diff --git a/troubleshoot/proxy/certs.go b/troubleshoot/proxy/certs.go
index 000258789..4ab9c739e 100644
--- a/troubleshoot/proxy/certs.go
+++ b/troubleshoot/proxy/certs.go
@@ -1,6 +1,7 @@
 package troubleshoot
 
 import (
+ "errors"
 "fmt"
 "time"
 
@@ -15,6 +16,14 @@ func (t *Troubleshoot) validateCerts(certs *envoy_admin_v3.Certificates) error {
 var resultErr error
 now := time.Now()
 
+ if certs == nil {
+ return errors.New("certs object is nil")
+ }
+
+ if len(certs.GetCertificates()) == 0 {
+ return errors.New("no certificates provided")
+ }
+
 for _, cert := range certs.GetCertificates() {
 for _, cacert := range cert.GetCaCert() {
 if now.After(cacert.GetExpirationTime().AsTime()) {
diff --git a/troubleshoot/proxy/certs_test.go b/troubleshoot/proxy/certs_test.go
new file mode 100644
index 000000000..55bf006c9
--- /dev/null
+++ b/troubleshoot/proxy/certs_test.go
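Review bot: The two new guard clauses sit below `var resultErr error` and `now := time.Now()`, so the function does work before it has validated its argument; moving them to the top of the body, ahead of those declarations, keeps the guards where a reader looks for them and lets the happy path start once the input is known to be usable. The nil check is still worth keeping even though generated protobuf getters are nil-safe (`certs.GetCertificates()` on a nil receiver would return nil and the length check would fire), because the two cases report different messages and the new test distinguishes them. The rest of validateCerts, including where resultErr is accumulated and returned, lies outside the hunk, so whether these hard early returns are consistent with the accumulated-error style used for expiry findings cannot be confirmed from here.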
@@ -0,0 +1,71 @@
+package troubleshoot
+
+import (
+ "testing"
+ "time"
+
+ envoy_admin_v3 "github.com/envoyproxy/go-control-plane/envoy/admin/v3"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/protobuf/types/known/timestamppb"
+)
+
+func TestValidateCerts(t *testing.T) {
+
+ t.Parallel()
+
+ anHourAgo := timestamppb.New(time.Now().Add(-1 * time.Hour))
+
+ x := []struct {
+ certs *envoy_admin_v3.Certificates
+ expectedError string
+ }{
+ {
+ certs: nil,
+ expectedError: "certs object is nil",
+ },
+ {
+ certs: &envoy_admin_v3.Certificates{
+ Certificates: []*envoy_admin_v3.Certificate{},
+ },
+ expectedError: "no certificates provided",
+ },
+ {
+ certs: &envoy_admin_v3.Certificates{
+ Certificates: []*envoy_admin_v3.Certificate{
+ {
+ CaCert: []*envoy_admin_v3.CertificateDetails{
+ {
+ ExpirationTime: anHourAgo,
+ },
+ },
+ },
+ },
+ },
+ expectedError: "Ca cert is expired",
+ },
+ {
+ certs: &envoy_admin_v3.Certificates{
+ Certificates: []*envoy_admin_v3.Certificate{
+ {
+ CertChain: []*envoy_admin_v3.CertificateDetails{
+ {
+ ExpirationTime: anHourAgo,
+ },
+ },
+ },
+ },
+ },
+ expectedError: "cert chain is expired",
+ },
+ }
+
+ ts := Troubleshoot{}
+ for _, tc := range x {
+ err := ts.validateCerts(tc.certs)
+ if tc.expectedError != "" {
+ require.Error(t, err)
+ require.Contains(t, err.Error(), tc.expectedError)
+ }
+ }
+
+}
diff --git a/troubleshoot/proxy/troubleshoot_proxy.go b/troubleshoot/proxy/troubleshoot_proxy.go
index 365ecbf76..cbb83deb0 100644
--- a/troubleshoot/proxy/troubleshoot_proxy.go
+++ b/troubleshoot/proxy/troubleshoot_proxy.go
@@ -39,6 +39,11 @@ func NewTroubleshoot(envoyIP *net.IPAddr, envoyPort string) (*Troubleshoot, erro
 if err != nil {
 return nil, err
 }
+
+ if envoyIP == nil {
+ return nil, fmt.Errorf("envoy address is empty")
+ }
+
 return &Troubleshoot{
 client: c,
 envoyAddr: *envoyIP,
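Review bot: Every case in the table sets expectedError, so the `if tc.expectedError != ""` branch is always taken and the test never checks that validateCerts accepts a valid, unexpired certificate set; a regression that made the function fail unconditionally would still pass. Adding one case with a future expiry and an `else { require.NoError(t, err) }` branch closes that gap, assuming the remainder of validateCerts (not shown in this diff) returns a nil resultErr when nothing is expired. The cases also carry no names, so a failing `require.Contains` does not say which case broke; a `name` field driven through `t.Run` would make failures locatable. The messages "Ca cert is expired" and "cert chain is expired" are produced by code outside this diff, so the test couples to wording this commit does not touch.
```go
inAnHour := timestamppb.New(time.Now().Add(time.Hour))
// … unchanged: the four existing error cases …
{
	certs: &envoy_admin_v3.Certificates{
		Certificates: []*envoy_admin_v3.Certificate{
			{CaCert: []*envoy_admin_v3.CertificateDetails{{ExpirationTime: inAnHour}}},
		},
	},
	expectedError: "",
},
// … unchanged: ts := Troubleshoot{} and the range loop header …
if tc.expectedError != "" {
	require.Error(t, err)
	require.Contains(t, err.Error(), tc.expectedError)
} else {
	require.NoError(t, err)
}
```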
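Review bot: The nil check on envoyIP comes after the client has already been constructed and its error handled (`if err != nil { return nil, err }`), so a nil address pays for building a client that is immediately discarded; the guard belongs at the top of NewTroubleshoot, before the client setup that starts outside this hunk. `fmt.Errorf("envoy address is empty")` uses no format verbs, so `errors.New("envoy address is empty")` is the idiomatic form and matches the `errors.New` calls this commit adds to certs.go (it would need an `errors` import in this file, which the hunk does not show). The message says "empty" while the condition tests for nil; `"envoy address is nil"` describes the check more precisely. envoyPort is still not validated here, and whether an empty port is rejected elsewhere cannot be seen from the hunk.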