openstack/charm-rabbitmq-server
Code Issues Proposed changes
7c18da3729
charm-rabbitmq-server/hooks/ssl_utils.py
David Ames 953442f0cb Do not concatenate chained certs w/out line breaks 
The charm was adding the CA and chain certificate without a line break
leading to an invalid certificate pem file on the client side.

Add a line break when concatenating the ca cert and the chain.

Closes-Bug: #1838709
Change-Id: I646c8419838011160a74c4c4c488c04268825efd
2019-08-02 11:05:32 -07:00

125 lines
3.9 KiB
Python
Raw Blame History

# Copyright 2016 Canonical Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import base64
import os
from charmhelpers.contrib.ssl.service import ServiceCA
from charmhelpers.core.hookenv import (
config,
relation_ids,
relation_set,
relation_get,
local_unit,
)
from charmhelpers.contrib.network.ip import (
get_hostname,
get_relation_ip,
)
import charmhelpers.contrib.openstack.cert_utils as ch_cert_utils
import rabbit_net_utils
CERTS_FROM_RELATION = 'certs-relation'
def get_unit_amqp_endpoint_data():
"""Get the hostname and ip address associated with amqp interface.
:returns: Tuple containing ip address and hostname.
:rtype: (str, str)
"""
ip = get_relation_ip(
rabbit_net_utils.AMQP_INTERFACE,
cidr_network=config(rabbit_net_utils.AMQP_OVERRIDE_CONFIG))
return ip, get_hostname(ip)
def get_relation_cert_data():
"""Get certificate bundle associated with the amqp interface.
:returns: Dict with key, cert, ca and, optional, chain keys.
:rtype: Dict
"""
_, hostname = get_unit_amqp_endpoint_data()
return ch_cert_utils.get_bundle_for_cn(hostname)
def get_ssl_mode():
relation_certs = get_relation_cert_data()
if relation_certs:
ssl_mode = CERTS_FROM_RELATION
external_ca = True
else:
ssl_mode = config('ssl')
external_ca = False
# Legacy config boolean option
ssl_on = config('ssl_enabled')
if ssl_mode == 'off' and ssl_on is False:
ssl_mode = 'off'
elif ssl_mode == 'off' and ssl_on:
ssl_mode = 'on'
ssl_key = config('ssl_key')
ssl_cert = config('ssl_cert')
if all((ssl_key, ssl_cert)):
external_ca = True
return ssl_mode, external_ca
def b64encoded_string(ss):
return base64.b64encode(ss.encode('ascii')).decode('ascii')
def configure_client_ssl(relation_data):
"""Configure client with ssl
"""
ssl_mode, external_ca = get_ssl_mode()
if ssl_mode == 'off':
return
relation_data['ssl_port'] = config('ssl_port')
if ssl_mode == CERTS_FROM_RELATION:
relation_certs = get_relation_cert_data()
ca_data = relation_certs['ca']
if relation_certs.get('chain'):
ca_data = ca_data + os.linesep + relation_certs.get('chain')
relation_data['ssl_ca'] = b64encoded_string(ca_data)
else:
if external_ca:
if config('ssl_ca'):
if "BEGIN CERTIFICATE" in config('ssl_ca'):
ssl_ca_encoded = b64encoded_string(config('ssl_ca'))
else:
ssl_ca_encoded = config('ssl_ca')
relation_data['ssl_ca'] = ssl_ca_encoded
return
ca = ServiceCA.get_ca()
relation_data['ssl_ca'] = b64encoded_string(ca.get_ca_bundle())
def reconfigure_client_ssl(ssl_enabled=False):
ssl_config_keys = set(('ssl_key', 'ssl_cert', 'ssl_ca'))
for rid in relation_ids('amqp'):
rdata = relation_get(rid=rid, unit=local_unit())
if not ssl_enabled and ssl_config_keys.intersection(rdata):
# No clean way to remove entirely, but blank them.
relation_set(relation_id=rid, ssl_key='', ssl_cert='', ssl_ca='',
ssl_port='')
elif ssl_enabled and not ssl_config_keys.intersection(rdata):
configure_client_ssl(rdata)
relation_set(relation_id=rid, **rdata)
View Git Blame Copy Permalink