From 452734fb722958e1c9c233a0270d5673d119dc53 Mon Sep 17 00:00:00 2001
From: Alexander Hughes <Alexander.Hughes@pm.me>
Date: Tue, 29 Dec 2020 15:21:45 -0500
Subject: [PATCH] Making certificate check more robust

Some operators may have externally managed certificates that do not
conform to the originally expected certificate pattern of

---BEGIN CERTIFICATE-----
foo
-----END CERTIFICATE-----

and may instead include additional information on the subject/issuer. In
these cases the current regex will fail to load certs that can be parsed
with the existing cfssl command. Addressing this by tightening up the
regex prior to trying to obtain certificate information.

Change-Id: Ief9993632718caa46b52761b49a97621f134ca53
Signed-off-by: Alexander Hughes <Alexander.Hughes@pm.me>
---
 pegleg/engine/secrets.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pegleg/engine/secrets.py b/pegleg/engine/secrets.py
index 5a22181e..bf82db71 100644
--- a/pegleg/engine/secrets.py
+++ b/pegleg/engine/secrets.py
@@ -301,8 +301,9 @@ def check_cert_expiry(site_name, duration=60):
                     if result['schema'] in cert_schemas:
                         text = result['data']
                         header_pattern = '-----BEGIN CERTIFICATE-----'
-                        find_pattern = r'%s.*?(?=%s|$)' % (
-                            header_pattern, header_pattern)
+                        footer_pattern = '-----END CERTIFICATE-----'
+                        find_pattern = r'%s.*?%s' % (
+                            header_pattern, footer_pattern)
                         certs = re.findall(find_pattern, text, re.DOTALL)
                         for cert in certs:
                             cert_info = pki_util.check_expiry(cert)