From c31f3e289b8355dce48fd2406068e21c5cc7fa2e Mon Sep 17 00:00:00 2001
From: Liam Young <liam.young@canonical.com>
Date: Tue, 23 Oct 2018 15:19:17 +0000
Subject: [PATCH] Correct check for b64 encoding

The previous fix for Bug #1798066 assumed that b64 decoding a
PEM certificate would throw an exception. This is not true as
PEM certs are b64 encoded. This fix explicitly checks for the
'BEGIN CERTIFICATE' string to check if the supplied ssl_ca
value is encoded or not.

Change-Id: I4fbdb0c2f768f2641b8fb3b43a4f94f2748484c0
---
 hooks/ssl_utils.py           |  9 +++------
 unit_tests/test_ssl_utils.py | 29 +++++++++++++++++++++++++++--
 2 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/hooks/ssl_utils.py b/hooks/ssl_utils.py
index 553a47e9..a5e79e48 100644
--- a/hooks/ssl_utils.py
+++ b/hooks/ssl_utils.py
@@ -23,7 +23,6 @@ from charmhelpers.core.hookenv import (
 )
 
 import base64
-import binascii
 
 
 def get_ssl_mode():
@@ -54,12 +53,10 @@ def configure_client_ssl(relation_data):
     relation_data['ssl_port'] = config('ssl_port')
     if external_ca:
         if config('ssl_ca'):
-            try:
-                base64.decodestring(config('ssl_ca'))
-                # No need to encode it, it is already encoded.
-                ssl_ca_encoded = config('ssl_ca')
-            except binascii.Error:
+            if "BEGIN CERTIFICATE" in config('ssl_ca'):
                 ssl_ca_encoded = base64.b64encode(config('ssl_ca'))
+            else:
+                ssl_ca_encoded = config('ssl_ca')
             relation_data['ssl_ca'] = ssl_ca_encoded
         return
     ca = ServiceCA.get_ca()
diff --git a/unit_tests/test_ssl_utils.py b/unit_tests/test_ssl_utils.py
index 65ecd571..07c1f99f 100644
--- a/unit_tests/test_ssl_utils.py
+++ b/unit_tests/test_ssl_utils.py
@@ -22,6 +22,30 @@ TO_PATCH = [
     'config',
 ]
 
