", "path"],
"passphrase": "passphrase",
}
}
class ContainerImageModel(ApiModel):
op: StrictStr
name: StrictStr = None
class Config:
schema_extra = {
"example": {
"key": "id_key",
"op": "add | delete | show",
"name": "imagename",
}
}
class GenerateModel(ApiModel):
op: StrictStr
path: List[StrictStr]
class Config:
schema_extra = {
"example": {
"key": "id_key",
"op": "generate",
"path": ["op", "mode", "path"],
}
}
class ShowModel(ApiModel):
op: StrictStr
path: List[StrictStr]
class Config:
schema_extra = {
"example": {
"key": "id_key",
"op": "show",
"path": ["op", "mode", "path"],
}
}
class RebootModel(ApiModel):
op: StrictStr
path: List[StrictStr]
class Config:
schema_extra = {
"example": {
"key": "id_key",
"op": "reboot",
"path": ["op", "mode", "path"],
}
}
class ResetModel(ApiModel):
op: StrictStr
path: List[StrictStr]
class Config:
schema_extra = {
"example": {
"key": "id_key",
"op": "reset",
"path": ["op", "mode", "path"],
}
}
class PoweroffModel(ApiModel):
op: StrictStr
path: List[StrictStr]
class Config:
schema_extra = {
"example": {
"key": "id_key",
"op": "poweroff",
"path": ["op", "mode", "path"],
}
}
class Success(BaseModel):
success: bool
data: Union[str, bool, Dict]
error: str
class Error(BaseModel):
success: bool = False
data: Union[str, bool, Dict]
error: str
responses = {
200: {'model': Success},
400: {'model': Error},
422: {'model': Error, 'description': 'Validation Error'},
500: {'model': Error}
}
def auth_required(data: ApiModel):
key = data.key
api_keys = app.state.vyos_keys
key_id = check_auth(api_keys, key)
if not key_id:
raise HTTPException(status_code=401, detail="Valid API key is required")
app.state.vyos_id = key_id
# override Request and APIRoute classes in order to convert form request to json;
# do all explicit validation here, for backwards compatability of error messages;
# the explicit validation may be dropped, if desired, in favor of native
# validation by FastAPI/Pydantic, as is used for application/json requests
class MultipartRequest(Request):
_form_err = ()
@property
def form_err(self):
return self._form_err
@form_err.setter
def form_err(self, val):
if not self._form_err:
self._form_err = val
@property
def orig_headers(self):
self._orig_headers = super().headers
return self._orig_headers
@property
def headers(self):
self._headers = super().headers.mutablecopy()
self._headers['content-type'] = 'application/json'
return self._headers
async def form(self) -> FormData:
if self._form is None:
assert (
parse_options_header is not None
), "The `python-multipart` library must be installed to use form parsing."
