

agent crashes when certs file exists but doesn't contain certs
Fix an agent crash when no certs are available because none are found in the certificate file (when trying to reload from that file).
Peter Wilson authored Sep 16, 2022
1 parent 97739ef commit e5ddc02
Showing 2 changed files with 27 additions and 13 deletions.
5 changes: 5 additions & 0 deletions dependency/vault_pki.go
Expand Up @@ -110,6 +110,11 @@ func (d *VaultPKIQuery) Fetch(clients *ClientSet, opts *QueryOptions) (interface
// returns time left in ~90% of the original lease and a boolean
// that returns false if cert needs renewing, true otherwise
func goodFor(cert *x509.Certificate) (time.Duration, bool) {
// If we got called with a cert that doesn't exist, just say there's no
// time left, and it needs to be renewed
if cert == nil {
return 0, false
}
// These are all int64's with Seconds since the Epoch, handy for the math
start, end := cert.NotBefore.Unix(), cert.NotAfter.Unix()
now := time.Now().UTC().Unix()
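Review bot: The nil guard at the top of goodFor returns `0, false`, and a caller that uses the returned duration as its renew/retry delay will presumably treat that as "renew immediately"; if the certificate file is empty because Vault is unreachable or returned nothing, that could turn into a tight renewal loop, so it is worth confirming the caller applies a minimum backoff for this case. The function's doc comment should also spell out the new contract, e.g. `// A nil cert is treated as already expired: returns 0, false so the caller renews immediately.` The remaining time math of goodFor continues past the end of the hunk.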
35 changes: 22 additions & 13 deletions dependency/vault_pki_test.go
Expand Up @@ -24,20 +24,29 @@ func Test_VaultPKI_uniqueID(t *testing.T) {
}

func Test_VaultPKI_notGoodFor(t *testing.T) {
// only test the negation, postive is tested below with pemsificates
// fetched in Vault integration tests (creating pemss is non-trivial)
_, cert, err := pemsCert([]byte(validCert))
if err != nil {
t.Error(err)
tests := map[string]struct {
input []byte
}{
"valid cert": {input: []byte(validCert)},
"empty cert": {input: make([]byte, 0)},
}
dur, ok := goodFor(cert)
if ok != false {
t.Error("should be false")
}
// duration should be negative as pems has already expired
// but still tests pems time parsing (it'd be 0 if there was an issue)
if dur > 0 {
t.Error("duration shouldn't be positive (old cert)")

for name, tc := range tests {
// only test the negation, postive is tested below with pemsificates
// fetched in Vault integration tests (creating pemss is non-trivial)
_, cert, err := pemsCert(tc.input)
if err != nil {
t.Error(err)
}
dur, ok := goodFor(cert)
if ok != false {
t.Errorf("%v: should be false", name)
}
// duration should be negative as pems has already expired
// but still tests pems time parsing (it'd be 0 if there was an issue)
if dur > 0 {
t.Errorf("%v: duration shouldn't be positive (old cert)", name)
}
}
}

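Review bot: The new "empty cert" case never asserts that `pemsCert` actually yields a nil cert for empty input, so the test does not prove the nil path in goodFor is exercised; a non-nil zero-valued certificate would also satisfy `ok == false` and `dur <= 0` and the case would pass for the wrong reason. Add after the parse, `if len(tc.input) == 0 && cert != nil { t.Errorf("%v: expected nil cert for empty input", name) }`. The loop also continues into `goodFor(cert)` after a `t.Error(err)` parse failure, which is fine now that goodFor tolerates nil but should be a deliberate choice rather than an accident; a `t.Run(name, ...)` subtest per case would keep the failures attributable. The comments carried into the loop body ("pemsificates", "pemss", "postive") look like a cert→pems search-and-replace artifact and a typo and should read "certificates"/"certs"/"positive".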
