
chore: Update charm libraries #163

Merged
merged 1 commit into from
Jun 3, 2024
32 changes: 22 additions & 10 deletions lib/charms/tls_certificates_interface/v3/tls_certificates.py
Expand Up @@ -317,7 +317,7 @@ def _on_all_certificates_invalidated(self, event: AllCertificatesInvalidatedEven

# Increment this PATCH version before using `charmcraft publish-lib` or reset
# to 0 if you are raising the major API version
LIBPATCH = 14
LIBPATCH = 15

PYDEPS = ["cryptography", "jsonschema"]

Expand Down Expand Up @@ -1093,6 +1093,13 @@ def generate_csr( # noqa: C901
return signed_certificate.public_bytes(serialization.Encoding.PEM)


def get_sha256_hex(data: str) -> str:
"""Calculate the hash of the provided data and return the hexadecimal representation."""
digest = hashes.Hash(hashes.SHA256())
digest.update(data.encode())
return digest.finalize().hex()


def csr_matches_certificate(csr: str, cert: str) -> bool:
"""Check if a CSR matches a certificate.

Expand Down Expand Up @@ -1872,12 +1879,15 @@ def _on_relation_changed(self, event: RelationChangedEvent) -> None:
]
for certificate in provider_certificates:
if certificate.csr in requirer_csrs:
csr_in_sha256_hex = get_sha256_hex(certificate.csr)
if certificate.revoked:
with suppress(SecretNotFoundError):
logger.debug(
"Removing secret with label %s", f"{LIBID}-{certificate.csr}"
"Removing secret with label %s",
f"{LIBID}-{csr_in_sha256_hex}",
)
secret = self.model.get_secret(label=f"{LIBID}-{certificate.csr}")
secret = self.model.get_secret(
label=f"{LIBID}-{csr_in_sha256_hex}")
secret.remove_all_revisions()
self.on.certificate_invalidated.emit(
reason="revoked",
Expand All @@ -1889,20 +1899,22 @@ def _on_relation_changed(self, event: RelationChangedEvent) -> None:
else:
try:
logger.debug(
"Setting secret with label %s", f"{LIBID}-{certificate.csr}"
"Setting secret with label %s", f"{LIBID}-{csr_in_sha256_hex}"
)
secret = self.model.get_secret(label=f"{LIBID}-{csr_in_sha256_hex}")
secret.set_content(
{"certificate": certificate.certificate, "csr": certificate.csr}
)
secret = self.model.get_secret(label=f"{LIBID}-{certificate.csr}")
secret.set_content({"certificate": certificate.certificate})
secret.set_info(
expire=self._get_next_secret_expiry_time(certificate),
)
except SecretNotFoundError:
logger.debug(
"Creating new secret with label %s", f"{LIBID}-{certificate.csr}"
"Creating new secret with label %s", f"{LIBID}-{csr_in_sha256_hex}"
)
secret = self.charm.unit.add_secret(
{"certificate": certificate.certificate},
label=f"{LIBID}-{certificate.csr}",
{"certificate": certificate.certificate, "csr": certificate.csr},
label=f"{LIBID}-{csr_in_sha256_hex}",
expire=self._get_next_secret_expiry_time(certificate),
)
self.on.certificate_available.emit(
Expand Down Expand Up @@ -1965,7 +1977,7 @@ def _on_secret_expired(self, event: SecretExpiredEvent) -> None:
"""
if not event.secret.label or not event.secret.label.startswith(f"{LIBID}-"):
return
csr = event.secret.label[len(f"{LIBID}-") :]
csr = event.secret.get_content()["csr"]
provider_certificate = self._find_certificate_in_relation_data(csr)
if not provider_certificate:
# A secret expired but we did not find matching certificate. Cleaning up
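Review bot: Secrets created under the previous label scheme (`{LIBID}-{certificate.csr}`, with content holding only `certificate`) are not migrated, so the `_on_secret_expired` line `csr = event.secret.get_content()["csr"]` raises KeyError for any pre-existing secret, and the revoked branch in `_on_relation_changed` now looks only for `{LIBID}-{csr_in_sha256_hex}`, where the suppressed SecretNotFoundError leaves a legacy secret holding a revoked certificate in place without even a log line. A minimal fallback in `_on_secret_expired` is `csr = event.secret.get_content().get("csr") or event.secret.label[len(f"{LIBID}-") :]`, and the revoked branch should fall back to the legacy label when the hashed one is absent (or re-label it on first sight) so stale certificate material is actually removed. Both enclosing methods start and end outside their hunks. The docstring of `get_sha256_hex` should also say why the digest replaces the raw CSR in the label (presumably label length or character constraints), since the diff otherwise leaves the motivation unexplained.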