From 5805c03044ae351a4a0ea0109ec294393eaba31f Mon Sep 17 00:00:00 2001
From: Anna Khmelnitsky
Date: Wed, 30 Jan 2019 18:10:16 -0800
Subject: [PATCH] NSX|P: Forbid cert operations without passthrough Admin util should validate allow_passthrough config before performing client cert operations. This is until these are implemented against policy.
Change-Id: I1b3fa3fc502a70b0a456dda2de2eb1c9f6b99eac
---
 .../admin/plugins/common/v3_common_cert.py | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/vmware_nsx/shell/admin/plugins/common/v3_common_cert.py b/vmware_nsx/shell/admin/plugins/common/v3_common_cert.py
index 55431bb33f..0f26d36043 100644
--- a/vmware_nsx/shell/admin/plugins/common/v3_common_cert.py
+++ b/vmware_nsx/shell/admin/plugins/common/v3_common_cert.py
@@ -13,6 +13,7 @@
 # under the License.
+from oslo_config import cfg
 from oslo_log import log as logging
 from neutron_lib import context
@@ -67,12 +68,21 @@ def get_certificate_manager(plugin_conf, **kwargs):
 def verify_client_cert_on(plugin_conf):
- if plugin_conf.nsx_use_client_auth:
- return True
-
- LOG.info("Operation not applicable since client authentication "
+ if not plugin_conf.nsx_use_client_auth:
+ LOG.info("Operation not applicable since client authentication "
 "is disabled")
- return False
+ return False
+
+ try:
+ if not plugin_conf.allow_passthrough:
+ LOG.info("Operation not applicable since passthrough API is "
+ "disabled")
+ return False
+ except cfg.NoSuchOptError:
+ # No such option exists - passthrough check is irrelevant
+ pass
+
+ return True
 def generate_cert(plugin_conf, **kwargs):
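Review bot: In `verify_client_cert_on`, the `except cfg.NoSuchOptError: pass` branch makes the new guard fail open without any trace: when the plugin config has no `allow_passthrough` option the function returns True, and nothing in the log shows whether the passthrough check ran or was skipped. Since this function decides whether client certificate operations go ahead, replace the bare `pass` with a record such as `LOG.debug("allow_passthrough is not defined for this plugin, skipping passthrough check")`. The `try` also wraps the `LOG.info` call and the `return False`, which do not raise `NoSuchOptError`; reading the option alone inside the `try` and testing it afterwards would keep the handler from covering unrelated lines. A one-line docstring, e.g. `"""Return True only when client cert operations are applicable for plugin_conf."""`, would state the contract that callers rely on.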