NSXAdmin: Block cert commands when feature is off

Allow certificate commands only when client authentication is enabled.
Applies to all certificate commands except the nsx-list command, which
is operational regardless of feature status.

Change-Id: I1c9fc54ad103c19146673d7114c2eea0aa61269f
Anna Khmelnitsky
2017-05-08 11:27:13 -07:00
parent 5843b659ae
commit e89bc88f59


@@ -68,11 +68,23 @@ def get_certificate_manager(**kwargs):
storage_driver)
def verify_client_cert_on():
if cfg.CONF.nsx_v3.nsx_use_client_auth:
return True
LOG.info("Operation not applicable since client authentication "
"is disabled")
return False
@admin_utils.output_header
def generate_cert(resource, event, trigger, **kwargs):
"""Generate self signed client certificate and private key
"""
if not verify_client_cert_on():
return
if cfg.CONF.nsx_v3.nsx_client_cert_storage.lower() == "none":
LOG.info("Generate operation is not supported "
"with storage type 'none'")
@@ -120,6 +132,8 @@ def generate_cert(resource, event, trigger, **kwargs):
@admin_utils.output_header
def delete_cert(resource, event, trigger, **kwargs):
"""Delete client certificate and private key """
if not verify_client_cert_on():
return
with get_certificate_manager(**kwargs) as cert:
if cfg.CONF.nsx_v3.nsx_client_cert_storage.lower() == "none":
@@ -142,6 +156,9 @@ def delete_cert(resource, event, trigger, **kwargs):
def show_cert(resource, event, trigger, **kwargs):
"""Show client certificate details """
if not verify_client_cert_on():
return
with get_certificate_manager(**kwargs) as cert:
if cert.exists():
cert_pem, key_pem = cert.get_pem()
@@ -186,6 +203,8 @@ def get_cert_filename(**kwargs):
@admin_utils.output_header
def import_cert(resource, event, trigger, **kwargs):
"""Import client certificate that was generated externally"""
if not verify_client_cert_on():
return
if cfg.CONF.nsx_v3.nsx_client_cert_storage.lower() != "none":
LOG.info("Import operation is supported "
@@ -208,6 +227,8 @@ def import_cert(resource, event, trigger, **kwargs):
@admin_utils.output_header
def show_nsx_certs(resource, event, trigger, **kwargs):
"""Show client certificates associated with openstack identity in NSX"""
# Note - this operation is supported even if the feature is disabled
nsx_trust = get_nsx_trust_management(**kwargs)
ids = nsx_trust.get_identities(cert_utils.NSX_OPENSTACK_IDENTITY)
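Review bot: The guard added to `delete_cert` means that once `nsx_use_client_auth` is turned off, the admin tool can no longer remove the client certificate and private key, so key material created while the feature was on may stay in storage (and presumably registered in NSX) until someone re-enables the feature just to clean up. Consider leaving delete reachable the way `show_nsx_certs` is, with a comment such as `# Note - delete is allowed with the feature disabled so stale credentials can be removed`, or at least have the message in `verify_client_cert_on` say how an existing certificate can be removed. Separately, every guarded command returns `None` after an INFO-level log, so a script calling generate or import cannot tell a skipped operation from a completed one; a warning-level message or a non-zero exit would make the skip visible. The bodies of the guarded functions continue outside the hunks shown, so this is based only on the early-return lines visible here.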