MB-52182 Add --set-client-certificate

Reload internal client certificate (behaviour is similar to
node certificate):

couchbase-cli ssl-manage -c 127.0.0.1:9000 \
              -u Administrator \
              --set-client-certificate \
              --pkey-passphrase-settings ./settings.json

Change-Id: Ia07ebdb66de945d64b9e80acf6b504121716cc8b
Reviewed-on: https://review.couchbase.org/c/couchbase-cli/+/225210
Reviewed-by: Lubomir Marinski <lubo.marinski@couchbase.com>
Tested-by: Build Bot <build@couchbase.com>
Reviewed-by: Safian Ali <safian.ali@couchbase.com>

Author: timofey-barmin

cbmgr.py

@@ -4262,6 +4262,8 @@ def __init__(self):
                               help="Regenerate the cluster certificate and save it to a file")
         me_group.add_argument("--set-node-certificate", dest="set_cert", action="store_true",
                               default=False, help="Sets the node certificate")
+        me_group.add_argument("--set-client-certificate", dest="set_client_cert", action="store_true",
+                              default=False, help="Sets the internal client certificate")
         group.add_argument("--pkey-passphrase-settings", dest="pkey_settings", metavar="<path>",
                            help="Optional path to a JSON file containing private key passphrase settings")
         me_group.add_argument("--set-client-auth", dest="client_auth_path", metavar="<path>",
@@ -4365,9 +4367,13 @@ def val_or_unknown(ca, key):
             _exit_if_errors(errors)
             _success(f'Uploaded cluster certificate to {opts.cluster}')
         elif opts.set_cert:
-            _, errors = self.rest.set_node_certificate(_read_json_file_if_provided(opts.pkey_settings))
+            _, errors = self.rest.set_certificate(_read_json_file_if_provided(opts.pkey_settings), is_client_cert=False)
             _exit_if_errors(errors)
             _success("Node certificate set")
+        elif opts.set_client_cert:
+            _, errors = self.rest.set_certificate(_read_json_file_if_provided(opts.pkey_settings), is_client_cert=True)
+            _exit_if_errors(errors)
+            _success("Internal client certificate set")
         elif opts.client_auth_path:
             data = _exit_on_file_read_failure(opts.client_auth_path)
             try:

cluster_manager.py

@@ -2000,7 +2000,7 @@ def retrieve_node_certificate(self, node):
         url = f'{self.hostname}/pools/default/certificate/node/{node}'
         return self._get(url)
 
-    def set_node_certificate(self, pkey_settings):
+    def set_certificate(self, pkey_settings, is_client_cert=False):
         """Activates the current node certificate
 
         Grabs chain.pem and pkey.pem from the <data folder>/inbox/ directory and
@@ -2014,7 +2014,12 @@ def set_node_certificate(self, pkey_settings):
         if pkey_settings:
             params["privateKeyPassphrase"] = pkey_settings
 
-        return self._post_json(f'{self.hostname}/node/controller/reloadCertificate', params)
+        if is_client_cert:
+            endpoint = '/node/controller/reloadClientCertificate'
+        else:
+            endpoint = '/node/controller/reloadCertificate'
+
+        return self._post_json(f'{self.hostname}{endpoint}', params)
 
     def set_client_cert_auth(self, config):
         """Enable/disable the client cert auth"""

test/mock_server.py

@@ -570,6 +570,7 @@ def export_eventing_functions(rest_params=None, server_args=None, path="", endpo
     (r'/node/controller/disableUnusedExternalListeners', {'POST': do_nothing}),
     (r'/node/controller/loadTrustedCAs', {'POST': do_nothing}),
     (r'/node/controller/reloadCertificate', {'POST': do_nothing}),
+    (r'/node/controller/reloadClientCertificate', {'POST': do_nothing}),
     (r'/node/controller/setupNetConfig', {'POST': do_nothing}),
     (r'/controller/addNode$', {'POST': do_nothing}),
     (r'/controller/failOver$', {'POST': do_nothing}),

test/test_cli.py

@@ -2321,6 +2321,17 @@ def test_set_node_certificate_not_init(self):
         self.assertIn('POST:/node/controller/reloadCertificate', self.server.trace)
         self.assertIn('Node certificate set', self.str_output)
 
+    def test_set_client_certificate(self):
+        self.no_error_run(self.command + ['--set-client-certificate'], self.server_args)
+        self.assertIn('POST:/node/controller/reloadClientCertificate', self.server.trace)
+        self.assertIn('Internal client certificate set', self.str_output)
+
+    def test_set_client_certificate_not_init(self):
+        self.server_args['init'] = False
+        self.no_error_run(self.command + ['--set-client-certificate'], self.server_args)
+        self.assertIn('POST:/node/controller/reloadClientCertificate', self.server.trace)
+        self.assertIn('Internal client certificate set', self.str_output)
+
     def test_set_node_certificate_with_pkey_settings(self):
         pkey_settings_file = tempfile.NamedTemporaryFile(delete=False)
         pkey_settings_file.write(b'{"type":"plain","password":"asdf"}')