From 9ccf6d2b9535751ae3f586a771635347a9717049 Mon Sep 17 00:00:00 2001
From: Liam Young
Date: Tue, 16 Oct 2018 18:33:48 +0000
Subject: [PATCH] Only b64encode ssl_ca if it needs it

The description of the ssl_ca config option in config.yaml states that the certificate should be base64 encoded. But if it is then the charm b64encodes it again when sending the ca down the client relations. This change gates encoding the ca on whether it is already encoded.

Change-Id: I9828d7567fd7f04cd0d80229ea1ff1275ea4269e
Closes-Bug: #1798066
---
 hooks/ssl_utils.py | 10 ++++++++--
 unit_tests/test_ssl_utils.py | 13 +++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/hooks/ssl_utils.py b/hooks/ssl_utils.py
index f5255f78..553a47e9 100644
--- a/hooks/ssl_utils.py
+++ b/hooks/ssl_utils.py
@@ -23,6 +23,7 @@ from charmhelpers.core.hookenv import (
 )

 import base64
+import binascii


 def get_ssl_mode():
@@ -53,8 +54,13 @@ def configure_client_ssl(relation_data):
 relation_data['ssl_port'] = config('ssl_port')
 if external_ca:
 if config('ssl_ca'):
- relation_data['ssl_ca'] = base64.b64encode(
- config('ssl_ca'))
+ try:
+ base64.decodestring(config('ssl_ca'))
+ # No need to encode it, it is already encoded.
+ ssl_ca_encoded = config('ssl_ca')
+ except binascii.Error:
+ ssl_ca_encoded = base64.b64encode(config('ssl_ca'))
+ relation_data['ssl_ca'] = ssl_ca_encoded
 return
 ca = ServiceCA.get_ca()
 relation_data['ssl_ca'] = base64.b64encode(ca.get_ca_bundle())
diff --git a/unit_tests/test_ssl_utils.py b/unit_tests/test_ssl_utils.py
index 6664e90e..65ecd571 100644
--- a/unit_tests/test_ssl_utils.py
+++ b/unit_tests/test_ssl_utils.py
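Review bot: In `configure_client_ssl` (hooks/ssl_utils.py), a successful `base64.decodestring(config('ssl_ca'))` is a weak signal that the value is already encoded. As far as I know the underlying decoder skips characters outside the base64 alphabet and raises `binascii.Error` only for incorrect padding, so a plain-text or PEM value can pass or fail the check depending on its length, and a misclassified CA would reach the client relations un-encoded or double-encoded without any error. A test on the content is more dependable, e.g. `if config('ssl_ca').lstrip().startswith('-----BEGIN'):` to decide that the value is raw PEM and still needs `b64encode` (the existing fixtures would then need PEM-shaped values); reading `config('ssl_ca')` once into a local would also replace the three separate lookups. The function starts and ends outside this hunk, so the surrounding branches were not checked.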
@@ -110,6 +110,19 @@ class TestSSLUtils(CharmTestCase):
 relation_data,
 {'ssl_port': '9090', 'ssl_ca': 'ZXh0X2Nh'})

+ @patch('ssl_utils.get_ssl_mode')
+ def test_get_ssl_mode_ssl_on_ext_ca_b64(self, get_ssl_mode):
+ get_ssl_mode.return_value = ('on', True)
+ test_config = {
+ 'ssl_port': '9090',
+ 'ssl_ca': 'ZXh0X2Nh'}
+ self.config.side_effect = lambda x: test_config[x]
+ relation_data = {}
+ ssl_utils.configure_client_ssl(relation_data)
+ self.assertEqual(
+ relation_data,
+ {'ssl_port': '9090', 'ssl_ca': 'ZXh0X2Nh'})
+
 @patch('ssl_utils.local_unit')
 @patch('ssl_utils.relation_ids')
 @patch('ssl_utils.relation_get')
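Review bot: The added test `test_get_ssl_mode_ssl_on_ext_ca_b64` covers only a value that is already valid base64, so it does not show where the detection in `configure_client_ssl` draws the line. A plain string made of eight alphabet characters (constructed example: `'ssl_ca': 'extca123'`) would presumably also decode without error and be passed through un-encoded; a case for that and one for a PEM-formatted certificate would document the intended behaviour. The class and the decorators of the following test continue outside the hunk.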