fix: remove windows line endings from config ssl-cert and ssl-chain

Closes-Bug: #2064542
Change-Id: I34874cc19d65c4d6f37f58b9108883463df6d5f6

src/reactive/vault_handlers.py

@@ -1,4 +1,5 @@
 import base64
+import io
 import os
 import psycopg2
 import subprocess
@@ -402,9 +403,11 @@ def configure_ssl():
         status_set('maintenance', 'installing SSL key and cert')
         ssl_key = base64.decodebytes(c['ssl-key'].encode())
         write_file('/var/snap/vault/common/vault.key', ssl_key, perms=0o600)
-        ssl_cert = base64.decodebytes(c['ssl-cert'].encode())
+
+        ssl_cert: bytes = decode_and_sanitize(c['ssl-cert'])
         if c['ssl-chain']:
-            ssl_cert = ssl_cert + base64.decodebytes(c['ssl-chain'].encode())
+            ssl_cert = ssl_cert + decode_and_sanitize(c['ssl-chain'])
+
         write_file('/var/snap/vault/common/vault.crt', ssl_cert, perms=0o600)
         set_state('vault.ssl.available')
     else:
@@ -420,6 +423,24 @@ def configure_ssl():
     remove_state('configured')
 
 
+def decode_and_sanitize(ssl_cert_unsanitized_b64: str) -> bytes:
+    r"""Decodes a base-64-encoded certificate and sanitizes it
+    by removing windows (\r and \rf) line endings
+
+    Args:
+        ssl_cert_unsanitized_b64: string, encoded as base64, containing a SSL
+        certificate
+
+    Returns:
+        Certificate decoded (from base64) with line endings as \n and
+        not \r or \r\n. The result is encoded as a sequence of bytes
+    """
+
+    unsanizited_cert = base64.decodebytes(ssl_cert_unsanitized_b64.encode())
+    sanitized_cert = io.TextIOWrapper(io.BytesIO(unsanizited_cert)).read()
+    return sanitized_cert.encode()
+
+
 @when('config.changed.ssl-cert')
 def ssl_cert_changed():
     remove_state('vault.ssl.configured')

unit_tests/test_reactive_vault_handlers.py

@@ -1,3 +1,5 @@
+import base64
+import subprocess
 from unittest import mock
 from unittest.mock import patch, call
 
@@ -101,6 +103,38 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
             'ssl-cert': 'acert',
             'ssl-key': 'akey'}))
 
+    @mock.patch.object(handlers, 'write_file')
+    @mock.patch.object(subprocess, 'check_call')
+    def test_sanitize_ssl_certs(self, _, write_file: mock.MagicMock):
+        """Tests whether windows based certs are sanitized
+        before producing vault.crt file"""
+
+        # arrange
+        unsanitized_cert_b64 = base64.encodebytes(
+            unit_tests.test_utils.DUMMY_CERTIFICATE_UNSANITIZED.encode()
+        ).decode()
+
+        self.config.return_value = {
+            'ssl-cert': unsanitized_cert_b64,
+            'ssl-chain': unsanitized_cert_b64,
+            'ssl-ca': 'noop',
+            'ssl-key': 'akey'}
+
+        # act
+        handlers.configure_ssl()
+
+        # verify
+        expected_cert_file_contents = (
+            unit_tests.test_utils.DUMMY_CERTIFICATE_SANITIZED.encode() +
+            unit_tests.test_utils.DUMMY_CERTIFICATE_SANITIZED.encode()
+        )
+        expected_write_file_call = mock.call(
+            '/var/snap/vault/common/vault.crt',
+            expected_cert_file_contents,
+            perms=0o600)
+
+        self.assertIn(expected_write_file_call, write_file.call_args_list)
+
     @patch.object(handlers.vault, 'can_restart')
     def test_configure_vault(self, can_restart):
         can_restart.return_value = True

unit_tests/test_utils.py

@@ -97,3 +97,27 @@ class TestConfig(object):
 