content_type_header = self.orig_headers.get("Content-Type")
content_type, options = parse_options_header(content_type_header)
if content_type == b"multipart/form-data":
multipart_parser = MultiPartParser(self.orig_headers, self.stream())
self._form = await multipart_parser.parse()
elif content_type == b"application/x-www-form-urlencoded":
form_parser = FormParser(self.orig_headers, self.stream())
self._form = await form_parser.parse()
else:
self._form = FormData()
return self._form
async def body(self) -> bytes:
if not hasattr(self, "_body"):
forms = {}
merge = {}
body = await super().body()
self._body = body
form_data = await self.form()
if form_data:
endpoint = self.url.path
logger.debug("processing form data")
for k, v in form_data.multi_items():
forms[k] = v
if 'data' not in forms:
self.form_err = (422, "Non-empty data field is required")
return self._body
else:
try:
tmp = json.loads(forms['data'])
except json.JSONDecodeError as e:
self.form_err = (400, f'Failed to parse JSON: {e}')
return self._body
if isinstance(tmp, list):
merge['commands'] = tmp
else:
merge = tmp
if 'commands' in merge:
cmds = merge['commands']
else:
cmds = copy.deepcopy(merge)
cmds = [cmds]
for c in cmds:
if not isinstance(c, dict):
self.form_err = (400,
f"Malformed command '{c}': any command must be JSON of dict")
return self._body
if 'op' not in c:
self.form_err = (400,
f"Malformed command '{c}': missing 'op' field")
if endpoint not in ('/config-file', '/container-image',
'/image', '/configure-section'):
if 'path' not in c:
self.form_err = (400,
f"Malformed command '{c}': missing 'path' field")
elif not isinstance(c['path'], list):
self.form_err = (400,
f"Malformed command '{c}': 'path' field must be a list")
elif not all(isinstance(el, str) for el in c['path']):
self.form_err = (400,
f"Malformed command '{0}': 'path' field must be a list of strings")
if endpoint in ('/configure'):
if not c['path']:
self.form_err = (400,
f"Malformed command '{c}': 'path' list must be non-empty")
if 'value' in c and not isinstance(c['value'], str):
self.form_err = (400,
f"Malformed command '{c}': 'value' field must be a string")
if endpoint in ('/configure-section'):
if 'section' not in c and 'config' not in c:
self.form_err = (400,
f"Malformed command '{c}': missing 'section' or 'config' field")
if 'key' not in forms and 'key' not in merge:
self.form_err = (401, "Valid API key is required")
if 'key' in forms and 'key' not in merge:
merge['key'] = forms['key']
new_body = json.dumps(merge)
new_body = new_body.encode()
self._body = new_body
return self._body
class MultipartRoute(APIRoute):
def get_route_handler(self) -> Callable:
original_route_handler = super().get_route_handler()
async def custom_route_handler(request: Request) -> Response:
request = MultipartRequest(request.scope, request.receive)
try:
response: Response = await original_route_handler(request)
except HTTPException as e:
return error(e.status_code, e.detail)
except Exception as e:
form_err = request.form_err
if form_err:
return error(*form_err)
raise e
return response
return custom_route_handler
app = FastAPI(debug=True,
title="VyOS API",
version="0.1.0",
responses={**responses},
dependencies=[Depends(auth_required)])
app.router.route_class = MultipartRoute
@app.exception_handler(RequestValidationError)
async def validation_exception_handler(request, exc):
return error(400, str(exc.errors()[0]))
self_ref_msg = "Requested HTTP API server configuration change; commit will be called in the background"
def call_commit(s: ConfigSession):
try:
s.commit()
except ConfigSessionError as e:
s.discard()
if app.state.vyos_debug:
logger.warning(f"ConfigSessionError:\n {traceback.format_exc()}")
else:
logger.warning(f"ConfigSessionError: {e}")
def _configure_op(data: Union[ConfigureModel, ConfigureListModel,
ConfigSectionModel, ConfigSectionListModel,
ConfigSectionTreeModel],
request: Request, background_tasks: BackgroundTasks):
session = app.state.vyos_session
env = session.get_session_env()
endpoint = request.url.path
# Allow users to pass just one command
if not isinstance(data, (ConfigureListModel, ConfigSectionListModel)):
data = [data]
else:
data = data.commands
