async def clean(self, tunable, schema_name, old=None):
verrors = ValidationErrors()
skip_dupe = False
tun_comment = tunable.get('comment')
tun_value = tunable['value']
tun_var = tunable['var']
if tun_comment is not None:
tunable['comment'] = tun_comment.strip()
if '"' in tun_value or "'" in tun_value:
verrors.add(f"{schema_name}.value",
'Quotes in value are not allowed')
if schema_name == 'tunable_update' and old:
old_tun_var = old['var']
if old_tun_var == tun_var:
# They aren't trying to change to a new name, just updating
skip_dupe = True
if not skip_dupe:
tun_vars = await self.middleware.call(
'datastore.query', self._config.datastore, [('tun_var', '=',
tun_var)])
if tun_vars:
verrors.add(f"{schema_name}.value",
'This variable already exists')
if verrors:
raise verrors
return tunable
async def validate(self, tunable, schema_name):
sysctl_re = \
re.compile('[a-z][a-z0-9_]+\.([a-z0-9_]+\.)*[a-z0-9_]+', re.I)
loader_re = \
re.compile('[a-z][a-z0-9_]+\.*([a-z0-9_]+\.)*[a-z0-9_]+', re.I)
verrors = ValidationErrors()
tun_var = tunable['var'].lower()
tun_type = tunable['type'].lower()
if tun_type == 'loader' or tun_type == 'rc':
err_msg = "Value can start with a letter and end with an alphanumeric. Aphanumeric and underscore" \
" characters are allowed"
else:
err_msg = 'Value can start with a letter and end with an alphanumeric. A period (.) once is a must.' \
' Alphanumeric and underscore characters are allowed'
if (
tun_type in ('loader', 'rc') and
not loader_re.match(tun_var)
) or (
tun_type == 'sysctl' and
not sysctl_re.match(tun_var)
):
verrors.add(f"{schema_name}.var", err_msg)
if verrors:
raise verrors
async def common_validation(self, data, schema_name):
verrors = ValidationErrors()
if data['authenticator'] not in self.schemas:
verrors.add(
f'{schema_name}.authenticator',
f'System does not support {data["authenticator"]} as an Authenticator'
)
else:
verrors = validate_attributes(self.schemas[data['authenticator']], data)
if verrors:
raise verrors
async def do_update(self, data):
"""
Update settings of SSH daemon service.
If `bindiface` is empty it will listen for all available addresses.
.. examples(websocket)::
Make sshd listen only to igb0 interface.
:::javascript
{
"id": "6841f242-840a-11e6-a437-00e04d680384",
"msg": "method",
"method": "ssh.update",
"params": [{
"bindiface": ["igb0"]
}]
}
"""
old = await self.config()
new = old.copy()
new.update(data)
if new['bindiface']:
verrors = ValidationErrors()
iface_choices = await self.middleware.call('ssh.bindiface_choices')
invalid_ifaces = list(filter(lambda x: x not in iface_choices, new['bindiface']))
if invalid_ifaces:
verrors.add(
'ssh_update.bindiface',
f'The following interfaces are not valid: {", ".join(invalid_ifaces)}',
)
verrors.check()
await self._update_service(old, new)
keyfile = "/usr/local/etc/ssh/ssh_host_ecdsa_key.pub"
if os.path.exists(keyfile):
with open(keyfile, "rb") as f:
pubkey = f.read().strip().split(None, 3)[1]
decoded_key = base64.b64decode(pubkey)
key_digest = hashlib.sha256(decoded_key).digest()
ssh_fingerprint = (b"SHA256:" + base64.b64encode(key_digest).replace(b"=", b"")).decode("utf-8")
syslog.openlog(logoption=syslog.LOG_PID, facility=syslog.LOG_USER)
syslog.syslog(syslog.LOG_ERR, 'ECDSA Fingerprint of the SSH KEY: ' + ssh_fingerprint)
syslog.closelog()
return new
async def validate(self, data, schema_name):
verrors = ValidationErrors()
if data['type'] == 'COMMAND':
if not data.get('command'):
verrors.add(f'{schema_name}.command', 'This field is required')
if data['type'] == 'SCRIPT':
if not data.get('script'):
verrors.add(f'{schema_name}.script', 'This field is required')
if verrors:
raise verrors
async def do_create(self, data):
data.update({
'kind': 'VolumeSnapshot',
'apiVersion': f'snapshot.storage.k8s.io/{self.VERSION}'
})
namespace = data.pop('namespace')
verrors = ValidationErrors()
if not await self.middleware.call(
'k8s.zfs.snapshotclass.query', [['metadata.name', '=', data['spec']['volumeSnapshotClassName']]]
):
verrors.add(
'zfs_snapshot_create.spec.volumeSnapshotClassName',
'Specified volumeSnapshotClassName does not exist.'
)
if not await self.middleware.call(
'k8s.pvc.query', [
['metadata.name', '=', data['spec']['source']['persistentVolumeClaimName']],
['metadata.namespace', '=', namespace]
]
):
verrors.add(
'zfs_snapshot_create.spec.source.persistentVolumeClaimName',
f'Specified persistentVolumeClaimName does not exist in {namespace}.'