     def __getitem__(self, k):
         return self.get(k)
+
+
+DUMMY_CERTIFICATE_SANITIZED = """-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUBTucjQO1X2maobZzRGoyrIclCikwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI0MDcxNjA2MjQzOVoXDTI0MDcy
+MzA2MjQzOVowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEApof+89fH3hsPxfKrQqyKZq3FN6XaJvQ6knCnPBmh+g5Q
+JddawhnNj3RF/WZZs6xAEunahqp6vZtAlMe+9EiAKNMOpD3bzWRjn+AcVTnP1ey8
+Z5e9JDD3Iqls/f+ZjiY8afVefLv1H74NRUYH4f2dKDJvAUxsI7dQ3l+2hRewLUh3
+nSGpUx8hZ4vfWczf+ad31ADoFVH5lA74gn2pR5IzVo8vzV4kgNuf7j4FhJDE38i8
+Yqg8rSvWUvJ8qMPrgw690m/HsrvINWegyDGZcEmV+FKXQ1ywu7FEPjdDVdvqiRbm
+ZVyUUezGGmL6vHVj0IxoaBxH4oF3BkhCII0WNVCh1wIDAQABo1MwUTAdBgNVHQ4E
+FgQUEpuYqSDsDOcbnz+84s3PD3/hDT0wHwYDVR0jBBgwFoAUEpuYqSDsDOcbnz+8
+4s3PD3/hDT0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAWo7d
+j8ImS7DTLpQ+AcHbKB+mCr+PR6vc8im2hxmr4JgFQmEPnFEZw7J69IgtQX5Gii2D
+ZkVAJdu/vwBcoOqNA9V4FT0H+waf/r/rVWJM5stGGl861xv7Z0qtwbma2Q5YWRVi
+mmgDqZ7LkxpQADvXASdtxqdz9iHQqk0rEIpAkHIJ9GHiiTeZyw5xvQSFuCTkKnUE
+fryz3NWEjQ+nmMCa/Ced01JpMAl97G8KoUyNLP6JuLMa6Aw3xj1Rzm3xwq1EXw3F
+4yrorpLte/RtqB0QK2e8d+QxtE42RaGwxcx4I0cU0eANBf/mtSQ2ugjj0b1BWRi2
+rJdsjaJKlkavdpVxUQ==
+-----END CERTIFICATE-----
+"""
+
+DUMMY_CERTIFICATE_UNSANITIZED = '-----BEGIN CERTIFICATE-----\r\nMIIDCTCCAfGgAwIBAgIUBTucjQO1X2maobZzRGoyrIclCikwDQYJKoZIhvcNAQEL\rBQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI0MDcxNjA2MjQzOVoXDTI0MDcy\rMzA2MjQzOVowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF\r\nAAOCAQ8AMIIBCgKCAQEApof+89fH3hsPxfKrQqyKZq3FN6XaJvQ6knCnPBmh+g5Q\r\nJddawhnNj3RF/WZZs6xAEunahqp6vZtAlMe+9EiAKNMOpD3bzWRjn+AcVTnP1ey8\r\nZ5e9JDD3Iqls/f+ZjiY8afVefLv1H74NRUYH4f2dKDJvAUxsI7dQ3l+2hRewLUh3\r\nnSGpUx8hZ4vfWczf+ad31ADoFVH5lA74gn2pR5IzVo8vzV4kgNuf7j4FhJDE38i8\r\nYqg8rSvWUvJ8qMPrgw690m/HsrvINWegyDGZcEmV+FKXQ1ywu7FEPjdDVdvqiRbm\r\nZVyUUezGGmL6vHVj0IxoaBxH4oF3BkhCII0WNVCh1wIDAQABo1MwUTAdBgNVHQ4E\r\nFgQUEpuYqSDsDOcbnz+84s3PD3/hDT0wHwYDVR0jBBgwFoAUEpuYqSDsDOcbnz+8\r\n4s3PD3/hDT0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAWo7d\r\nj8ImS7DTLpQ+AcHbKB+mCr+PR6vc8im2hxmr4JgFQmEPnFEZw7J69IgtQX5Gii2D\r\nZkVAJdu/vwBcoOqNA9V4FT0H+waf/r/rVWJM5stGGl861xv7Z0qtwbma2Q5YWRVi\r\nmmgDqZ7LkxpQADvXASdtxqdz9iHQqk0rEIpAkHIJ9GHiiTeZyw5xvQSFuCTkKnUE\r\nfryz3NWEjQ+nmMCa/Ced01JpMAl97G8KoUyNLP6JuLMa6Aw3xj1Rzm3xwq1EXw3F\r\n4yrorpLte/RtqB0QK2e8d+QxtE42RaGwxcx4I0cU0eANBf/mtSQ2ugjj0b1BWRi2\r\nrJdsjaJKlkavdpVxUQ==\r\n-----END CERTIFICATE-----\n'  # noqa: E501