Improve error message when using self-signed certificate
szh committed Mar 27, 2023
1 parent e71652c commit 38458ed
Showing 4 changed files with 22 additions and 3 deletions.
13 changes: 13 additions & 0 deletions cmd/integration/integration_test.go
Expand Up @@ -41,6 +41,19 @@ func TestIntegration(t *testing.T) {
assert.Contains(t, stdErr, "Must specify an Account")
})

t.Run("init with self-signed cert", func(t *testing.T) {
stdOut, stdErr, err = conjurCLI.Run("init", "-a", account, "-u", "https://proxy", "--force-netrc", "--force")
assert.Error(t, err)
assert.Equal(t, "", stdOut)
assert.Contains(t, stdErr, "Unable to retrieve and validate certificate")
assert.Contains(t, stdErr, "re-run the init command with the `--self-signed` flag")

stdOut, stdErr, err = conjurCLI.Run("init", "-a", account, "-u", "https://proxy", "--force-netrc", "--force", "--self-signed")
assert.NotContains(t, stdErr, "Unable to retrieve and validate certificate")
assert.Contains(t, stdOut, "The server's certificate fingerprint is")
assert.Contains(t, stdErr, selfSignedWarning)
})

t.Run("init", func(t *testing.T) {
stdOut, stdErr, err = conjurCLI.Run("init", "-a", account, "-u", "http://conjur", "-i", "--force-netrc", "--force")
assert.NoError(t, err)
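Review bot: The second conjurCLI.Run at L27 assigns err but nothing in the subtest checks it, so the `--self-signed` path could exit non-zero and still pass as long as the fingerprint line reached stdout; add `assert.NoError(t, err)` directly after L27. The first Run (L21) asserts the stderr hint but not that the failed init left no config behind; if the harness exposes the home directory, a check that no .conjurrc was written on that attempt would pin the "fail closed" behaviour the unit tests cover via assertFetchCertFailed. TestIntegration begins before this hunk.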
1 change: 1 addition & 0 deletions cmd/integration/shared.go
Expand Up @@ -21,6 +21,7 @@ const pathToBinary = "conjur"

const insecureModeWarning = "Warning: Running the command with '--insecure' makes your system vulnerable to security attacks\n" +
"If you prefer to communicate with the server securely you must reinitialize the client in secure mode.\n"
const selfSignedWarning = "Warning: Using self-signed certificates is not recommended and could lead to exposure of sensitive data\n"

func newConjurCLI(homeDir string) *conjurCLI {
return &conjurCLI{
7 changes: 6 additions & 1 deletion pkg/cmd/init.go
@@ -1,6 +1,7 @@
package cmd

import (
"errors"
"fmt"
"net/url"
"os"
Expand Down Expand Up @@ -199,7 +200,11 @@ func fetchCertIfNeeded(config *conjurapi.Config, cmdFlagVals initCmdFlagValues,

cert, err := utils.GetServerCert(url.Host, cmdFlagVals.selfSigned)
if err != nil {
return fmt.Errorf("Unable to retrieve certificate from %s: %s", url.Host, err)
errStr := fmt.Sprintf("Unable to retrieve and validate certificate from %s: %s", url.Host, err)
if !cmdFlagVals.selfSigned {
errStr += "\nIf you're attempting to use a self-signed certificate, re-run the init command with the `--self-signed` flag\n"
}
return errors.New(errStr)
}

// Prompt user to accept certificate
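Review bot: The `--self-signed` hint at L65 is appended for every certificate failure, not only an untrusted-issuer one, so a user whose connection is being intercepted, or who simply mistyped the host (the nohost unit case exercises exactly that), is told to disable the check that caught it. If the error from utils.GetServerCert still carries the underlying verification error, gate the hint on it: `var uae x509.UnknownAuthorityError` and `if !cmdFlagVals.selfSigned && errors.As(err, &uae) {` (needs a `crypto/x509` import), and extend the hint with a sentence asking the user to compare the printed fingerprint against one obtained out of band before accepting. Whether GetServerCert wraps the tls error or flattens it to a string is not visible in this hunk, so confirm that before relying on errors.As. fetchCertIfNeeded starts and ends outside the hunk.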
4 changes: 2 additions & 2 deletions pkg/cmd/init_test.go
Expand Up @@ -206,15 +206,15 @@ appliance_url: http://host
name: "fails if can't retrieve server certificate",
args: []string{"init", "-u=https://nohost.example.com", "-a=test-account"},
assert: func(t *testing.T, conjurrcInTmpDir string, stdout string, stderr string, err error) {
assert.Contains(t, stderr, "Unable to retrieve certificate")
assert.Contains(t, stderr, "Unable to retrieve and validate certificate")
assertFetchCertFailed(t, conjurrcInTmpDir)
},
},
{
name: "fails for self-signed certificate",
args: []string{"init", "-u=https://self-signed.badssl.com", "-a=test-account"},
assert: func(t *testing.T, conjurrcInTmpDir string, stdout string, stderr string, err error) {
assert.Contains(t, stderr, "Unable to retrieve certificate")
assert.Contains(t, stderr, "Unable to retrieve and validate certificate")
assertFetchCertFailed(t, conjurrcInTmpDir)
},
},
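Review bot: Neither updated case asserts the new `--self-signed` hint, and the nohost case at L76 is a resolution failure where that hint is misleading; the self-signed.badssl.com case at L85 is the one that should carry `assert.Contains(t, stderr, "--self-signed")`. Both cases reach the public network, so they only exercise the new message when badssl.com is reachable; that is pre-existing, but worth noting when reading a green run. The surrounding test table starts and ends outside the hunk.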