# We don't want multiple people/apps to be able to commit at once,
# or modify the shared session while someone else is doing the same,
# so the lock is really global
lock.acquire()
config = Config(session_env=env)
status = 200
msg = None
error_msg = None
try:
for c in data:
op = c.op
if not isinstance(c, BaseConfigSectionTreeModel):
path = c.path
if isinstance(c, BaseConfigureModel):
if c.value:
value = c.value
else:
value = ""
# For vyos.configsession calls that have no separate value arguments,
# and for type checking too
cfg_path = " ".join(path + [value]).strip()
elif isinstance(c, BaseConfigSectionModel):
section = c.section
elif isinstance(c, BaseConfigSectionTreeModel):
mask = c.mask
config = c.config
if isinstance(c, BaseConfigureModel):
if op == 'set':
session.set(path, value=value)
elif op == 'delete':
if app.state.vyos_strict and not config.exists(cfg_path):
raise ConfigSessionError(f"Cannot delete [{cfg_path}]: path/value does not exist")
session.delete(path, value=value)
elif op == 'comment':
session.comment(path, value=value)
else:
raise ConfigSessionError(f"'{op}' is not a valid operation")
elif isinstance(c, BaseConfigSectionModel):
if op == 'set':
session.set_section(path, section)
elif op == 'load':
session.load_section(path, section)
else:
raise ConfigSessionError(f"'{op}' is not a valid operation")
elif isinstance(c, BaseConfigSectionTreeModel):
if op == 'set':
session.set_section_tree(config)
elif op == 'load':
session.load_section_tree(mask, config)
else:
raise ConfigSessionError(f"'{op}' is not a valid operation")
# end for
config = Config(session_env=env)
d = get_config_diff(config)
if d.is_node_changed(['service', 'https']):
background_tasks.add_task(call_commit, session)
msg = self_ref_msg
else:
- session.commit()
+ # capture non-fatal warnings
+ out = session.commit()
+ msg = out if out else msg
logger.info(f"Configuration modified via HTTP API using key '{app.state.vyos_id}'")
except ConfigSessionError as e:
session.discard()
status = 400
if app.state.vyos_debug:
logger.critical(f"ConfigSessionError:\n {traceback.format_exc()}")
error_msg = str(e)
except Exception as e:
session.discard()
logger.critical(traceback.format_exc())
status = 500
# Don't give the details away to the outer world
error_msg = "An internal error occured. Check the logs for details."
finally:
lock.release()
if status != 200:
return error(status, error_msg)
return success(msg)
def create_path_import_pki_no_prompt(path):
correct_paths = ['ca', 'certificate', 'key-pair']
if path[1] not in correct_paths:
return False
path[1] = '--' + path[1].replace('-', '')
path[3] = '--key-filename'
return path[1:]
@app.post('/configure')
def configure_op(data: Union[ConfigureModel,
ConfigureListModel],
request: Request, background_tasks: BackgroundTasks):
return _configure_op(data, request, background_tasks)
@app.post('/configure-section')
def configure_section_op(data: Union[ConfigSectionModel,
ConfigSectionListModel,
ConfigSectionTreeModel],
request: Request, background_tasks: BackgroundTasks):
return _configure_op(data, request, background_tasks)
@app.post("/retrieve")
async def retrieve_op(data: RetrieveModel):
session = app.state.vyos_session
env = session.get_session_env()
config = Config(session_env=env)
op = data.op
path = " ".join(data.path)
try:
if op == 'returnValue':
res = config.return_value(path)
elif op == 'returnValues':
res = config.return_values(path)
elif op == 'exists':
res = config.exists(path)
elif op == 'showConfig':
config_format = 'json'
if data.configFormat:
config_format = data.configFormat
res = session.show_config(path=data.path)
if config_format == 'json':
config_tree = ConfigTree(res)
res = json.loads(config_tree.to_json())
elif config_format == 'json_ast':
config_tree = ConfigTree(res)
res = json.loads(config_tree.to_json_ast())
elif config_format == 'raw':
pass
else:
return error(400, f"'{config_format}' is not a valid config format")
else:
return error(400, f"'{op}' is not a valid operation")
except ConfigSessionError as e:
return error(400, str(e))
except Exception as e:
logger.critical(traceback.format_exc())
return error(500, "An internal error occured. Check the logs for details.")
