Introduce new methods for custom uefi certs

benjamreis · benjamreis · commit 06adb4b12e3b · 2023-11-20T10:43:50.000+01:00
- `Pool.set/get_custom_uefi_certificates`
- `Pool/Host.set_uefi_certificates` deprecated
- `Pool.get_uefi_certificates` return the certificates used by the pool

Signed-off-by: BenjiReis &lt;benjamin.reis@vates.fr&gt;
diff --git a/ocaml/idl/datamodel_pool.ml b/ocaml/idl/datamodel_pool.ml
@@ -1024,10 +1024,31 @@ let disable_repository_proxy =
     ~allowed_roles:(_R_POOL_OP ++ _R_CLIENT_CERT)
     ()
 
+let get_uefi_certificates =
+  call ~name:"get_uefi_certificates"
+    ~lifecycle:[]
+    ~doc:"Gets the UEFI certificates used by a pool and all its hosts."
+    ~params:[(Ref _pool, "self", "The pool")]
+    ~allowed_roles:_R_POOL_ADMIN ()
+    ~result:(String, "The pool's UEFI certificates")
+
 let set_uefi_certificates =
   call ~name:"set_uefi_certificates"
     ~lifecycle:[(Published, "22.16.0", "")]
-    ~doc:"Sets the UEFI certificates for a pool and all its hosts"
+    ~doc:
+      "Sets the UEFI certificates for a pool and all its hosts. Deprecated: \
+       use set_custom_uefi_certificates instead"
+    ~params:
+      [
+        (Ref _pool, "self", "The pool")
+      ; (String, "value", "The certificates to apply to the pool and its hosts")
+      ]
+    ~allowed_roles:_R_POOL_ADMIN ()
+
+let set_custom_uefi_certificates =
+  call ~name:"set_custom_uefi_certificates"
+    ~lifecycle:[(Published, "0.0.0", "")]
+    ~doc:"Sets custom UEFI certificates for a pool and all its hosts"
     ~params:
       [
         (Ref _pool, "self", "The pool")
@@ -1193,7 +1214,9 @@ let t =
       ; disable_client_certificate_auth
       ; configure_repository_proxy
       ; disable_repository_proxy
+      ; get_uefi_certificates
       ; set_uefi_certificates
+      ; set_custom_uefi_certificates
       ; set_https_only
       ; set_telemetry_next_collection
       ; reset_telemetry_uuid
@@ -1382,6 +1405,10 @@ let t =
               ]
             ~default_value:(Some (VString "")) "uefi_certificates"
             "The UEFI certificates allowing Secure Boot"
+        ; field ~qualifier:StaticRO ~ty:String
+            ~lifecycle:[]
+            ~default_value:(Some (VString "")) "custom_uefi_certificates"
+            "Custom UEFI certificates allowing Secure Boot"
         ; field ~in_product_since:rel_stockholm_psr ~qualifier:RW ~ty:Bool
             ~default_value:(Some (VBool false)) "is_psr_pending"
             "True if either a PSR is running or we are waiting for a PSR to be \
diff --git a/ocaml/idl/schematest.ml b/ocaml/idl/schematest.ml
@@ -2,7 +2,7 @@ let hash x = Digest.string x |> Digest.to_hex
 
 (* BEWARE: if this changes, check that schema has been bumped accordingly in
    ocaml/idl/datamodel_common.ml, usually schema_minor_vsn *)
-let last_known_schema_hash = "95077aed35b715c362c7cf98902de578"
+let last_known_schema_hash = "153e7b9b01531b10d3babe0b1a8d7770"
 
 let current_schema_hash : string =
   let open Datamodel_types in
diff --git a/ocaml/tests/common/test_common.ml b/ocaml/tests/common/test_common.ml
@@ -287,8 +287,8 @@ let make_pool ~__context ~master ?(name_label = "") ?(name_description = "")
     ?(ha_cluster_stack = !Xapi_globs.cluster_stack_default)
     ?(guest_agent_config = []) ?(cpu_info = [])
     ?(policy_no_vendor_device = false) ?(live_patching_disabled = false)
-    ?(uefi_certificates = "") ?(repositories = [])
-    ?(client_certificate_auth_enabled = false)
+    ?(uefi_certificates = "") ?(custom_uefi_certificates = "")
+    ?(repositories = []) ?(client_certificate_auth_enabled = false)
     ?(client_certificate_auth_name = "") ?(repository_proxy_url = "")
     ?(repository_proxy_username = "") ?(repository_proxy_password = Ref.null)
     ?(migration_compression = false) ?(coordinator_bias = true)
@@ -306,8 +306,8 @@ let make_pool ~__context ~master ?(name_label = "") ?(name_description = "")
     ~vswitch_controller ~igmp_snooping_enabled ~current_operations
     ~allowed_operations ~restrictions ~other_config ~ha_cluster_stack
     ~guest_agent_config ~cpu_info ~policy_no_vendor_device
-    ~live_patching_disabled ~uefi_certificates ~is_psr_pending:false
-    ~tls_verification_enabled:false ~repositories
+    ~live_patching_disabled ~uefi_certificates ~custom_uefi_certificates
+    ~is_psr_pending:false ~tls_verification_enabled:false ~repositories
     ~client_certificate_auth_enabled ~client_certificate_auth_name
     ~repository_proxy_url ~repository_proxy_username ~repository_proxy_password
     ~migration_compression ~coordinator_bias ~telemetry_uuid
diff --git a/ocaml/xapi/dbsync_master.ml b/ocaml/xapi/dbsync_master.ml
@@ -42,7 +42,7 @@ let create_pool_record ~__context =
       ~other_config:[Xapi_globs.memory_ratio_hvm; Xapi_globs.memory_ratio_pv]
       ~ha_cluster_stack:"xhad" ~guest_agent_config:[] ~cpu_info:[]
       ~policy_no_vendor_device:false ~live_patching_disabled:false
-      ~uefi_certificates:"" ~is_psr_pending:false
+      ~uefi_certificates:"" ~custom_uefi_certificates:"" ~is_psr_pending:false
       ~tls_verification_enabled:false ~repositories:[]
       ~client_certificate_auth_enabled:false ~client_certificate_auth_name:""
       ~repository_proxy_url:"" ~repository_proxy_username:""
diff --git a/ocaml/xapi/message_forwarding.ml b/ocaml/xapi/message_forwarding.ml
@@ -1093,12 +1093,22 @@ functor
           (pool_uuid ~__context self) ;
         Local.Pool.disable_repository_proxy ~__context ~self
 
