cli: add --cert-principal-map to cert list command

Remove the use of `base.Config.GetCertificateManager()` from the `cert list` implementation as a first step in limiting use of that method, and possibly removing it in the future. Fixes cockroachdb#48011 Release note (cli change): Support `list cert` with certificates which require `--cert-principal-map` to pass validation.
petermattis · May 2, 2020 · 003f7fd · 003f7fd
1 parent 283315f
commit 003f7fd
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 2 deletions.
diff --git a/pkg/cli/cert.go b/pkg/cli/cert.go
@@ -203,9 +203,12 @@ List certificates and keys found in the certificate directory.
 
 // runListCerts loads and lists all certs.
 func runListCerts(cmd *cobra.Command, args []string) error {
-	cm, err := baseCfg.GetCertificateManager()
+	if err := security.SetCertPrincipalMap(certCtx.certPrincipalMap); err != nil {
+		return err
+	}
+	cm, err := security.NewCertificateManager(baseCfg.SSLCertsDir)
 	if err != nil {
-		return errors.Wrap(err, "could not get certificate manager")
+		return errors.Wrap(err, "cannot load certificates")
 	}
 
 	fmt.Fprintf(os.Stdout, "Certificate directory: %s\n", baseCfg.SSLCertsDir)

diff --git a/pkg/cli/context.go b/pkg/cli/context.go
@@ -171,6 +171,8 @@ func initCLIDefaults() {
 
 	authCtx.validityPeriod = 1 * time.Hour
 
+	certCtx.certPrincipalMap = nil
+
 	initPreFlagsDefaults()
 
 	// Clear the "Changed" state of all the registered command-line flags.
@@ -394,3 +396,9 @@ var demoCtx struct {
 	transientCluster          *transientCluster
 	insecure                  bool
 }
+
+// certCtx captures the command-line parameters of the `cert` command.
+// Defaults set by InitCLIDefaults() above.
+var certCtx struct {
+	certPrincipalMap []string
+}
diff --git a/pkg/cli/flags.go b/pkg/cli/flags.go
@@ -442,6 +442,10 @@ func init() {
 		StringFlag(f, &baseCfg.SSLCertsDir, cliflags.CertsDir, baseCfg.SSLCertsDir)
 	}
 
+	// The list certs command needs the certificate principal map.
+	StringSlice(listCertsCmd.Flags(), &certCtx.certPrincipalMap,
+		cliflags.CertPrincipalMap, certCtx.certPrincipalMap)
+
 	for _, cmd := range []*cobra.Command{createCACertCmd, createClientCACertCmd} {
 		f := cmd.Flags()
 		// CA certificates have a longer expiration time.

diff --git a/pkg/cli/interactive_tests/test_cert_advisory_validation.tcl b/pkg/cli/interactive_tests/test_cert_advisory_validation.tcl
@@ -71,3 +71,9 @@ interrupt
 eexpect "interrupted"
 expect $prompt
 end_test
+
+start_test "Check that 'cert list' can utilize cert principal map."
+send "$argv cert list --certs-dir=$certs_dir --cert-principal-map=foo.bar:node\r"
+eexpect "Certificate directory:"
+expect $prompt
+end_test