mgr/dashboard: read cert from in-memory file

nizamial09 · nizamial09 · commit e05532e24cd0 · 2024-05-30T23:28:52.000+05:30
Fixes: https://tracker.ceph.com/issues/66303 Signed-off-by: Nizamudeen A <nia@redhat.com>
diff --git a/src/pybind/mgr/dashboard/controllers/multi_cluster.py b/src/pybind/mgr/dashboard/controllers/multi_cluster.py
@@ -3,6 +3,7 @@
 import base64
 import json
 import re
+import tempfile
 import time
 from urllib.parse import urlparse
 
@@ -37,8 +38,14 @@ def _proxy(self, method, base_url, path, params=None, payload=None, verify=False
                     'Accept': 'application/vnd.ceph.api.v1.0+json',
                     'Content-Type': 'application/json',
                 }
+            cert_file_path = verify
+            if verify:
+                with tempfile.NamedTemporaryFile(delete=False) as cert_file:
+                    cert_file.write(cert.encode('utf-8'))
+                    cert_file_path = cert_file.name
             response = requests.request(method, base_url + path, params=params,
-                                        json=payload, verify=verify, cert=cert, headers=headers)
+                                        json=payload, verify=cert_file_path,
+                                        headers=headers)
         except Exception as e:
             raise DashboardException(
                 "Could not reach {}, {}".format(base_url+path, e),
@@ -78,11 +85,13 @@ def auth(self, url: str, cluster_alias: str, username: str,
                         payload={'url': cors_endpoints_string}, token=cluster_token,
                         verify=ssl_verify, cert=ssl_certificate)
 
-            fsid = self._proxy('GET', url, 'api/health/get_cluster_fsid', token=cluster_token)
+            fsid = self._proxy('GET', url, 'api/health/get_cluster_fsid', token=cluster_token,
+                               verify=ssl_verify, cert=ssl_certificate)
 
             managed_by_clusters_content = self._proxy('GET', url,
                                                       'api/settings/MANAGED_BY_CLUSTERS',
-                                                      token=cluster_token)
+                                                      token=cluster_token,
+                                                      verify=ssl_verify, cert=ssl_certificate)
 
             managed_by_clusters_config = managed_by_clusters_content['value']
 
@@ -95,7 +104,8 @@ def auth(self, url: str, cluster_alias: str, username: str,
 
             # add prometheus targets
             prometheus_url = self._proxy('GET', url, 'api/multi-cluster/get_prometheus_api_url',
-                                         token=cluster_token)
+                                         token=cluster_token, verify=ssl_verify,
+                                         cert=ssl_certificate)
 
             _set_prometheus_targets(prometheus_url)
 
@@ -145,7 +155,8 @@ def check_cluster_connection(self, url, payload, username, ssl_verify, ssl_certi
                                          component='multi-cluster')
 
             user_content = self._proxy('GET', url, f'api/user/{username}',
-                                       token=content['token'])
+                                       token=content['token'], verify=ssl_verify,
+                                       cert=ssl_certificate)
 
             if 'status' in user_content and user_content['status'] == '403 Forbidden':
                 raise DashboardException(msg='User is not an administrator',
@@ -164,7 +175,8 @@ def check_cluster_connection(self, url, payload, username, ssl_verify, ssl_certi
         cluster_token = content['token']
 
         managed_by_clusters_content = self._proxy('GET', url, 'api/settings/MANAGED_BY_CLUSTERS',
-                                                  token=cluster_token)
+                                                  token=cluster_token, verify=ssl_verify,
+                                                  cert=ssl_certificate)
 
         managed_by_clusters_config = managed_by_clusters_content['value']
 
@@ -247,19 +259,23 @@ def reconnect_cluster(self, url: str, username=None, password=None,
                     for cluster in cluster_details:
                         if cluster["url"] == url and cluster["user"] == username:
                             cluster['token'] = cluster_token
+                            cluster['ssl_verify'] = ssl_verify
+                            cluster['ssl_certificate'] = ssl_certificate
             Settings.MULTICLUSTER_CONFIG = multicluster_config
         return True
 
     @Endpoint('PUT')
     @UpdatePermission
     # pylint: disable=unused-variable
-    def edit_cluster(self, url, cluster_alias, username):
+    def edit_cluster(self, url, cluster_alias, username, verify=False, ssl_certificate=None):
         multicluster_config = self.load_multi_cluster_config()
         if "config" in multicluster_config:
             for key, cluster_details in multicluster_config["config"].items():
                 for cluster in cluster_details:
                     if cluster["url"] == url and cluster["user"] == username:
                         cluster['cluster_alias'] = cluster_alias
+                        cluster['ssl_verify'] = verify
+                        cluster['ssl_certificate'] = ssl_certificate if verify else ''
         Settings.MULTICLUSTER_CONFIG = multicluster_config
         return Settings.MULTICLUSTER_CONFIG
 
@@ -291,7 +307,9 @@ def delete_cluster(self, cluster_name, cluster_user):
 
                     managed_by_clusters_content = self._proxy('GET', cluster_url,
                                                               'api/settings/MANAGED_BY_CLUSTERS',
-                                                              token=cluster_token)
+                                                              token=cluster_token,
+                                                              verify=cluster_ssl_verify,
+                                                              cert=cluster_ssl_certificate)
 
                     managed_by_clusters_config = managed_by_clusters_content['value']
                     for cluster in managed_by_clusters_config:
diff --git a/src/pybind/mgr/dashboard/frontend/src/app/ceph/cluster/multi-cluster/multi-cluster-form/multi-cluster-form.component.ts b/src/pybind/mgr/dashboard/frontend/src/app/ceph/cluster/multi-cluster/multi-cluster-form/multi-cluster-form.component.ts
@@ -197,7 +197,7 @@ export class MultiClusterFormComponent implements OnInit, OnDestroy {
       case 'edit':
         this.subs.add(
           this.multiClusterService
-            .editCluster(this.cluster.url, clusterAlias, this.cluster.user)
+            .editCluster(this.cluster.url, clusterAlias, this.cluster.user, ssl, ssl_certificate)
             .subscribe({
               ...commonSubscribtion,
               complete: () => this.handleSuccess($localize`Cluster updated successfully`)
diff --git a/src/pybind/mgr/dashboard/frontend/src/app/shared/api/multi-cluster.service.ts b/src/pybind/mgr/dashboard/frontend/src/app/shared/api/multi-cluster.service.ts
@@ -115,11 +115,19 @@ export class MultiClusterService {
     return this.http.delete(`api/multi-cluster/delete_cluster/${clusterName}/${clusterUser}`);
   }
 
-  editCluster(url: any, clusterAlias: string, username: string) {
+  editCluster(
+    url: any,
+    clusterAlias: string,
+    username: string,
+    verify = false,
+    ssl_certificate = ''
+  ) {
     return this.http.put('api/multi-cluster/edit_cluster', {
       url,
       cluster_alias: clusterAlias,
-      username
+      username: username,
+      verify: verify,
+      ssl_certificate: ssl_certificate
     });
   }
 
diff --git a/src/pybind/mgr/dashboard/openapi.yaml b/src/pybind/mgr/dashboard/openapi.yaml
@@ -7222,10 +7222,15 @@ paths:
               properties:
                 cluster_alias:
                   type: string
+                ssl_certificate:
+                  type: string
                 url:
                   type: string
                 username:
                   type: string
+                verify:
+                  default: false
+                  type: boolean
               required:
               - url
               - cluster_alias
