Clean file url before assigning to runtime params

open-policy-agent · Oct 10, 2024 · 37bb0cf · 37bb0cf
1 parent e6af23b
commit 37bb0cf
Showing 1 changed file with 20 additions and 19 deletions.
diff --git a/cmd/run.go b/cmd/run.go
@@ -292,18 +292,31 @@ func initRuntime(ctx context.Context, params runCmdParams, args []string, addrSe
 		"1.3": tls.VersionTLS13,
 	}
 
-	cert, err := loadCertificate(params.tlsCertFile, params.tlsPrivateKeyFile)
+	tlsCertFilePath, err := fileurl.Clean(params.tlsCertFile)
+	if err != nil {
+		return nil, fmt.Errorf("invalid certificate file path: %w", err)
+	}
+	tlsPrivateKeyFilePath, err := fileurl.Clean(params.tlsPrivateKeyFile)
+	if err != nil {
+		return nil, fmt.Errorf("invalid certificate private key file path: %w", err)
+	}
+	tlsCACertFilePath, err := fileurl.Clean(params.tlsCACertFile)
+	if err != nil {
+		return nil, fmt.Errorf("invalid CA certificate file path: %w", err)
+	}
+
+	cert, err := loadCertificate(tlsCertFilePath, tlsPrivateKeyFilePath)
 	if err != nil {
 		return nil, err
 	}
 
-	params.rt.CertificateFile = params.tlsCertFile
-	params.rt.CertificateKeyFile = params.tlsPrivateKeyFile
+	params.rt.CertificateFile = tlsCertFilePath
+	params.rt.CertificateKeyFile = tlsPrivateKeyFilePath
 	params.rt.CertificateRefresh = params.tlsCertRefresh
-	params.rt.CertPoolFile = params.tlsCACertFile
+	params.rt.CertPoolFile = tlsCACertFilePath
 
-	if params.tlsCACertFile != "" {
-		pool, err := loadCertPool(params.tlsCACertFile)
+	if tlsCACertFilePath != "" {
+		pool, err := loadCertPool(tlsCACertFilePath)
 		if err != nil {
 			return nil, err
 		}
@@ -424,15 +437,7 @@ func historyPath() string {
 
 func loadCertificate(tlsCertFile, tlsPrivateKeyFile string) (*tls.Certificate, error) {
 	if tlsCertFile != "" && tlsPrivateKeyFile != "" {
-		tlsCertFilePath, err := fileurl.Clean(tlsCertFile)
-		if err != nil {
-			return nil, fmt.Errorf("invalid certificate file path: %w", err)
-		}
-		tlsPrivateKeyFilePath, err := fileurl.Clean(tlsPrivateKeyFile)
-		if err != nil {
-			return nil, fmt.Errorf("invalid certificate private key file path: %w", err)
-		}
-		cert, err := tls.LoadX509KeyPair(tlsCertFilePath, tlsPrivateKeyFilePath)
+		cert, err := tls.LoadX509KeyPair(tlsCertFile, tlsPrivateKeyFile)
 		if err != nil {
 			return nil, err
 		}
@@ -445,10 +450,6 @@ func loadCertificate(tlsCertFile, tlsPrivateKeyFile string) (*tls.Certificate, e
 }
 
 func loadCertPool(tlsCACertFile string) (*x509.CertPool, error) {
-	tlsCACertFile, err := fileurl.Clean(tlsCACertFile)
-	if err != nil {
-		return nil, err
-	}
 	caCertPEM, err := os.ReadFile(tlsCACertFile)
 	if err != nil {
 		return nil, fmt.Errorf("read CA cert file: %v", err)