#6: Added support for fetching trusted CAs from clusters.

couchbaselabs · Nov 2, 2023 · a1c34cd · a1c34cd
1 parent 2a61628
commit a1c34cd
Show file tree

Hide file tree

Showing 8 changed files with 132 additions and 1 deletion.
diff --git a/cmd/certificates-getca.go b/cmd/certificates-getca.go
@@ -0,0 +1,32 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"go.uber.org/zap"
+)
+
+var certificatesGetCaCmd = &cobra.Command{
+	Use:   "get-ca",
+	Short: "Fetches the CA certificate",
+	Args:  cobra.MinimumNArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		helper := CmdHelper{}
+		logger := helper.GetLogger()
+		ctx := helper.GetContext()
+
+		_, deployer, cluster := helper.IdentifyCluster(ctx, args[0])
+
+		cert, err := deployer.GetCertificate(ctx, cluster.GetID())
+		if err != nil {
+			logger.Fatal("failed to get certificate", zap.Error(err))
+		}
+
+		fmt.Printf("%s\n", cert)
+	},
+}
+
+func init() {
+	certificatesCmd.AddCommand(certificatesGetCaCmd)
+}
diff --git a/cmd/certificates.go b/cmd/certificates.go
@@ -0,0 +1,15 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var certificatesCmd = &cobra.Command{
+	Use:   "certificates",
+	Short: "Provides access to tools related to Couchbase Cloud certificates",
+	Run:   nil,
+}
+
+func init() {
+	rootCmd.AddCommand(certificatesCmd)
+}
diff --git a/deployment/clouddeploy/deployer.go b/deployment/clouddeploy/deployer.go
@@ -926,7 +926,7 @@ func (p *Deployer) ListUsers(ctx context.Context, clusterID string) ([]deploymen
 	for _, user := range resp.Data {
 		canRead := false
 		canWrite := false
-		for permName, _ := range user.Data.Permissions {
+		for permName := range user.Data.Permissions {
 			if permName == "data_writer" {
 				canWrite = true
 			} else if permName == "data_reader" {
@@ -1071,3 +1071,19 @@ func (p *Deployer) DeleteBucket(ctx context.Context, clusterID string, bucketNam
 
 	return nil
 }
+
+func (p *Deployer) GetCertificate(ctx context.Context, clusterID string) (string, error) {
+	clusterInfo, err := p.getCluster(ctx, clusterID)
+	if err != nil {
+		return "", err
+	}
+
+	resp, err := p.mgr.Client.GetTrustedCAs(ctx, clusterInfo.Cluster.Id)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to get trusted CAs")
+	}
+
+	lastCert := (*resp)[len(*resp)-1]
+
+	return strings.TrimSpace(lastCert.Pem), nil
+}
diff --git a/deployment/deployer.go b/deployment/deployer.go
@@ -64,4 +64,5 @@ type Deployer interface {
 	ListBuckets(ctx context.Context, clusterID string) ([]BucketInfo, error)
 	CreateBucket(ctx context.Context, clusterID string, opts *CreateBucketOptions) error
 	DeleteBucket(ctx context.Context, clusterID string, bucketName string) error
+	GetCertificate(ctx context.Context, clusterID string) (string, error)
 }
diff --git a/deployment/dockerdeploy/deployer.go b/deployment/dockerdeploy/deployer.go
@@ -848,3 +848,19 @@ func (d *Deployer) DeleteBucket(ctx context.Context, clusterID string, bucketNam
 
 	return nil
 }
+
+func (d *Deployer) GetCertificate(ctx context.Context, clusterID string) (string, error) {
+	controller, err := d.getController(ctx, clusterID)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to get cluster controller")
+	}
+
+	resp, err := controller.Controller().GetTrustedCAs(ctx)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to get trusted CAs")
+	}
+
+	lastCert := (*resp)[len(*resp)-1]
+
+	return strings.TrimSpace(lastCert.Pem), nil
+}
diff --git a/deployment/localdeploy/deployer.go b/deployment/localdeploy/deployer.go
@@ -125,3 +125,7 @@ func (d *Deployer) CreateBucket(ctx context.Context, clusterID string, opts *dep
 func (d *Deployer) DeleteBucket(ctx context.Context, clusterID string, bucketName string) error {
 	return errors.New("localdeploy does not support user management")
 }
+
+func (p *Deployer) GetCertificate(ctx context.Context, clusterID string) (string, error) {
+	return "", errors.New("localdeploy does not support getting the CA certificate")
+}
diff --git a/utils/capellacontrol/controller.go b/utils/capellacontrol/controller.go
@@ -1082,3 +1082,28 @@ func (c *Controller) DeleteBucket(
 
 	return nil
 }
+
+type GetTrustedCAsResponse []GetTrustedCAsResponse_Certificate
+
+type GetTrustedCAsResponse_Certificate struct {
+	ID        int    `json:"id"`
+	Subject   string `json:"subject"`
+	NotBefore string `json:"notBefore"`
+	NotAfter  string `json:"notAfter"`
+	Pem       string `json:"pem"`
+}
+
+func (c *Controller) GetTrustedCAs(
+	ctx context.Context,
+	clusterID string,
+) (*GetTrustedCAsResponse, error) {
+	resp := &GetTrustedCAsResponse{}
+
+	path := fmt.Sprintf("/v2/databases/%s/proxy/pools/default/trustedCAs", clusterID)
+	err := c.doBasicReq(ctx, false, "GET", path, nil, &resp)
+	if err != nil {
+		return nil, err
+	}
+
+	return resp, err
+}
diff --git a/utils/clustercontrol/controller.go b/utils/clustercontrol/controller.go
@@ -490,3 +490,25 @@ func (c *Controller) DeleteBucket(ctx context.Context, bucketName string) error
 
 	return nil
 }
+
+type GetTrustedCAsResponse []GetTrustedCAsResponse_Certificate
+
+type GetTrustedCAsResponse_Certificate struct {
+	ID        int    `json:"id"`
+	Subject   string `json:"subject"`
+	NotBefore string `json:"notBefore"`
+	NotAfter  string `json:"notAfter"`
+	Pem       string `json:"pem"`
+}
+
+func (c *Controller) GetTrustedCAs(ctx context.Context) (*GetTrustedCAsResponse, error) {
+	resp := &GetTrustedCAsResponse{}
+
+	path := "/pools/default/trustedCAs"
+	err := c.doGet(ctx, path, &resp)
+	if err != nil {
+		return nil, err
+	}
+
+	return resp, nil
+}