Merge pull request #113 from Icinga/tls-support-inline-pem

lippserd · web-flow · commit db817043ecba · 2025-03-20T09:09:01.000+01:00
config.TLS: Inline PEM-encoded Certs, Keys and CAs
diff --git a/config/tls.go b/config/tls.go
@@ -3,6 +3,7 @@ package config
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/pem"
 	"github.com/pkg/errors"
 	"os"
 )
@@ -34,13 +35,15 @@ type TLS struct {
 	// Enable indicates whether TLS is enabled.
 	Enable bool `yaml:"tls" env:"TLS"`
 
-	// Cert is the path to the TLS certificate file. If provided, Key must also be specified.
+	// Cert is either the path to the TLS certificate file or a raw PEM-encoded string representing it.
+	// If provided, Key must also be specified.
 	Cert string `yaml:"cert" env:"CERT"`
 
-	// Key is the path to the TLS key file. If specified, Cert must also be provided.
+	// Key is either the path to the TLS key file or a raw PEM-encoded string representing it.
+	// If specified, Cert must also be provided.
 	Key string `yaml:"key" env:"KEY"`
 
-	// Ca is the path to the CA certificate file.
+	// Ca is either the path to the CA certificate file or a raw PEM-encoded string representing it.
 	Ca string `yaml:"ca" env:"CA"`
 
 	// Insecure indicates whether to skip verification of the server's certificate chain and host name.
@@ -49,6 +52,20 @@ type TLS struct {
 	Insecure bool `yaml:"insecure" env:"INSECURE"`
 }
 
+// loadPemOrFile either returns a PEM from within the string or treats it as a file, returning its content.
+func loadPemOrFile(pemOrFile string) ([]byte, error) {
+	block, _ := pem.Decode([]byte(pemOrFile))
+	if block != nil {
+		return []byte(pemOrFile), nil
+	}
+
+	data, err := os.ReadFile(pemOrFile)
+	if err != nil {
+		return nil, err
+	}
+	return data, nil
+}
+
 // MakeConfig assembles a [*tls.Config] from the TLS struct and the provided serverName.
 // It returns a configured *tls.Config or an error if there are issues with the provided TLS settings.
 // If TLS is not enabled (t.Enable is false), it returns nil without an error.
@@ -58,31 +75,44 @@ func (t *TLS) MakeConfig(serverName string) (*tls.Config, error) {
 	}
 
 	tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12}
-	if t.Cert == "" {
-		if t.Key != "" {
-			return nil, errors.New("private key given, but client certificate missing")
-		}
-	} else if t.Key == "" {
+
+	hasKeyWithoutCert := t.Key != "" && t.Cert == ""
+	hasCertWithoutKey := t.Cert != "" && t.Key == ""
+	hasClientCert := t.Cert != "" && t.Key != ""
+
+	if hasKeyWithoutCert {
+		return nil, errors.New("private key given, but client certificate missing")
+	}
+	if hasCertWithoutKey {
 		return nil, errors.New("client certificate given, but private key missing")
-	} else {
-		crt, err := tls.LoadX509KeyPair(t.Cert, t.Key)
+	}
+	if hasClientCert {
+		certPem, err := loadPemOrFile(t.Cert)
 		if err != nil {
-			return nil, errors.Wrap(err, "can't load X.509 key pair")
+			return nil, errors.Wrap(err, "can't load X.509 client certificate")
+		}
+		keyPem, err := loadPemOrFile(t.Key)
+		if err != nil {
+			return nil, errors.Wrap(err, "can't load X.509 private key")
 		}
 
+		crt, err := tls.X509KeyPair(certPem, keyPem)
+		if err != nil {
+			return nil, errors.Wrap(err, "can't parse client certificate and private key into an X.509 key pair")
+		}
 		tlsConfig.Certificates = []tls.Certificate{crt}
 	}
 
 	if t.Insecure {
 		tlsConfig.InsecureSkipVerify = true
 	} else if t.Ca != "" {
-		raw, err := os.ReadFile(t.Ca)
+		caPem, err := loadPemOrFile(t.Ca)
 		if err != nil {
-			return nil, errors.Wrap(err, "can't read CA file")
+			return nil, errors.Wrap(err, "can't load X.509 CA certificate")
 		}
 
 		tlsConfig.RootCAs = x509.NewCertPool()
-		if !tlsConfig.RootCAs.AppendCertsFromPEM(raw) {
+		if !tlsConfig.RootCAs.AppendCertsFromPEM(caPem) {
 			return nil, errors.New("can't parse CA file")
 		}
 	}
diff --git a/config/tls_test.go b/config/tls_test.go
@@ -16,6 +16,37 @@ import (
 	"time"
 )
 
