[ceph.git] / patches / 0013-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Max Carrara <m.carrara@proxmox.com>
Date: Thu, 4 Jan 2024 17:37:50 +0100
Subject: [PATCH] mgr/dashboard: remove ability to create and check TLS
 key/cert pairs

In order to avoid running into PyO3-related issues [0] with PyOpenSSL,
the ability to create self-signed certs is disabled - the command
`ceph dashboard create-self-signed-cert` is made to always return an
error.

The command's error message contains the manual steps the user may
follow in order to set the certificate themselves, as well as a link
to the Ceph Dashboard documentation regarding TLS support. [1]

Furthermore, the check on start-up, that verifies that the configured
key/cert pair actually match, is also removed. This means that users
need to ensure themselves that the correct pair is supplied -
otherwise their browser will complain.

These changes allow the dashboard to launch with TLS enabled again.

[0]: https://tracker.ceph.com/issues/63529
[1]: https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support

Signed-off-by: Max Carrara <m.carrara@proxmox.com>
---
 src/pybind/mgr/dashboard/module.py | 41 ++++++++++++++++++++----------
 1 file changed, 27 insertions(+), 14 deletions(-)

diff --git a/src/pybind/mgr/dashboard/module.py b/src/pybind/mgr/dashboard/module.py
index 68725be6e35..9db55a3ee93 100644
--- a/src/pybind/mgr/dashboard/module.py
+++ b/src/pybind/mgr/dashboard/module.py
@@ -23,8 +23,7 @@ if TYPE_CHECKING:
 
 from mgr_module import CLIReadCommand, CLIWriteCommand, HandleCommandResult, \
     MgrModule, MgrStandbyModule, NotifyType, Option, _get_localized_key
-from mgr_util import ServerConfigException, build_url, \
-    create_self_signed_cert, get_default_addr, verify_tls_files
+from mgr_util import ServerConfigException, build_url, get_default_addr
 
 from . import mgr
 from .controllers import Router, json_error_page
@@ -172,11 +171,14 @@ class CherryPyConfig(object):
             else:
                 pkey_fname = self.get_localized_module_option('key_file')  # type: ignore
 
-            verify_tls_files(cert_fname, pkey_fname)
-
             # Create custom SSL context to disable TLS 1.0 and 1.1.
             context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-            context.load_cert_chain(cert_fname, pkey_fname)
+
+            try:
+                context.load_cert_chain(cert_fname, pkey_fname)
+            except ssl.SSLError:
+                raise ServerConfigException("No certificate configured")
+
             if sys.version_info >= (3, 7):
                 if Settings.UNSAFE_TLS_v1_2:
                     context.minimum_version = ssl.TLSVersion.TLSv1_2
@@ -473,15 +475,26 @@ class Module(MgrModule, CherryPyConfig):
 
     @CLIWriteCommand("dashboard create-self-signed-cert")
     def set_mgr_created_self_signed_cert(self):
-        cert, pkey = create_self_signed_cert('IT', 'ceph-dashboard')
-        result = HandleCommandResult(*self.set_ssl_certificate(inbuf=cert))
-        if result.retval != 0:
-            return result
-
-        result = HandleCommandResult(*self.set_ssl_certificate_key(inbuf=pkey))
-        if result.retval != 0:
-            return result
-        return 0, 'Self-signed certificate created', ''
+        from textwrap import dedent
+
+        err = """
+        Creating self-signed certificates is currently not available.
+        However, you can still set a key and certificate pair manually:
+
+        1. Generate a private key and self-signed certificate:
+          # openssl req -newkey rsa:2048 -nodes -x509 \\
+          -keyout /root/dashboard-key.pem -out /root/dashboard-cert.pem -sha512 \\
+          -days 3650 -subj "/CN=IT/O=ceph-mgr-dashboard" -utf8
+
+        2. Set the corresponding config keys for the key/cert pair:
+          # ceph config-key set mgr/dashboard/key -i /root/dashboard-key.pem
+          # ceph config-key set mgr/dashboard/crt -i /root/dashboard-crt.pem
+
+        For more information on how to configure TLS for the dashboard, visit:
+        https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support
+        """
+
+        return -errno.ENOTSUP, '', dedent(err).strip()
 
