Merge pull request #3 from canonical/feature/capture_server_cert

paulomach · web-flow · commit 6726fb952c2e · 2023-03-16T11:10:51.000-03:00
add certificate retrieval action
diff --git a/actions.yaml b/actions.yaml
@@ -23,3 +23,7 @@ get-session-ssl-cipher:
         - "disabled"
       description: Use ssl for connection
       default: enabled
+
+get-server-certificate:
+  description: Retrieve server certificate in pem format
+
diff --git a/src/charm.py b/src/charm.py
@@ -9,6 +9,7 @@
 """
 
 import logging
+import re
 import secrets
 import string
 import subprocess
@@ -63,6 +64,10 @@ def __init__(self, *args):
             getattr(self.on, "get_session_ssl_cipher_action"), self._get_session_ssl_cipher
         )
 
+        self.framework.observe(
+            getattr(self.on, "get_server_certificate_action"), self._get_server_certificate
+        )
+
         # Database related events
         self.database = DatabaseRequires(self, "database", DATABASE_NAME)
         self.framework.observe(
@@ -319,6 +324,37 @@ def _get_session_ssl_cipher(self, event: ActionEvent) -> None:
 
         event.set_results({"cipher": cipher})
 
+    def _get_server_certificate(self, event: ActionEvent) -> None:
+        """Get the server certificate."""
+        certificate = "error"
+        if not self._database_config:
+            event.fail()
+        else:
+            try:
+                process = subprocess.run(
+                    [
+                        "openssl",
+                        "s_client",
+                        "-starttls",
+                        "mysql",
+                        "-connect",
+                        f"{self._database_config['host']}:{self._database_config['port']}",
+                    ],
+                    capture_output=True,
+                )
+                # butchered stdout due non utf chars after the certificate
+                raw_output = process.stdout[:2800].decode("utf8")
+                matches = re.search(
+                    r"^(-----BEGIN C.*END CERTIFICATE-----[,\s])",
+                    raw_output,
+                    re.MULTILINE | re.DOTALL,
+                )
+                certificate = matches.group(0)
+            except Exception:
+                event.fail()
+
+        event.set_results({"certificate": certificate})
+
 
 if __name__ == "__main__":
     main(MySQLTestApplication)
