From 883615685b54c5a15856b2bbb469c9875bdcbd68 Mon Sep 17 00:00:00 2001
From: feistel <6742251-feistel@users.noreply.gitlab.com>
Date: Wed, 11 Aug 2021 19:02:04 +0000
Subject: fix: validate client cert paths exist on disk before proceeding
---
 client/httpclient.go | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)
(limited to 'client/httpclient.go')
diff --git a/client/httpclient.go b/client/httpclient.go
index f2e82e5..15bae25 100644
--- a/client/httpclient.go
+++ b/client/httpclient.go
@@ -5,9 +5,11 @@ import (
 "crypto/tls"
 "crypto/x509"
 "errors"
+ "fmt"
 "io/ioutil"
 "net"
 "net/http"
+ "os"
 "path/filepath"
 "strings"
 "time"
@@ -25,6 +27,10 @@ const (
 defaultReadTimeoutSeconds = 300
 )
 
+var (
+ ErrCafileNotFound = errors.New("cafile not found")
+)
+
 type HttpClient struct {
 *http.Client
 Host string
@@ -60,15 +66,6 @@ func NewHTTPClient(gitlabURL, gitlabRelativeURLRoot, caFile, caPath string, self
 
 // NewHTTPClientWithOpts builds an HTTP client using the provided options
 func NewHTTPClientWithOpts(gitlabURL, gitlabRelativeURLRoot, caFile, caPath string, selfSignedCert bool, readTimeoutSeconds uint64, opts []HTTPClientOpt) (*HttpClient, error) {
- hcc := &httpClientCfg{
- caFile: caFile,
- caPath: caPath,
- }
-
- for _, opt := range opts {
- opt(hcc)
- }
-
 var transport *http.Transport
 var host string
 var err error
@@ -77,6 +74,19 @@ func NewHTTPClientWithOpts(gitlabURL, gitlabRelativeURLRoot, caFile, caPath stri
 } else if strings.HasPrefix(gitlabURL, httpProtocol) {
 transport, host = buildHttpTransport(gitlabURL)
 } else if strings.HasPrefix(gitlabURL, httpsProtocol) {
+ hcc := &httpClientCfg{
+ caFile: caFile,
+ caPath: caPath,
+ }
+
+ for _, opt := range opts {
+ opt(hcc)
+ }
+
+ if _, err := os.Stat(caFile); err != nil {
+ return nil, fmt.Errorf("cannot find cafile '%s': %w", caFile, ErrCafileNotFound)
+ }
+
 transport, host, err = buildHttpsTransport(*hcc, selfSignedCert, gitlabURL)
 if err != nil {
 return nil, err
-- cgit v1.2.1
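Review bot: With `hcc` and the `opts` loop deleted from the top of NewHTTPClientWithOpts, the option functions are no longer run for unix-socket or plain-http URLs — the re-insert later in this commit sits inside the https branch only — so any HTTPClientOpt that configures something other than TLS trust material would be silently ignored on those paths; whether such an option exists is not visible here. If options are intended to be TLS-only, say so where the function is documented, e.g. `// opts are only consulted for https:// URLs; other schemes ignore them.` The function's body continues outside the hunk.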
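Review bot: The new `os.Stat(caFile)` check in the https branch runs even when `caFile` is empty, and `os.Stat("")` fails with a not-exist error, so a caller that configures HTTPS through `caPath` alone or relies on system roots would now be rejected with ErrCafileNotFound instead of reaching buildHttpsTransport as before — this assumes caFile is optional, which the separate caFile/caPath parameters suggest but the hunk does not prove. Guarding the check with `if caFile != "" { ... }` keeps the early validation for the configured case only. A successful Stat also proves only that the path exists: a directory or an unreadable file passes here and still has to be rejected by whatever later reads the file, so this check does not replace error handling there. NewHTTPClientWithOpts's body continues past the end of the hunk.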
From 566a74d01f862bc05a6400b84759859a308fc31a Mon Sep 17 00:00:00 2001
From: feistel <6742251-feistel@users.noreply.gitlab.com>
Date: Wed, 11 Aug 2021 19:04:48 +0000
Subject: fix: make sure ErrCafileNotFound is returned only when the file doesn't exist
---
 client/httpclient.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'client/httpclient.go')
diff --git a/client/httpclient.go b/client/httpclient.go
index 15bae25..fceb0f4 100644
--- a/client/httpclient.go
+++ b/client/httpclient.go
@@ -84,7 +87,10 @@ func NewHTTPClientWithOpts(gitlabURL, gitlabRelativeURLRoot, caFile, caPath stri
 }
 
 if _, err := os.Stat(caFile); err != nil {
- return nil, fmt.Errorf("cannot find cafile '%s': %w", caFile, ErrCafileNotFound)
+ if os.IsNotExist(err) {
+ return nil, fmt.Errorf("cannot find cafile '%s': %w", caFile, ErrCafileNotFound)
+ }
+ return nil, err
 }
 
 transport, host, err = buildHttpsTransport(*hcc, selfSignedCert, gitlabURL)
-- cgit v1.2.1
From 41146cce2bb672c2082537a39f608fbf20f8985f Mon Sep 17 00:00:00 2001
From: Ash McKenzie
Date: Tue, 17 Aug 2021 17:37:17 +0000
Subject: test: move os.stat check before the hcc creation
---
 client/httpclient.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'client/httpclient.go')
diff --git a/client/httpclient.go b/client/httpclient.go
index fceb0f4..a2ecfd0 100644
--- a/client/httpclient.go
+++ b/client/httpclient.go
@@ -74,6 +74,13 @@ func NewHTTPClientWithOpts(gitlabURL, gitlabRelativeURLRoot, caFile, caPath stri
 } else if strings.HasPrefix(gitlabURL, httpProtocol) {
 transport, host = buildHttpTransport(gitlabURL)
 } else if strings.HasPrefix(gitlabURL, httpsProtocol) {
+ if _, err := os.Stat(caFile); err != nil {
+ if os.IsNotExist(err) {
+ return nil, fmt.Errorf("cannot find cafile '%s': %w", caFile, ErrCafileNotFound)
+ }
+ return nil, err
+ }
+
 hcc := &httpClientCfg{
 caFile: caFile,
 caPath: caPath,
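Review bot: The non-ENOENT branch added here returns the raw `*os.PathError` with no indication of what the caller was doing, while the ENOENT branch wraps its error; a permission or bad-path error on the CA file should be just as attributable in logs, so wrap it the same way: `return nil, fmt.Errorf("cannot stat cafile '%s': %w", caFile, err)`. `os.IsNotExist` is appropriate on the direct result of os.Stat (it does not unwrap wrapped errors, so keep it applied to that value and not to anything wrapped later). The enclosing function starts and ends outside the hunk.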
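Review bot: Moving the Stat ahead of the option loop means the check now validates the raw `caFile` parameter rather than the `hcc.caFile` value that buildHttpsTransport receives after `opts` have run; if any HTTPClientOpt overrides caFile — the hunk cannot show whether one does — the overriding path is never checked and ErrCafileNotFound is raised, or not, for the wrong path. Either keep the check after the loop on `hcc.caFile`, or document why the parameter is authoritative, e.g. `// opts must not change caFile; it is validated on the parameter before hcc is built.` The `test:` prefix in the subject is also misleading, since this hunk changes production code. The enclosing function starts and ends outside the hunk.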
@@ -83,13 +90,6 @@ func NewHTTPClientWithOpts(gitlabURL, gitlabRelativeURLRoot, caFile, caPath stri
 opt(hcc)
 }
 
- if _, err := os.Stat(caFile); err != nil {
- if os.IsNotExist(err) {
- return nil, fmt.Errorf("cannot find cafile '%s': %w", caFile, ErrCafileNotFound)
- }
- return nil, err
- }
-
 transport, host, err = buildHttpsTransport(*hcc, selfSignedCert, gitlabURL)
 if err != nil {
 return nil, err
-- cgit v1.2.1