feat: check TLSConfig early to catch missing certificates (#10341)

Co-authored-by: Josef Johansson <josjoh@oderland.se>
2022-01-18 23:04:09 +01:00 · 2022-01-18 23:04:09 +01:00 · eeb5d0ea3d
parent 80580c070f
commit eeb5d0ea3d
6 changed files with 51 additions and 8 deletions
--- a/config/config.go
+++ b/config/config.go
@ -2,6 +2,7 @@ package config

 import (
 	"bytes"
+	"crypto/tls"
 	"fmt"
 	"io"
 	"log"
@ -1188,6 +1189,12 @@ func (c *Config) addOutput(name string, table *ast.Table) error {
 		return err
 	}

+	if c, ok := interface{}(output).(interface{ TLSConfig() (*tls.Config, error) }); ok {
+		if _, err := c.TLSConfig(); err != nil {
+			return err
+		}
+	}
+
 	ro := models.NewRunningOutput(output, outputConfig, c.Agent.MetricBatchSize, c.Agent.MetricBufferLimit)
 	c.Outputs = append(c.Outputs, ro)
 	return nil
@ -1333,6 +1340,12 @@ func (c *Config) addInput(name string, table *ast.Table) error {
 		return err
 	}

+	if c, ok := interface{}(input).(interface{ TLSConfig() (*tls.Config, error) }); ok {
+		if _, err := c.TLSConfig(); err != nil {
+			return err
+		}
+	}
+
 	rp := models.NewRunningInput(input, pluginConfig)
 	rp.SetDefaultTags(c.Tags)
 	c.Inputs = append(c.Inputs, rp)
--- a/config/config_test.go
+++ b/config/config_test.go
@ -215,6 +215,11 @@ func TestConfig_LoadDirectory(t *testing.T) {
 	}
 }

+func TestConfig_WrongCertPath(t *testing.T) {
+	c := NewConfig()
+	require.Error(t, c.LoadConfig("./testdata/wrong_cert_path.toml"))
+}
+
 func TestConfig_LoadSpecialTypes(t *testing.T) {
 	c := NewConfig()
 	require.NoError(t, c.LoadConfig("./testdata/special_types.toml"))
@ -226,8 +231,12 @@ func TestConfig_LoadSpecialTypes(t *testing.T) {
 	require.Equal(t, Duration(time.Second), input.WriteTimeout)
 	// Tests telegraf size parsing.
 	require.Equal(t, Size(1024*1024), input.MaxBodySize)
-	// Tests toml multiline basic strings.
-	require.Equal(t, "/path/to/my/cert", strings.TrimRight(input.TLSCert, "\r\n"))
+	// Tests toml multiline basic strings on single line.
+	require.Equal(t, "./testdata/special_types.pem", input.TLSCert)
+	// Tests toml multiline basic strings on single line.
+	require.Equal(t, "./testdata/special_types.key", input.TLSKey)
+	// Tests toml multiline basic strings on multiple lines.
+	require.Equal(t, "/path/", strings.TrimRight(input.Paths[0], "\r\n"))
 }

 func TestConfig_FieldNotDefined(t *testing.T) {
@ -733,6 +742,7 @@ type MockupInputPlugin struct {
 	ReadTimeout  Duration `toml:"read_timeout"`
 	WriteTimeout Duration `toml:"write_timeout"`
 	MaxBodySize  Size     `toml:"max_body_size"`
+	Paths        []string `toml:"paths"`
 	Port         int      `toml:"port"`
 	Command      string
 	PidFile      string
--- a/config/testdata/special_types.key
+++ b/config/testdata/special_types.key
@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFYI4Hm+jRW3OC3zvoWDaCig6E7X0Ql9l8elHPU3e5+toAoGCCqGSM49
+AwEHoUQDQgAEGOw1XQ84Ai3GTZJ5o5u1yTFgA3VLZTTT0oHol06LRj5Md3oRy0MQ
+QO5OhsAGGz16SYcPHf77aZmf2Of6ixYaLQ==
+-----END EC PRIVATE KEY-----
--- a/config/testdata/special_types.pem
+++ b/config/testdata/special_types.pem
@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjTCCATOgAwIBAgIRALJ1hlgDYCh5dWfr6tdrBEYwCgYIKoZIzj0EAwIwFDES
+MBAGA1UEAxMJbG9jYWxob3N0MB4XDTIyMDExMjA3NTgyMloXDTIyMDExMzA3NTgy
+MlowFDESMBAGA1UEAxMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
+QgAEGOw1XQ84Ai3GTZJ5o5u1yTFgA3VLZTTT0oHol06LRj5Md3oRy0MQQO5OhsAG
+Gz16SYcPHf77aZmf2Of6ixYaLaNmMGQwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW
+MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUuKpGXAb1DaVSffJ/xuF6
+FE31CC8wFAYDVR0RBA0wC4IJbG9jYWxob3N0MAoGCCqGSM49BAMCA0gAMEUCIHCb
+m2phe189gftRke2Mo45lDsEAGaXsjA4lO/IOMo5lAiEA5k2X0bQfFhSfAcZPFtDI
+iUwvC9SD3+CnzkP35O0jo+c=
+-----END CERTIFICATE-----
--- a/config/testdata/special_types.toml
+++ b/config/testdata/special_types.toml
@ -1,9 +1,8 @@
 [[inputs.http_listener_v2]]
  write_timeout = "1s"
  max_body_size = "1MiB"
-  tls_cert = """
-/path/to/my/cert
-"""
-  tls_key = '''
-/path/to/my/key
-'''
+  paths = [ """
+/path/
+""" ]
+  tls_cert = """./testdata/special_types.pem"""
+  tls_key = '''./testdata/special_types.key'''
--- a/config/testdata/wrong_cert_path.toml
+++ b/config/testdata/wrong_cert_path.toml
@ -0,0 +1,5 @@
+[[inputs.http_listener_v2]]
+  write_timeout = "1s"
+  max_body_size = "1MiB"
+  tls_cert = "invalid.pem"
+  tls_key = "invalid.key"