)
verrors.check()
async with api_client() as (api, context):
await context['custom_object_api'].create_namespaced_custom_object(
group=self.GROUP, version=self.VERSION, plural=self.PLURAL, namespace=namespace, body=data
)
return data
async def do_create(self, data):
verrors = ValidationErrors()
# We normalize the label
data['label'] = data['label'].upper()
if await self.query([['id', '=', data['label']]]):
verrors.add('catalog_create.label', 'A catalog with specified label already exists', errno=errno.EEXIST)
if await self.query([['repository', '=', data['repository']], ['branch', '=', data['branch']]]):
for k in ('repository', 'branch'):
verrors.add(
f'catalog_create.{k}', 'A catalog with same repository/branch already exists', errno=errno.EEXIST
)
verrors.check()
if not data.pop('force'):
# We will validate the catalog now to ensure it's valid wrt contents / format
path = os.path.join(
TMP_IX_APPS_DIR, 'validate_catalogs', convert_repository_to_path(data['repository'], data['branch'])
)
try:
await self.middleware.call('catalog.update_git_repository', {**data, 'location': path}, True)
await self.middleware.call('catalog.validate_catalog_from_path', path)
finally:
await self.middleware.run_in_thread(shutil.rmtree, path, ignore_errors=True)
await self.middleware.call('datastore.insert', self._config.datastore, data)
asyncio.ensure_future(self.middleware.call('catalog.sync', data['label']))
return await self.get_instance(data['label'])
async def do_create(self, data):
"""
Create a Tunable.
"""
verrors = ValidationErrors()
if await self.middleware.call('tunable.query',
[('var', '=', data['var'])]):
verrors.add(
'tunable.create',
f'Tunable {data["var"]!r} already exists in database.',
errno.EEXIST)
if data['var'] not in await self.middleware.call(
'tunable.get_system_tunables'):
verrors.add('tunable.create',
f'Tunable {data["var"]!r} does not exist in kernel.',
errno.ENOENT)
verrors.check()
data['orig_value'] = await self.middleware.call(
'tunable.get_or_set', data['var'])
if (comment := data.get('comment', '').strip()):
data['comment'] = comment
async def common_validation(middleware, data, schema, mode):
verrors = ValidationErrors()
if data['cipher'] and data['cipher'] not in OpenVPN.ciphers():
verrors.add(f'{schema}.cipher', 'Please specify a valid cipher.')
if data['authentication_algorithm'] and data[
'authentication_algorithm'] not in OpenVPN.digests():
verrors.add(f'{schema}.authentication_algorithm',
'Please specify a valid authentication_algorithm.')
if data['root_ca']:
verrors = await OpenVPN.cert_validation(middleware, data, schema,
mode, verrors)
if data['tls_crypt_auth_enabled'] and not data['tls_crypt_auth']:
verrors.add(
f'{schema}.tls_crypt_auth',
'Please provide static key for authentication/encryption of all control '
'channel packets when tls_crypt_auth_enabled is enabled.')
data['tls_crypt_auth'] = None if not data.pop(
'tls_crypt_auth_enabled') else data['tls_crypt_auth']
return verrors, data
async def validate_data(self, data, schema):
verrors = ValidationErrors()
path = data.get('path')
if not path:
verrors.add(
f'{schema}.path',
'This field is required'
)
else:
await check_path_resides_within_volume(verrors, self.middleware, f'{schema}.path', data['path'])
name = data.get('name')
if not name:
verrors.add(
f'{schema}.name',
'This field is required'
)
else:
if not name.isalnum():
verrors.add(
f'{schema}.name',
'Only AlphaNumeric characters are allowed'
)
if verrors:
raise verrors
if not os.path.exists(path):
os.makedirs(path)
async def validate(self, data, schema_name):
verrors = ValidationErrors()
if data.get('protocol') == 'httphttps' and data.get('tcpport') == data.get('tcpportssl'):
verrors.add(
f"{schema_name}.tcpportssl",
'The HTTP and HTTPS ports cannot be the same!'
)
cert_ssl = data.get('certssl') or 0
if data.get('protocol') != 'http':
if not cert_ssl:
verrors.add(
f"{schema_name}.certssl",
'WebDAV SSL protocol specified without choosing a certificate'
)
else:
verrors.extend((await self.middleware.call(
'certificate.cert_services_validation', cert_ssl, f'{schema_name}.certssl', False
)))
if verrors:
raise verrors
return data
async def do_create(self, data):
"""
Create a Virtual Machine (VM).
`grubconfig` may either be a path for the grub.cfg file or the actual content
of the file to be used with GRUB bootloader.
`devices` is a list of virtualized hardware to add to the newly created Virtual Machine.
Failure to attach a device destroys the VM and any resources allocated by the VM devices.
Maximum of 16 guest virtual CPUs are allowed. By default, every virtual CPU is configured as a
separate package. Multiple cores can be configured per CPU by specifying `cores` attributes.
`vcpus` specifies total number of CPU sockets. `cores` specifies number of cores per socket. `threads`
specifies number of threads per core.
`shutdown_timeout` indicates the time in seconds the system waits for the VM to cleanly shutdown. During system
shutdown, if the VM hasn't exited after a hardware shutdown signal has been sent by the system within
`shutdown_timeout` seconds, system initiates poweroff for the VM to stop it.
SCALE Angelfish: Specifying `devices` is deprecated and will be removed in next major release.