return success(res)
@app.post('/config-file')
def config_file_op(data: ConfigFileModel, background_tasks: BackgroundTasks):
session = app.state.vyos_session
env = session.get_session_env()
op = data.op
msg = None
try:
if op == 'save':
if data.file:
path = data.file
else:
path = '/config/config.boot'
msg = session.save_config(path)
elif op == 'load':
if data.file:
path = data.file
else:
return error(400, "Missing required field \"file\"")
session.migrate_and_load_config(path)
config = Config(session_env=env)
d = get_config_diff(config)
if d.is_node_changed(['service', 'https']):
background_tasks.add_task(call_commit, session)
msg = self_ref_msg
else:
session.commit()
else:
return error(400, f"'{op}' is not a valid operation")
except ConfigSessionError as e:
return error(400, str(e))
except Exception as e:
logger.critical(traceback.format_exc())
return error(500, "An internal error occured. Check the logs for details.")
return success(msg)
@app.post('/image')
def image_op(data: ImageModel):
session = app.state.vyos_session
op = data.op
try:
if op == 'add':
res = session.install_image(data.url)
elif op == 'delete':
res = session.remove_image(data.name)
elif op == 'show':
res = session.show(["system", "image"])
elif op == 'set_default':
res = session.set_default_image(data.name)
except ConfigSessionError as e:
return error(400, str(e))
except Exception as e:
logger.critical(traceback.format_exc())
return error(500, "An internal error occured. Check the logs for details.")
return success(res)
@app.post('/container-image')
def container_image_op(data: ContainerImageModel):
session = app.state.vyos_session
op = data.op
try:
if op == 'add':
if data.name:
name = data.name
else:
return error(400, "Missing required field \"name\"")
res = session.add_container_image(name)
elif op == 'delete':
if data.name:
name = data.name
else:
return error(400, "Missing required field \"name\"")
res = session.delete_container_image(name)
elif op == 'show':
res = session.show_container_image()
else:
return error(400, f"'{op}' is not a valid operation")
except ConfigSessionError as e:
return error(400, str(e))
except Exception as e:
logger.critical(traceback.format_exc())
return error(500, "An internal error occured. Check the logs for details.")
return success(res)
@app.post('/generate')
def generate_op(data: GenerateModel):
session = app.state.vyos_session
op = data.op
path = data.path
try:
if op == 'generate':
res = session.generate(path)
else:
return error(400, f"'{op}' is not a valid operation")
except ConfigSessionError as e:
return error(400, str(e))
except Exception as e:
logger.critical(traceback.format_exc())
return error(500, "An internal error occured. Check the logs for details.")
return success(res)
@app.post('/show')
def show_op(data: ShowModel):
session = app.state.vyos_session
op = data.op
path = data.path
try:
if op == 'show':
res = session.show(path)
else:
return error(400, f"'{op}' is not a valid operation")
except ConfigSessionError as e:
return error(400, str(e))
except Exception as e:
logger.critical(traceback.format_exc())
return error(500, "An internal error occured. Check the logs for details.")
return success(res)
@app.post('/reboot')
def reboot_op(data: RebootModel):
session = app.state.vyos_session
op = data.op
path = data.path
try:
if op == 'reboot':
res = session.reboot(path)
else:
return error(400, f"'{op}' is not a valid operation")
except ConfigSessionError as e:
return error(400, str(e))
except Exception as e:
logger.critical(traceback.format_exc())
return error(500, "An internal error occured. Check the logs for details.")
return success(res)
@app.post('/reset')
def reset_op(data: ResetModel):
session = app.state.vyos_session
op = data.op
path = data.path
try:
if op == 'reset':
res = session.reset(path)
else:
return error(400, f"'{op}' is not a valid operation")
except ConfigSessionError as e:
return error(400, str(e))
except Exception as e:
logger.critical(traceback.format_exc())
return error(500, "An internal error occured. Check the logs for details.")