+func Test_loadPemOrFile(t *testing.T) {
+	cert, _, err := generateCert("cert", generateCertOptions{})
+	require.NoError(t, err)
+	certPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
+
+	certFile, err := os.CreateTemp("", "cert-*.pem")
+	require.NoError(t, err)
+	defer func(name string) {
+		_ = os.Remove(name)
+	}(certFile.Name())
+	_, err = certFile.Write(certPem)
+	require.NoError(t, err)
+
+	t.Run("Load raw PEM", func(t *testing.T) {
+		out, err := loadPemOrFile(string(certPem))
+		require.NoError(t, err)
+		require.Equal(t, certPem, out)
+	})
+
+	t.Run("Load file", func(t *testing.T) {
+		out, err := loadPemOrFile(certFile.Name())
+		require.NoError(t, err)
+		require.Equal(t, certPem, out)
+	})
+
+	t.Run("Invalid file", func(t *testing.T) {
+		_, err := loadPemOrFile("/dev/null/nonexistent")
+		require.Error(t, err)
+	})
+}
+
 func TestTLS_MakeConfig(t *testing.T) {
 	t.Run("TLS disabled", func(t *testing.T) {
 		tlsConfig := &TLS{Enable: false}
@@ -48,13 +79,13 @@ func TestTLS_MakeConfig(t *testing.T) {
 	t.Run("Missing client certificate", func(t *testing.T) {
 		tlsConfig := &TLS{Enable: true, Key: "test.key"}
 		_, err := tlsConfig.MakeConfig("icinga.com")
-		require.Error(t, err)
+		require.ErrorContains(t, err, "client certificate missing")
 	})
 
 	t.Run("Missing private key", func(t *testing.T) {
 		tlsConfig := &TLS{Enable: true, Cert: "test.crt"}
 		_, err := tlsConfig.MakeConfig("icinga.com")
-		require.Error(t, err)
+		require.ErrorContains(t, err, "private key missing")
 	})
 
 	t.Run("x509", func(t *testing.T) {
@@ -93,7 +124,7 @@ func TestTLS_MakeConfig(t *testing.T) {
 		defer func(name string) {
 			_ = os.Remove(name)
 		}(corruptFile.Name())
-		err = os.WriteFile(corruptFile.Name(), []byte("corrupt PEM"), 0600)
+		err = os.WriteFile(corruptFile.Name(), []byte("-----BEGIN CORRUPT-----\nOOPS\n-----END CORRUPT-----"), 0600)
 		require.NoError(t, err)
 
 		t.Run("Valid certificate and key", func(t *testing.T) {
@@ -104,6 +135,30 @@ func TestTLS_MakeConfig(t *testing.T) {
 			require.Len(t, config.Certificates, 1)
 		})
 
+		t.Run("Valid certificate and key as PEM", func(t *testing.T) {
+			certRaw, err := os.ReadFile(certFile.Name())
+			require.NoError(t, err)
+			keyRaw, err := os.ReadFile(keyFile.Name())
+			require.NoError(t, err)
+
+			tlsConfig := &TLS{Enable: true, Cert: string(certRaw), Key: string(keyRaw)}
+			config, err := tlsConfig.MakeConfig("icinga.com")
+			require.NoError(t, err)
+			require.NotNil(t, config)
+			require.Len(t, config.Certificates, 1)
+		})
+
+		t.Run("Valid certificate and key, mixed file and PEM", func(t *testing.T) {
+			keyRaw, err := os.ReadFile(keyFile.Name())
+			require.NoError(t, err)
+
+			tlsConfig := &TLS{Enable: true, Cert: certFile.Name(), Key: string(keyRaw)}
+			config, err := tlsConfig.MakeConfig("icinga.com")
+			require.NoError(t, err)
+			require.NotNil(t, config)
+			require.Len(t, config.Certificates, 1)
+		})
+
 		t.Run("Mismatched certificate and key", func(t *testing.T) {
 			_key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 			require.NoError(t, err)
@@ -149,6 +204,17 @@ func TestTLS_MakeConfig(t *testing.T) {
 			require.Error(t, err)
 		})
 
