config.TLS: Inline PEM-encoded Certs, Keys and CAs

oxzi · oxzi · commit b9a288c46974 · 2025-03-05T10:56:35.000+01:00
Introduced support for raw encoded PEM data instead of filenames for
TLS.Cert, TLS.Key and TLS.Ca. This should make it easier to get rid of
the additional entrypoint program for docker-icingadb and allow direct
use of Icinga DB with its environment variable support.

In addition to the implementation, new tests were written with the goal
of complete coverage. A consumer of this type, database.Config, got
another test case using PEMs both as environment variables and as YAML
diff --git a/config/tls.go b/config/tls.go
@@ -3,8 +3,10 @@ package config
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"fmt"
 	"github.com/pkg/errors"
 	"os"
+	"strings"
 )
 
 // TLS represents configuration for a TLS client.
@@ -34,13 +36,15 @@ type TLS struct {
 	// Enable indicates whether TLS is enabled.
 	Enable bool `yaml:"tls" env:"TLS"`
 
-	// Cert is the path to the TLS certificate file. If provided, Key must also be specified.
+	// Cert is either the path to the TLS certificate file or a raw PEM-encoded string representing it.
+	// If provided, Key must also be specified.
 	Cert string `yaml:"cert" env:"CERT"`
 
-	// Key is the path to the TLS key file. If specified, Cert must also be provided.
+	// Key is either the path to the TLS key file or a raw PEM-encoded string representing it.
+	// If specified, Cert must also be provided.
 	Key string `yaml:"key" env:"KEY"`
 
-	// Ca is the path to the CA certificate file.
+	// Ca is either the path to the CA certificate file or a raw PEM-encoded string representing it.
 	Ca string `yaml:"ca" env:"CA"`
 
 	// Insecure indicates whether to skip verification of the server's certificate chain and host name.
@@ -57,6 +61,9 @@ func (t *TLS) MakeConfig(serverName string) (*tls.Config, error) {
 		return nil, nil
 	}
 
+	isRawPem := func(s string) bool { return strings.HasPrefix(strings.TrimSpace(s), "-----BEGIN") }
+	strToPem := func(s string) []byte { return []byte(strings.TrimSpace(s)) }
+
 	tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12}
 	if t.Cert == "" {
 		if t.Key != "" {
@@ -65,24 +72,39 @@ func (t *TLS) MakeConfig(serverName string) (*tls.Config, error) {
 	} else if t.Key == "" {
 		return nil, errors.New("client certificate given, but private key missing")
 	} else {
-		crt, err := tls.LoadX509KeyPair(t.Cert, t.Key)
-		if err != nil {
-			return nil, errors.Wrap(err, "can't load X.509 key pair")
+		if c, k := isRawPem(t.Cert), isRawPem(t.Key); c != k {
+			return nil, fmt.Errorf("either both certificate and key are PEM or none; is PEM certificate=%t, key=%t", c, k)
+		} else if c {
+			crt, err := tls.X509KeyPair(strToPem(t.Cert), strToPem(t.Key))
+			if err != nil {
+				return nil, errors.Wrap(err, "can't load X.509 key pair from raw PEM")
+			}
+			tlsConfig.Certificates = []tls.Certificate{crt}
+		} else {
+			crt, err := tls.LoadX509KeyPair(t.Cert, t.Key)
+			if err != nil {
+				return nil, errors.Wrap(err, "can't load X.509 key pair from files")
+			}
+			tlsConfig.Certificates = []tls.Certificate{crt}
 		}
-
-		tlsConfig.Certificates = []tls.Certificate{crt}
 	}
 
 	if t.Insecure {
 		tlsConfig.InsecureSkipVerify = true
 	} else if t.Ca != "" {
-		raw, err := os.ReadFile(t.Ca)
-		if err != nil {
-			return nil, errors.Wrap(err, "can't read CA file")
+		var ca []byte
+		if isRawPem(t.Ca) {
+			ca = strToPem(t.Ca)
+		} else {
+			raw, err := os.ReadFile(t.Ca)
+			if err != nil {
+				return nil, errors.Wrap(err, "can't read CA file")
+			}
+			ca = raw
 		}
 