return success(res)
@app.post('/import-pki')
def import_pki(data: ImportPkiModel):
session = app.state.vyos_session
op = data.op
path = data.path
lock.acquire()
try:
if op == 'import-pki':
# need to get rid or interactive mode for private key
if len(path) == 5 and path[3] in ['key-file', 'private-key']:
path_no_prompt = create_path_import_pki_no_prompt(path)
if not path_no_prompt:
return error(400, f"Invalid command: {' '.join(path)}")
if data.passphrase:
path_no_prompt += ['--passphrase', data.passphrase]
res = session.import_pki_no_prompt(path_no_prompt)
else:
res = session.import_pki(path)
if not res[0].isdigit():
return error(400, res)
# commit changes
session.commit()
res = res.split('. ')[0]
else:
return error(400, f"'{op}' is not a valid operation")
except ConfigSessionError as e:
return error(400, str(e))
except Exception as e:
logger.critical(traceback.format_exc())
return error(500, "An internal error occured. Check the logs for details.")
finally:
lock.release()
return success(res)
@app.post('/poweroff')
def poweroff_op(data: PoweroffModel):
session = app.state.vyos_session
op = data.op
path = data.path
try:
if op == 'poweroff':
res = session.poweroff(path)
else:
return error(400, f"'{op}' is not a valid operation")
except ConfigSessionError as e:
return error(400, str(e))
except Exception as e:
logger.critical(traceback.format_exc())
return error(500, "An internal error occured. Check the logs for details.")
return success(res)
###
# GraphQL integration
###
def graphql_init(app: FastAPI = app):
from api.graphql.libs.token_auth import get_user_context
api.graphql.state.init()
api.graphql.state.settings['app'] = app
# import after initializaion of state
from api.graphql.bindings import generate_schema
schema = generate_schema()
in_spec = app.state.vyos_introspection
if app.state.vyos_origins:
origins = app.state.vyos_origins
app.add_route('/graphql', CORSMiddleware(GraphQL(schema,
context_value=get_user_context,
debug=True,
introspection=in_spec),
allow_origins=origins,
allow_methods=("GET", "POST", "OPTIONS"),
allow_headers=("Authorization",)))
else:
app.add_route('/graphql', GraphQL(schema,
context_value=get_user_context,
debug=True,
introspection=in_spec))
###
# Modify uvicorn to allow reloading server within the configsession
###
server = None
shutdown = False
class ApiServerConfig(UvicornConfig):
pass
class ApiServer(UvicornServer):
def install_signal_handlers(self):
pass
def reload_handler(signum, frame):
global server
logger.debug('Reload signal received...')
if server is not None:
server.handle_exit(signum, frame)
server = None
logger.info('Server stopping for reload...')
else:
logger.warning('Reload called for non-running server...')
def shutdown_handler(signum, frame):
global shutdown
logger.debug('Shutdown signal received...')
server.handle_exit(signum, frame)
logger.info('Server shutdown...')
shutdown = True
def flatten_keys(d: dict) -> list[dict]:
keys_list = []
for el in list(d['keys'].get('id', {})):
key = d['keys']['id'][el].get('key', '')
if key:
keys_list.append({'id': el, 'key': key})
return keys_list
def initialization(session: ConfigSession, app: FastAPI = app):
global server
try:
server_config = load_server_config()
except Exception as e:
logger.critical(f'Failed to load the HTTP API server config: {e}')
sys.exit(1)
app.state.vyos_session = session
app.state.vyos_keys = []
if 'keys' in server_config:
app.state.vyos_keys = flatten_keys(server_config)
app.state.vyos_debug = bool('debug' in server_config)
app.state.vyos_strict = bool('strict' in server_config)
app.state.vyos_origins = server_config.get('cors', {}).get('allow_origin', [])
if 'graphql' in server_config:
app.state.vyos_graphql = True
if isinstance(server_config['graphql'], dict):
if 'introspection' in server_config['graphql']:
app.state.vyos_introspection = True
else:
app.state.vyos_introspection = False
# default values if not set explicitly
app.state.vyos_auth_type = server_config['graphql']['authentication']['type']
app.state.vyos_token_exp = server_config['graphql']['authentication']['expiration']
app.state.vyos_secret_len = server_config['graphql']['authentication']['secret_length']
else:
app.state.vyos_graphql = False
if app.state.vyos_graphql:
graphql_init(app)
config = ApiServerConfig(app, uds="/run/api.sock", proxy_headers=True)
server = ApiServer(config)
def run_server():
try:
server.run()
except OSError as e:
logger.critical(e)
sys.exit(1)
if __name__ == '__main__':
# systemd's user and group options don't work, do it by hand here,
# else no one else will be able to commit
cfg_group = grp.getgrnam(CFG_GROUP)
os.setgid(cfg_group.gr_gid)
# Need to set file permissions to 775 too so that every vyattacfg group member
# has write access to the running config
os.umask(0o002)
signal.signal(signal.SIGHUP, reload_handler)
signal.signal(signal.SIGTERM, shutdown_handler)
config_session = ConfigSession(os.getpid())
while True:
logger.debug('Enter main loop...')
