to_json: use yamlcpp; support yaml output

bneradt · bneradt · commit 3ad74cee01ed · 2026-01-02T17:38:03.000Z
This also makes yaml the default traffic_ctl config ssl_multicert show format
diff --git a/doc/appendices/command-line/traffic_ctl.en.rst b/doc/appendices/command-line/traffic_ctl.en.rst
@@ -311,6 +311,35 @@ Display the current value of a configuration record.
    Display information about the registered files in |TS|. This includes the full file path, config record name, parent config (if any)
    if needs root access and if the file is required in |TS|.
 
+.. program:: traffic_ctl config
+.. option:: ssl-multicert show [--yaml | --json]
+
+   Display the current ``ssl_multicert.yaml`` configuration. By default, output is in YAML format.
+   Use ``--json`` or ``-j`` to output in JSON format.
+
+   .. option:: --yaml, -y
+
+      Output in YAML format (default).
+
+   .. option:: --json, -j
+
+      Output in JSON format.
+
+   Example:
+
+   .. code-block:: bash
+
+      $ traffic_ctl config ssl-multicert show
+      ssl_multicert:
+        - ssl_cert_name: server.pem
+          dest_ip: "*"
+          ssl_key_name: server.key
+
+   .. code-block:: bash
+
+      $ traffic_ctl config ssl-multicert show --json
+      {"ssl_multicert": [{"ssl_cert_name": "server.pem", "dest_ip": "*", "ssl_key_name": "server.key"}]}
+
 .. _traffic-control-command-metric:
 
 traffic_ctl metric
diff --git a/src/config/ssl_multicert.cc b/src/config/ssl_multicert.cc
@@ -129,44 +129,6 @@ parse_legacy_line(std::string_view line)
   return result;
 }
 
-/// Escape a string for JSON output.
-std::string
-json_escape(std::string const &s)
-{
-  std::string result;
-  result.reserve(s.size() + 2);
-  result += '"';
-  for (char c : s) {
-    switch (c) {
-    case '"':
-      result += "\\\"";
-      break;
-    case '\\':
-      result += "\\\\";
-      break;
-    case '\b':
-      result += "\\b";
-      break;
-    case '\f':
-      result += "\\f";
-      break;
-    case '\n':
-      result += "\\n";
-      break;
-    case '\r':
-      result += "\\r";
-      break;
-    case '\t':
-      result += "\\t";
-      break;
-    default:
-      result += c;
-    }
-  }
-  result += '"';
-  return result;
-}
-
 /// Escape a string for YAML output if needed.
 std::string
 yaml_escape(std::string const &value)
@@ -456,39 +418,24 @@ SSLMultiCertMarshaller::to_yaml(SSLMultiCertConfig const &config)
 std::string
 SSLMultiCertMarshaller::to_json(SSLMultiCertConfig const &config)
 {
-  std::ostringstream out;
-  out << "{\n  \"ssl_multicert\": [\n";
+  YAML::Emitter json;
+  json << YAML::DoubleQuoted << YAML::Flow;
+  json << YAML::BeginMap;
+  json << YAML::Key << KEY_SSL_MULTICERT << YAML::Value << YAML::BeginSeq;
 
-  bool first_entry = true;
   for (auto const &entry : config) {
-    if (!first_entry) {
-      out << ",\n";
-    }
-    first_entry = false;
-
-    out << "    {";
-    bool first_field = true;
+    json << YAML::BeginMap;
 
     auto write_field = [&](char const *key, std::string const &value) {
-      if (value.empty()) {
-        return;
-      }
-      if (!first_field) {
-        out << ", ";
+      if (!value.empty()) {
+        json << YAML::Key << key << YAML::Value << value;
       }
-      first_field = false;
-      out << json_escape(key) << ": " << json_escape(value);
     };
 
     auto write_int_field = [&](char const *key, std::optional<int> const &value) {
-      if (!value.has_value()) {
-        return;
+      if (value.has_value()) {
+        json << YAML::Key << key << YAML::Value << value.value();
       }
-      if (!first_field) {
-        out << ", ";
-      }
-      first_field = false;
-      out << json_escape(key) << ": " << value.value();
     };
 
     write_field(KEY_SSL_CERT_NAME, entry.ssl_cert_name);
@@ -502,11 +449,11 @@ SSLMultiCertMarshaller::to_json(SSLMultiCertConfig const &config)
     write_int_field(KEY_SSL_TICKET_ENABLED, entry.ssl_ticket_enabled);
     write_int_field(KEY_SSL_TICKET_NUMBER, entry.ssl_ticket_number);
 