 		tlsConfig.RootCAs = x509.NewCertPool()
-		if !tlsConfig.RootCAs.AppendCertsFromPEM(raw) {
+		if !tlsConfig.RootCAs.AppendCertsFromPEM(ca) {
 			return nil, errors.New("can't parse CA file")
 		}
 	}
diff --git a/config/tls_test.go b/config/tls_test.go
@@ -48,13 +48,47 @@ func TestTLS_MakeConfig(t *testing.T) {
 	t.Run("Missing client certificate", func(t *testing.T) {
 		tlsConfig := &TLS{Enable: true, Key: "test.key"}
 		_, err := tlsConfig.MakeConfig("icinga.com")
-		require.Error(t, err)
+		require.ErrorContains(t, err, "client certificate missing")
 	})
 
 	t.Run("Missing private key", func(t *testing.T) {
 		tlsConfig := &TLS{Enable: true, Cert: "test.crt"}
 		_, err := tlsConfig.MakeConfig("icinga.com")
-		require.Error(t, err)
+		require.ErrorContains(t, err, "private key missing")
+	})
+
+	t.Run("Cert is file, Key is PEM", func(t *testing.T) {
+		tlsConfig := &TLS{
+			Enable: true,
+			Cert:   "test.crt",
+			Key: `-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
+AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
+EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
+-----END EC PRIVATE KEY----`,
+		}
+		_, err := tlsConfig.MakeConfig("icinga.com")
+		require.ErrorContains(t, err, "either both certificate and key are PEM or none; is PEM certificate=false, key=true")
+	})
+
+	t.Run("Cert is PEM, Key is file", func(t *testing.T) {
+		tlsConfig := &TLS{
+			Enable: true,
+			Cert: `-----BEGIN CERTIFICATE-----
+MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
+DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
+EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
+7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
+5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
+BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
+NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
+Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
+6MF9+Yw1Yy0t
+-----END CERTIFICATE-----`,
+			Key: "test.key",
+		}
+		_, err := tlsConfig.MakeConfig("icinga.com")
+		require.ErrorContains(t, err, "either both certificate and key are PEM or none; is PEM certificate=true, key=false")
 	})
 
 	t.Run("x509", func(t *testing.T) {
@@ -93,7 +127,7 @@ func TestTLS_MakeConfig(t *testing.T) {
 		defer func(name string) {
 			_ = os.Remove(name)
 		}(corruptFile.Name())
-		err = os.WriteFile(corruptFile.Name(), []byte("corrupt PEM"), 0600)
+		err = os.WriteFile(corruptFile.Name(), []byte("-----BEGIN CORRUPT-----\nOOPS\n-----END CORRUPT-----"), 0600)
 		require.NoError(t, err)
 
 		t.Run("Valid certificate and key", func(t *testing.T) {
@@ -104,6 +138,19 @@ func TestTLS_MakeConfig(t *testing.T) {
 			require.Len(t, config.Certificates, 1)
 		})
 
+		t.Run("Valid certificate and key as PEM", func(t *testing.T) {
+			certRaw, err := os.ReadFile(certFile.Name())
+			require.NoError(t, err)
+			keyRaw, err := os.ReadFile(keyFile.Name())
+			require.NoError(t, err)
+
+			tlsConfig := &TLS{Enable: true, Cert: string(certRaw), Key: string(keyRaw)}
+			config, err := tlsConfig.MakeConfig("icinga.com")
+			require.NoError(t, err)
+			require.NotNil(t, config)
+			require.Len(t, config.Certificates, 1)
+		})
+
 		t.Run("Mismatched certificate and key", func(t *testing.T) {
 			_key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 			require.NoError(t, err)
@@ -149,6 +196,17 @@ func TestTLS_MakeConfig(t *testing.T) {
 			require.Error(t, err)
 		})
 
+		t.Run("Corrupt certificate as PEM", func(t *testing.T) {
+			corruptRaw, err := os.ReadFile(corruptFile.Name())
+			require.NoError(t, err)
+			keyRaw, err := os.ReadFile(keyFile.Name())
+			require.NoError(t, err)
+
+			tlsConfig := &TLS{Enable: true, Cert: string(corruptRaw), Key: string(keyRaw)}
+			_, err = tlsConfig.MakeConfig("icinga.com")
+			require.Error(t, err)
+		})
+
 		t.Run("Invalid key path", func(t *testing.T) {
 			tlsConfig := &TLS{Enable: true, Cert: certFile.Name(), Key: "nonexistent.key"}
 			_, err := tlsConfig.MakeConfig("icinga.com")
@@ -184,6 +242,17 @@ func TestTLS_MakeConfig(t *testing.T) {
 			require.NotNil(t, config.RootCAs)
 		})
 
