http-api: T5782: use single config-mode script for https and http-api

vyos · Dec 1, 2023 · 4fcf4ce · 4fcf4ce
1 parent 006931b
commit 4fcf4ce
Show file tree

Hide file tree

Showing 7 changed files with 122 additions and 122 deletions.
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
@@ -1,6 +1,5 @@
 {
   "firewall": {"group_resync": ["nat", "policy-route"]},
-  "http_api": {"https": ["https"]},
   "interfaces_bonding": {
            "ethernet": ["interfaces-ethernet"]
          },

diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in
@@ -54,10 +54,9 @@
               #include <include/allow-client.xml.i>
             </children>
           </tagNode>
-          <node name="api" owner="${vyos_conf_scripts_dir}/http-api.py">
+          <node name="api">
             <properties>
               <help>VyOS HTTP API configuration</help>
-              <priority>1002</priority>
             </properties>
             <children>
               <node name="keys">

diff --git a/python/vyos/configdiff.py b/python/vyos/configdiff.py
@@ -165,6 +165,30 @@ def is_node_changed(self, path=[]):
             return True
         return False
 
+    def node_changed_presence(self, path=[]) -> bool:
+        if self._diff_tree is None:
+            raise NotImplementedError("diff_tree class not available")
+
+        path = self._make_path(path)
+        before = self._diff_tree.left.exists(path)
+        after = self._diff_tree.right.exists(path)
+        return (before and not after) or (not before and after)
+
+    def node_changed_children(self, path=[]) -> list:
+        if self._diff_tree is None:
+            raise NotImplementedError("diff_tree class not available")
+
+        path = self._make_path(path)
+        add = self._diff_tree.add
+        sub = self._diff_tree.sub
+        children = set()
+        if add.exists(path):
+            children.update(add.list_nodes(path))
+        if sub.exists(path):
+            children.update(sub.list_nodes(path))
+
+        return list(children)
+
     def get_child_nodes_diff_str(self, path=[]):
         ret = {'add': {}, 'change': {}, 'delete': {}}
 

diff --git a/smoketest/scripts/cli/test_service_https.py b/smoketest/scripts/cli/test_service_https.py
@@ -253,6 +253,35 @@ def test_api_auth(self):
         success = r.json()['data']['ShowVersion']['success']
         self.assertTrue(success)
 
+    @ignore_warning(InsecureRequestWarning)
+    def test_api_add_delete(self):
+        address = '127.0.0.1'
+        key = 'VyOS-key'
+        url = f'https://{address}/retrieve'
+        payload = {'data': '{"op": "showConfig", "path": []}', 'key': f'{key}'}
+        headers = {}
+
+        self.cli_set(base_path)
+        self.cli_commit()
+
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        # api not configured; expect 503
+        self.assertEqual(r.status_code, 503)
+
+        self.cli_set(base_path + ['api', 'keys', 'id', 'key-01', 'key', key])
+        self.cli_commit()
+
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        # api configured; expect 200
+        self.assertEqual(r.status_code, 200)
+
+        self.cli_delete(base_path + ['api'])
+        self.cli_commit()
+
+        r = request('POST', url, verify=False, headers=headers, data=payload)
+        # api deleted; expect 503
+        self.assertEqual(r.status_code, 503)
+
     @ignore_warning(InsecureRequestWarning)
     def test_api_show(self):
         address = '127.0.0.1'

diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
@@ -16,19 +16,24 @@
 
 import os
 import sys
+import json
 
 from copy import deepcopy
+from time import sleep
 
 import vyos.defaults
 import vyos.certbot_util
 
 from vyos.config import Config
+from vyos.configdiff import get_config_diff
 from vyos.configverify import verify_vrf
 from vyos import ConfigError
 from vyos.pki import wrap_certificate
 from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.utils.process import call
+from vyos.utils.process import is_systemd_service_running
+from vyos.utils.process import is_systemd_service_active
 from vyos.utils.network import check_port_availability
 from vyos.utils.network import is_listen_port_bind_service
 from vyos.utils.file import write_file
@@ -42,6 +47,9 @@
 key_dir = '/etc/ssl/private'
 certbot_dir = vyos.defaults.directories['certbot']
 