-    out << "}";
+    json << YAML::EndMap;
   }
 
-  out << "\n  ]\n}\n";
-  return out.str();
+  json << YAML::EndSeq << YAML::EndMap;
+  return json.c_str();
 }
 
 } // namespace config
diff --git a/src/traffic_ctl/SSLMultiCertCommand.cc b/src/traffic_ctl/SSLMultiCertCommand.cc
@@ -52,6 +52,8 @@ SSLMultiCertCommand::SSLMultiCertCommand(ts::Arguments *args) : CtrlCommand(args
   _printer = std::make_unique<GenericPrinter>(print_opts);
 
   if (args->get("show")) {
+    // Default to YAML; use JSON only if explicitly requested.
+    _output_json  = args->get("json");
     _invoked_func = [this]() { show_config(); };
   } else {
     throw std::invalid_argument("Unsupported ssl-multicert subcommand");
@@ -77,8 +79,6 @@ SSLMultiCertCommand::show_config()
   }
 
   config::SSLMultiCertMarshaller marshaller;
-
-  // Output in JSON format for easy consumption by tools.
-  std::string const output = marshaller.to_json(result.value);
+  std::string const              output = _output_json ? marshaller.to_json(result.value) : marshaller.to_yaml(result.value);
   _printer->write_output(output);
 }
diff --git a/src/traffic_ctl/SSLMultiCertCommand.h b/src/traffic_ctl/SSLMultiCertCommand.h
@@ -42,4 +42,6 @@ class SSLMultiCertCommand : public CtrlCommand
 
 private:
   void show_config();
+
+  bool _output_json = false;
 };
diff --git a/src/traffic_ctl/traffic_ctl.cc b/src/traffic_ctl/traffic_ctl.cc
@@ -143,8 +143,13 @@ main([[maybe_unused]] int argc, const char **argv)
   // ssl-multicert subcommand
   auto &ssl_multicert_command =
     config_command.add_command("ssl-multicert", "Manage ssl_multicert configuration").require_commands();
-  ssl_multicert_command.add_command("show", "Show the ssl_multicert configuration in JSON format", Command_Execute)
-    .add_example_usage("traffic_ctl config ssl-multicert show");
+  auto &ssl_multicert_show = ssl_multicert_command.add_command("show", "Show the ssl_multicert configuration", Command_Execute)
+                               .add_example_usage("traffic_ctl config ssl-multicert show")
+                               .add_example_usage("traffic_ctl config ssl-multicert show --yaml")
+                               .add_example_usage("traffic_ctl config ssl-multicert show --json");
+  ssl_multicert_show.add_mutex_group("format", false, "Output format");
+  ssl_multicert_show.add_option_to_group("format", "--yaml", "-y", "Output in YAML format (default)");
+  ssl_multicert_show.add_option_to_group("format", "--json", "-j", "Output in JSON format");
 
   // convert subcommand - convert config files between formats
   auto &convert_command = config_command.add_command("convert", "Convert configuration files to YAML format").require_commands();
diff --git a/tests/gold_tests/tls/ssl_key_dialog.test.py b/tests/gold_tests/tls/ssl_key_dialog.test.py
@@ -40,9 +40,13 @@
     })
 
 ts.Disk.ssl_multicert_yaml.AddLines(
-    [
-        'dest_ip=* ssl_cert_name=passphrase.pem ssl_key_name=passphrase.key ssl_key_dialog="exec:/bin/bash -c \'echo -n passphrase\'"',
-    ])
+    """
+ssl_multicert:
+  - dest_ip: "*"
+    ssl_cert_name: passphrase.pem
+    ssl_key_name: passphrase.key
+    ssl_key_dialog: "exec:/bin/bash -c 'echo -n passphrase'"
+""".split("\n"))
 
