Merge pull request #3314 from vyos/mergify/bp/sagitta/pr-3311

pki: T6241: Fix dependency updates on PKI changes (backport #3311)
vyos · Apr 15, 2024 · 131bb13 · 131bb13
2 parents 534a037 + c976d71
commit 131bb13
Showing 1 changed file with 22 additions and 16 deletions.
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
@@ -24,6 +24,7 @@
 from vyos.configdep import set_dependents
 from vyos.configdep import call_dependents
 from vyos.configdict import node_changed
+from vyos.configdiff import Diff
 from vyos.defaults import directories
 from vyos.pki import is_ca_certificate
 from vyos.pki import load_certificate
@@ -136,32 +137,32 @@ def get_config(config=None):
     if len(argv) > 1 and argv[1] == 'certbot_renew':
         pki['certbot_renew'] = {}
 
-    tmp = node_changed(conf, base + ['ca'], recursive=True)
+    tmp = node_changed(conf, base + ['ca'], recursive=True, expand_nodes=Diff.DELETE | Diff.ADD)
     if tmp:
         if 'changed' not in pki: pki.update({'changed':{}})
         pki['changed'].update({'ca' : tmp})
 
-    tmp = node_changed(conf, base + ['certificate'], recursive=True)
+    tmp = node_changed(conf, base + ['certificate'], recursive=True, expand_nodes=Diff.DELETE | Diff.ADD)
     if tmp:
         if 'changed' not in pki: pki.update({'changed':{}})
         pki['changed'].update({'certificate' : tmp})
 
-    tmp = node_changed(conf, base + ['dh'], recursive=True)
+    tmp = node_changed(conf, base + ['dh'], recursive=True, expand_nodes=Diff.DELETE | Diff.ADD)
     if tmp:
         if 'changed' not in pki: pki.update({'changed':{}})
         pki['changed'].update({'dh' : tmp})
 
-    tmp = node_changed(conf, base + ['key-pair'], recursive=True)
+    tmp = node_changed(conf, base + ['key-pair'], recursive=True, expand_nodes=Diff.DELETE | Diff.ADD)
     if tmp:
         if 'changed' not in pki: pki.update({'changed':{}})
         pki['changed'].update({'key_pair' : tmp})
 
-    tmp = node_changed(conf, base + ['openssh'], recursive=True)
+    tmp = node_changed(conf, base + ['openssh'], recursive=True, expand_nodes=Diff.DELETE | Diff.ADD)
     if tmp:
         if 'changed' not in pki: pki.update({'changed':{}})
         pki['changed'].update({'openssh' : tmp})
 
-    tmp = node_changed(conf, base + ['openvpn', 'shared-secret'], recursive=True)
+    tmp = node_changed(conf, base + ['openvpn', 'shared-secret'], recursive=True, expand_nodes=Diff.DELETE | Diff.ADD)
     if tmp:
         if 'changed' not in pki: pki.update({'changed':{}})
         pki['changed'].update({'openvpn' : tmp})
@@ -217,16 +218,21 @@ def get_config(config=None):
                     if not search_dict:
                         continue
                     for found_name, found_path in dict_search_recursive(search_dict, key):
-                        if found_name == item_name:
-                            path = search['path']
-                            path_str = ' '.join(path + found_path)
-                            print(f'PKI: Updating config: {path_str} {found_name}')
-
-                            if path[0] == 'interfaces':
-                                ifname = found_path[0]
-                                set_dependents(path[1], conf, ifname)
-                            else:
-                                set_dependents(path[1], conf)
+                        if isinstance(found_name, list) and item_name not in found_name:
+                            continue
+
+                        if isinstance(found_name, str) and found_name != item_name:
+                            continue
+
+                        path = search['path']
+                        path_str = ' '.join(path + found_path)
+                        print(f'PKI: Updating config: {path_str} {item_name}')
+
+                        if path[0] == 'interfaces':
+                            ifname = found_path[0]
+                            set_dependents(path[1], conf, ifname)
+                        else:
+                            set_dependents(path[1], conf)
 
     return pki