From d18e8c661d2a34149fba1dfc6c6abadb15622a76 Mon Sep 17 00:00:00 2001 From: Caleb Doxsey Date: Wed, 9 Dec 2020 11:16:39 -0700 Subject: [PATCH] improve ca cert error message, use GetCertPool for databroker storage (#1666) --- cmd/pomerium-cli/kubernetes.go | 25 ++++++++----------------- go.sum | 3 +++ internal/databroker/server.go | 13 ++++--------- pkg/cryptutil/tls.go | 8 ++++---- 4 files changed, 19 insertions(+), 30 deletions(-) diff --git a/cmd/pomerium-cli/kubernetes.go b/cmd/pomerium-cli/kubernetes.go index aa90bd70c..e6906daa3 100644 --- a/cmd/pomerium-cli/kubernetes.go +++ b/cmd/pomerium-cli/kubernetes.go @@ -3,8 +3,6 @@ package main import ( "context" "crypto/tls" - "crypto/x509" - "encoding/base64" "encoding/json" "fmt" "io" @@ -20,6 +18,8 @@ import ( "golang.org/x/crypto/ssh/terminal" "golang.org/x/sync/errgroup" jose "gopkg.in/square/go-jose.v2" + + "github.com/pomerium/pomerium/pkg/cryptutil" ) var kubernetesExecCredentialOption struct { 
@@ -148,21 +148,12 @@ func runOpenBrowser(ctx context.Context, li net.Listener, serverURL *url.URL) er
 if kubernetesExecCredentialOption.disableTLSVerification {
 transport.TLSClientConfig.InsecureSkipVerify = true
 }
- if kubernetesExecCredentialOption.alternateCAPath != "" {
- data, err := ioutil.ReadFile(kubernetesExecCredentialOption.alternateCAPath)
- if err != nil {
- return fmt.Errorf("error reading CA certificate: %w", err)
- }
- transport.TLSClientConfig.RootCAs = x509.NewCertPool()
- transport.TLSClientConfig.RootCAs.AppendCertsFromPEM(data)
- }
- if kubernetesExecCredentialOption.caCert != "" {
- data, err := base64.StdEncoding.DecodeString(kubernetesExecCredentialOption.caCert)
- if err != nil {
- return fmt.Errorf("error reading CA certificate: %w", err)
- }
- transport.TLSClientConfig.RootCAs = x509.NewCertPool()
- transport.TLSClientConfig.RootCAs.AppendCertsFromPEM(data)
+ transport.TLSClientConfig.RootCAs, err = cryptutil.GetCertPool(
+ kubernetesExecCredentialOption.caCert,
+ kubernetesExecCredentialOption.alternateCAPath,
+ )
+ if err != nil {
+ return err
 }
 client := &http.Client{
diff --git a/go.sum b/go.sum
index 2e1c444c3..63288c24b 100644
--- a/go.sum
+++ b/go.sum
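Review bot: RootCAs is now assigned on every run, whereas the removed code left it nil (platform verifier) when neither caCert nor alternateCAPath is set; combined with the tls.go hunk in this commit, where GetCertPool substitutes an empty `x509.NewCertPool()` if `x509.SystemCertPool` errors (historically the case on Windows builds), the CLI would then reject every server certificate unless disableTLSVerification is on. Guarding the call keeps the old default while retaining the new error handling, as below. A quieter change is that a user-supplied CA is now appended to the system roots rather than replacing them, so someone pinning to a private CA also trusts every public CA on the machine; probably fine for a client tool, but worth a sentence in the flag help. runOpenBrowser starts before this hunk and continues after it.
```go
// … unchanged: disableTLSVerification handling …
// Leave RootCAs nil (platform roots) unless a CA was supplied: GetCertPool may
// hand back an empty pool when the system pool is unavailable, which verifies nothing.
if kubernetesExecCredentialOption.caCert != "" || kubernetesExecCredentialOption.alternateCAPath != "" {
	transport.TLSClientConfig.RootCAs, err = cryptutil.GetCertPool(
		kubernetesExecCredentialOption.caCert,
		kubernetesExecCredentialOption.alternateCAPath,
	)
	if err != nil {
		return fmt.Errorf("error loading CA certificate: %w", err)
	}
}
// … unchanged: http.Client construction …
```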
@@ -519,6 +519,7 @@ github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40T github.com/rakyll/statik v0.1.7 h1:OF3QCZUuyPxuGEP7B4ypUa7sB/iHtqOTDYZXGM8KOdQ= github.com/rakyll/statik v0.1.7/go.mod h1:AlZONWzMtEnMs7W4e/1LURLiI49pIMmp6V9Unghqrcc= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= @@ -721,6 +722,7 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20201207163604-931764155e3f h1:bGuVhRryQ3m1t3U3cQOa4TdSuMIXKrTrvmdJjQLbMKc= golang.org/x/oauth2 v0.0.0-20201207163604-931764155e3f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -931,6 +933,7 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.34.0 h1:raiipEjMOIC/TO2AvyTxP25XFdLxNIBwzDh3FM3XztI= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= diff --git a/internal/databroker/server.go b/internal/databroker/server.go index 7d9f9f3e3..31b02298f 100644 --- a/internal/databroker/server.go +++ b/internal/databroker/server.go @@ -4,9 +4,7 @@ package databroker import ( "context" "crypto/tls" - "crypto/x509" "fmt" - "io/ioutil" "reflect" "sort" "strings" @@ -26,6 +24,7 @@ import ( "github.com/pomerium/pomerium/internal/log" "github.com/pomerium/pomerium/internal/signal" "github.com/pomerium/pomerium/internal/telemetry/trace" + "github.com/pomerium/pomerium/pkg/cryptutil" "github.com/pomerium/pomerium/pkg/grpc/databroker" "github.com/pomerium/pomerium/pkg/storage" "github.com/pomerium/pomerium/pkg/storage/inmemory" 
@@ -464,13 +463,9 @@ func (srv *Server) getDB(recordType string, lock bool) (db storage.Backend, vers
 }
 func (srv *Server) newDB(recordType string) (db storage.Backend, err error) {
- caCertPool := x509.NewCertPool()
- if srv.cfg.storageCAFile != "" {
- if caCert, err := ioutil.ReadFile(srv.cfg.storageCAFile); err == nil {
- caCertPool.AppendCertsFromPEM(caCert)
- } else {
- log.Warn().Err(err).Msg("failed to read databroker CA file")
- }
+ caCertPool, err := cryptutil.GetCertPool("", srv.cfg.storageCAFile)
+ if err != nil {
+ log.Warn().Err(err).Msg("failed to read databroker CA file")
 }
 tlsConfig := &tls.Config{
 RootCAs: caCertPool,
diff --git a/pkg/cryptutil/tls.go b/pkg/cryptutil/tls.go
index 185240ed4..4edc5b013 100644
--- a/pkg/cryptutil/tls.go
+++ b/pkg/cryptutil/tls.go
@@ -16,7 +16,7 @@ import (
 func GetCertPool(ca, caFile string) (*x509.CertPool, error) {
 rootCAs, err := x509.SystemCertPool()
 if err != nil {
- log.Error().Msg("pkg/cryptutil: failed getting system cert pool making new one")
+ log.Error().Err(err).Msg("pkg/cryptutil: failed getting system cert pool making new one")
 rootCAs = x509.NewCertPool()
 }
 if ca == "" && caFile == "" {
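Review bot: The error path in newDB now fails open: GetCertPool returns `nil, err` on failure (visible in the tls.go hunks), so an unreadable or malformed storageCAFile only logs a warning and the storage TLS connection is then verified with a nil RootCAs, i.e. against the system roots rather than the operator's private CA, whereas the removed code kept an empty pool that could not verify anything. Since newDB already returns an error, the misconfiguration should be surfaced rather than downgraded: replace the warning with `return nil, fmt.Errorf("databroker: failed to read storage CA file %q: %w", srv.cfg.storageCAFile, err)`. If a best-effort fallback is intentional, the warning should at least say that system roots are now in use so the log is not misread as a retryable hiccup. newDB's body, including the tls.Config literal, continues past this hunk.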
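Review bot: The fallback `rootCAs = x509.NewCertPool()` after a SystemCertPool failure hands callers an empty, non-nil pool, and with this commit both the CLI and the databroker receive it even when no custom CA is configured; an empty RootCAs rejects every certificate, while a nil RootCAs would let crypto/tls use the platform verifier. The richer log line helps diagnosis, but the safer shape is to return the error to the caller, or, when `ca` and `caFile` are both empty, return `nil, nil` so the caller keeps platform roots. Failing that, a comment on the fallback such as `// NOTE: an empty pool verifies nothing; callers that pass no CA should prefer a nil RootCAs` would make the trade-off explicit. The no-CA early return and the rest of GetCertPool are outside this hunk.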
@@ -27,16 +27,16 @@ func GetCertPool(ca, caFile string) (*x509.CertPool, error) {
 if ca != "" {
 data, err = base64.StdEncoding.DecodeString(ca)
 if err != nil {
- return nil, fmt.Errorf("failed to decode certificate authority: %w", err)
+ return nil, fmt.Errorf("failed to decode base64-encoded certificate authority: %w", err)
 }
 } else {
 data, err = ioutil.ReadFile(caFile)
 if err != nil {
- return nil, fmt.Errorf("certificate authority file %v not readable: %w", caFile, err)
+ return nil, fmt.Errorf("failed to read certificate authority file (%s): %w", caFile, err)
 }
 }
 if ok := rootCAs.AppendCertsFromPEM(data); !ok {
- return nil, fmt.Errorf("failed to append CA cert to certPool")
+ return nil, fmt.Errorf("failed to append any PEM-encoded certificates")
 }
 log.Debug().Msg("pkg/cryptutil: added custom certificate authority")
 return rootCAs, nil
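Review bot: The new AppendCertsFromPEM failure message still does not say which input was rejected, even though the two branches above know it; set `src := "inline certificate authority"` in the base64 branch and `src := fmt.Sprintf("certificate authority file (%s)", caFile)` in the file branch, then `return nil, fmt.Errorf("no PEM-encoded certificates found in %s", src)`. The check itself deserves a caveat for operators shipping bundles: AppendCertsFromPEM reports true as soon as one certificate parses, so a bundle with one corrupt block is accepted with that block silently dropped, which a comment like `// NOTE: ok is true if any block parsed; malformed blocks in a bundle are skipped silently` should record. GetCertPool's closing brace is past the end of this hunk.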