 request_header = {"headers": "GET / HTTP/1.1\r\nHost: bogus\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
 response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": "success!"}
@@ -65,10 +69,14 @@
 # Update the multicert config
 sslcertpath = ts.Disk.ssl_multicert_yaml.AbsPath
 tr2.Disk.File(sslcertpath, id="ssl_multicert_config", typename="ats:config"),
-tr2.Disk.ssl_multicert_yaml.AddLines(
-    [
-        'dest_ip=* ssl_cert_name=passphrase2.pem ssl_key_name=passphrase2.key ssl_key_dialog="exec:/bin/bash -c \'echo -n passphrase\'"',
-    ])
+tr2.Disk.ssl_multicert_config.AddLines(
+    """
+ssl_multicert:
+  - dest_ip: "*"
+    ssl_cert_name: passphrase2.pem
+    ssl_key_name: passphrase2.key
+    ssl_key_dialog: "exec:/bin/bash -c 'echo -n passphrase'"
+""".split("\n"))
 tr2.StillRunningAfter = ts
 tr2.StillRunningAfter = server
 tr2.Processes.Default.Command = 'echo Updated configs'
diff --git a/tests/gold_tests/tls/tls_check_cert_select_plugin.test.py b/tests/gold_tests/tls/tls_check_cert_select_plugin.test.py
@@ -45,11 +45,17 @@
 ts.Disk.remap_config.AddLine('map / https://foo.com:{1}'.format(ts.Variables.ssl_port, server.Variables.SSL_Port))
 
 ts.Disk.ssl_multicert_yaml.AddLines(
-    [
-        'dest_ip=127.0.0.1 ssl_cert_name=signed-foo.pem ssl_key_name=signed-foo.key',
-        'ssl_cert_name=signed2-bar.pem ssl_key_name=signed-bar.key',
-        'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key',
-    ])
+    """
+ssl_multicert:
+  - dest_ip: 127.0.0.1
+    ssl_cert_name: signed-foo.pem
+    ssl_key_name: signed-foo.key
+  - ssl_cert_name: signed2-bar.pem
+    ssl_key_name: signed-bar.key
+  - dest_ip: "*"
+    ssl_cert_name: server.pem
+    ssl_key_name: server.key
+""".split("\n"))
 
 Test.PrepareTestPlugin(os.path.join(Test.Variables.AtsTestPluginsDir, 'ssl_secret_load_test.so'), ts)
 
diff --git a/tests/gold_tests/tls/tls_check_cert_selection_reload.test.py b/tests/gold_tests/tls/tls_check_cert_selection_reload.test.py
@@ -40,10 +40,13 @@
 ts.Disk.remap_config.AddLine('map /stuff https://foo.com:{1}'.format(ts.Variables.ssl_port, server.Variables.SSL_Port))
 
 ts.Disk.ssl_multicert_yaml.AddLines(
-    [
-        'ssl_cert_name=signed-bar.pem ssl_key_name=signed-bar.key',
-        'dest_ip=* ssl_cert_name=combo.pem',
-    ])
+    """
+ssl_multicert:
+  - ssl_cert_name: signed-bar.pem
+    ssl_key_name: signed-bar.key
+  - dest_ip: "*"
+    ssl_cert_name: combo.pem
+""".split("\n"))
 
 # Case 1, global config policy=permissive properties=signature
 #         override for foo.com policy=enforced properties=all
diff --git a/tests/gold_tests/tls/tls_check_dual_cert_selection.test.py b/tests/gold_tests/tls/tls_check_dual_cert_selection.test.py
@@ -49,11 +49,16 @@
 ts.Disk.remap_config.AddLine('map / https://foo.com:{1}'.format(ts.Variables.ssl_port, server.Variables.SSL_Port))
 
 ts.Disk.ssl_multicert_yaml.AddLines(
-    [
-        'ssl_cert_name=signed-foo-ec.pem,signed-foo.pem ssl_key_name=signed-foo-ec.key,signed-foo.key',
-        'ssl_cert_name=signed-san-ec.pem,signed-san.pem ssl_key_name=signed-san-ec.key,signed-san.key',
-        'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key',
-    ])
+    """
+ssl_multicert:
+  - ssl_cert_name: signed-foo-ec.pem,signed-foo.pem
+    ssl_key_name: signed-foo-ec.key,signed-foo.key
+  - ssl_cert_name: signed-san-ec.pem,signed-san.pem
+    ssl_key_name: signed-san-ec.key,signed-san.key
+  - dest_ip: "*"
+    ssl_cert_name: server.pem
+    ssl_key_name: server.key
+""".split("\n"))
 