"""
async with LIBVIRT_LOCK:
await self.middleware.run_in_thread(self._check_setup_connection)
if data.get('devices'):
warnings.warn(
'SCALE Angelfish: Specifying "devices" in "vm.create" is deprecated and will be '
'removed in next major release.', DeprecationWarning)
verrors = ValidationErrors()
await self.__common_validation(verrors, 'vm_create', data)
verrors.check()
devices = data.pop('devices')
vm_id = await self.middleware.call('datastore.insert', 'vm.vm', data)
try:
await self.safe_devices_updates(devices)
except Exception as e:
await self.middleware.call('vm.delete', vm_id)
raise e
else:
for device in devices:
await self.middleware.call('vm.device.create', {
'vm': vm_id,
**device
})
await self.middleware.run_in_thread(self._add, vm_id)
return await self.get_instance(vm_id)
async def validate(self, data, schema_name):
verrors = ValidationErrors()
if data['type'] == 'COMMAND':
if not data.get('command'):
verrors.add(f'{schema_name}.command', 'This field is required')
else:
data['script_text'] = ''
data['script'] = ''
if data['type'] == 'SCRIPT':
if data.get('script') and data.get('script_text'):
verrors.add(f'{schema_name}.script',
'Only one of two fields should be provided')
elif not data.get('script') and not data.get('script_text'):
# IDEA may be it's worth putting both fields validations errors to verrors
# e.g.
# verrors.add(f'{schema_name}.script', 'This field is required')
# verrors.add(f'{schema_name}.script_text', 'This field is required')
verrors.add(
f'{schema_name}.script',
"Either 'script' or 'script_text' field is required")
elif data.get('script') and not data.get('script_text'):
data['command'] = ''
data['script_text'] = ''
else:
data['command'] = ''
data['script'] = ''
if verrors:
raise verrors
async def validate_data(self, data, schema):
verrors = ValidationErrors()
path = data.get('path')
if not path:
verrors.add(
f'{schema}.path',
'This field is required'
)
else:
await check_path_resides_within_volume(verrors, self.middleware, f'{schema}.path', data['path'])
name = data.get('name')
if not name:
verrors.add(
f'{schema}.name',
'This field is required'
)
else:
if not name.isalnum():
verrors.add(
f'{schema}.name',
'Only AlphaNumeric characters are allowed'
)
if verrors:
raise verrors
async def validate(self, data, schema_name):
verrors = ValidationErrors()
if data.get('protocol') == 'httphttps' and data.get('tcpport') == data.get('tcpportssl'):
verrors.add(
f"{schema_name}.tcpportssl",
'The HTTP and HTTPS ports cannot be the same!'
)
cert_ssl = data.get('certssl') or 0
if data.get('protocol') != 'http':
if not cert_ssl:
verrors.add(
f"{schema_name}.certssl",
'WebDAV SSL protocol specified without choosing a certificate'
)
else:
verrors.extend((await self.middleware.call(
'certificate.cert_services_validation', cert_ssl, f'{schema_name}.certssl', False
)))
if verrors:
raise verrors
return data
async def validate(self, data, schema_name):
verrors = ValidationErrors()
if (data.get('protocol') == 'httphttps' and data.get(
'tcpport') == data.get('tcpportssl')):
verrors.add(f"{schema_name}.tcpportssl",
'The HTTP and HTTPS ports cannot be the same!')
if (data.get('protocol') != 'http' and data.get('certssl') is None):
verrors.add(
f"{schema_name}.certssl",
'WebDAV SSL protocol specified without choosing a certificate'
)
if verrors:
raise verrors
return data
def send_event(self, event_type, **kwargs):
if conf.debug_mode and event_type in ('ADDED', 'CHANGED'):
verrors = ValidationErrors()
clean_and_validate_arg(verrors, self.RETURNS[0],
kwargs.get('fields'))
if verrors:
asyncio.ensure_future(self.unsubscribe_all(verrors))
return
self.send_event_internal(event_type, **kwargs)
async def do_create(self, data):
"""
Create a Virtual Machine (VM).
Maximum of 16 guest virtual CPUs are allowed. By default, every virtual CPU is configured as a
separate package. Multiple cores can be configured per CPU by specifying `cores` attributes.
`vcpus` specifies total number of CPU sockets. `cores` specifies number of cores per socket. `threads`
specifies number of threads per core.
`ensure_display_device` when set ( the default ) will ensure that the guest always has access to a video device.
For headless installations like ubuntu server this is required for the guest to operate properly. However
for cases where consumer would like to use GPU passthrough and does not want a display device added should set
this to `false`.
`arch_type` refers to architecture type and can be specified for the guest. By default the value is `null` and
system in this case will choose a reasonable default based on host.
`machine_type` refers to machine type of the guest based on the architecture type selected with `arch_type`.
By default the value is `null` and system in this case will choose a reasonable default based on `arch_type`
configuration.
`shutdown_timeout` indicates the time in seconds the system waits for the VM to cleanly shutdown. During system
shutdown, if the VM hasn't exited after a hardware shutdown signal has been sent by the system within
`shutdown_timeout` seconds, system initiates poweroff for the VM to stop it.
`hide_from_msr` is a boolean which when set will hide the KVM hypervisor from standard MSR based discovery and
is useful to enable when doing GPU passthrough.
`hyperv_enlightenments` can be used to enable subset of predefined Hyper-V enlightenments for Windows guests. These
enlightenments improve performance and enable otherwise missing features.
