{Container app} `az containerapp env certificate upload`: Fix bumping `pyOpenSSL` to `24.0.0`, `OpenSSL.crypto.loads_pkcs12` is removed in `23.3.0` (#28385)

2024-02-19 14:39:07 +08:00 · 2024-02-19 14:39:07 +08:00 · 48d06b2a29
--- a/scripts/ci/credscan/CredScanSuppressions.json
+++ b/scripts/ci/credscan/CredScanSuppressions.json
@ -600,6 +600,7 @@
    {
      "file": [
        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\data\\cert.pfx",
+        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\data\\cert2.pfx",
        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\data\\cert.pem",
        "src\\azure-cli\\azure\\cli\\command_modules\\containerapp\\tests\\latest\\data\\cert.txt"
      ],
--- a/src/azure-cli/azure/cli/command_modules/containerapp/_utils.py
+++ b/src/azure-cli/azure/cli/command_modules/containerapp/_utils.py
@ -1461,6 +1461,8 @@ def get_oidc_client_setting_app_setting_name(provider_name):
 def load_cert_file(file_path, cert_password=None):
    from base64 import b64encode
    from OpenSSL import crypto
+    from cryptography.hazmat.primitives.serialization import pkcs12
+    from cryptography.hazmat.primitives import hashes
    import os

    cert_data = None
@ -1477,12 +1479,15 @@ def load_cert_file(file_path, cert_password=None):
            elif os.path.splitext(file_path)[1] in ['.pfx']:
                cert_data = f.read()
                try:
-                    p12 = crypto.load_pkcs12(cert_data, cert_password)
+                    # The password to use to decrypt the data. None if the PKCS12 is not encrypted.
+                    cert_password_bytes = cert_password.encode('utf-8') if cert_password else None
+                    p12 = pkcs12.load_pkcs12(cert_data, cert_password_bytes)
                except Exception as e:
                    raise FileOperationError('Failed to load the certificate file. This may be due to an incorrect or missing password. Please double check and try again.\nError: {}'.format(e)) from e
-                x509 = p12.get_certificate()
-                digest_algorithm = 'sha256'
-                thumbprint = x509.digest(digest_algorithm).decode("utf-8").replace(':', '')
+                if p12.cert is None:
+                    raise ValidationError("Failed to load the certificate file. The loading result is None.")
+                x509 = p12.cert.certificate
+                thumbprint = x509.fingerprint(hashes.SHA256()).hex().upper()
                blob = b64encode(cert_data).decode("utf-8")
            else:
                raise FileOperationError('Not a valid file type. Only .PFX and .PEM files are supported.')
--- a/src/azure-cli/azure/cli/command_modules/containerapp/tests/latest/data/cert2.pfx
+++ b/src/azure-cli/azure/cli/command_modules/containerapp/tests/latest/data/cert2.pfx
--- a/src/azure-cli/azure/cli/command_modules/containerapp/tests/latest/recordings/test_containerapp_env_certificate_e2e.yaml
+++ b/src/azure-cli/azure/cli/command_modules/containerapp/tests/latest/recordings/test_containerapp_env_certificate_e2e.yaml
--- a/src/azure-cli/azure/cli/command_modules/containerapp/tests/latest/recordings/test_containerapp_env_custom_domains.yaml
+++ b/src/azure-cli/azure/cli/command_modules/containerapp/tests/latest/recordings/test_containerapp_env_custom_domains.yaml
--- a/src/azure-cli/azure/cli/command_modules/containerapp/tests/latest/test_containerapp_clean_null_values.py
+++ b/src/azure-cli/azure/cli/command_modules/containerapp/tests/latest/test_containerapp_clean_null_values.py
@ -3,8 +3,12 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 import unittest
+import os

-from azure.cli.command_modules.containerapp._utils import clean_null_values
+from azure.cli.command_modules.containerapp._utils import clean_null_values, load_cert_file
+from azure.cli.core.azclierror import CLIInternalError
+
+TEST_DIR = os.path.abspath(os.path.join(os.path.abspath(__file__), '..'))


 class UtilsTest(unittest.TestCase):
@ -207,6 +211,35 @@ class UtilsTest(unittest.TestCase):
        self.assertEqual(expect_result_for_new, result_new)
        self.assertEqual(expect_result_for_old, result_old)

+    def test_load_cert_file(self):
+        pfx_file = os.path.join(TEST_DIR, 'data', 'cert.pfx')
+        testpassword = 'test12'
+        blob, thumbprint = load_cert_file(pfx_file, testpassword)
+        self.assertEqual("8D2DC3BF7DF8D2BA32705E079A9C0015FE9CBC7062C8583FE19B7F068AFDC2C9", thumbprint)
+
+        pfx_file = os.path.join(TEST_DIR, 'data', 'cert2.pfx')
+        testpassword = ''
+        blob, thumbprint = load_cert_file(pfx_file, testpassword)
+        self.assertEqual("346C37A6F29AB35063AC42A470CB2F95DB2A068E3E14A17E80A258BE9713E2BF", thumbprint)
+
+        # test load with wrong password
+        pfx_file = os.path.join(TEST_DIR, 'data', 'cert2.pfx')
+        testpassword = 'test12'
+        thumbprint = ''
+        try:
+            blob, thumbprint = load_cert_file(pfx_file, testpassword)
+        except CLIInternalError as e:
+            self.assertTrue(e.error_msg.error_msg.__contains__('Invalid password or PKCS12 data'))
+        self.assertEqual('', thumbprint)
+
+        pfx_file = os.path.join(TEST_DIR, 'data', 'cert2.pfx')
+        blob, thumbprint = load_cert_file(pfx_file)
+        self.assertEqual("346C37A6F29AB35063AC42A470CB2F95DB2A068E3E14A17E80A258BE9713E2BF", thumbprint)
+
+        pem_file = os.path.join(TEST_DIR, 'data', 'cert.pem')
+        blob, thumbprint = load_cert_file(pem_file)
+        self.assertEqual("FEAD2E32FB423702763C1093ACD431E2A05CD55F1419F4BAA6CD5E64030EF499", thumbprint)
+

 # Remove null/None/empty properties in a model since the PATCH API will delete those. Not needed once we move to the SDK
 # This old version will remove properties which value is 0