+		t.Run("Corrupt certificate as PEM", func(t *testing.T) {
+			corruptRaw, err := os.ReadFile(corruptFile.Name())
+			require.NoError(t, err)
+			keyRaw, err := os.ReadFile(keyFile.Name())
+			require.NoError(t, err)
+
+			tlsConfig := &TLS{Enable: true, Cert: string(corruptRaw), Key: string(keyRaw)}
+			_, err = tlsConfig.MakeConfig("icinga.com")
+			require.Error(t, err)
+		})
+
 		t.Run("Invalid key path", func(t *testing.T) {
 			tlsConfig := &TLS{Enable: true, Cert: certFile.Name(), Key: "nonexistent.key"}
 			_, err := tlsConfig.MakeConfig("icinga.com")
@@ -184,6 +250,17 @@ func TestTLS_MakeConfig(t *testing.T) {
 			require.NotNil(t, config.RootCAs)
 		})
 
+		t.Run("Valid CA as PEM", func(t *testing.T) {
+			caRaw, err := os.ReadFile(caFile.Name())
+			require.NoError(t, err)
+
+			tlsConfig := &TLS{Enable: true, Ca: string(caRaw)}
+			config, err := tlsConfig.MakeConfig("icinga.com")
+			require.NoError(t, err)
+			require.NotNil(t, config)
+			require.NotNil(t, config.RootCAs)
+		})
+
 		t.Run("Invalid CA path", func(t *testing.T) {
 			tlsConfig := &TLS{Enable: true, Ca: "nonexistent.ca"}
 			_, err := tlsConfig.MakeConfig("icinga.com")
diff --git a/database/config_test.go b/database/config_test.go
@@ -161,6 +161,124 @@ ca: ca.pem`,
 				},
 			},
 		},
+		{
+			Name: "TLS with raw PEM",
+			Data: testutils.ConfigTestData{
+				Yaml: minimalYaml + `
+tls: true
+cert: |-
+  -----BEGIN CERTIFICATE-----
+  MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
+  DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
+  EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
+  7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
+  5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
+  BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
+  NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
+  Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
+  6MF9+Yw1Yy0t
+  -----END CERTIFICATE-----
+key: |-
+  -----BEGIN EC PRIVATE KEY-----
+  MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
+  AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
+  EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
+  -----END EC PRIVATE KEY-----
+ca: |-
+  -----BEGIN CERTIFICATE-----
+  MIICSTCCAfOgAwIBAgIUcmQfIJAvbxdVm0PFanS4FWH71Z0wDQYJKoZIhvcNAQEL
+  BQAweTELMAkGA1UEBhMCREUxEjAQBgNVBAgMCUZyYW5jb25pYTESMBAGA1UEBwwJ
+  TnVyZW1iZXJnMUIwQAYDVQQKDDlIb25lc3QgTWFya3VzJyBVc2VkIE51Y2xlYXIg
+  UG93ZXIgUGxhbnRzIGFuZCBDZXJ0aWZpY2F0ZXMwHhcNMjUwMzA1MDk0ODIwWhcN
+  MjUwMzA2MDk0ODIwWjB5MQswCQYDVQQGEwJERTESMBAGA1UECAwJRnJhbmNvbmlh
+  MRIwEAYDVQQHDAlOdXJlbWJlcmcxQjBABgNVBAoMOUhvbmVzdCBNYXJrdXMnIFVz
+  ZWQgTnVjbGVhciBQb3dlciBQbGFudHMgYW5kIENlcnRpZmljYXRlczBcMA0GCSqG
+  SIb3DQEBAQUAA0sAMEgCQQCeEGX2IolvELSUjC1DqvJRbTs4DKwE8ZZHDAGrc5K9
+  DFrLKvkwgfv3g9R2NJE5o/A5vBLq22IDCFdI26M6t10HAgMBAAGjUzBRMB0GA1Ud
+  DgQWBBQn+dCzVtAzYOGC8tIi9JLmRbWI7jAfBgNVHSMEGDAWgBQn+dCzVtAzYOGC
+  8tIi9JLmRbWI7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EAlA27
+  ti1NKC+o+iZtyU8I/32aPaFme1+eQNIxvqXfw49jSM/FyDjhfZ0XlAxmK6tzF3mM
+  LJZsYbxapLeyWoA05Q==
+  -----END CERTIFICATE-----
+`,
+				Env: withMinimalEnv(map[string]string{
+					"TLS": "1",
+					"CERT": `-----BEGIN CERTIFICATE-----
+MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
+DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
+EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