 # Case 1, global config policy=permissive properties=signature
 #         override for foo.com policy=enforced properties=all
diff --git a/tests/gold_tests/traffic_ctl/show_ssl_multicert/gold/show_json.gold b/tests/gold_tests/traffic_ctl/show_ssl_multicert/gold/show_json.gold
@@ -0,0 +1 @@
+{"ssl_multicert": [{"ssl_cert_name": "server.pem", "dest_ip": "*", "ssl_key_name": "server.key"}]}
diff --git a/tests/gold_tests/traffic_ctl/show_ssl_multicert/gold/show_yaml.gold b/tests/gold_tests/traffic_ctl/show_ssl_multicert/gold/show_yaml.gold
@@ -0,0 +1,5 @@
+ssl_multicert:
+  - ssl_cert_name: server.pem
+    dest_ip: "*"
+    ssl_key_name: server.key
+
diff --git a/tests/gold_tests/traffic_ctl/show_ssl_multicert/show_ssl_multicert.test.py b/tests/gold_tests/traffic_ctl/show_ssl_multicert/show_ssl_multicert.test.py
@@ -0,0 +1,91 @@
+'''
+Test the traffic_ctl config ssl-multicert show command.
+'''
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+Test.Summary = 'Test traffic_ctl config ssl-multicert show command.'
+
+
+class ShowSSLMulticert:
+
+    def __init__(self):
+        self.setup_ts()
+        self.setup_show_default()
+        self.setup_show_json()
+        self.setup_show_yaml()
+
+    def setup_ts(self):
+        self._ts = Test.MakeATSProcess("ts", enable_cache=False, enable_tls=True)
+        self._ts.addDefaultSSLFiles()
+        self._ts.Disk.ssl_multicert_yaml.AddLines(
+            """
+ssl_multicert:
+  - ssl_cert_name: server.pem
+    dest_ip: "*"
+    ssl_key_name: server.key
+""".split("\n"))
+        self._ts.Disk.records_config.update(
+            {
+                'proxy.config.ssl.server.cert.path': f'{self._ts.Variables.SSLDir}',
+                'proxy.config.ssl.server.private_key.path': f'{self._ts.Variables.SSLDir}',
+            })
+
+    def setup_show_default(self):
+        tr = Test.AddTestRun("Test ssl-multicert show (default YAML format)")
+        tr.Processes.Default.Command = 'traffic_ctl config ssl-multicert show'
+        tr.Processes.Default.Streams.stdout = "gold/show_yaml.gold"
+        tr.Processes.Default.ReturnCode = 0
+        tr.Processes.Default.Env = self._ts.Env
+        tr.Processes.Default.StartBefore(self._ts)
+        tr.StillRunningAfter = self._ts
+
+    def setup_show_json(self):
+        # Test with explicit --json flag.
+        tr = Test.AddTestRun("Test ssl-multicert show --json")
+        tr.Processes.Default.Command = 'traffic_ctl config ssl-multicert show --json'
+        tr.Processes.Default.Streams.stdout = "gold/show_json.gold"
+        tr.Processes.Default.ReturnCode = 0
+        tr.Processes.Default.Env = self._ts.Env
+        tr.StillRunningAfter = self._ts
+
+        # Test with short -j flag.
+        tr = Test.AddTestRun("Test ssl-multicert show -j")
+        tr.Processes.Default.Command = 'traffic_ctl config ssl-multicert show -j'
+        tr.Processes.Default.Streams.stdout = "gold/show_json.gold"
+        tr.Processes.Default.ReturnCode = 0
+        tr.Processes.Default.Env = self._ts.Env
+        tr.StillRunningAfter = self._ts
+
+    def setup_show_yaml(self):
+        # Test with --yaml flag.
+        tr = Test.AddTestRun("Test ssl-multicert show --yaml")
+        tr.Processes.Default.Command = 'traffic_ctl config ssl-multicert show --yaml'
+        tr.Processes.Default.Streams.stdout = "gold/show_yaml.gold"
+        tr.Processes.Default.ReturnCode = 0
+        tr.Processes.Default.Env = self._ts.Env
+        tr.StillRunningAfter = self._ts
+
+        # Test with short -y flag.
+        tr = Test.AddTestRun("Test ssl-multicert show -y")
+        tr.Processes.Default.Command = 'traffic_ctl config ssl-multicert show -y'
+        tr.Processes.Default.Streams.stdout = "gold/show_yaml.gold"
+        tr.Processes.Default.ReturnCode = 0
+        tr.Processes.Default.Env = self._ts.Env
+        tr.StillRunningAfter = self._ts
+
+
+ShowSSLMulticert()

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+{"ssl_multicert": [{"ssl_cert_name": "server.pem", "dest_ip": "*", "ssl_key_name": "server.key"}]}`