add validation for tls private key and cert file values

tenable · May 18, 2021 · 8bdb990 · 8bdb990
1 parent 9ac1667
commit 8bdb990
Show file tree

Hide file tree

Showing 5 changed files with 155 additions and 3 deletions.
diff --git a/pkg/http-server/start.go b/pkg/http-server/start.go
@@ -49,13 +49,21 @@ func Start(port, configFile, certFile, privateKeyFile string) {
 func (g *APIServer) start(routes []*Route, port, certFile, privateKeyFile string) {
 
 	var (
-		err    error
 		logger = logging.GetDefaultLogger() // new logger
-		router = mux.NewRouter()            // new router
+		err    error
+		router = mux.NewRouter() // new router
 	)
 
 	logger.Info("registering routes...")
 
+	if privateKeyFile != "" || certFile != "" {
+		logger.Debugf("certfile is %s, privateKeyFile is %s", certFile, privateKeyFile)
+
+		if err := g.validateFiles(privateKeyFile, certFile); err != nil {
+			logger.Fatal(err)
+		}
+	}
+
 	// register all routes
 	for _, v := range routes {
 		logger.Info("Route ", v.verb, " - ", v.path)
@@ -72,19 +80,25 @@ func (g *APIServer) start(routes []*Route, port, certFile, privateKeyFile string
 		Handler: router,
 	}
 
+	message := make(chan string)
 	go func() {
 		var err error
 		if certFile != "" && privateKeyFile != "" {
 			// In case a certificate file is specified, the server support TLS
+			message <- "https server listening at port %v"
 			err = server.ListenAndServeTLS(certFile, privateKeyFile)
 		} else {
+			message <- "http server listening at port %v"
 			err = server.ListenAndServe()
 		}
 		if err != nil && err != http.ErrServerClosed {
 			logger.Fatal(err)
 		}
 	}()
-	logger.Infof("http server listening at port %v", port)
+
+	logger.Infof(<-message, port)
+
+	close(message)
 
 	// Wait for interrupt signal to gracefully shutdown the server
 	quit := make(chan os.Signal, 1)