if shutdown:
break
if server is None:
initialization(config_session)
server.run()
sleep(1)
diff --git a/src/shim/vyshim.c b/src/shim/vyshim.c
index a78f62a7b..68e6c4015 100644
--- a/src/shim/vyshim.c
+++ b/src/shim/vyshim.c
@@ -1,344 +1,371 @@
/*
* Copyright (C) 2020-2024 VyOS maintainers and contributors
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 or later as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <string.h>
#include <sys/time.h>
#include <time.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <zmq.h>
#include "mkjson.h"
/*
*
*
*/
#if DEBUG
#define DEBUG_ON 1
#else
#define DEBUG_ON 0
#endif
#define debug_print(fmt, ...) \
do { if (DEBUG_ON) fprintf(stderr, fmt, ##__VA_ARGS__); } while (0)
#define debug_call(f) \
do { if (DEBUG_ON) f; } while (0)
#define SOCKET_PATH "ipc:///run/vyos-configd.sock"
#define GET_ACTIVE "cli-shell-api --show-active-only --show-show-defaults --show-ignore-edit showConfig"
#define GET_SESSION "cli-shell-api --show-working-only --show-show-defaults --show-ignore-edit showConfig"
#define COMMIT_MARKER "/var/tmp/initial_in_commit"
#define QUEUE_MARKER "/var/tmp/last_in_queue"
enum {
SUCCESS = 1 << 0,
ERROR_COMMIT = 1 << 1,
ERROR_DAEMON = 1 << 2,
PASS = 1 << 3
};
volatile int init_alarm = 0;
volatile int timeout = 0;
int initialization(void *);
int pass_through(char **, int);
void timer_handler(int);
double get_posix_clock_time(void);
+static char * s_recv_string (void *, int);
+
int main(int argc, char* argv[])
{
// string for node data: conf_mode script and tagnode, if applicable
char string_node_data[256];
string_node_data[0] = '\0';
void *context = zmq_ctx_new();
void *requester = zmq_socket(context, ZMQ_REQ);
int ex_index;
int init_timeout = 0;
int last = 0;
debug_print("Connecting to vyos-configd ...\n");
zmq_connect(requester, SOCKET_PATH);
for (int i = 1; i < argc ; i++) {
strncat(&string_node_data[0], argv[i], 127);
}
debug_print("data to send: %s\n", string_node_data);
char *test = strstr(string_node_data, "VYOS_TAGNODE_VALUE");
ex_index = test ? 2 : 1;
if (access(COMMIT_MARKER, F_OK) != -1) {
init_timeout = initialization(requester);
if (!init_timeout) remove(COMMIT_MARKER);
}
// if initial communication failed, pass through execution of script
if (init_timeout) {
int ret = pass_through(argv, ex_index);
return ret;
}
if (access(QUEUE_MARKER, F_OK) != -1) {
last = 1;
remove(QUEUE_MARKER);
}
char error_code[1];
debug_print("Sending node data ...\n");
char *string_node_data_msg = mkjson(MKJSON_OBJ, 3,
MKJSON_STRING, "type", "node",
MKJSON_BOOL, "last", last,
MKJSON_STRING, "data", &string_node_data[0]);
zmq_send(requester, string_node_data_msg, strlen(string_node_data_msg), 0);
zmq_recv(requester, error_code, 1, 0);
debug_print("Received node data receipt\n");
- int err = (int)error_code[0];
+ char msg_size_str[7];
+ zmq_send(requester, "msg_size", 8, 0);
+ zmq_recv(requester, msg_size_str, 6, 0);
+ msg_size_str[6] = '\0';
