
Commit 8230d3b

authored
Merge pull request #792 from ndk/main
Fix panic in `tlsRoundTripper` when CA file is absent
2 parents 633281f + 6df665b commit 8230d3b


2 files changed

+45
-0
lines changed

2 files changed

+45
-0
lines changed

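--- a/config/http_config.go
+++ b/config/http_config.go
@@ -1383,6 +1383,9 @@ func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 // using GetClientCertificate.
 tlsConfig := t.tlsConfig.Clone()
 if !updateRootCA(tlsConfig, caData) {
+if t.settings.CA == nil {
+return nil, errors.New("unable to use specified CA cert: none configured")
+}
 return nil, fmt.Errorf("unable to use specified CA cert %s", t.settings.CA.Description())
 }
 rt, err = t.newRT(tlsConfig)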
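Review bot: The new `t.settings.CA == nil` branch turns a configuration with no CA into a hard request failure instead of skipping the root-CA update: the accompanying test shows a CA-less client whose first request succeeds and whose next request, after the client certificate file changes, fails with "none configured". If this path is also reached on a routine client-certificate rotation (the code that decides this is outside the hunk, so this is inferred), a client without a configured CA would start failing requests once its certificate is renewed. Consider guarding the call instead, `if t.settings.CA != nil && !updateRootCA(tlsConfig, caData) {`, so the cloned config keeps its existing roots when no CA is configured. RoundTrip starts and ends outside the hunk.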

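--- a/config/http_config_test.go
+++ b/config/http_config_test.go
@@ -1969,6 +1969,48 @@ func TestModifyTLSCertificates(t *testing.T) {
 }
 }
 
+func TestTLSRoundTripper_NoCAConfigured(t *testing.T) {
+bs := getCertificateBlobs(t)
+
+tmpDir, err := os.MkdirTemp("", "tlspanic")
+require.NoErrorf(t, err, "Failed to create tmp dir")
+defer os.RemoveAll(tmpDir)
+cert, key := filepath.Join(tmpDir, "cert"), filepath.Join(tmpDir, "key")
+
+handler := func(w http.ResponseWriter, r *http.Request) {
+fmt.Fprint(w, ExpectedMessage)
+}
+testServer, err := newTestServer(handler)
+require.NoError(t, err)
+defer testServer.Close()
+
+cfg := HTTPClientConfig{
+TLSConfig: TLSConfig{
+CertFile: cert,
+KeyFile: key,
+InsecureSkipVerify: true,
+},
+}
+
+writeCertificate(bs, ClientCertificatePath, cert)
+writeCertificate(bs, ClientKeyNoPassPath, key)
+c, err := NewClientFromConfig(cfg, "test")
+require.NoErrorf(t, err, "Error creating HTTP Client: %v", err)
+
+req, err := http.NewRequest(http.MethodGet, testServer.URL, nil)
+require.NoErrorf(t, err, "Error creating HTTP request: %v", err)
+
+r, err := c.Do(req)
+require.NoErrorf(t, err, "Can't connect to the test server")
+r.Body.Close()
+
+err = os.WriteFile(cert, []byte("-----BEGIN GARBAGE-----\nabc\n-----END GARBAGE-----\n"), 0o664)
+require.NoError(t, err)
+
+_, err = c.Do(req)
+require.ErrorContainsf(t, err, "unable to use specified CA cert: none configured", "Expected error to mention missing CA cert")
+}
+
 // loadHTTPConfigJSON parses the JSON input s into a HTTPClientConfig.
 func loadHTTPConfigJSON(buf []byte) (*HTTPClientConfig, error) {
 cfg := &HTTPClientConfig{}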
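Review bot: TestTLSRoundTripper_NoCAConfigured never says why overwriting the client certificate file leads to a CA error, which is the step a reader needs to follow the final assertion. A comment before the `os.WriteFile` call would help, for example `// Change the cert file so the round tripper rebuilds its TLS config on the next request.` (the rebuild trigger is inferred from the test flow, not visible in this hunk). The temporary directory can come from `tmpDir := t.TempDir()`, which drops both the `os.MkdirTemp` error check and the `defer os.RemoveAll(tmpDir)`. The test only replaces the certificate with garbage; a second case that writes a valid replacement certificate would pin what a real rotation does when no CA is configured.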