+      let get_uefi_certificates ~__context ~self =
+        info "Pool.get_uefi_certificates: pool='%s'" (pool_uuid ~__context self) ;
+        Local.Pool.get_uefi_certificates ~__context ~self
+
       let set_uefi_certificates ~__context ~self ~value =
         info "Pool.set_uefi_certificates: pool='%s' value='%s'"
           (pool_uuid ~__context self)
           value ;
         Local.Pool.set_uefi_certificates ~__context ~self ~value
 
+      let set_custom_uefi_certificates ~__context ~self ~value =
+        info "Pool.set_custom_uefi_certificates: pool='%s' value='%s'"
+          (pool_uuid ~__context self)
+          value ;
+        Local.Pool.set_custom_uefi_certificates ~__context ~self ~value
+
       let set_https_only ~__context ~self ~value =
         info "Pool.set_https_only: pool='%s' value='%B'"
           (pool_uuid ~__context self)
diff --git a/ocaml/xapi/xapi_host.ml b/ocaml/xapi/xapi_host.ml
@@ -2795,24 +2795,18 @@ let write_uefi_certificates_to_disk ~__context ~host =
       let@ path = with_empty_dir !Xapi_globs.varstore_dir in
       (* get from pool for consistent results across hosts *)
       let pool_uefi_certs =
-        Db.Pool.get_uefi_certificates ~__context
+        Db.Pool.get_custom_uefi_certificates ~__context
           ~self:(Helpers.get_pool ~__context)
       in
       really_write_uefi_certificates_to_disk ~__context ~host
         ~value:pool_uefi_certs ;
       check_valid_uefi_certs_in path
 
 let set_uefi_certificates ~__context ~host ~value =
-  match !Xapi_globs.allow_custom_uefi_certs with
-  | false ->
-      raise Api_errors.(Server_error (Api_errors.operation_not_allowed, [""]))
-  | true ->
-      Db.Host.set_uefi_certificates ~__context ~self:host ~value ;
-      Helpers.call_api_functions ~__context (fun rpc session_id ->
-          Client.Client.Pool.set_uefi_certificates ~rpc ~session_id
-            ~self:(Helpers.get_pool ~__context)
-            ~value
-      )
+  let msg =
+    "To set UEFI certificates use: `Pool.set_custom_uefi_certificates`"
+  in
+  raise Api_errors.(Server_error (Api_errors.operation_not_allowed, [msg]))
 
 let set_iscsi_iqn ~__context ~host ~value =
   if value = "" then
diff --git a/ocaml/xapi/xapi_pool.ml b/ocaml/xapi/xapi_pool.ml
@@ -3567,7 +3567,22 @@ let disable_repository_proxy ~__context ~self =
         Db.Secret.destroy ~__context ~self:old_secret_ref
     )
 
+let get_uefi_certificates ~__context ~self =
+  let custom_certs = Db.Pool.get_custom_uefi_certificates ~__context ~self in
+  match (!Xapi_globs.allow_custom_uefi_certs, custom_certs) with
+  | false, _ | true, "" ->
+      Db.Pool.get_uefi_certificates ~__context ~self
+  | true, _ ->
+      custom_certs
+
 let set_uefi_certificates ~__context ~self ~value =
+  let msg =
+    "Setting UEFI certificates is depreacted, please use \
+     `set_custom_uefi_certificates`"
+  in
+  raise Api_errors.(Server_error (operation_not_allowed, [msg]))
+
+let set_custom_uefi_certificates ~__context ~self ~value =
   match !Xapi_globs.allow_custom_uefi_certs with
   | false ->
       let msg =
@@ -3576,7 +3591,7 @@ let set_uefi_certificates ~__context ~self ~value =
       in
       raise Api_errors.(Server_error (operation_not_allowed, [msg]))
   | true ->
-      Db.Pool.set_uefi_certificates ~__context ~self ~value ;
+      Db.Pool.set_custom_uefi_certificates ~__context ~self ~value ;
       Helpers.call_api_functions ~__context (fun rpc session_id ->
           List.iter
             (fun host ->
diff --git a/ocaml/xapi/xapi_pool.mli b/ocaml/xapi/xapi_pool.mli
@@ -385,9 +385,14 @@ val configure_repository_proxy :
 
 val disable_repository_proxy : __context:Context.t -> self:API.ref_pool -> unit
 
+val get_uefi_certificates : __context:Context.t -> self:API.ref_pool -> string
+
 val set_uefi_certificates :
   __context:Context.t -> self:API.ref_pool -> value:string -> unit
 
+val set_custom_uefi_certificates :
+  __context:Context.t -> self:API.ref_pool -> value:string -> unit
+
 val set_https_only :
   __context:Context.t -> self:API.ref_pool -> value:bool -> unit
 
