From cec98a8f900288ed2fee787960fbcdb61950c524 Mon Sep 17 00:00:00 2001 From: Ricardo Marques Date: Thu, 28 Nov 2019 22:45:42 +0000 Subject: [PATCH] mgr/dashboard: Invalid SSO configuration when certificate path does not exist Fixes: https://tracker.ceph.com/issues/43060 Signed-off-by: Ricardo Marques --- doc/mgr/dashboard.rst | 2 +- src/pybind/mgr/dashboard/services/sso.py | 24 ++++++++++++++---------- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/doc/mgr/dashboard.rst b/doc/mgr/dashboard.rst index d004f3d70fc..3868fc82d06 100644 --- a/doc/mgr/dashboard.rst +++ b/doc/mgr/dashboard.rst @@ -460,7 +460,7 @@ Parameters: * ****: URL to remote (`http://`, `https://`) or local (`file://`) path or content of the IdP metadata XML (e.g., `https://myidp/metadata`, `file:///home/myuser/metadata.xml`). * **** *(optional)*: Attribute that should be used to get the username from the authentication response. Defaults to `uid`. * **** *(optional)*: Use this when more than one entity id exists on the IdP metadata. -* ** / ** *(optional)*: File path or content of the certificate that should be used by Ceph Dashboard (Service Provider) for signing and encryption. +* ** / ** *(optional)*: File path of the certificate that should be used by Ceph Dashboard (Service Provider) for signing and encryption. .. note:: The issuer value of SAML requests will follow this pattern: ****/auth/saml2/metadata diff --git a/src/pybind/mgr/dashboard/services/sso.py b/src/pybind/mgr/dashboard/services/sso.py index 00fd61c141d..16a70ed4946 100644 --- a/src/pybind/mgr/dashboard/services/sso.py +++ b/src/pybind/mgr/dashboard/services/sso.py 
@@ -122,8 +122,8 @@ SSO_COMMANDS = [
 'name=idp_metadata,type=CephString '
 'name=idp_username_attribute,type=CephString,req=false '
 'name=idp_entity_id,type=CephString,req=false '
- 'name=sp_x_509_cert,type=CephString,req=false '
- 'name=sp_private_key,type=CephString,req=false',
+ 'name=sp_x_509_cert,type=CephFilepath,req=false '
+ 'name=sp_private_key,type=CephFilepath,req=false',
 'desc': 'Setup SAML2 Single Sign-On',
 'perm': 'w'
 }
@@ -184,15 +184,19 @@ def handle_sso_command(cmd):
 if not sp_x_509_cert_path and sp_private_key_path:
 return -errno.EINVAL, '', 'Missing parameter `sp_x_509_cert`.'
 has_sp_cert = sp_x_509_cert_path != "" and sp_private_key_path != ""
- try:
- with open(sp_x_509_cert_path, 'r') as f:
- sp_x_509_cert = f.read()
- except FileNotFoundError:
+ if has_sp_cert:
+ try:
+ with open(sp_x_509_cert_path, 'r') as f:
+ sp_x_509_cert = f.read()
+ except FileNotFoundError:
+ return -errno.EINVAL, '', '`{}` not found.'.format(sp_x_509_cert_path)
+ try:
+ with open(sp_private_key_path, 'r') as f:
+ sp_private_key = f.read()
+ except FileNotFoundError:
+ return -errno.EINVAL, '', '`{}` not found.'.format(sp_private_key_path)
+ else:
 sp_x_509_cert = ''
- try:
- with open(sp_private_key_path, 'r') as f:
- sp_private_key = f.read()
- except FileNotFoundError:
 sp_private_key = ''

 if os.path.isfile(idp_metadata):
-- 
2.39.5
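Review bot: Both `except FileNotFoundError:` clauses added in the `@@ -184,15 +184,19 @@` hunk reject only a missing path. A certificate or key path that exists but is unreadable, is a directory, or holds non-text data (for example a DER file) would still raise PermissionError, IsADirectoryError or UnicodeDecodeError out of the command handler instead of returning EINVAL. Widening both clauses to `except (OSError, UnicodeDecodeError) as e:` and returning an EINVAL message that names the path and includes `e` would keep the failure reporting uniform. Because the two paths come from the command caller and are read with the manager's own privileges, a short comment here should also say whether the content is checked to be a PEM certificate and key before it is stored. The body of handle_sso_command starts and ends outside this hunk, so any such check is not visible here.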