Skip to content

Commit f758ef5

Browse files
ndkndk
committed
Fix panic in tlsRoundTripper when CA file is absent
1 parent 1de8cfa commit f758ef5

File tree

2 files changed

+45
-0
lines changed

2 files changed

+45
-0
lines changed

config/http_config.go

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1377,6 +1377,9 @@ func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
13771377
// using GetClientCertificate.
13781378
tlsConfig := t.tlsConfig.Clone()
13791379
if !updateRootCA(tlsConfig, caData) {
1380+
if t.settings.CA == nil {
1381+
return nil, errors.New("unable to use specified CA cert: none configured")
1382+
}
13801383
return nil, fmt.Errorf("unable to use specified CA cert %s", t.settings.CA.Description())
13811384
}
13821385
rt, err = t.newRT(tlsConfig)

config/http_config_test.go

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1968,6 +1968,48 @@ func TestModifyTLSCertificates(t *testing.T) {
19681968
}
19691969
}
19701970

1971+
func TestTLSRoundTripper_NoCAConfigured(t *testing.T) {
1972+
bs := getCertificateBlobs(t)
1973+
1974+
tmpDir, err := os.MkdirTemp("", "tlspanic")
1975+
require.NoErrorf(t, err, "Failed to create tmp dir")
1976+
defer os.RemoveAll(tmpDir)
1977+
cert, key := filepath.Join(tmpDir, "cert"), filepath.Join(tmpDir, "key")
1978+
1979+
handler := func(w http.ResponseWriter, r *http.Request) {
1980+
fmt.Fprint(w, ExpectedMessage)
1981+
}
1982+
testServer, err := newTestServer(handler)
1983+
require.NoError(t, err)
1984+
defer testServer.Close()
1985+
1986+
cfg := HTTPClientConfig{
1987+
TLSConfig: TLSConfig{
1988+
CertFile: cert,
1989+
KeyFile: key,
1990+
InsecureSkipVerify: true,
1991+
},
1992+
}
1993+
1994+
writeCertificate(bs, ClientCertificatePath, cert)
1995+
writeCertificate(bs, ClientKeyNoPassPath, key)
1996+
c, err := NewClientFromConfig(cfg, "test")
1997+
require.NoErrorf(t, err, "Error creating HTTP Client: %v", err)
1998+
1999+
req, err := http.NewRequest(http.MethodGet, testServer.URL, nil)
2000+
require.NoErrorf(t, err, "Error creating HTTP request: %v", err)
2001+
2002+
r, err := c.Do(req)
2003+
require.NoErrorf(t, err, "Can't connect to the test server")
2004+
r.Body.Close()
2005+
2006+
err = os.WriteFile(cert, []byte("-----BEGIN GARBAGE-----\nabc\n-----END GARBAGE-----\n"), 0o664)
2007+
require.NoError(t, err)
2008+
2009+
_, err = c.Do(req)
2010+
require.ErrorContainsf(t, err, "unable to use specified CA cert: none configured", "Expected error to mention missing CA cert")
2011+
}
2012+
19712013
// loadHTTPConfigJSON parses the JSON input s into a HTTPClientConfig.
19722014
func loadHTTPConfigJSON(buf []byte) (*HTTPClientConfig, error) {
19732015
cfg := &HTTPClientConfig{}

0 commit comments

Comments
 (0)