+ int msg_size = (int)strtol(msg_size_str, NULL, 16);
+ debug_print("msg_size: %d\n", msg_size);
+
+ if (msg_size > 0) {
+ zmq_send(requester, "send", 4, 0);
+ char *msg = s_recv_string(requester, msg_size);
+ printf("%s", msg);
+ free(msg);
+ }
free(string_node_data_msg);
- zmq_close(requester);
- zmq_ctx_destroy(context);
+ int err = (int)error_code[0];
+ int ret = 0;
if (err & PASS) {
debug_print("Received PASS\n");
- int ret = pass_through(argv, ex_index);
- return ret;
+ ret = pass_through(argv, ex_index);
}
if (err & ERROR_DAEMON) {
debug_print("Received ERROR_DAEMON\n");
- int ret = pass_through(argv, ex_index);
- return ret;
+ ret = pass_through(argv, ex_index);
}
if (err & ERROR_COMMIT) {
debug_print("Received ERROR_COMMIT\n");
- return -1;
+ ret = -1;
}
- return 0;
+ zmq_close(requester);
+ zmq_ctx_destroy(context);
+
+ return ret;
}
int initialization(void* Requester)
{
char *active_str = NULL;
size_t active_len = 0;
char *session_str = NULL;
size_t session_len = 0;
char *empty_string = "\n";
char buffer[16];
struct sigaction sa;
struct itimerval timer, none_timer;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = &timer_handler;
sigaction(SIGALRM, &sa, NULL);
timer.it_value.tv_sec = 0;
timer.it_value.tv_usec = 10000;
timer.it_interval.tv_sec = timer.it_interval.tv_usec = 0;
none_timer.it_value.tv_sec = none_timer.it_value.tv_usec = 0;
none_timer.it_interval.tv_sec = none_timer.it_interval.tv_usec = 0;
double prev_time_value, time_value;
double time_diff;
char *pid_val = getenv("VYATTA_CONFIG_TMP");
strsep(&pid_val, "_");
debug_print("config session pid: %s\n", pid_val);
char *sudo_user = getenv("SUDO_USER");
if (!sudo_user) {
char nobody[] = "nobody";
sudo_user = nobody;
}
debug_print("sudo_user is %s\n", sudo_user);
char *temp_config_dir = getenv("VYATTA_TEMP_CONFIG_DIR");
if (!temp_config_dir) {
char none[] = "";
temp_config_dir = none;
}
debug_print("temp_config_dir is %s\n", temp_config_dir);
char *changes_only_dir = getenv("VYATTA_CHANGES_ONLY_DIR");
if (!changes_only_dir) {
char none[] = "";
changes_only_dir = none;
}
debug_print("changes_only_dir is %s\n", changes_only_dir);
debug_print("Sending init announcement\n");
char *init_announce = mkjson(MKJSON_OBJ, 1,
MKJSON_STRING, "type", "init");
// check for timeout on initial contact
while (!init_alarm) {
debug_call(prev_time_value = get_posix_clock_time());
setitimer(ITIMER_REAL, &timer, NULL);
zmq_send(Requester, init_announce, strlen(init_announce), 0);
zmq_recv(Requester, buffer, 16, 0);
setitimer(ITIMER_REAL, &none_timer, &timer);
debug_call(time_value = get_posix_clock_time());
debug_print("Received init receipt\n");
debug_call(time_diff = time_value - prev_time_value);
debug_print("time elapse %f\n", time_diff);
break;
}
free(init_announce);
if (timeout) return -1;
FILE *fp_a = popen(GET_ACTIVE, "r");
getdelim(&active_str, &active_len, '\0', fp_a);
int ret = pclose(fp_a);
if (!ret) {