"""
async with LIBVIRT_LOCK:
await self.middleware.run_in_thread(self._check_setup_connection)
verrors = ValidationErrors()
await self.__common_validation(verrors, 'vm_create', data)
verrors.check()
vm_id = await self.middleware.call('datastore.insert', 'vm.vm', data)
await self.middleware.run_in_thread(self._add, vm_id)
await self.middleware.call('etc.generate', 'libvirt_guests')
return await self.get_instance(vm_id)
async def _validate(self, schema_name, data, id=None):
verrors = ValidationErrors()
await self._ensure_unique(verrors, schema_name, "name", data["name"], id)
if data["type"] not in TYPES:
verrors.add(f"{schema_name}.type", "Invalid type")
raise verrors
else:
type = TYPES[data["type"]]
attributes_verrors = validate_attributes(type.credentials_schema, data)
verrors.add_child(f"{schema_name}.attributes", attributes_verrors)
if verrors:
raise verrors
await type.validate_and_pre_save(self.middleware, verrors, f"{schema_name}.attributes", data["attributes"])
if verrors:
raise verrors
async def clean(self, tunable, schema_name, old=None):
verrors = ValidationErrors()
skip_dupe = False
tun_comment = tunable.get('comment')
tun_value = tunable['value']
tun_var = tunable['var']
if tun_comment is not None:
tunable['comment'] = tun_comment.strip()
if '"' in tun_value or "'" in tun_value:
verrors.add(f"{schema_name}.value",
'Quotes in value are not allowed')
if schema_name == 'tunable_update' and old:
old_tun_var = old['var']
if old_tun_var == tun_var:
# They aren't trying to change to a new name, just updating
skip_dupe = True
if not skip_dupe:
tun_vars = await self.middleware.call(
'datastore.query', self._config.datastore, [('tun_var', '=',
tun_var)])
if tun_vars:
verrors.add(f"{schema_name}.value",
'This variable already exists')
if verrors:
raise verrors
return tunable
async def common_validation(self, catalog, schema, data):
found_trains = set(catalog['trains'])
diff = set(data['preferred_trains']) - found_trains
verrors = ValidationErrors()
if diff:
verrors.add(
f'{schema}.preferred_trains',
f'{", ".join(diff)} trains were not found in catalog.')
if not data['preferred_trains']:
verrors.add(
f'{schema}.preferred_trains',
'At least 1 preferred train must be specified for a catalog.')
verrors.check()
async def _validate(self, schema_name, data, id=None):
verrors = ValidationErrors()
await self._ensure_unique(verrors, schema_name, "name", data["name"],
id)
if data["type"] not in TYPES:
verrors.add(f"{schema_name}.type", "Invalid type")
raise verrors
else:
type = TYPES[data["type"]]
attributes_verrors = validate_attributes(type.credentials_schema,
data)
verrors.add_child(f"{schema_name}.attributes", attributes_verrors)
if verrors:
raise verrors
await type.validate_and_pre_save(self.middleware, verrors,
f"{schema_name}.attributes",
data["attributes"])
if verrors:
raise verrors
async def validate(self, tunable, schema_name):
sysctl_re = \
re.compile('[a-z][a-z0-9_]+\.([a-z0-9_]+\.)*[a-z0-9_]+', re.I)
loader_re = \
re.compile('[a-z][a-z0-9_]+\.*([a-z0-9_]+\.)*[a-z0-9_]+', re.I)
verrors = ValidationErrors()
tun_var = tunable['var'].lower()
tun_type = tunable['type'].lower()
if tun_type == 'loader' or tun_type == 'rc':
err_msg = """Variable name must:<br />
1. Start with a letter.<br />
2. End with a letter or number.<br />
3. Can contain a combination of alphanumeric characters, numbers and/or
\ underscores.
"""
else:
err_msg = """Variable name must:<br />
1. Start with a letter.<br />
2. Contain at least one period.<br />
3. End with a letter or number.<br />
4. Can contain a combination of alphanumeric characters, numbers and/or
\ underscores.
"""
if (
tun_type in ('loader', 'rc') and
not loader_re.match(tun_var)
) or (
tun_type == 'sysctl' and
not sysctl_re.match(tun_var)
):
verrors.add(f"{schema_name}.value", err_msg)
if verrors:
raise verrors
async def do_update(self, data):
"""
Update settings of SSH daemon service.
If `bindiface` is empty it will listen for all available addresses.
.. examples(websocket)::
Make sshd listen only to igb0 interface.
:::javascript
{
"id": "6841f242-840a-11e6-a437-00e04d680384",
"msg": "method",
"method": "ssh.update",
"params": [{
"bindiface": ["igb0"]
}]
}
"""
old = await self.config()
new = old.copy()
new.update(data)
if new['bindiface']:
verrors = ValidationErrors()
iface_choices = await self.middleware.call('ssh.bindiface_choices')
invalid_ifaces = list(
filter(lambda x: x not in iface_choices, new['bindiface']))
if invalid_ifaces:
verrors.add(
'ssh_update.bindiface',
f'The following interfaces are not valid: {", ".join(invalid_ifaces)}',
)
verrors.check()
await self._update_service(old, new)
keyfile = "/usr/local/etc/ssh/ssh_host_ecdsa_key.pub"
if os.path.exists(keyfile):
with open(keyfile, "rb") as f:
pubkey = f.read().strip().split(None, 3)[1]
decoded_key = base64.b64decode(pubkey)
key_digest = hashlib.sha256(decoded_key).digest()
ssh_fingerprint = (b"SHA256:" +
base64.b64encode(key_digest).replace(
b"=", b"")).decode("utf-8")
syslog.openlog(logoption=syslog.LOG_PID, facility=syslog.LOG_USER)
syslog.syslog(
syslog.LOG_ERR,
'ECDSA Fingerprint of the SSH KEY: ' + ssh_fingerprint)
syslog.closelog()
return new
async def validate(self, tunable, schema_name):
sysctl_re = \
re.compile('[a-z][a-z0-9_]+\.([a-z0-9_]+\.)*[a-z0-9_]+', re.I)
loader_re = \
re.compile('[a-z][a-z0-9_]+\.*([a-z0-9_]+\.)*[a-z0-9_]+', re.I)
verrors = ValidationErrors()
tun_var = tunable['var'].lower()
tun_type = tunable['type'].lower()
if tun_type == 'loader' or tun_type == 'rc':
err_msg = "Value can start with a letter and end with an alphanumeric. Aphanumeric and underscore" \
" characters are allowed"
else:
err_msg = 'Value can start with a letter and end with an alphanumeric. A period (.) once is a must.' \
' Alphanumeric and underscore characters are allowed'
if (tun_type in ('loader', 'rc') and not loader_re.match(tun_var)) or (
tun_type == 'sysctl' and not sysctl_re.match(tun_var)):
verrors.add(f"{schema_name}.var", err_msg)
if verrors:
raise verrors
async def do_update(self, id, data):
"""
Update all information of a specific VM.
