config: use getters for certificates (#2001)

* config: use getters for certificates

* update log message

internal/autocert/manager.go

@@ -102,8 +102,12 @@ func (mgr *Manager) getCertMagicConfig(cfg *config.Config) (*certmagic.Config, e
 	mgr.certmagic.MustStaple = cfg.Options.AutocertOptions.MustStaple
 	mgr.certmagic.OnDemand = nil // disable on-demand
 	mgr.certmagic.Storage = &certmagic.FileStorage{Path: cfg.Options.AutocertOptions.Folder}
+	certs, err := cfg.AllCertificates()
+	if err != nil {
+		return nil, err
+	}
 	// add existing certs to the cache, and staple OCSP
-	for _, cert := range cfg.AllCertificates() {
+	for _, cert := range certs {
 		if err := mgr.certmagic.CacheUnmanagedTLSCertificate(cert, nil); err != nil {
 			return nil, fmt.Errorf("config: failed caching cert: %w", err)
 		}

internal/controlplane/xds_listeners.go

@@ -631,7 +631,13 @@ func (srv *Server) buildRouteConfiguration(name string, virtualHosts []*envoy_co
 }
 
 func (srv *Server) buildDownstreamTLSContext(cfg *config.Config, domain string) *envoy_extensions_transport_sockets_tls_v3.DownstreamTlsContext {
-	cert, err := cryptutil.GetCertificateForDomain(cfg.AllCertificates(), domain)
+	certs, err := cfg.AllCertificates()
+	if err != nil {
+		log.Warn().Str("domain", domain).Err(err).Msg("failed to get all certificates from config")
+		return nil
+	}
+
+	cert, err := cryptutil.GetCertificateForDomain(certs, domain)
 	if err != nil {
 		log.Warn().Str("domain", domain).Err(err).Msg("failed to get certificate for domain")
 		return nil
@@ -792,7 +798,7 @@ func getDownstreamValidationContext(
 ) *envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext {
 	needsClientCert := false
 
-	if cfg.Options.ClientCA != "" {
+	if ca, _ := cfg.Options.GetClientCA(); len(ca) > 0 {
 		needsClientCert = true
 	}
 	if !needsClientCert {

internal/controlplane/xds_listeners_test.go

@@ -1,7 +1,6 @@
 package controlplane
 
 import (
-	"crypto/tls"
 	"os"
 	"path/filepath"
 	"testing"
@@ -13,7 +12,6 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/controlplane/filemgr"
 	"github.com/pomerium/pomerium/internal/testutil"
-	"github.com/pomerium/pomerium/pkg/cryptutil"
 )
 
 const (
@@ -469,11 +467,6 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 }
 
 func Test_buildDownstreamTLSContext(t *testing.T) {
-	certA, err := cryptutil.CertificateFromBase64(aExampleComCert, aExampleComKey)
-	if !assert.NoError(t, err) {
-		return
-	}
-
 	srv, _ := NewServer("TEST", nil)
 
 	cacheDir, _ := os.UserCacheDir()
@@ -482,7 +475,8 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
 
 	t.Run("no-validation", func(t *testing.T) {
 		downstreamTLSContext := srv.buildDownstreamTLSContext(&config.Config{Options: &config.Options{
-			Certificates: []tls.Certificate{*certA},
+			Cert: aExampleComCert,
+			Key:  aExampleComKey,
 		}}, "a.example.com")
 
 		testutil.AssertProtoJSONEqual(t, `{
@@ -514,8 +508,9 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
 	})
 	t.Run("client-ca", func(t *testing.T) {
 		downstreamTLSContext := srv.buildDownstreamTLSContext(&config.Config{Options: &config.Options{
-			Certificates: []tls.Certificate{*certA},
-			ClientCA:     "TEST",
+			Cert:     aExampleComCert,
+			Key:      aExampleComKey,
+			ClientCA: "TEST",
 		}}, "a.example.com")
 
 		testutil.AssertProtoJSONEqual(t, `{
@@ -550,7 +545,8 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
 	})
 	t.Run("policy-client-ca", func(t *testing.T) {
 		downstreamTLSContext := srv.buildDownstreamTLSContext(&config.Config{Options: &config.Options{
-			Certificates: []tls.Certificate{*certA},
+			Cert: aExampleComCert,
+			Key:  aExampleComKey,
 			Policies: []config.Policy{
 				{
 					Source:                &config.StringURL{URL: mustParseURL(t, "https://a.example.com")},