3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-07 03:48:17 +02:00
Code Issues Projects Releases Packages Wiki Activity

rework error handling and validation

Browse source
This commit is contained in:
Kenneth Jenkins 2023-08-08 10:07:55 -07:00
parent d45a5d1bee
commit 2fc3886b9d
2 changed files with 28 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

48
config/mtls.go
View file

@ -34,10 +34,18 @@ type DownstreamMTLSSettings struct {
// GetCA returns the certificate authority (or nil if unset). // GetCA returns the certificate authority (or nil if unset).
func (s *DownstreamMTLSSettings) GetCA() ([]byte, error) { func (s *DownstreamMTLSSettings) GetCA() ([]byte, error) {
if s.CA != "" { if s.CA != "" {
return base64.StdEncoding.DecodeString(s.CA) ca, err := base64.StdEncoding.DecodeString(s.CA)
if err != nil {
return nil, fmt.Errorf("CA: %w", err)
}
return ca, nil
} }
if s.CAFile != "" { if s.CAFile != "" {
return os.ReadFile(s.CAFile) ca, err := os.ReadFile(s.CAFile)
if err != nil {
return nil, fmt.Errorf("CA file: %w", err)
}
return ca, nil
} }
return nil, nil return nil, nil
} }
@ -45,39 +53,37 @@ func (s *DownstreamMTLSSettings) GetCA() ([]byte, error) {
// GetCRL returns the certificate revocation list bundle (or nil if unset). // GetCRL returns the certificate revocation list bundle (or nil if unset).
func (s *DownstreamMTLSSettings) GetCRL() ([]byte, error) { func (s *DownstreamMTLSSettings) GetCRL() ([]byte, error) {
if s.CRL != "" { if s.CRL != "" {
return base64.StdEncoding.DecodeString(s.CRL) crl, err := base64.StdEncoding.DecodeString(s.CRL)
if err != nil {
return nil, fmt.Errorf("CRL: %w", err)
}
return crl, nil
} }
if s.CRLFile != "" { if s.CRLFile != "" {
return os.ReadFile(s.CRLFile) crl, err := os.ReadFile(s.CRLFile)
if err != nil {
return nil, fmt.Errorf("CRL file: %w", err)
}
return crl, nil
} }
return nil, nil return nil, nil
} }
func (s *DownstreamMTLSSettings) validate() error { func (s *DownstreamMTLSSettings) validate() error {
if s.CA != "" { if _, err := s.GetCA(); err != nil {
if _, err := base64.StdEncoding.DecodeString(s.CA); err != nil { return err
return fmt.Errorf("CA: %w", err)
}
} }
if s.CAFile != "" { crl, err := s.GetCRL()
if _, err := os.ReadFile(s.CAFile); err != nil { if err != nil {
return fmt.Errorf("CA file: %w", err) return err
}
} }
if len(crl) > 0 {
if s.CRL != "" { if _, err := cryptutil.DecodeCRL(crl); err != nil {
if _, err := cryptutil.CRLFromBase64(s.CRL); err != nil {
return fmt.Errorf("CRL: %w", err) return fmt.Errorf("CRL: %w", err)
} }
} }
if s.CRLFile != "" {
if _, err := cryptutil.CRLFromFile(s.CRLFile); err != nil {
return fmt.Errorf("CRL file: %w", err)
}
}
return nil return nil
} }