`devices` is a list of virtualized hardware to attach to the virtual machine. If `devices` is not present,
no change is made to devices. If either the device list order or data stored by the device changes when the
attribute is passed, these actions are taken:
1) If there is no device in the `devices` list which was previously attached to the VM, that device is
removed from the virtual machine.
2) Devices are updated in the `devices` list when they contain a valid `id` attribute that corresponds to
an existing device.
3) Devices that do not have an `id` attribute are created and attached to `id` VM.
"""
old = await self.get_instance(id)
new = old.copy()
new.update(data)
if new['name'] != old['name']:
await self.middleware.run_in_thread(self._check_setup_connection)
if old['status']['state'] == 'RUNNING':
raise CallError(
'VM name can only be changed when VM is inactive')
if old['name'] not in self.vms:
raise CallError(f'Unable to locate domain for {old["name"]}')
verrors = ValidationErrors()
await self.__common_validation(verrors, 'vm_update', new, old=old)
if verrors:
raise verrors
devices = new.pop('devices', [])
new.pop('status', None)
if devices != old['devices']:
await self.safe_devices_updates(devices)
await self.__do_update_devices(id, devices)
await self.middleware.call('datastore.update', 'vm.vm', id, new)
vm_data = await self.get_instance(id)
if new['name'] != old['name']:
await self.middleware.run_in_thread(self._rename_domain, old,
vm_data)
return await self.get_instance(id)
async def common_validation(self, data, schema_name):
verrors = ValidationErrors()
if data['authenticator'] not in await self.middleware.call('acme.dns.authenticator.get_authenticator_schemas'):
verrors.add(
f'{schema_name}.authenticator',
f'System does not support {data["authenticator"]} as an Authenticator'
)
else:
authenticator_obj = await self.middleware.call('acme.dns.authenticator.get_authenticator_internal', data)
authenticator_obj.validate_credentials(data['attributes'])
verrors.check()
async def validate_data(self, data, schema):
verrors = ValidationErrors()
await self.validate_path_field(data, schema, verrors)
if not data['name'].isalnum():
verrors.add(f'{schema}.name',
'Only alphanumeric characters are allowed')
verrors.check()
if not os.path.exists(data[self.path_field]):
os.makedirs(data[self.path_field])
async def validate(self, data, schema_name):
verrors = ValidationErrors()
if data['type'] == 'COMMAND':
if not data.get('command'):
verrors.add(f'{schema_name}.command', 'This field is required')
if data['type'] == 'SCRIPT':
if not data.get('script'):
verrors.add(f'{schema_name}.script', 'This field is required')
if verrors:
raise verrors
async def common_validation(self, data, schema_name, old=None):
verrors = ValidationErrors()
filters = [['name', '!=', old['name']]] if old else []
filters.append(['name', '=', data['name']])
if await self.query(filters):
verrors.add(f'{schema_name}.name',
'Specified name is already in use')
if data['authenticator'] not in await self.middleware.call(
'acme.dns.authenticator.get_authenticator_schemas'):
verrors.add(
f'{schema_name}.authenticator',
f'System does not support {data["authenticator"]} as an Authenticator'
)
else:
authenticator_obj = await self.middleware.call(
'acme.dns.authenticator.get_authenticator_internal', data)
authenticator_obj.validate_credentials(data['attributes'])
verrors.check()
async def validate(self, init_shutdown_script, schema_name):
verrors = ValidationErrors()
if init_shutdown_script["type"] == "COMMAND":
if not init_shutdown_script["command"]:
verrors.add("%s.command" % schema_name,
"This field is required")
if init_shutdown_script["type"] == "SCRIPT":
if not init_shutdown_script["script"]:
verrors.add("%s.script" % schema_name,
"This field is required")
if verrors:
raise verrors
async def validate(self, data, schema_name):
verrors = ValidationErrors()
if (data.get('protocol') == 'HTTPHTTPS'
and data.get('tcpport') == data.get('tcpportssl')):
verrors.add(f"{schema_name}.tcpportssl",
'The HTTP and HTTPS ports cannot be the same!')
if (data.get('protocol') != 'HTTP' and data.get('certssl') is None):
verrors.add(
f"{schema_name}.certssl",
'Webdav SSL protocol specified without choosing a certificate')
if verrors:
raise verrors
return data
async def validate(self, data, schema_name):
verrors = ValidationErrors()
if data.get('protocol') == 'httphttps' and data.get(
'tcpport') == data.get('tcpportssl'):
verrors.add(f"{schema_name}.tcpportssl",
'The HTTP and HTTPS ports cannot be the same!')
cert_ssl = data.get('certssl') or 0
if data.get('protocol') != 'http':
if not cert_ssl:
verrors.add(
f"{schema_name}.certssl",
'WebDAV SSL protocol specified without choosing a certificate'
)
elif not (await self.middleware.call('certificate.query',
[['id', '=', cert_ssl]])):
verrors.add(f"{schema_name}.certssl",
'Please provide a valid certificate id')
if verrors:
raise verrors
return data
async def do_update(self, data):
"""
Update LLDP Service Configuration.