diff --git a/pkg/http-server/validate.go b/pkg/http-server/validate.go
@@ -0,0 +1,32 @@
+/*
+    Copyright (C) 2020 Accurics, Inc.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+*/
+
+package httpserver
+
+import "fmt"
+
+func (g *APIServer) validateFiles(privateKeyFile, certFile string) error {
+	keylength := len(privateKeyFile)
+	certlength := len(certFile)
+
+	if keylength > 0 && certlength == 0 {
+		return fmt.Errorf("private key file provided but certficate file missing")
+	} else if keylength == 0 && certlength > 0 {
+		return fmt.Errorf("certificate file provided but private key file missing")
+	}
+
+	return nil
+}
diff --git a/pkg/http-server/validate_test.go b/pkg/http-server/validate_test.go
@@ -0,0 +1,54 @@
+package httpserver
+
+import (
+	"fmt"
+	"reflect"
+	"testing"
+)
+
+func TestValidateFiles(t *testing.T) {
+	server := APIServer{}
+	table := []struct {
+		name           string
+		privateKeyFile string
+		certFile       string
+		wantOutput     interface{}
+		wantErr        error
+	}{
+		{
+			name:           "normal file names",
+			privateKeyFile: "key",
+			certFile:       "cert",
+			wantErr:        nil,
+		},
+		{
+			name:           "error in both privatekey and certfile filenames",
+			privateKeyFile: "",
+			certFile:       "server.crt",
+			wantErr:        fmt.Errorf("certificate file provided but private key file missing"),
+		},
+		{
+			name:           "error in privatekey filename",
+			privateKeyFile: "",
+			certFile:       "",
+			wantErr:        nil,
+		},
+		{
+			name:           "error in certfile filename",
+			privateKeyFile: "keyfile",
+			certFile:       "",
+			wantErr:        fmt.Errorf("private key file provided but certficate file missing"),
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			gotErr := server.validateFiles(tt.privateKeyFile, tt.certFile)
+			if !reflect.DeepEqual(gotErr, tt.wantErr) {
+				if tt.wantErr != nil && gotErr != nil && tt.wantErr.Error() != gotErr.Error() {
+					t.Errorf("error got: '%v', want: '%v'", gotErr, tt.wantErr)
+				}
+			}
+		})
+	}
+}
diff --git a/test/e2e/test_data/certs/server.crt b/test/e2e/test_data/certs/server.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID9TCCAt2gAwIBAgIJANcasjhanWjaMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
+VQQGEwJJTjEUMBIGA1UECAwLTWFoYXJhc2h0cmExDTALBgNVBAcMBFB1bmUxETAP
+BgNVBAoMCEFjY3VyaWNzMScwJQYJKoZIhvcNAQkBFhhkZXZhbmcuZ2F1ckBhY2N1
+cmljcy5jb20xLjAsBgNVBAMMJXRlcnJhc2Nhbi50ZXJyYXNjYW4uc3ZjLmNsdXN0
+ZXIubG9jYWwwHhcNMjEwNTEwMjIzMTM0WhcNMjEwNjA5MjIzMTM0WjCBnjELMAkG
+A1UEBhMCSU4xFDASBgNVBAgMC01haGFyYXNodHJhMQ0wCwYDVQQHDARQdW5lMREw
+DwYDVQQKDAhBY2N1cmljczEnMCUGCSqGSIb3DQEJARYYZGV2YW5nLmdhdXJAYWNj
+dXJpY3MuY29tMS4wLAYDVQQDDCV0ZXJyYXNjYW4udGVycmFzY2FuLnN2Yy5jbHVz
+dGVyLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnph3od0J
+zp3RI8eQx488YVWIlBbqGZChDxoS8aadmBc+clM2ZPnEDfgsOvCe8UL0uG//waC1
+UzNoXe5ThhsqD8avrlfqxYQk+PGcaf/iOOEMN9+G+rUmqm1zKkVPRkHjtMXvGUHb
+lwULA0qMlvW24noWPXS+D+6cv90pFxP+2Xkh4FnDE63pXrQ+2Gf2hNVDMNaeiTP9
+zPnyBE+6Pd5uLAMHrBpwkC9M39yhnLx1vlKO/XnOQGXANpItVHO8HsbKT+o6fbPI
+/RshvNi7rq1mPBcbq/gwTs68RpafdXDKIWMOZDpMVOto5+B2DRMHIvZ/BW4y5Ip0
++wI2kXw8UlrHkQIDAQABozQwMjAwBgNVHREEKTAngiV0ZXJyYXNjYW4udGVycmFz
+Y2FuLnN2Yy5jbHVzdGVyLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IBAQAGHoZvgZwd
+dLbaZaVT6jfZLqZxz2g004/sK9z4U6bcXTeXx5nJUsE4RkCVt+wAsH1eNF8Xdr7c
+rMTH5mcHYcpcRH1CBktYkMF5nZwLzjRoR5abju0BZWrsEZi7cDJOeboW6EQqFBn8
+LFsG2437Lx8to8XYheo91HG3QFdFo2kofaelUAqIxz0WdPnjChPH7RpjUEubXn1+
+VKKrFhB6zKulU+YJaEJ0LO38CejrwKRT+pr1v3HaWnJSitZaJDDwxvkvSjdf8Rk2
+4HsU1Rp2v3ts1zfzUthWrnc3G8darZx5ZdQWjRK2C17zrtzJO7M33D8BjiQaTQXL
+kCfVMzBQKmOp
+-----END CERTIFICATE-----
diff --git a/test/e2e/test_data/certs/server.key b/test/e2e/test_data/certs/server.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCemHeh3QnOndEj
+x5DHjzxhVYiUFuoZkKEPGhLxpp2YFz5yUzZk+cQN+Cw68J7xQvS4b//BoLVTM2hd
+7lOGGyoPxq+uV+rFhCT48Zxp/+I44Qw334b6tSaqbXMqRU9GQeO0xe8ZQduXBQsD
+SoyW9bbiehY9dL4P7py/3SkXE/7ZeSHgWcMTreletD7YZ/aE1UMw1p6JM/3M+fIE
+T7o93m4sAwesGnCQL0zf3KGcvHW+Uo79ec5AZcA2ki1Uc7wexspP6jp9s8j9GyG8
+2LuurWY8Fxur+DBOzrxGlp91cMohYw5kOkxU62jn4HYNEwci9n8FbjLkinT7AjaR
+fDxSWseRAgMBAAECggEBAI5mH6R6L0ARe6NAoMJN3c0XW5Z8LJ3fun0w0CmhjIbu
+9+b2yDRJ/rr8Rdp2CoBduhWQmndksOqPkfok72HOKioYH83OqsHGMNxFNEgItTqU
+9r+EOFILLTiBJZKiwNc4ehfqURDAjUZABO9jlHBHF3qqXCW6GJ19hcjP7wEFtyHT
+s5Vcdab07waMAzqmX4kK2GmgZMicXJykZyYxTrhz1ZKDfS3z6m1WlHHgUfOPULK8
+1JpERBLquOykk/InuoYKo2YTIOUoTEydX0ws30xQFz3Vt91mnL9J9fyevkULio8K
+o+kISh+48uqgf/3WY01AASYEGZ4PxxruAc0Jmtl3bkECgYEAz2KOWyMC0V4fgk9h
+PbRA1hoVAuQ8tcsy6KXjP+1GjlFvbBro321+pY5A7Cg4tiwAqaCxVg2kb4kKFNBn
+LXaCZ06nkht8D9dH9Q3oVz+fs01BikfPaa9HJ+oqgloqZ2JAs+tvJuEgZJwyrl0Z
+Gefy0T2Ar6WdF4UM2Ua3crh6ds0CgYEAw8X+uohDSFRpDMOYH4GU/nrmpW/0YyHY
+SGegnCvdMelCW/3YunWs8HCUkyOXEDh8AvMdXQmR6bab4RQn7XSUC+wogdHYkCUR
+wJfYjc9697ta6WEaaPCyqURVuOPBPsP77zmfpSXRpyChA1TDKGYR3k5jHdpJI0qs
+y44QieWHq9UCgYEAqwq6JmiF1nAuxKb7qIyWPP9d/PiJKdbhsge/meX0n0SDBUJc
+doo0Pg9JdHzn6Tf5g+3I1RSDXopECk6oClMH0nSIuHR6qgYAjxhdXDhZWuSI/aek
+ZaHuqfjz/nanKoVaoAm5rvNWaCR7mFuobDllhzWWgUeyfMd7hWhRvQhx2LECgYAC
+HKmx03R+XELB235RoLE9yY+ha0LEqwHNTijiZmq9dhm8KlHjOQ/DjENeDv07NJDJ
+61t+vHKxhcHKvM/tdNuAAW0ycVQXwf6eCEVSylE2SPQjHmQNi8MxpkYSd4qHJdAa
+9ZEuU+keF3EFOy3byrYYotnY4Zj2Y4DXtVGiWzKKfQKBgFyCnZeDxtaSQveUivYE
+FdU7TZV5SWzAIOOxjfzYgUGP+Ypjz3V6t4LqTiMqFE0hwxLvzy8sgxf46IQD+g8g
+Q/mM2pq5tQqfdiO2g/56GZkr4yWh7q789QPRWMQYvPswffL7ln2V82WHfepgFYST
+dQDfcPWTV/kgupqIJs5OI5Sl
+-----END PRIVATE KEY-----