From 6a350aa4e1b30f73c69ff7af9a12d3be3a54eb39 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Thu, 22 Apr 2021 16:58:48 -0700
Subject: [PATCH] Fix some LDAP CA bundle handling

- Make PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE optional for integration tests
- When there is no CA bundle provided, be careful to use nil instead of an empty bundle, because nil means to use the OS defaults
---
 internal/upstreamldap/upstreamldap.go | 3 ++-
 test/library/env.go | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/internal/upstreamldap/upstreamldap.go b/internal/upstreamldap/upstreamldap.go
index ae296db5..5848ebd0 100644
--- a/internal/upstreamldap/upstreamldap.go
+++ b/internal/upstreamldap/upstreamldap.go
@@ -124,8 +124,9 @@ func (p *Provider) dial(ctx context.Context) (Conn, error) {
 // Unfortunately, the go-ldap library does not seem to support dialing with a context.Context,
 // so we implement it ourselves, heavily inspired by ldap.DialURL.
 func (p *Provider) dialTLS(ctx context.Context, hostAndPort string) (Conn, error) {
- rootCAs := x509.NewCertPool()
+ var rootCAs *x509.CertPool
  if p.c.CABundle != nil {
+ rootCAs = x509.NewCertPool()
  if !rootCAs.AppendCertsFromPEM(p.c.CABundle) {
  return nil, ldap.NewError(ldap.ErrorNetwork, fmt.Errorf("could not parse CA bundle"))
  }
diff --git a/test/library/env.go b/test/library/env.go
index 78aeaec5..0e730d05 100644
--- a/test/library/env.go
+++ b/test/library/env.go
@@ -236,7 +236,7 @@ func loadEnvVars(t *testing.T, result *TestEnv) {
 
  result.SupervisorUpstreamLDAP = TestLDAPUpstream{
  Host: needEnv(t, "PINNIPED_TEST_LDAP_HOST"),
- CABundle: base64Decoded(t, needEnv(t, "PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE")),
+ CABundle: base64Decoded(t, os.Getenv("PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE")),
  BindUsername: needEnv(t, "PINNIPED_TEST_LDAP_BIND_ACCOUNT_USERNAME"),
  BindPassword: needEnv(t, "PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD"),
  UserSearchBase: needEnv(t, "PINNIPED_TEST_LDAP_USERS_SEARCH_BASE"),
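Review bot: The new `var rootCAs *x509.CertPool` is intentionally left nil when `p.c.CABundle` is nil, which is the whole point of the commit, but nothing in the code says so and a later reader may well "fix" it back to `x509.NewCertPool()`; add a comment above the declaration such as `// Leave rootCAs nil when no bundle is configured: crypto/tls then verifies the LDAP server against the system root CAs instead of an empty pool that trusts nothing.` The comment should also state that the `!= nil` guard deliberately treats an empty but non-nil bundle as configured, and since `AppendCertsFromPEM` returns false when it parses no certificates, such a value fails closed with "could not parse CA bundle" rather than silently falling back to host roots — that is the safer behaviour, and worth recording as a decision. dialTLS continues outside the hunk, so where rootCAs is consumed (presumably a tls.Config) is not visible here.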
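Review bot: `os.Getenv` returns "" when PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE is unset, and whether `base64Decoded(t, "")` then yields nil or a non-nil empty slice depends on that helper, which is outside the hunk; `encoding/base64`'s `DecodeString("")` returns a non-nil zero-length slice, so if the helper passes that through, `CABundle` becomes `[]byte{}`, and the `p.c.CABundle != nil` guard added in the upstreamldap.go hunk would try to parse it and fail with "could not parse CA bundle" instead of using the OS roots as the commit description intends. Confirm the helper returns nil for an empty input, or decode only when the variable is set, e.g. `var ldapCA []byte` / `if v := os.Getenv("PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE"); v != "" { ldapCA = base64Decoded(t, v) }` and then `CABundle: ldapCA,`. A short comment on the field, `// optional: nil means the test LDAP server's certificate chains to the OS trust store`, would also document why this one field is not fetched with needEnv like its neighbours. loadEnvVars continues outside the hunk.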