`country` is a two letter ISO 3166 country code required for LLDP location support.
`location` is an optional attribute specifying the physical location of the host.
"""
old = await self.config()
new = old.copy()
new.update(data)
verrors = ValidationErrors()
if new['country'] not in await self.country_choices():
verrors.add(
'lldp_update.country',
f'{new["country"]} not in countries recognized by the system.')
verrors.check()
await self._update_service(old, new)
return new
async def validate_general_settings(self, data, schema):
verrors = ValidationErrors()
for key in [key for key in data.keys() if 'nameserver' in key]:
nameserver_value = data.get(key)
if nameserver_value:
try:
nameserver_ip = ipaddress.ip_address(nameserver_value)
except ValueError as e:
verrors.add(
f'{schema}.{key}',
str(e)
)
else:
if nameserver_ip.is_loopback:
verrors.add(
f'{schema}.{key}',
'Loopback is not a valid nameserver'
)
elif nameserver_ip.is_unspecified:
verrors.add(
f'{schema}.{key}',
'Unspecified addresses are not valid as nameservers'
)
elif nameserver_ip.version == 4:
if nameserver_value == '255.255.255.255':
verrors.add(
f'{schema}.{key}',
'This is not a valid nameserver address'
)
elif nameserver_value.startswith('169.254'):
verrors.add(
f'{schema}.{key}',
'169.254/16 subnet is not valid for nameserver'
)
nameserver_number = int(key[-1])
for i in range(nameserver_number - 1, 0, -1):
if f'nameserver{i}' in data.keys() and not data[f'nameserver{i}']:
verrors.add(
f'{schema}.{key}',
f'Must fill out namserver{i} before filling out {key}'
)
ipv4_gateway_value = data.get('ipv4gateway')
if ipv4_gateway_value:
if not await self.middleware.call(
'routes.ipv4gw_reachable',
ipaddress.ip_address(ipv4_gateway_value).exploded
):
verrors.add(
f'{schema}.ipv4gateway',
f'Gateway {ipv4_gateway_value} is unreachable'
)
netwait_ip = data.get('netwait_ip')
if netwait_ip:
for ip in netwait_ip:
try:
ipaddress.ip_address(ip)
except ValueError as e:
verrors.add(
f'{schema}.netwait_ip',
f'{e.__str__()}'
)
if data.get('domains'):
if len(data.get('domains')) > 5:
verrors.add(
f'{schema}.domains',
'No more than 5 additional domains are allowed'
)
return verrors
def do_create(self, data):
"""
Register with ACME Server
Create a regisration for a specific ACME Server registering root user with it
`acme_directory_uri` is a directory endpoint for any ACME Server
.. examples(websocket)::
Register with ACME Server
:::javascript
{
"id": "6841f242-840a-11e6-a437-00e04d680384",
"msg": "method",
"method": "acme.registration.create",
"params": [{
"tos": true,
"acme_directory_uri": "https://acme-staging-v02.api.letsencrypt.org/directory"
"JWK_create": {
"key_size": 2048,
"public_exponent": 65537
}
}]
}
"""
# STEPS FOR CREATION
# 1) CREATE KEY
# 2) REGISTER CLIENT
# 3) SAVE REGISTRATION OBJECT
# 4) SAVE REGISTRATION BODY
verrors = ValidationErrors()
directory = self.get_directory(data['acme_directory_uri'])
if not isinstance(directory, messages.Directory):
verrors.add(
'acme_registration_create.acme_directory_uri',
f'System was unable to retrieve the directory with the specified acme_directory_uri: {directory}'
)
# Normalizing uri after directory call as let's encrypt staging api
# does not accept a trailing slash right now
data['acme_directory_uri'] += '/' if data['acme_directory_uri'][
-1] != '/' else ''
if not data['tos']:
verrors.add('acme_registration_create.tos',
'Please agree to the terms of service')
# For now we assume that only root is responsible for certs issued under ACME protocol
email = (self.middleware.call_sync('user.query',
[['uid', '=', 0]]))[0]['email']
if not email:
raise CallError(
'Please specify root email address which will be used with the ACME server'
)
if self.middleware.call_sync(
'acme.registration.query',
[['directory', '=', data['acme_directory_uri']]]):
verrors.add(
'acme_registration_create.acme_directory_uri',
'A registration with the specified directory uri already exists'
)
if verrors:
raise verrors
key = jose.JWKRSA(key=rsa.generate_private_key(
public_exponent=data['JWK_create']['public_exponent'],
key_size=data['JWK_create']['key_size'],
backend=default_backend()))
acme_client = client.ClientV2(directory, client.ClientNetwork(key))
register = acme_client.new_account(
messages.NewRegistration.from_data(email=email,
terms_of_service_agreed=True))
# We have registered with the acme server
# Save registration object
registration_id = self.middleware.call_sync(
'datastore.insert', self._config.datastore, {
'uri': register.uri,
'tos': register.terms_of_service,
'new_account_uri': directory.newAccount,
'new_nonce_uri': directory.newNonce,
'new_order_uri': directory.newOrder,
'revoke_cert_uri': directory.revokeCert,
'directory': data['acme_directory_uri']
})
# Save registration body
self.middleware.call_sync(
'datastore.insert', 'system.acmeregistrationbody', {
'contact': register.body.contact[0],
'status': register.body.status,
'key': key.json_dumps(),
'acme': registration_id
})
return self.middleware.call_sync(
f'{self._config.namespace}._get_instance', registration_id)
def validate_credentials(data):
verrors = ValidationErrors()
if data.get('api_token'):
if data.get('cloudflare_email'):
verrors.add('cloudflare_email',
'Should not be specified when using "api_token".')