+7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
+5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
+BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
+NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
+Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
+6MF9+Yw1Yy0t
+-----END CERTIFICATE-----`,
+					"KEY": `-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
+AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
+EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
+-----END EC PRIVATE KEY-----`,
+					"CA": `-----BEGIN CERTIFICATE-----
+MIICSTCCAfOgAwIBAgIUcmQfIJAvbxdVm0PFanS4FWH71Z0wDQYJKoZIhvcNAQEL
+BQAweTELMAkGA1UEBhMCREUxEjAQBgNVBAgMCUZyYW5jb25pYTESMBAGA1UEBwwJ
+TnVyZW1iZXJnMUIwQAYDVQQKDDlIb25lc3QgTWFya3VzJyBVc2VkIE51Y2xlYXIg
+UG93ZXIgUGxhbnRzIGFuZCBDZXJ0aWZpY2F0ZXMwHhcNMjUwMzA1MDk0ODIwWhcN
+MjUwMzA2MDk0ODIwWjB5MQswCQYDVQQGEwJERTESMBAGA1UECAwJRnJhbmNvbmlh
+MRIwEAYDVQQHDAlOdXJlbWJlcmcxQjBABgNVBAoMOUhvbmVzdCBNYXJrdXMnIFVz
+ZWQgTnVjbGVhciBQb3dlciBQbGFudHMgYW5kIENlcnRpZmljYXRlczBcMA0GCSqG
+SIb3DQEBAQUAA0sAMEgCQQCeEGX2IolvELSUjC1DqvJRbTs4DKwE8ZZHDAGrc5K9
+DFrLKvkwgfv3g9R2NJE5o/A5vBLq22IDCFdI26M6t10HAgMBAAGjUzBRMB0GA1Ud
+DgQWBBQn+dCzVtAzYOGC8tIi9JLmRbWI7jAfBgNVHSMEGDAWgBQn+dCzVtAzYOGC
+8tIi9JLmRbWI7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EAlA27
+ti1NKC+o+iZtyU8I/32aPaFme1+eQNIxvqXfw49jSM/FyDjhfZ0XlAxmK6tzF3mM
+LJZsYbxapLeyWoA05Q==
+-----END CERTIFICATE-----`,
+				}),
+			},
+			Expected: Config{
+				Type:     "pgsql",
+				Host:     "localhost",
+				User:     "icinga",
+				Database: "icingadb",
+				Password: "secret",
+				Options:  defaultOptions,
+				TlsOptions: config.TLS{
+					Enable: true,
+					Cert: `-----BEGIN CERTIFICATE-----
+MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
+DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
+EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
+7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
+5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
+BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
+NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
+Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
+6MF9+Yw1Yy0t
+-----END CERTIFICATE-----`,
+					Key: `-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
+AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
+EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
+-----END EC PRIVATE KEY-----`,
+					Ca: `-----BEGIN CERTIFICATE-----
+MIICSTCCAfOgAwIBAgIUcmQfIJAvbxdVm0PFanS4FWH71Z0wDQYJKoZIhvcNAQEL
+BQAweTELMAkGA1UEBhMCREUxEjAQBgNVBAgMCUZyYW5jb25pYTESMBAGA1UEBwwJ
+TnVyZW1iZXJnMUIwQAYDVQQKDDlIb25lc3QgTWFya3VzJyBVc2VkIE51Y2xlYXIg
+UG93ZXIgUGxhbnRzIGFuZCBDZXJ0aWZpY2F0ZXMwHhcNMjUwMzA1MDk0ODIwWhcN
+MjUwMzA2MDk0ODIwWjB5MQswCQYDVQQGEwJERTESMBAGA1UECAwJRnJhbmNvbmlh
+MRIwEAYDVQQHDAlOdXJlbWJlcmcxQjBABgNVBAoMOUhvbmVzdCBNYXJrdXMnIFVz
+ZWQgTnVjbGVhciBQb3dlciBQbGFudHMgYW5kIENlcnRpZmljYXRlczBcMA0GCSqG
+SIb3DQEBAQUAA0sAMEgCQQCeEGX2IolvELSUjC1DqvJRbTs4DKwE8ZZHDAGrc5K9
+DFrLKvkwgfv3g9R2NJE5o/A5vBLq22IDCFdI26M6t10HAgMBAAGjUzBRMB0GA1Ud
+DgQWBBQn+dCzVtAzYOGC8tIi9JLmRbWI7jAfBgNVHSMEGDAWgBQn+dCzVtAzYOGC
+8tIi9JLmRbWI7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EAlA27
+ti1NKC+o+iZtyU8I/32aPaFme1+eQNIxvqXfw49jSM/FyDjhfZ0XlAxmK6tzF3mM
+LJZsYbxapLeyWoA05Q==
+-----END CERTIFICATE-----`,
+				},
+			},
+		},
 		{
 			Name: "max_connections cannot be 0",
 			Data: testutils.ConfigTestData{
