authorbrgayazov <bulat@ydb.tech>2023-03-01 20:41:29 +0300
committerbrgayazov <bulat@ydb.tech>2023-03-01 20:41:29 +0300
commita60b817418e3a1c43b5b6da6e9c31c5130482e9b (patch)
tree91719662d1874baf6582b3736bef5966bbd65191
parent789192585f1d3f02af4b1002f4e23499a0168eb7 (diff)
downloadydb-a60b817418e3a1c43b5b6da6e9c31c5130482e9b.tar.gz
Add ca-file saving in profile
-rw-r--r--ydb/public/lib/ydb_cli/commands/ydb_profile.cpp23
-rw-r--r--ydb/public/lib/ydb_cli/commands/ydb_profile.h3
-rw-r--r--ydb/public/lib/ydb_cli/commands/ydb_root_common.cpp19
-rw-r--r--ydb/public/lib/ydb_cli/commands/ydb_root_common.h1
-rw-r--r--ydb/public/lib/ydb_cli/common/root.h2
5 files changed, 44 insertions, 4 deletions
diff --git a/ydb/public/lib/ydb_cli/commands/ydb_profile.cpp b/ydb/public/lib/ydb_cli/commands/ydb_profile.cpp
index 0d8bc79aab..f41b522496 100644
--- a/ydb/public/lib/ydb_cli/commands/ydb_profile.cpp
+++ b/ydb/public/lib/ydb_cli/commands/ydb_profile.cpp
@@ -248,6 +248,9 @@ namespace {
if (profile->Has("iam-endpoint")) {
Cout << " iam-endpoint: " << profile->GetValue("iam-endpoint").as<TString>() << Endl;
}
+ if (profile->Has("ca-file")) {
+ Cout << " ca-file: " << profile->GetValue("ca-file").as<TString>() << Endl;
+ }
}
}
@@ -308,7 +311,8 @@ void TCommandProfileCommon::GetOptionsFromStdin() {
{"sa-key-file", SaKeyFile},
{"user", User},
{"password-file", PasswordFile},
- {"iam-endpoint", IamEndpoint}
+ {"iam-endpoint", IamEndpoint},
+ {"ca-file", CaCertsFile}
};
while (Cin.ReadLine(line)) {
Strip(line, trimmedLine);
@@ -355,6 +359,9 @@ void TCommandProfileCommon::ConfigureProfile(const TString& profileName, std::sh
SetupProfileSetting("endpoint", Endpoint, existingProfile, profileName, profile, interactive, cmdLine);
SetupProfileSetting("database", Database, existingProfile, profileName, profile, interactive, cmdLine);
SetupProfileAuthentication(existingProfile, profileName, profile, config, interactive, cmdLine);
+ if (cmdLine && CaCertsFile) {
+ profile->SetValue("ca-file", CaCertsFile);
+ }
if (interactive) {
TString activeProfileName = profileManager->GetActiveProfileName();
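Review bot: The path is stored exactly as typed at `profile->SetValue("ca-file", CaCertsFile);`, so a relative `--ca-file` saved today is later resolved against whatever directory the CLI is started from. Because this file becomes the TLS trust anchor for every connection that uses the profile, the saved value should be an absolute path to a file that exists at save time, for example `profile->SetValue("ca-file", TFsPath(CaCertsFile).RealPath().GetPath());`. The same field is also filled from stdin by the `{"ca-file", CaCertsFile}` entry added in the `GetOptionsFromStdin` hunk, so the normalisation belongs here at the single write point. `ConfigureProfile` starts and continues outside this hunk, so I cannot see whether other file-valued settings are normalised elsewhere.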
@@ -584,7 +591,7 @@ bool TCommandProfileCommon::AnyProfileOptionInCommandLine() {
return Endpoint || Database || TokenFile ||
IamTokenFile || YcTokenFile ||
SaKeyFile || UseMetadataCredentials || User ||
- PasswordFile || IamEndpoint || AnonymousAuth;
+ PasswordFile || IamEndpoint || AnonymousAuth || CaCertsFile;
}
TCommandCreateProfile::TCommandCreateProfile()
@@ -618,6 +625,9 @@ void TCommandProfileCommon::Config(TConfig& config) {
opts.AddLongOption("iam-endpoint", "Endpoint of IAM service to refresh token in YC OAuth or YC Service account authentication modes")
.RequiredArgument("STR").StoreResult(&IamEndpoint);
}
+ opts.AddLongOption("ca-file",
+ "Path to a file containing the PEM encoding of the server root certificates for tls connections.")
+ .RequiredArgument("PATH").StoreResult(&CaCertsFile);
if (!IsStdinInteractive()) {
GetOptionsFromStdin();
}
@@ -969,6 +979,8 @@ void TCommandUpdateProfile::Config(TConfig& config) {
if (config.UseIamAuth) {
opts.AddLongOption("no-iam-endpoint", "Delete endpoint of IAM service from the profile").StoreTrue(&NoIamEndpoint);
}
+ opts.AddLongOption("no-ca-file", "Delete path to file containing the PEM encoding of the "
+ "server root certificates for tls connections from the profile").StoreTrue(&NoCaCertsFile);
}
void TCommandUpdateProfile::ValidateNoOptions() {
@@ -990,6 +1002,10 @@ void TCommandUpdateProfile::ValidateNoOptions() {
} else {
if (IamEndpoint && NoIamEndpoint) {
str << "\"--iam-endpoint\" and \"--no-iam-endpoint\"";
+ } else {
+ if (CaCertsFile && NoCaCertsFile) {
+ str << "\"--ca-file\" and \"--no-ca-file\"";
+ }
}
}
}
@@ -1011,6 +1027,9 @@ void TCommandUpdateProfile::DropNoOptions(std::shared_ptr<IProfile> profile) {
if (NoAuth) {
profile->RemoveValue("authentication");
}
+ if (NoCaCertsFile) {
+ profile->RemoveValue("ca-file");
+ }
}
void TCommandUpdateProfile::Parse(TConfig& config) {
diff --git a/ydb/public/lib/ydb_cli/commands/ydb_profile.h b/ydb/public/lib/ydb_cli/commands/ydb_profile.h
index 5e73d6c33c..9a81735c00 100644
--- a/ydb/public/lib/ydb_cli/commands/ydb_profile.h
+++ b/ydb/public/lib/ydb_cli/commands/ydb_profile.h
@@ -31,7 +31,7 @@ protected:
TConfig& config, bool interactive, bool cmdLine);
TString ProfileName, Endpoint, Database, TokenFile, YcTokenFile, SaKeyFile,
- IamTokenFile, IamEndpoint, User, PasswordFile;
+ IamTokenFile, IamEndpoint, User, PasswordFile, CaCertsFile;
bool UseMetadataCredentials = false;
bool AnonymousAuth = false;
@@ -128,6 +128,7 @@ private:
bool NoDatabase = false;
bool NoAuth = false;
bool NoIamEndpoint = false;
+ bool NoCaCertsFile = false;
};
class TCommandReplaceProfile : public TCommandProfileCommon {
diff --git a/ydb/public/lib/ydb_cli/commands/ydb_root_common.cpp b/ydb/public/lib/ydb_cli/commands/ydb_root_common.cpp
index fa0edf069b..7e25044fe5 100644
--- a/ydb/public/lib/ydb_cli/commands/ydb_root_common.cpp
+++ b/ydb/public/lib/ydb_cli/commands/ydb_root_common.cpp
@@ -251,6 +251,25 @@ void TClientCommandRootCommon::Parse(TConfig& config) {
config.VerbosityLevel = std::min(static_cast<TConfig::EVerbosityLevel>(VerbosityLevel), TConfig::EVerbosityLevel::DEBUG);
}
+void TClientCommandRootCommon::ParseCaCerts(TConfig& config) {
+ if (CaCertsFile.empty()) {
+ auto profile = Profile;
+ if (!profile) {
+ profile = ProfileManager->GetActiveProfile();
+ }
+ if (profile && profile->Has("ca-file")) {
+ CaCertsFile = profile->GetValue("ca-file").as<TString>();
+ }
+ }
+ if (!config.EnableSsl && !CaCertsFile.empty()) {
+ throw TMisuseException()
+ << "\"ca-file\" option provided for a non-ssl connection. Use grpcs:// prefix for host to connect using SSL.";
+ }
+ if (!CaCertsFile.empty()) {
+ config.CaCerts = ReadFromFile(CaCertsFile, "CA certificates");
+ }
+}
+
void TClientCommandRootCommon::ParseAddress(TConfig& config) {
TString hostname;
TString port = "2135";
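Review bot: In `ParseCaCerts`, the check `if (!config.EnableSsl && !CaCertsFile.empty())` now also fires when the path was filled in from the profile a few lines above, yet the message still says the "ca-file" option was provided. A user whose profile stores `ca-file` and who connects to a non-SSL endpoint gets an error about an option they never passed. Failing here is reasonable, but I would record the source (a local `bool fromProfile` set inside the `profile->Has("ca-file")` branch) and word that case separately, e.g. `<< "\"ca-file\" is set in the profile but the connection is not SSL; use grpcs:// or remove it from the profile with --no-ca-file."`. A short comment above the function stating the precedence (command line, then `Profile`, then the active profile) would also help, since whichever file wins becomes the TLS trust root.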
diff --git a/ydb/public/lib/ydb_cli/commands/ydb_root_common.h b/ydb/public/lib/ydb_cli/commands/ydb_root_common.h
index f1d9eb1500..4df60a5435 100644
--- a/ydb/public/lib/ydb_cli/commands/ydb_root_common.h
+++ b/ydb/public/lib/ydb_cli/commands/ydb_root_common.h
@@ -45,6 +45,7 @@ private:
void ParseProfile();
void ParseDatabase(TConfig& config);
void ParseIamEndpoint(TConfig& config);
+ void ParseCaCerts(TConfig& config) override;
TString Database;
diff --git a/ydb/public/lib/ydb_cli/common/root.h b/ydb/public/lib/ydb_cli/common/root.h
index e3ba31e411..6ccd4cce46 100644
--- a/ydb/public/lib/ydb_cli/common/root.h
+++ b/ydb/public/lib/ydb_cli/common/root.h
@@ -26,7 +26,7 @@ public:
protected:
void ParseToken(TString& token, TString& tokenFile, const TString& envName, bool useDefaultToken = false);
bool ParseProtocol(TConfig& config, TString& message);
- void ParseCaCerts(TConfig& config);
+ virtual void ParseCaCerts(TConfig& config);
virtual void ParseCredentials(TConfig& config);
virtual void ParseAddress(TConfig& config) = 0;
};
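Review bot: Making `ParseCaCerts` virtual means the override added in ydb_root_common.cpp replaces the base body entirely, and that override never calls the base version. The base body is not shown in this diff, but the override's non-SSL check and `ReadFromFile(CaCertsFile, "CA certificates")` call look like copies of it. If so, the override could resolve the profile value into `CaCertsFile` and then delegate to the base method, which keeps a single copy of the code that loads the trust anchor. The class declaration starts outside this hunk.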