Fix some LDAP CA bundle handling

- Make PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE optional for integration tests - When there is no CA bundle provided, be careful to use nil instead of an empty bundle, because nil means to use the OS defaults
2021-04-22 16:58:48 -07:00 · 2021-04-22 16:58:48 -07:00 · 6a350aa4e1
commit 6a350aa4e1
parent ddc632b99c
2 changed files with 3 additions and 2 deletions
--- a/internal/upstreamldap/upstreamldap.go
+++ b/internal/upstreamldap/upstreamldap.go
@ -124,8 +124,9 @@ func (p *Provider) dial(ctx context.Context) (Conn, error) {
 // Unfortunately, the go-ldap library does not seem to support dialing with a context.Context,
 // so we implement it ourselves, heavily inspired by ldap.DialURL.
 func (p *Provider) dialTLS(ctx context.Context, hostAndPort string) (Conn, error) {
-	rootCAs := x509.NewCertPool()
+	var rootCAs *x509.CertPool
 	if p.c.CABundle != nil {
+		rootCAs = x509.NewCertPool()
 		if !rootCAs.AppendCertsFromPEM(p.c.CABundle) {
 			return nil, ldap.NewError(ldap.ErrorNetwork, fmt.Errorf("could not parse CA bundle"))
 		}
--- a/test/library/env.go
+++ b/test/library/env.go
@ -236,7 +236,7 @@ func loadEnvVars(t *testing.T, result *TestEnv) {

 	result.SupervisorUpstreamLDAP = TestLDAPUpstream{
 		Host:                           needEnv(t, "PINNIPED_TEST_LDAP_HOST"),
-		CABundle:                       base64Decoded(t, needEnv(t, "PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE")),
+		CABundle:                       base64Decoded(t, os.Getenv("PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE")),
 		BindUsername:                   needEnv(t, "PINNIPED_TEST_LDAP_BIND_ACCOUNT_USERNAME"),
 		BindPassword:                   needEnv(t, "PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD"),
 		UserSearchBase:                 needEnv(t, "PINNIPED_TEST_LDAP_USERS_SEARCH_BASE"),