+		t.Run("Valid CA as PEM", func(t *testing.T) {
+			caRaw, err := os.ReadFile(caFile.Name())
+			require.NoError(t, err)
+
+			tlsConfig := &TLS{Enable: true, Ca: string(caRaw)}
+			config, err := tlsConfig.MakeConfig("icinga.com")
+			require.NoError(t, err)
+			require.NotNil(t, config)
+			require.NotNil(t, config.RootCAs)
+		})
+
 		t.Run("Invalid CA path", func(t *testing.T) {
 			tlsConfig := &TLS{Enable: true, Ca: "nonexistent.ca"}
 			_, err := tlsConfig.MakeConfig("icinga.com")
diff --git a/database/config_test.go b/database/config_test.go
@@ -161,6 +161,124 @@ ca: ca.pem`,
 				},
 			},
 		},
+		{
+			Name: "TLS with raw PEM",
+			Data: testutils.ConfigTestData{
+				Yaml: minimalYaml + `
+tls: true
+cert: |-
+  -----BEGIN CERTIFICATE-----
+  MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
+  DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
+  EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
+  7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
+  5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
+  BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
+  NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
+  Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
+  6MF9+Yw1Yy0t
+  -----END CERTIFICATE-----
+key: |-
+  -----BEGIN EC PRIVATE KEY-----
+  MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
+  AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
+  EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
+  -----END EC PRIVATE KEY-----
+ca: |-
+  -----BEGIN CERTIFICATE-----
+  MIICSTCCAfOgAwIBAgIUcmQfIJAvbxdVm0PFanS4FWH71Z0wDQYJKoZIhvcNAQEL
+  BQAweTELMAkGA1UEBhMCREUxEjAQBgNVBAgMCUZyYW5jb25pYTESMBAGA1UEBwwJ
+  TnVyZW1iZXJnMUIwQAYDVQQKDDlIb25lc3QgTWFya3VzJyBVc2VkIE51Y2xlYXIg
+  UG93ZXIgUGxhbnRzIGFuZCBDZXJ0aWZpY2F0ZXMwHhcNMjUwMzA1MDk0ODIwWhcN
+  MjUwMzA2MDk0ODIwWjB5MQswCQYDVQQGEwJERTESMBAGA1UECAwJRnJhbmNvbmlh
+  MRIwEAYDVQQHDAlOdXJlbWJlcmcxQjBABgNVBAoMOUhvbmVzdCBNYXJrdXMnIFVz
+  ZWQgTnVjbGVhciBQb3dlciBQbGFudHMgYW5kIENlcnRpZmljYXRlczBcMA0GCSqG
+  SIb3DQEBAQUAA0sAMEgCQQCeEGX2IolvELSUjC1DqvJRbTs4DKwE8ZZHDAGrc5K9
+  DFrLKvkwgfv3g9R2NJE5o/A5vBLq22IDCFdI26M6t10HAgMBAAGjUzBRMB0GA1Ud
+  DgQWBBQn+dCzVtAzYOGC8tIi9JLmRbWI7jAfBgNVHSMEGDAWgBQn+dCzVtAzYOGC
+  8tIi9JLmRbWI7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EAlA27
+  ti1NKC+o+iZtyU8I/32aPaFme1+eQNIxvqXfw49jSM/FyDjhfZ0XlAxmK6tzF3mM
+  LJZsYbxapLeyWoA05Q==
+  -----END CERTIFICATE-----
+`,
+				Env: withMinimalEnv(map[string]string{
+					"TLS": "1",
+					"CERT": `-----BEGIN CERTIFICATE-----
+MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
+DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
+EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
+7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
+5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
+BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
+NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
+Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
+6MF9+Yw1Yy0t
+-----END CERTIFICATE-----`,