if data.get('api_key'):
verrors.add('api_key',
'Should not be specified when using "api_token".')
elif data.get('cloudflare_email') or data.get('api_key'):
if not data.get('cloudflare_email'):
verrors.add(
'cloudflare_email',
'Attribute is required when using a Global API Key (should be associated with Cloudflare account).'
)
if not data.get('api_key'):
verrors.add(
'api_key',
'Attribute is required when using a Global API Key.')
else:
verrors.add(
'api_token',
'Attribute must be specified when Global API Key is not specified.'
)
verrors.check()
async def do_create(self, data):
"""
Create a Virtual Machine (VM).
`devices` is a list of virtualized hardware to add to the newly created Virtual Machine.
Failure to attach a device destroys the VM and any resources allocated by the VM devices.
Maximum of 16 guest virtual CPUs are allowed. By default, every virtual CPU is configured as a
separate package. Multiple cores can be configured per CPU by specifying `cores` attributes.
`vcpus` specifies total number of CPU sockets. `cores` specifies number of cores per socket. `threads`
specifies number of threads per core.
`ensure_display_device` when set ( the default ) will ensure that the guest always has access to a video device.
For headless installations like ubuntu server this is required for the guest to operate properly. However
for cases where consumer would like to use GPU passthrough and does not want a display device added should set
this to `false`.
`arch_type` refers to architecture type and can be specified for the guest. By default the value is `null` and
system in this case will choose a reasonable default based on host.
`machine_type` refers to machine type of the guest based on the architecture type selected with `arch_type`.
By default the value is `null` and system in this case will choose a reasonable default based on `arch_type`
configuration.
`shutdown_timeout` indicates the time in seconds the system waits for the VM to cleanly shutdown. During system
shutdown, if the VM hasn't exited after a hardware shutdown signal has been sent by the system within
`shutdown_timeout` seconds, system initiates poweroff for the VM to stop it.
`hide_from_msr` is a boolean which when set will hide the KVM hypervisor from standard MSR based discovery and
is useful to enable when doing GPU passthrough.
SCALE Angelfish: Specifying `devices` is deprecated and will be removed in next major release.
"""
async with LIBVIRT_LOCK:
await self.middleware.run_in_thread(self._check_setup_connection)
if data.get('devices'):
warnings.warn(
'SCALE Angelfish: Specifying "devices" in "vm.create" is deprecated and will be '
'removed in next major release.', DeprecationWarning)
verrors = ValidationErrors()
await self.__common_validation(verrors, 'vm_create', data)
verrors.check()
devices = data.pop('devices')
vm_id = await self.middleware.call('datastore.insert', 'vm.vm', data)
try:
await self.safe_devices_updates(devices)
except Exception as e:
await self.middleware.call('vm.delete', vm_id)
raise e
else:
for device in devices:
await self.middleware.call('vm.device.create', {
'vm': vm_id,
**device
})
await self.middleware.run_in_thread(self._add, vm_id)
return await self.get_instance(vm_id)
async def validate_general_settings(self, data, schema):
verrors = ValidationErrors()
for key in [key for key in data.keys() if 'nameserver' in key]:
nameserver_value = data.get(key)
if nameserver_value:
try:
nameserver_ip = ipaddress.ip_address(nameserver_value)
except ValueError as e:
verrors.add(f'{schema}.{key}', str(e))
else:
if nameserver_ip.is_loopback:
verrors.add(f'{schema}.{key}',
'Loopback is not a valid nameserver')
elif nameserver_ip.is_unspecified:
verrors.add(
f'{schema}.{key}',
'Unspecified addresses are not valid as nameservers'
)
elif nameserver_ip.version == 4:
if nameserver_value == '255.255.255.255':
verrors.add(
f'{schema}.{key}',
'This is not a valid nameserver address')
elif nameserver_value.startswith('169.254'):
verrors.add(
f'{schema}.{key}',
'169.254/16 subnet is not valid for nameserver'
)
nameserver_number = int(key[-1])
for i in range(nameserver_number - 1, 0, -1):
if f'nameserver{i}' in data.keys(
) and not data[f'nameserver{i}']:
verrors.add(
f'{schema}.{key}',
f'Must fill out namserver{i} before filling out {key}'
)
ipv4_gateway_value = data.get('ipv4gateway')
if ipv4_gateway_value:
if not await self.middleware.call(
'route.ipv4gw_reachable',
ipaddress.ip_address(ipv4_gateway_value).exploded):
verrors.add(f'{schema}.ipv4gateway',
f'Gateway {ipv4_gateway_value} is unreachable')
netwait_ip = data.get('netwait_ip')
if netwait_ip:
for ip in netwait_ip:
try:
ipaddress.ip_address(ip)
except ValueError as e:
verrors.add(f'{schema}.netwait_ip', f'{e.__str__()}')
if data.get('domains'):
if len(data.get('domains')) > 5:
verrors.add(f'{schema}.domains',
'No more than 5 additional domains are allowed')
return verrors
def do_create(self, data):
"""
Register with ACME Server
