From 63d4c8fbf9406ce2dd4d37295f03f98eac91385f Mon Sep 17 00:00:00 2001
From: Denis Mishin
Date: Tue, 31 Oct 2023 19:08:18 -0400
Subject: [PATCH] validation: option to bypass
---
 config/options.go | 6 ++++++
 internal/databroker/config_source.go | 9 ++++++---
 pkg/cryptutil/certificates_index.go | 4 ++++
 3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/config/options.go b/config/options.go
index d651c5b1f..69423238a 100644
--- a/config/options.go
+++ b/config/options.go
@@ -300,6 +300,8 @@ type Options struct {
 AuditKey *PublicKeyEncryptionKeyOptions `mapstructure:"audit_key"`
 BrandingOptions httputil.BrandingOptions
+
+ DisableValidation bool
 }
 type certificateFilePair struct {
@@ -577,6 +579,10 @@ func bindEnvsRecursive(t reflect.Type, v *viper.Viper, keyPrefix, envPrefix stri
 // Validate ensures the Options fields are valid, and hydrated.
 func (o *Options) Validate() error {
+ if o.DisableValidation {
+ return nil
+ }
+
 ctx := context.TODO()
 if !IsValidService(o.Services) {
 return fmt.Errorf("config: %s is an invalid service type", o.Services)
diff --git a/internal/databroker/config_source.go b/internal/databroker/config_source.go
index 743039151..4eeefa418 100644
--- a/internal/databroker/config_source.go
+++ b/internal/databroker/config_source.go
@@ -101,9 +101,12 @@ func (src *ConfigSource) rebuild(ctx context.Context, firstTime firstTime) {
 ids := maps.Keys(src.dbConfigs)
 sort.Strings(ids)
- certsIndex := cryptutil.NewCertificatesIndex()
- for _, cert := range cfg.Options.GetX509Certificates() {
- certsIndex.Add(cert)
+ var certsIndex *cryptutil.CertificatesIndex
+ if !cfg.Options.DisableValidation {
+ certsIndex = cryptutil.NewCertificatesIndex()
+ for _, cert := range cfg.Options.GetX509Certificates() {
+ certsIndex.Add(cert)
+ }
 }
 // add all the config policies to the list
diff --git a/pkg/cryptutil/certificates_index.go b/pkg/cryptutil/certificates_index.go
index bb16d748f..d9a4ba1a4 100644
--- a/pkg/cryptutil/certificates_index.go
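Review bot: The new `DisableValidation` field at the end of `Options` has no doc comment and no `mapstructure` tag, so nothing here says who may set a switch that turns off every check in `Validate`. If the decoder matches untagged fields by name (not visible in this patch), the flag may also be settable from a config file or the environment; if it is meant for programmatic use only, tag it `mapstructure:"-"`. I would add a comment such as `// DisableValidation skips Validate and the certificate overlap check; it must never come from untrusted configuration.`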
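Review bot: The early return at the top of `Validate` skips everything the function does, not only the checks: its doc comment says it also hydrates the options, so with the flag set any derived fields would stay unset, and the bypass happens silently. The doc comment should state this, e.g. `// If DisableValidation is set, Validate returns nil without checking or hydrating anything.`, and a warning-level log line on this path would make an unvalidated configuration visible to operators. If only some checks need to be skippable, guarding those checks is safer than returning before all of them. The rest of `Validate` lies outside the hunk, so which fields it hydrates cannot be confirmed from here.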
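Review bot: Leaving `certsIndex` nil in `rebuild` makes a nil pointer the feature switch, and it ties the certificate overlap check to a flag whose name only mentions validation. Code later in `rebuild` (outside the hunk) presumably calls methods on `certsIndex`, and only `OverlapsWithExistingCertificate` gets a nil guard in this patch. Keeping the declaration unconditional, `certsIndex := cryptutil.NewCertificatesIndex()`, and skipping only the loop that fills it would presumably give the same result with no nil to track; that should be confirmed against `match` on an empty index. Either way, a comment here should say that with the flag set nothing is compared against the certificates from `cfg.Options.GetX509Certificates()`.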
+++ b/pkg/cryptutil/certificates_index.go
@@ -34,6 +34,10 @@ func (c *CertificatesIndex) Add(cert *x509.Certificate) {
 // OverlapsWithExistingCertificate returns true if the certificate overlaps with an existing certificate.
 func (c *CertificatesIndex) OverlapsWithExistingCertificate(cert *x509.Certificate) (bool, string) {
+ if c == nil {
+ return false, ""
+ }
+
 usage := getCertUsage(cert)
 for _, name := range cert.DNSNames {
 if c.match(name, usage) {
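Review bot: The nil guard at the top of `OverlapsWithExistingCertificate` fails open: any nil index, whether deliberate or the result of a bug elsewhere, now reports that nothing overlaps, and the doc comment does not mention it. I would extend the comment with `// A nil index reports no overlap; callers pass nil only when the overlap check is intentionally disabled.` `Add`, named in the hunk header, gets no matching guard in this patch, so a nil index is safe to query but would presumably panic on insertion. The function body continues past the end of the hunk.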