Clean fileurl before loading certs

Signed-off-by: Alex Rohozneanu <[email protected]>
open-policy-agent · Oct 8, 2024 · 03d4654 · 03d4654
1 parent 69cd388
commit 03d4654
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/cmd/run.go b/cmd/run.go
@@ -9,6 +9,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	fileurl "github.com/open-policy-agent/opa/internal/file/url"
 	"os"
 	"path"
 	"time"
@@ -422,9 +423,16 @@ func historyPath() string {
 }
 
 func loadCertificate(tlsCertFile, tlsPrivateKeyFile string) (*tls.Certificate, error) {
-
 	if tlsCertFile != "" && tlsPrivateKeyFile != "" {
-		cert, err := tls.LoadX509KeyPair(tlsCertFile, tlsPrivateKeyFile)
+		tlsCertFilePath, err := fileurl.Clean(tlsCertFile)
+		if err != nil {
+			return nil, err
+		}
+		tlsPrivateKeyFilePath, err := fileurl.Clean(tlsPrivateKeyFile)
+		if err != nil {
+			return nil, err
+		}
+		cert, err := tls.LoadX509KeyPair(tlsCertFilePath, tlsPrivateKeyFilePath)
 		if err != nil {
 			return nil, err
 		}
@@ -437,6 +445,10 @@ func loadCertificate(tlsCertFile, tlsPrivateKeyFile string) (*tls.Certificate, e
 }
 
 func loadCertPool(tlsCACertFile string) (*x509.CertPool, error) {
+	tlsCACertFile, err := fileurl.Clean(tlsCACertFile)
+	if err != nil {
+		return nil, err
+	}
 	caCertPEM, err := os.ReadFile(tlsCACertFile)
 	if err != nil {
 		return nil, fmt.Errorf("read CA cert file: %v", err)