+api_config_state = '/run/http-api-state'
+systemd_service = '/run/systemd/system/vyos-http-api.service'
+
 # https config needs to coordinate several subsystems: api, certbot,
 # self-signed certificate, as well as the virtual hosts defined within the
 # https config definition itself. Consequently, one needs a general dict,
@@ -67,11 +75,35 @@ def get_config(config=None):
     if not conf.exists(base):
         return None
 
+    diff = get_config_diff(conf)
+
     https = conf.get_config_dict(base, get_first_key=True)
 
     if https:
         https['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
-                                get_first_key=True, no_tag_node_value_mangle=True)
+                                            no_tag_node_value_mangle=True,
+                                            get_first_key=True)
+
+    https['children_changed'] = diff.node_changed_children(base)
+    https['api_add_or_delete'] = diff.node_changed_presence(base + ['api'])
+
+    if 'api' not in https:
+        return https
+
+    http_api = conf.get_config_dict(base + ['api'], key_mangling=('-', '_'),
+                                    no_tag_node_value_mangle=True,
+                                    get_first_key=True,
+                                    with_recursive_defaults=True)
+
+    if http_api.from_defaults(['graphql']):
+        del http_api['graphql']
+
+    # Do we run inside a VRF context?
+    vrf_path = ['service', 'https', 'vrf']
+    if conf.exists(vrf_path):
+        http_api['vrf'] = conf.return_value(vrf_path)
+
+    https['api'] = http_api
 
     return https
 
@@ -103,7 +135,7 @@ def verify(https):
 
         if 'certbot' in https['certificates']:
             vhost_names = []
-            for vh, vh_conf in https.get('virtual-host', {}).items():
+            for _, vh_conf in https.get('virtual-host', {}).items():
                 vhost_names += vh_conf.get('server-name', [])
             domains = https['certificates']['certbot'].get('domain-name', [])
             domains_found = [domain for domain in domains if domain in vhost_names]
@@ -167,6 +199,14 @@ def generate(https):
     if https is None:
         return None
 
+    if 'api' not in https:
+        if os.path.exists(systemd_service):
+            os.unlink(systemd_service)
+    else:
+        render(systemd_service, 'https/vyos-http-api.service.j2', https['api'])
+        with open(api_config_state, 'w') as f:
+            json.dump(https['api'], f, indent=2)
+
     server_block_list = []
 
     # organize by vhosts
@@ -254,10 +294,31 @@ def generate(https):
 def apply(https):
     # Reload systemd manager configuration
     call('systemctl daemon-reload')
-    if https is not None:
-        call('systemctl restart nginx.service')
-    else:
-        call('systemctl stop nginx.service')
+    http_api_service_name = 'vyos-http-api.service'
+    https_service_name = 'nginx.service'
+
+    if https is None:
+        if is_systemd_service_active(f'{http_api_service_name}'):
+            call(f'systemctl stop {http_api_service_name}')
+        call(f'systemctl stop {https_service_name}')
+        return
+
+    if 'api' in https['children_changed']:
+        if 'api' in https:
+            if is_systemd_service_running(f'{http_api_service_name}'):
+                call(f'systemctl reload {http_api_service_name}')
+            else:
+                call(f'systemctl restart {http_api_service_name}')
+            # Let uvicorn settle before (possibly) restarting nginx
+            sleep(1)
+        else:
+            if is_systemd_service_active(f'{http_api_service_name}'):
+                call(f'systemctl stop {http_api_service_name}')
+
+    if (not is_systemd_service_running(f'{https_service_name}') or
+        https['api_add_or_delete'] or
+        set(https['children_changed']) - set(['api'])):
+        call(f'systemctl restart {https_service_name}')
 
 if __name__ == '__main__':
     try:

diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
@@ -50,7 +50,7 @@ from vyos.configsession import ConfigSession, ConfigSessionError
 
 import api.graphql.state
 
-api_config_state = '/tmp/api-config-state'
+api_config_state = '/run/http-api-state'
 CFG_GROUP = 'vyattacfg'
 
 debug = True