+					"KEY": `-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
+AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
+EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
+-----END EC PRIVATE KEY-----`,
+					"CA": `-----BEGIN CERTIFICATE-----
+MIICSTCCAfOgAwIBAgIUcmQfIJAvbxdVm0PFanS4FWH71Z0wDQYJKoZIhvcNAQEL
+BQAweTELMAkGA1UEBhMCREUxEjAQBgNVBAgMCUZyYW5jb25pYTESMBAGA1UEBwwJ
+TnVyZW1iZXJnMUIwQAYDVQQKDDlIb25lc3QgTWFya3VzJyBVc2VkIE51Y2xlYXIg
+UG93ZXIgUGxhbnRzIGFuZCBDZXJ0aWZpY2F0ZXMwHhcNMjUwMzA1MDk0ODIwWhcN
+MjUwMzA2MDk0ODIwWjB5MQswCQYDVQQGEwJERTESMBAGA1UECAwJRnJhbmNvbmlh
+MRIwEAYDVQQHDAlOdXJlbWJlcmcxQjBABgNVBAoMOUhvbmVzdCBNYXJrdXMnIFVz
+ZWQgTnVjbGVhciBQb3dlciBQbGFudHMgYW5kIENlcnRpZmljYXRlczBcMA0GCSqG
+SIb3DQEBAQUAA0sAMEgCQQCeEGX2IolvELSUjC1DqvJRbTs4DKwE8ZZHDAGrc5K9
+DFrLKvkwgfv3g9R2NJE5o/A5vBLq22IDCFdI26M6t10HAgMBAAGjUzBRMB0GA1Ud
+DgQWBBQn+dCzVtAzYOGC8tIi9JLmRbWI7jAfBgNVHSMEGDAWgBQn+dCzVtAzYOGC
+8tIi9JLmRbWI7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EAlA27
+ti1NKC+o+iZtyU8I/32aPaFme1+eQNIxvqXfw49jSM/FyDjhfZ0XlAxmK6tzF3mM
+LJZsYbxapLeyWoA05Q==
+-----END CERTIFICATE-----`,
+				}),
+			},
+			Expected: Config{
+				Type:     "pgsql",
+				Host:     "localhost",
+				User:     "icinga",
+				Database: "icingadb",
+				Password: "secret",
+				Options:  defaultOptions,
+				TlsOptions: config.TLS{
+					Enable: true,
+					Cert: `-----BEGIN CERTIFICATE-----
+MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
+DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
+EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
+7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
+5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
+BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
+NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
+Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
+6MF9+Yw1Yy0t
+-----END CERTIFICATE-----`,
+					Key: `-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
+AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
+EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
+-----END EC PRIVATE KEY-----`,
+					Ca: `-----BEGIN CERTIFICATE-----
+MIICSTCCAfOgAwIBAgIUcmQfIJAvbxdVm0PFanS4FWH71Z0wDQYJKoZIhvcNAQEL
+BQAweTELMAkGA1UEBhMCREUxEjAQBgNVBAgMCUZyYW5jb25pYTESMBAGA1UEBwwJ
+TnVyZW1iZXJnMUIwQAYDVQQKDDlIb25lc3QgTWFya3VzJyBVc2VkIE51Y2xlYXIg
+UG93ZXIgUGxhbnRzIGFuZCBDZXJ0aWZpY2F0ZXMwHhcNMjUwMzA1MDk0ODIwWhcN
+MjUwMzA2MDk0ODIwWjB5MQswCQYDVQQGEwJERTESMBAGA1UECAwJRnJhbmNvbmlh
+MRIwEAYDVQQHDAlOdXJlbWJlcmcxQjBABgNVBAoMOUhvbmVzdCBNYXJrdXMnIFVz
+ZWQgTnVjbGVhciBQb3dlciBQbGFudHMgYW5kIENlcnRpZmljYXRlczBcMA0GCSqG
+SIb3DQEBAQUAA0sAMEgCQQCeEGX2IolvELSUjC1DqvJRbTs4DKwE8ZZHDAGrc5K9
+DFrLKvkwgfv3g9R2NJE5o/A5vBLq22IDCFdI26M6t10HAgMBAAGjUzBRMB0GA1Ud
+DgQWBBQn+dCzVtAzYOGC8tIi9JLmRbWI7jAfBgNVHSMEGDAWgBQn+dCzVtAzYOGC
+8tIi9JLmRbWI7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EAlA27
+ti1NKC+o+iZtyU8I/32aPaFme1+eQNIxvqXfw49jSM/FyDjhfZ0XlAxmK6tzF3mM
+LJZsYbxapLeyWoA05Q==
+-----END CERTIFICATE-----`,
+				},
+			},
+		},
 		{
 			Name: "max_connections cannot be 0",
 			Data: testutils.ConfigTestData{
