config: minor cleanup in GenerateCatchAllCertificate (#5397)

GenerateCatchAllCertificate() appears to return the same result whether
or not DeriveInternalDomainCert is nil. Let's remove this conditional.

config/config.go

@@ -155,38 +155,13 @@ func (cfg *Config) GetTLSClientConfig() (*tls.Config, error) {
 	}, nil
 }
 
-// GenerateCatchAllCertificate generates a catch-all certificate. If no derived CA is defined a
+// GenerateCatchAllCertificate generates a catch-all certificate from a CA
-// self-signed certificate will be generated.
+// derived from the shared secret.
 func (cfg *Config) GenerateCatchAllCertificate() (*tls.Certificate, error) {
-	if cfg.Options.DeriveInternalDomainCert != nil {
-		sharedKey, err := cfg.Options.GetSharedKey()
-		if err != nil {
-			return nil, fmt.Errorf("failed to generate cert, invalid shared key: %w", err)
-		}
-
-		ca, err := derivecert.NewCA(sharedKey)
-		if err != nil {
-			return nil, fmt.Errorf("failed to generate cert, invalid derived CA: %w", err)
-		}
-
-		pem, err := ca.NewServerCert([]string{"*"})
-		if err != nil {
-			return nil, fmt.Errorf("failed to generate cert, error creating server certificate: %w", err)
-		}
-
-		cert, err := pem.TLS()
-		if err != nil {
-			return nil, fmt.Errorf("failed to generate cert, error converting generated certificate into TLS certificate: %w", err)
-		}
-		return &cert, nil
-	}
-
 	sharedKey, err := cfg.Options.GetSharedKey()
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate cert, invalid shared key: %w", err)
 	}
-
-	// finally fall back to a generated, self-signed certificate
 	return cryptutil.GenerateCertificate(sharedKey, "*")
 }
 

config/config_test.go

@@ -0,0 +1,51 @@
+package config_test
+
+import (
+	"crypto/tls"
+	"encoding/base64"
+	"encoding/pem"
+	"testing"
+
+	"github.com/pomerium/pomerium/config"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/proto"
+)
+
+func TestGenerateCatchAllCertificate(t *testing.T) {
+	expected := `-----BEGIN CERTIFICATE-----
+MIIBlzCCAT2gAwIBAgIRAPmKEV01Qa1gBWn9yUQPCFgwCgYIKoZIzj0EAwIwLTER
+MA8GA1UEChMIUG9tZXJpdW0xGDAWBgNVBAMTD1BvbWVyaXVtIFBTSyBDQTAgFw0y
+MjEyMDEwMDAwMDBaGA8yMDUwMTIwMTAwMDAwMFowEzERMA8GA1UEChMIUG9tZXJp
+dW0wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASkOynLyo4bsBFKiTN87zqoGe4x
+62tdRaE+g5Trxqqv8qWwhb4q9fUWI+pNQigBe2HsGJFsneA2M0S11RXVG2ffo1Yw
+VDAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0jBBgw
+FoAU384OyoQVoqmKbzZbfHny25RhyqcwDAYDVR0RBAUwA4IBKjAKBggqhkjOPQQD
+AgNIADBFAiEAitjxkg8yM/OWXGrzdUOA0gAh/c53/+7Gr45XEFCBMNQCIB3OzfDM
+z/tcTCNUHYSh638283eNtxzfadbEhEjJ1Bpe
+-----END CERTIFICATE-----
+`
+	cfg := &config.Config{Options: &config.Options{
+		SharedKey: base64.StdEncoding.EncodeToString([]byte("ABCDEFGHIJKLMNOPQRSTUVWXYZ123456")),
+	}}
+	cert, err := cfg.GenerateCatchAllCertificate()
+	require.NoError(t, err)
+	assertCertPEM(t, []string{expected}, cert)
+
+	cfg.Options.DeriveInternalDomainCert = proto.String("example.com")
+	cert, err = cfg.GenerateCatchAllCertificate()
+	require.NoError(t, err)
+	assertCertPEM(t, []string{expected}, cert)
+}
+
+func assertCertPEM(t *testing.T, expected []string, cert *tls.Certificate) {
+	if assert.Len(t, cert.Certificate, len(expected)) {
+		for i := range cert.Certificate {
+			certPEM := pem.EncodeToMemory(&pem.Block{
+				Type:  "CERTIFICATE",
+				Bytes: cert.Certificate[i],
+			})
+			assert.Equal(t, expected[i], string(certPEM))
+		}
+	}
+}