Create a regisration for a specific ACME Server registering root user with it
`acme_directory_uri` is a directory endpoint for any ACME Server
.. examples(websocket)::
Register with ACME Server
:::javascript
{
"id": "6841f242-840a-11e6-a437-00e04d680384",
"msg": "method",
"method": "acme.registration.create",
"params": [{
"tos": true,
"acme_directory_uri": "https://acme-staging-v02.api.letsencrypt.org/directory"
"JWK_create": {
"key_size": 2048,
"public_exponent": 65537
}
}]
}
"""
# STEPS FOR CREATION
# 1) CREATE KEY
# 2) REGISTER CLIENT
# 3) SAVE REGISTRATION OBJECT
# 4) SAVE REGISTRATION BODY
verrors = ValidationErrors()
directory = self.get_directory(data['acme_directory_uri'])
if not isinstance(directory, messages.Directory):
verrors.add(
'acme_registration_create.acme_directory_uri',
f'System was unable to retrieve the directory with the specified acme_directory_uri: {directory}'
)
# Normalizing uri after directory call as let's encrypt staging api
# does not accept a trailing slash right now
data['acme_directory_uri'] += '/' if data['acme_directory_uri'][-1] != '/' else ''
if not data['tos']:
verrors.add(
'acme_registration_create.tos',
'Please agree to the terms of service'
)
# For now we assume that only root is responsible for certs issued under ACME protocol
email = (self.middleware.call_sync('user.query', [['uid', '=', 0]]))[0]['email']
if not email:
raise CallError(
'Please specify root email address which will be used with the ACME server'
)
if self.middleware.call_sync(
'acme.registration.query', [['directory', '=', data['acme_directory_uri']]]
):
verrors.add(
'acme_registration_create.acme_directory_uri',
'A registration with the specified directory uri already exists'
)
if verrors:
raise verrors
key = jose.JWKRSA(key=rsa.generate_private_key(
public_exponent=data['JWK_create']['public_exponent'],
key_size=data['JWK_create']['key_size'],
backend=default_backend()
))
acme_client = client.ClientV2(directory, client.ClientNetwork(key))
register = acme_client.new_account(
messages.NewRegistration.from_data(
email=email,
terms_of_service_agreed=True
)
)
# We have registered with the acme server
# Save registration object
registration_id = self.middleware.call_sync(
'datastore.insert',
self._config.datastore,
{
'uri': register.uri,
'tos': register.terms_of_service,
'new_account_uri': directory.newAccount,
'new_nonce_uri': directory.newNonce,
'new_order_uri': directory.newOrder,
'revoke_cert_uri': directory.revokeCert,
'directory': data['acme_directory_uri']
}
)
# Save registration body
self.middleware.call_sync(
'datastore.insert',
'system.acmeregistrationbody',
{
'contact': register.body.contact[0],
'status': register.body.status,
'key': key.json_dumps(),
'acme': registration_id
}
)
return self.middleware.call_sync(f'{self._config.namespace}._get_instance', registration_id)
async def do_create(self, job, data):
"""
`catalog_create.preferred_trains` specifies trains which will be displayed in the UI directly for a user.
"""
verrors = ValidationErrors()
# We normalize the label
data['label'] = data['label'].upper()
if await self.query([['id', '=', data['label']]]):
verrors.add('catalog_create.label',
'A catalog with specified label already exists',
errno=errno.EEXIST)
if await self.query([['repository', '=', data['repository']],
['branch', '=', data['branch']]]):
for k in ('repository', 'branch'):
verrors.add(
f'catalog_create.{k}',
'A catalog with same repository/branch already exists',
errno=errno.EEXIST)
verrors.check()
if not data['preferred_trains']:
data['preferred_trains'] = ['stable']
if not data.pop('force'):
job.set_progress(40, f'Validating {data["label"]!r} catalog')
# We will validate the catalog now to ensure it's valid wrt contents / format
path = os.path.join(
TMP_IX_APPS_DIR, 'validate_catalogs',
convert_repository_to_path(data['repository'], data['branch']))
try:
await self.middleware.call('catalog.update_git_repository', {
**data, 'location': path
}, True)
await self.middleware.call(
'catalog.validate_catalog_from_path', path)
await self.common_validation(
{
'trains':
await self.middleware.call(
'catalog.retrieve_train_names', path)
}, 'catalog_create', data)
except CallError as e:
verrors.add('catalog_create.label',
f'Failed to validate catalog: {e}')
finally:
await self.middleware.run_in_thread(shutil.rmtree,
path,
ignore_errors=True)
else:
job.set_progress(50, 'Skipping validation of catalog')
verrors.check()
job.set_progress(60, 'Completed Validation')
await self.middleware.call('datastore.insert', self._config.datastore,
data)
job.set_progress(70, f'Successfully added {data["label"]!r} catalog')
job.set_progress(80, f'Syncing {data["label"]} catalog')
sync_job = await self.middleware.call('catalog.sync', data['label'])
await sync_job.wait()
if sync_job.error:
raise CallError(
f'Catalog was added successfully but failed to sync: {sync_job.error}'
)
job.set_progress(100, f'Successfully synced {data["label"]!r} catalog')
return await self.get_instance(data['label'])
