From e642365613773a7c0c3726f5d6479d75751cfe46 Mon Sep 17 00:00:00 2001
From: Maxence Moutoussamy
Date: Thu, 19 May 2022 17:12:08 +0200
Subject: [PATCH] Fix panic when getting certificates with non-existing store

Co-authored-by: Tom Moulard
---
 pkg/tls/tlsmanager.go | 7 +++++++
 pkg/tls/tlsmanager_test.go | 30 ++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)

diff --git a/pkg/tls/tlsmanager.go b/pkg/tls/tlsmanager.go
index 50e809e8a..961b1d8e3 100644
--- a/pkg/tls/tlsmanager.go
+++ b/pkg/tls/tlsmanager.go
@@ -171,6 +171,13 @@ func (m *Manager) Get(storeName, configName string) (*tls.Config, error) {
 return nil, nil
 }
 
+ if store == nil {
+ log.WithoutContext().Errorf("TLS: No certificate store found with this name: %q, closing connection", storeName)
+
+ // Same comment as above, as in the isACMETLS case.
+ return nil, nil
+ }
+
 log.WithoutContext().Debugf("Serving default certificate for request: %q", domainToCheck)
 return store.DefaultCertificate, nil
 }
diff --git a/pkg/tls/tlsmanager_test.go b/pkg/tls/tlsmanager_test.go
index 63f13fe17..f06d0ab94 100644
--- a/pkg/tls/tlsmanager_test.go
+++ b/pkg/tls/tlsmanager_test.go
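Review bot: The new guard logs at error level from inside the per-handshake callback, so one misconfigured store name produces an error line for every incoming connection and can flood the log; since `store` is fixed at the time the callback is built, the condition is better detected once in `Get` (whose body begins above this hunk), or at least lowered to `log.WithoutContext().Debugf(...)` to match the neighbouring lines. The check also sits immediately before `store.DefaultCertificate`, so any earlier use of `store` inside the callback (above the hunk) stays unguarded unless those methods tolerate a nil receiver — worth confirming, or the guard belongs at the top of the callback. The comment `// Same comment as above, as in the isACMETLS case.` relies on text that is not adjacent; stating the reason directly, e.g. `// Return (nil, nil) rather than an error so the TLS server handles the missing certificate itself.`, keeps the intent readable here. Both the callback and the enclosing `Get` start and end outside this hunk.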
@@ -171,6 +171,36 @@ func TestManager_Get(t *testing.T) {
 }
 }
 
+func TestManager_Get_GetCertificate(t *testing.T) {
+ testCases := []struct {
+ desc string
+ expectedGetConfigErr require.ErrorAssertionFunc
+ expectedCertificate assert.ValueAssertionFunc
+ }{
+ {
+ desc: "Get a default certificate from non-existing store",
+ expectedGetConfigErr: require.Error,
+ expectedCertificate: assert.Nil,
+ },
+ }
+
+ tlsManager := NewManager()
+
+ for _, test := range testCases {
+ test := test
+ t.Run(test.desc, func(t *testing.T) {
+ t.Parallel()
+
+ config, err := tlsManager.Get("default", "foo")
+ test.expectedGetConfigErr(t, err)
+
+ certificate, err := config.GetCertificate(&tls.ClientHelloInfo{})
+ require.NoError(t, err)
+ test.expectedCertificate(t, certificate)
+ })
+ }
+}
+
 func TestClientAuth(t *testing.T) {
 tlsConfigs := map[string]Options{
 "eca": {
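Review bot: `config` is dereferenced in `config.GetCertificate(&tls.ClientHelloInfo{})` right after `test.expectedGetConfigErr(t, err)` has asserted that `Get` returned an error, so the test silently depends on `Get` handing back a usable `*tls.Config` together with a non-nil error; if that contract changes, the subtest dies with a nil-pointer panic instead of a readable assertion failure. Adding `require.NotNil(t, config)` between the two calls makes the dependency explicit. The single table entry is described as "non-existing store" yet passes `"default"` as the store name, which only exercises the missing-store path if a fresh `NewManager()` has no stores configured — I cannot see that from the hunk, so a one-line comment on the `Get` call stating that assumption (or an obviously unknown store name) would make the intent clear to the next reader.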