debug_print("Sending active config\n");
zmq_send(Requester, active_str, active_len - 1, 0);
zmq_recv(Requester, buffer, 16, 0);
debug_print("Received active receipt\n");
} else {
debug_print("Sending empty active config\n");
zmq_send(Requester, empty_string, 0, 0);
zmq_recv(Requester, buffer, 16, 0);
debug_print("Received active receipt\n");
}
free(active_str);
FILE *fp_s = popen(GET_SESSION, "r");
getdelim(&session_str, &session_len, '\0', fp_s);
pclose(fp_s);
debug_print("Sending session config\n");
zmq_send(Requester, session_str, session_len - 1, 0);
zmq_recv(Requester, buffer, 16, 0);
debug_print("Received session receipt\n");
free(session_str);
debug_print("Sending config session pid\n");
zmq_send(Requester, pid_val, strlen(pid_val), 0);
zmq_recv(Requester, buffer, 16, 0);
debug_print("Received pid receipt\n");
debug_print("Sending config session sudo_user\n");
zmq_send(Requester, sudo_user, strlen(sudo_user), 0);
zmq_recv(Requester, buffer, 16, 0);
debug_print("Received sudo_user receipt\n");
debug_print("Sending config session temp_config_dir\n");
zmq_send(Requester, temp_config_dir, strlen(temp_config_dir), 0);
zmq_recv(Requester, buffer, 16, 0);
debug_print("Received temp_config_dir receipt\n");
debug_print("Sending config session changes_only_dir\n");
zmq_send(Requester, changes_only_dir, strlen(changes_only_dir), 0);
zmq_recv(Requester, buffer, 16, 0);
debug_print("Received changes_only_dir receipt\n");
return 0;
}
int pass_through(char **argv, int ex_index)
{
char **newargv = NULL;
pid_t child_pid;
newargv = &argv[ex_index];
if (ex_index > 1) {
putenv(argv[ex_index - 1]);
}
debug_print("pass-through invoked\n");
if ((child_pid=fork()) < 0) {
debug_print("fork() failed\n");
return -1;
} else if (child_pid == 0) {
if (-1 == execv(argv[ex_index], newargv)) {
debug_print("pass_through execve failed %s: %s\n",
argv[ex_index], strerror(errno));
return -1;
}
} else if (child_pid > 0) {
int status;
pid_t wait_pid = waitpid(child_pid, &status, 0);
if (wait_pid < 0) {
debug_print("waitpid() failed\n");
return -1;
} else if (wait_pid == child_pid) {
if (WIFEXITED(status)) {
debug_print("child exited with code %d\n",
WEXITSTATUS(status));
return WEXITSTATUS(status);
}
}
}
return 0;
}
void timer_handler(int signum)
{
debug_print("timer_handler invoked\n");
timeout = 1;
init_alarm = 1;
return;
}
#ifdef _POSIX_MONOTONIC_CLOCK
double get_posix_clock_time(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0) {
return (double) (ts.tv_sec + ts.tv_nsec / 1000000000.0);
} else {
return 0;
}
}
#else
double get_posix_clock_time(void)
{return (double)0;}
#endif
+
+// Receive string from socket and convert into C string
+static char * s_recv_string (void *socket, int bufsize) {
+ char * buffer = (char *)malloc(bufsize+1);
+ int size = zmq_recv(socket, buffer, bufsize, 0);
+ if (size == -1)
+ return NULL;
+ if (size > bufsize)
+ size = bufsize;
+ buffer[size] = '\0';
+ return buffer;
+}