+TEST_CA = """-----BEGIN CERTIFICATE-----
+MIIDbTCCAlWgAwIBAgIURtdGGKKjckiLPLue8Wn/sCS5u+QwDQYJKoZIhvcNAQEL
+BQAwPTE7MDkGA1UEAxMyVmF1bHQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkg
+KGNoYXJtLXBraS1sb2NhbCkwIBgPMDAwMTAxMDEwMDAwMDBaFw0xODExMjQxMzQx
+MjdaMD0xOzA5BgNVBAMTMlZhdWx0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
+IChjaGFybS1wa2ktbG9jYWwpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwUEg8XFO2GzI19aNAfH8KeBsLvpYTX4nNREEGLMkl7qfqO+rcwNmN/60UxSu
+Hbsqfjv6B6kWD6dd1/OvveYjxqPA97OqO5LOUE43ojzUkxai5GeF5fvu3QGIR7iZ
+a9PEDFjFKeCdwyKLoIHNdXw1TM0sQmWM7sSiMhCfrpeZEe+En+KZQugo+BiLrhKA
+yZTIkEP5+6r/Nrxfkx2/Kklrq8LOyLfH91LbmJEVEKQNloCYphZYwB7n9GPvKlGv
+pvPuJc7wEkmtCMp0dNjo3MZ0ij1SIN6Ntx8DqhPJ8QKvNDogVmeEGpQFBcrzfkol
+LMXPBpX2Qx6dPqLGHCbWQDnvewIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYD
+VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUc1rh2BEHSQJ0qxhPTDQKRJg2AGEwHwYD
+VR0jBBgwFoAUc1rh2BEHSQJ0qxhPTDQKRJg2AGEwDQYJKoZIhvcNAQELBQADggEB
+ABZvreticW5UuoQS7NAVICCvh5FwgrkC5tnHX3p8TOhMIpJTgrKhedJZKzLc254g
+/jAsb7q775IcMOhS2vFJSQd6rV0cMNCdFjk0sTTe01OXoJj2fN3MMbEEGfs6crwk
+TKiXEJ9XYc04Ul4b8XJ0d5hYejr5IF9leJ2JJMiGTJFGU1Oi8Lctj7qyX0nlo+x5
+Xhj8BbsJsbUGoA+bXvCOO88voyOZoRGCg1JFztbpgIAV6k64DJ7xp9tNDhZJj0Uo
+2MDrWbfUYFWMiD5L0d5MjeX7aGIPhJsMund1zFHr1ho64OdCJ1zDmtk4UYzZ0deE
+5nLA3FXh+snaEpmpl7X9Xus=
+-----END CERTIFICATE-----"""
+
+B64_TEST_CA = """LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURiVENDQWxXZ0F3SUJBZ0lVUnRkR0dLS2pja2lMUEx1ZThXbi9zQ1M1dStRd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1BURTdNRGtHQTFVRUF4TXlWbUYxYkhRZ1VtOXZkQ0JEWlhKMGFXWnBZMkYwWlNCQmRYUm9iM0pwZEhrZwpLR05vWVhKdExYQnJhUzFzYjJOaGJDa3dJQmdQTURBd01UQXhNREV3TURBd01EQmFGdzB4T0RFeE1qUXhNelF4Ck1qZGFNRDB4T3pBNUJnTlZCQU1UTWxaaGRXeDBJRkp2YjNRZ1EyVnlkR2xtYVdOaGRHVWdRWFYwYUc5eWFYUjUKSUNoamFHRnliUzF3YTJrdGJHOWpZV3dwTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQwpBUUVBd1VFZzhYRk8yR3pJMTlhTkFmSDhLZUJzTHZwWVRYNG5OUkVFR0xNa2w3cWZxTytyY3dObU4vNjBVeFN1Ckhic3FmanY2QjZrV0Q2ZGQxL092dmVZanhxUEE5N09xTzVMT1VFNDNvanpVa3hhaTVHZUY1ZnZ1M1FHSVI3aVoKYTlQRURGakZLZUNkd3lLTG9JSE5kWHcxVE0wc1FtV003c1NpTWhDZnJwZVpFZStFbitLWlF1Z28rQmlMcmhLQQp5WlRJa0VQNSs2ci9Ocnhma3gyL0trbHJxOExPeUxmSDkxTGJtSkVWRUtRTmxvQ1lwaFpZd0I3bjlHUHZLbEd2CnB2UHVKYzd3RWttdENNcDBkTmpvM01aMGlqMVNJTjZOdHg4RHFoUEo4UUt2TkRvZ1ZtZUVHcFFGQmNyemZrb2wKTE1YUEJwWDJReDZkUHFMR0hDYldRRG52ZXdJREFRQUJvMk13WVRBT0JnTlZIUThCQWY4RUJBTUNBUVl3RHdZRApWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVWMxcmgyQkVIU1FKMHF4aFBURFFLUkpnMkFHRXdId1lEClZSMGpCQmd3Rm9BVWMxcmgyQkVIU1FKMHF4aFBURFFLUkpnMkFHRXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUIKQUJadnJldGljVzVVdW9RUzdOQVZJQ0N2aDVGd2dya0M1dG5IWDNwOFRPaE1JcEpUZ3JLaGVkSlpLekxjMjU0ZwovakFzYjdxNzc1SWNNT2hTMnZGSlNRZDZyVjBjTU5DZEZqazBzVFRlMDFPWG9KajJmTjNNTWJFRUdmczZjcndrClRLaVhFSjlYWWMwNFVsNGI4WEowZDVoWWVqcjVJRjlsZUoySkpNaUdUSkZHVTFPaThMY3RqN3F5WDBubG8reDUKWGhqOEJic0pzYlVHb0ErYlh2Q09PODh2b3lPWm9SR0NnMUpGenRicGdJQVY2azY0REo3eHA5dE5EaFpKajBVbwoyTURyV2JmVVlGV01pRDVMMGQ1TWplWDdhR0lQaEpzTXVuZDF6RkhyMWhvNjRPZENKMXpEbXRrNFVZelowZGVFCjVuTEEzRlhoK3NuYUVwbXBsN1g5WHVzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t"""  # noqa: E501
+
 
 class TestSSLUtils(CharmTestCase):
 
@@ -102,13 +126,14 @@ class TestSSLUtils(CharmTestCase):
         get_ssl_mode.return_value = ('on', True)
         test_config = {
             'ssl_port': '9090',
-            'ssl_ca': 'ext_ca'}
+            'ssl_ca': TEST_CA}
         self.config.side_effect = lambda x: test_config[x]
         relation_data = {}
         ssl_utils.configure_client_ssl(relation_data)
+        self.maxDiff = None
         self.assertEqual(
             relation_data,
-            {'ssl_port': '9090', 'ssl_ca': 'ZXh0X2Nh'})
+            {'ssl_port': '9090', 'ssl_ca': B64_TEST_CA})
 
     @patch('ssl_utils.get_ssl_mode')
     def test_get_ssl_mode_ssl_on_ext_ca_b64(self, get_ssl_mode):