2
config/mtls_test.go
View file

@ -79,7 +79,7 @@ func TestDownstreamMTLSSettingsValidate(t *testing.T) {
{"bad CRL", DownstreamMTLSSettings{CRL: "dGhpc2lzZmluZQo="}, {"bad CRL", DownstreamMTLSSettings{CRL: "dGhpc2lzZmluZQo="},
"CRL: cryptutil: invalid crl, no X509 CRL block found"}, "CRL: cryptutil: invalid crl, no X509 CRL block found"},
{"bad CRL file", DownstreamMTLSSettings{CRLFile: "-"}, {"bad CRL file", DownstreamMTLSSettings{CRLFile: "-"},
"CRL file: cryptutil: failed to read crl file (-): open -: no such file or directory"}, "CRL file: open -: no such file or directory"},
{"OK", DownstreamMTLSSettings{ {"OK", DownstreamMTLSSettings{
CA: "dGhpc2lzZmluZQo=", CA: "dGhpc2lzZmluZQo=",
CRL: "LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSUNOVENCbmdJQkFUQU5CZ2txaGtpRzl3MEJBUXNGQURBNk1SNHdIQVlEVlFRS0V4VnRhMk5sY25RZ1pHVjIKWld4dmNHMWxiblFnUTBFeEdEQVdCZ05WQkFNVEQyUnZkMjV6ZEhKbFlXMGdRMEVnTWhjTk1qTXdOekU1TWpFMQpNREUxV2hjTk16TXdOekUyTWpFMU1ERTFXcUF3TUM0d0h3WURWUjBqQkJnd0ZvQVVDeFEyY0JhNVl6cVZ6YW1wCmlOQ3g4S3dGRnlRd0N3WURWUjBVQkFRQ0FoQUFNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJnUUNZYW14OHBNK1IKQ2x5c2tjdTdvdWh1L1IxSnkxbldHeVd0S3BoWXEwWEZiT0xsbmsyWjdlRGZBWDhFZWoyRmF2cXh6YXBSMngyTwo0aUpORENtaXdZWVlVUzJYMkxKM3JSUkpYeVh2V2h0ZkhyeFVSZDZCaXRDMklYcHlrQnRWbGYzekFuWjhHWkZRClMxamRmeUxNdUVBaUR3SWFpM1l0OEhzRHAvcUcwODlvWGNvU3R5UWcvdVJwbVd5MDVBOXVDVk9mTkhTTFNadTgKbHI0cWF0bGV1MHdXYlYxYW1MOHRPOXg0Q1JrTzBvMVlhUXE0RG9PcnVQciszTmtUbVB2R2lkaDNGNzFWNklFQQpoK0t6ZGJSWHhGbUNDV0xXbXBKRGNyZ1I3S1VxWk9oVVV0K0RVcWFxaFY0NHFJMG5ycFIrUVpMb2hvRG9yOUx3CksrdWZqM24yOWVTUlgrM1B4K29WV1BUOFlaUDJ1S1BkaXppOTZtZTJqV1RyNTF4OUFqRW9KRHNUbllSbDkrdVkKU2hpVXhXblRkUXNvb2tuSWZjUy8wemZnWjg3R3ZVVnppbkNRekpwd1Z4ZDRBbHQ4QWxSK2ZYQXFOSW9PZ3V5dgpwL0N0UlZualZFN2w3SFcvaFFScTFKMGlqQ0NLd215Zi9LVGQ2RUs0VGRydmJYL1U5bXNWTThZPQotLS0tLUVORCBYNTA5IENSTC0tLS0tCg==", CRL: "LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSUNOVENCbmdJQkFUQU5CZ2txaGtpRzl3MEJBUXNGQURBNk1SNHdIQVlEVlFRS0V4VnRhMk5sY25RZ1pHVjIKWld4dmNHMWxiblFnUTBFeEdEQVdCZ05WQkFNVEQyUnZkMjV6ZEhKbFlXMGdRMEVnTWhjTk1qTXdOekU1TWpFMQpNREUxV2hjTk16TXdOekUyTWpFMU1ERTFXcUF3TUM0d0h3WURWUjBqQkJnd0ZvQVVDeFEyY0JhNVl6cVZ6YW1wCmlOQ3g4S3dGRnlRd0N3WURWUjBVQkFRQ0FoQUFNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJnUUNZYW14OHBNK1IKQ2x5c2tjdTdvdWh1L1IxSnkxbldHeVd0S3BoWXEwWEZiT0xsbmsyWjdlRGZBWDhFZWoyRmF2cXh6YXBSMngyTwo0aUpORENtaXdZWVlVUzJYMkxKM3JSUkpYeVh2V2h0ZkhyeFVSZDZCaXRDMklYcHlrQnRWbGYzekFuWjhHWkZRClMxamRmeUxNdUVBaUR3SWFpM1l0OEhzRHAvcUcwODlvWGNvU3R5UWcvdVJwbVd5MDVBOXVDVk9mTkhTTFNadTgKbHI0cWF0bGV1MHdXYlYxYW1MOHRPOXg0Q1JrTzBvMVlhUXE0RG9PcnVQciszTmtUbVB2R2lkaDNGNzFWNklFQQpoK0t6ZGJSWHhGbUNDV0xXbXBKRGNyZ1I3S1VxWk9oVVV0K0RVcWFxaFY0NHFJMG5ycFIrUVpMb2hvRG9yOUx3CksrdWZqM24yOWVTUlgrM1B4K29WV1BUOFlaUDJ1S1BkaXppOTZtZTJqV1RyNTF4OUFqRW9KRHNUbllSbDkrdVkKU2hpVXhXblRkUXNvb2tuSWZjUy8wemZnWjg3R3ZVVnppbkNRekpwd1Z4ZDRBbHQ4QWxSK2ZYQXFOSW9PZ3V5dgpwL0N0UlZualZFN2w3SFcvaFFScTFKMGlqQ0NLd215Zi9LVGQ2RUs0VGRydmJYL1U5bXNWTThZPQotLS0tLUVORCBYNTA5IENSTC0tLS0tCg==",