config: update logic for checking overlapping certificates (#4216)

* config: update logic for checking overlapping certificates * add test * go mod tidy
2025-05-14 01:27:46 +02:00 · 2023-06-01 09:30:46 -06:00 · 2023-06-01 09:30:46 -06:00 · baf964f44a
commit baf964f44a
parent 3a791542d4
10 changed files with 216 additions and 138 deletions
--- a/internal/databroker/config_source_test.go
+++ b/internal/databroker/config_source_test.go
@ -2,22 +2,35 @@ package databroker

 import (
 	"context"
+	"encoding/base64"
 	"net"
 	"net/url"
 	"testing"
 	"time"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/proto"

 	"github.com/pomerium/pomerium/config"
+	"github.com/pomerium/pomerium/pkg/cryptutil"
 	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/protoutil"
 )

 func TestConfigSource(t *testing.T) {
+	t.Parallel()
+
+	generateCert := func(name string) ([]byte, []byte) {
+		cert, err := cryptutil.GenerateCertificate(nil, name)
+		require.NoError(t, err)
+		certPEM, keyPEM, err := cryptutil.EncodeCertificate(cert)
+		require.NoError(t, err)
+		return certPEM, keyPEM
+	}
+
 	ctx, clearTimeout := context.WithTimeout(context.Background(), 50*time.Second)
 	defer clearTimeout()

@ -45,6 +58,8 @@ func TestConfigSource(t *testing.T) {
 			{URL: *u},
 		}, AllowedUsers: []string{"foo@bar.com"},
 	})
+	certPEM, keyPEM := generateCert("*.example.com")
+	base.Cert, base.Key = base64.StdEncoding.EncodeToString(certPEM), base64.StdEncoding.EncodeToString(keyPEM)

 	baseSource := config.NewStaticSource(&config.Config{
 		OutboundPort: outboundPort,
@ -55,13 +70,17 @@ func TestConfigSource(t *testing.T) {
 	})
 	cfgs <- src.GetConfig()

+	route := &configpb.Route{
+		From: "https://from.example.com",
+		To:   []string{"https://to.example.com"},
+	}
+	cert := &configpb.Settings_Certificate{}
+	cert.CertBytes, cert.KeyBytes = generateCert("*.example.com")
 	data := protoutil.NewAny(&configpb.Config{
-		Name: "config",
-		Routes: []*configpb.Route{
-			{
-				From: "https://from.example.com",
-				To:   []string{"https://to.example.com"},
-			},
+		Name:   "config",
+		Routes: []*configpb.Route{route},
+		Settings: &configpb.Settings{
+			Certificates: []*configpb.Settings_Certificate{cert},
 		},
 	})
 	_, _ = dataBrokerServer.Put(ctx, &databroker.PutRequest{
@ -86,6 +105,7 @@ func TestConfigSource(t *testing.T) {
 		return
 	case cfg := <-cfgs:
 		assert.Len(t, cfg.Options.AdditionalPolicies, 1)
+		assert.Len(t, cfg.Options.CertificateFiles, 0, "ignores overlapping certificate")
 	}

 	baseSource.SetConfig(ctx, &config.Config{