Correct check for b64 encoding
The previous fix for Bug #1798066 assumed that b64 decoding a PEM certificate would throw an exception. This is not true as PEM certs are b64 encoded. This fix explicitly checks for the 'BEGIN CERTIFICATE' string to check if the supplied ssl_ca value is encoded or not. Change-Id: I4fbdb0c2f768f2641b8fb3b43a4f94f2748484c0
parent
6d0118e9e0
commit
c31f3e289b
|
@ -23,7 +23,6 @@ from charmhelpers.core.hookenv import (
|
||||||
)
|
)
|
||||||
|
|
||||||
import base64
|
import base64
|
||||||
import binascii
|
|
||||||
|
|
||||||
|
|
||||||
def get_ssl_mode():
|
def get_ssl_mode():
|
||||||
|
@ -54,12 +53,10 @@ def configure_client_ssl(relation_data):
|
||||||
relation_data['ssl_port'] = config('ssl_port')
|
relation_data['ssl_port'] = config('ssl_port')
|
||||||
if external_ca:
|
if external_ca:
|
||||||
if config('ssl_ca'):
|
if config('ssl_ca'):
|
||||||
try:
|
if "BEGIN CERTIFICATE" in config('ssl_ca'):
|
||||||
base64.decodestring(config('ssl_ca'))
|
|
||||||
# No need to encode it, it is already encoded.
|
|
||||||
ssl_ca_encoded = config('ssl_ca')
|
|
||||||
except binascii.Error:
|
|
||||||
ssl_ca_encoded = base64.b64encode(config('ssl_ca'))
|
ssl_ca_encoded = base64.b64encode(config('ssl_ca'))
|
||||||
|
else:
|
||||||
|
ssl_ca_encoded = config('ssl_ca')
|
||||||
relation_data['ssl_ca'] = ssl_ca_encoded
|
relation_data['ssl_ca'] = ssl_ca_encoded
|
||||||
return
|
return
|
||||||
ca = ServiceCA.get_ca()
|
ca = ServiceCA.get_ca()
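Review bot: The new `else:` branch forwards `config('ssl_ca')` into `relation_data['ssl_ca']` unchecked, so a value that is neither PEM nor base64 (a typo, a DER blob) reaches clients as their CA. I would decode it in that branch, `decoded = base64.b64decode(config('ssl_ca'))`, and fail with an explicit error unless `decoded` contains the certificate marker. The substring test `"BEGIN CERTIFICATE"` also matches a `BEGIN CERTIFICATE REQUEST` block; comparing against the full `-----BEGIN CERTIFICATE-----` line is tighter. If this module has to run on Python 3, `base64.b64encode` needs bytes, which the visible lines do not guarantee. configure_client_ssl begins and continues outside the hunk.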
|
||||||
|
|
|
@ -22,6 +22,30 @@ TO_PATCH = [
|
||||||
'config',
|
'config',
|
||||||
]
|
]
|
||||||
|
|
||||||
|
TEST_CA = """-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDbTCCAlWgAwIBAgIURtdGGKKjckiLPLue8Wn/sCS5u+QwDQYJKoZIhvcNAQEL
|
||||||
|
BQAwPTE7MDkGA1UEAxMyVmF1bHQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkg
|
||||||
|
KGNoYXJtLXBraS1sb2NhbCkwIBgPMDAwMTAxMDEwMDAwMDBaFw0xODExMjQxMzQx
|
||||||
|
MjdaMD0xOzA5BgNVBAMTMlZhdWx0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
|
||||||
|
IChjaGFybS1wa2ktbG9jYWwpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
|
||||||
|
AQEAwUEg8XFO2GzI19aNAfH8KeBsLvpYTX4nNREEGLMkl7qfqO+rcwNmN/60UxSu
|
||||||
|
Hbsqfjv6B6kWD6dd1/OvveYjxqPA97OqO5LOUE43ojzUkxai5GeF5fvu3QGIR7iZ
|
||||||
|
a9PEDFjFKeCdwyKLoIHNdXw1TM0sQmWM7sSiMhCfrpeZEe+En+KZQugo+BiLrhKA
|
||||||
|
yZTIkEP5+6r/Nrxfkx2/Kklrq8LOyLfH91LbmJEVEKQNloCYphZYwB7n9GPvKlGv
|
||||||
|
pvPuJc7wEkmtCMp0dNjo3MZ0ij1SIN6Ntx8DqhPJ8QKvNDogVmeEGpQFBcrzfkol
|
||||||
|
LMXPBpX2Qx6dPqLGHCbWQDnvewIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYD
|
||||||
|
VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUc1rh2BEHSQJ0qxhPTDQKRJg2AGEwHwYD
|
||||||
|
VR0jBBgwFoAUc1rh2BEHSQJ0qxhPTDQKRJg2AGEwDQYJKoZIhvcNAQELBQADggEB
|
||||||
|
ABZvreticW5UuoQS7NAVICCvh5FwgrkC5tnHX3p8TOhMIpJTgrKhedJZKzLc254g
|
||||||
|
/jAsb7q775IcMOhS2vFJSQd6rV0cMNCdFjk0sTTe01OXoJj2fN3MMbEEGfs6crwk
|
||||||
|
TKiXEJ9XYc04Ul4b8XJ0d5hYejr5IF9leJ2JJMiGTJFGU1Oi8Lctj7qyX0nlo+x5
|
||||||
|
Xhj8BbsJsbUGoA+bXvCOO88voyOZoRGCg1JFztbpgIAV6k64DJ7xp9tNDhZJj0Uo
|
||||||
|
2MDrWbfUYFWMiD5L0d5MjeX7aGIPhJsMund1zFHr1ho64OdCJ1zDmtk4UYzZ0deE
|
||||||
|
5nLA3FXh+snaEpmpl7X9Xus=
|
||||||
|
-----END CERTIFICATE-----"""
|
||||||
|
|
||||||
|
B64_TEST_CA = """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""" # noqa: E501
|
||||||
|
|
||||||
|
|
||||||
class TestSSLUtils(CharmTestCase):
|
class TestSSLUtils(CharmTestCase):
|
||||||
|
|
||||||
|
@ -102,13 +126,14 @@ class TestSSLUtils(CharmTestCase):
|
||||||
get_ssl_mode.return_value = ('on', True)
|
get_ssl_mode.return_value = ('on', True)
|
||||||
test_config = {
|
test_config = {
|
||||||
'ssl_port': '9090',
|
'ssl_port': '9090',
|
||||||
'ssl_ca': 'ext_ca'}
|
'ssl_ca': TEST_CA}
|
||||||
self.config.side_effect = lambda x: test_config[x]
|
self.config.side_effect = lambda x: test_config[x]
|
||||||
relation_data = {}
|
relation_data = {}
|
||||||
ssl_utils.configure_client_ssl(relation_data)
|
ssl_utils.configure_client_ssl(relation_data)
|
||||||
|
self.maxDiff = None
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
relation_data,
|
relation_data,
|
||||||
{'ssl_port': '9090', 'ssl_ca': 'ZXh0X2Nh'})
|
{'ssl_port': '9090', 'ssl_ca': B64_TEST_CA})
|
||||||
|
|
||||||
@patch('ssl_utils.get_ssl_mode')
|
@patch('ssl_utils.get_ssl_mode')
|
||||||
def test_get_ssl_mode_ssl_on_ext_ca_b64(self, get_ssl_mode):
|
def test_get_ssl_mode_ssl_on_ext_ca_b64(self, get_ssl_mode):
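Review bot: Replacing the `'ext_ca'` fixture with `TEST_CA` drops the only visible case of an `ssl_ca` value that is neither PEM nor base64, so nothing pins what configure_client_ssl does with such input any more. I would keep a separate test for it, e.g. `test_config = {'ssl_port': '9090', 'ssl_ca': 'ext_ca'}`, asserting the intended outcome (preferably a rejection rather than a pass-through). `self.maxDiff = None` is set inline in this one test; if full diffs are wanted, set it once in setUp, otherwise drop it. The body of test_get_ssl_mode_ssl_on_ext_ca_b64 lies outside the hunk, so the already-encoded path may be covered there.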
|
||||||
|
|