     @CLIWriteCommand("dashboard set-rgw-credentials")
     def set_rgw_credentials(self):
-- 
2.39.2
Commit	Line	Data
86a553d6 MC	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Max Carrara <m.carrara@proxmox.com>
	3	Date: Thu, 4 Jan 2024 17:37:50 +0100
	4	Subject: [PATCH] mgr/dashboard: remove ability to create and check TLS
	5	key/cert pairs
	6
	7	In order to avoid running into PyO3-related issues [0] with PyOpenSSL,
	8	the ability to create self-signed certs is disabled - the command
	9	`ceph dashboard create-self-signed-cert` is made to always return an
	10	error.
	11
	12	The command's error message contains the manual steps the user may
	13	follow in order to set the certificate themselves, as well as a link
	14	to the Ceph Dashboard documentation regarding TLS support. [1]
	15
	16	Furthermore, the check on start-up, that verifies that the configured
	17	key/cert pair actually match, is also removed. This means that users
	18	need to ensure themselves that the correct pair is supplied -
	19	otherwise their browser will complain.
	20
	21	These changes allow the dashboard to launch with TLS enabled again.
	22
	23	[0]: https://tracker.ceph.com/issues/63529
	24	[1]: https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support
	25
	26	Signed-off-by: Max Carrara <m.carrara@proxmox.com>
	27	---
	28	src/pybind/mgr/dashboard/module.py \| 41 ++++++++++++++++++++----------
	29	1 file changed, 27 insertions(+), 14 deletions(-)
	30
	31	diff --git a/src/pybind/mgr/dashboard/module.py b/src/pybind/mgr/dashboard/module.py
	32	index 68725be6e35..9db55a3ee93 100644
	33	--- a/src/pybind/mgr/dashboard/module.py
	34	+++ b/src/pybind/mgr/dashboard/module.py
	35	@@ -23,8 +23,7 @@ if TYPE_CHECKING:
	36
	37	from mgr_module import CLIReadCommand, CLIWriteCommand, HandleCommandResult, \
	38	MgrModule, MgrStandbyModule, NotifyType, Option, _get_localized_key
	39	-from mgr_util import ServerConfigException, build_url, \
	40	- create_self_signed_cert, get_default_addr, verify_tls_files
	41	+from mgr_util import ServerConfigException, build_url, get_default_addr
	42
	43	from . import mgr
	44	from .controllers import Router, json_error_page
	45	@@ -172,11 +171,14 @@ class CherryPyConfig(object):
	46	else:
	47	pkey_fname = self.get_localized_module_option('key_file') # type: ignore
	48
	49	- verify_tls_files(cert_fname, pkey_fname)
	50	-
	51	# Create custom SSL context to disable TLS 1.0 and 1.1.
	52	context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
	53	- context.load_cert_chain(cert_fname, pkey_fname)
	54	+
	55	+ try:
	56	+ context.load_cert_chain(cert_fname, pkey_fname)
	57	+ except ssl.SSLError:
	58	+ raise ServerConfigException("No certificate configured")
	59	+
	60	if sys.version_info >= (3, 7):
	61	if Settings.UNSAFE_TLS_v1_2:
	62	context.minimum_version = ssl.TLSVersion.TLSv1_2
	63	@@ -473,15 +475,26 @@ class Module(MgrModule, CherryPyConfig):
	64
65	@CLIWriteCommand("dashboard create-self-signed-cert")
66	def set_mgr_created_self_signed_cert(self):
67	- cert, pkey = create_self_signed_cert('IT', 'ceph-dashboard')
68	- result = HandleCommandResult(*self.set_ssl_certificate(inbuf=cert))
69	- if result.retval != 0:
70	- return result
71	-
72	- result = HandleCommandResult(*self.set_ssl_certificate_key(inbuf=pkey))
73	- if result.retval != 0:
74	- return result
75	- return 0, 'Self-signed certificate created', ''
76	+ from textwrap import dedent
77	+
78	+ err = """
79	+ Creating self-signed certificates is currently not available.
80	+ However, you can still set a key and certificate pair manually:
81	+
82	+ 1. Generate a private key and self-signed certificate:
83	+ # openssl req -newkey rsa:2048 -nodes -x509 \\
84	+ -keyout /root/dashboard-key.pem -out /root/dashboard-cert.pem -sha512 \\
85	+ -days 3650 -subj "/CN=IT/O=ceph-mgr-dashboard" -utf8
86	+
87	+ 2. Set the corresponding config keys for the key/cert pair:
88	+ # ceph config-key set mgr/dashboard/key -i /root/dashboard-key.pem
89	+ # ceph config-key set mgr/dashboard/crt -i /root/dashboard-crt.pem
90	+
91	+ For more information on how to configure TLS for the dashboard, visit:
92	+ https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support
93	+ """
94	+
95	+ return -errno.ENOTSUP, '', dedent(err).strip()
96
97	@CLIWriteCommand("dashboard set-rgw-credentials")
98	def set_rgw_credentials(self):
99	--
100	2.39.2
101