Do not override cfg.CAPins if ApplyCAPins is called with empty caPins… (#14122)

Do not override cfg.CAPins if ApplyCAPins is called with empty caPins slice
2024-10-21 01:34:01 +00:00 · 2022-07-11 18:19:18 -07:00 · 2022-07-11 18:19:18 -07:00 · d1781d39be
parent 51b3bc3dda
commit d1781d39be
3 changed files with 84 additions and 1 deletions
--- a/lib/config/configuration_test.go
+++ b/lib/config/configuration_test.go
@ -1369,6 +1369,57 @@ func TestDebugFlag(t *testing.T) {
 	require.True(t, cfg.Debug)
 }

+func TestMergingCAPinConfig(t *testing.T) {
+	tests := []struct {
+		desc       string
+		cliPins    []string
+		configPins string // this goes into the yaml in bracket syntax [val1,val2,...]
+		want       []string
+	}{
+		{
+			desc:       "pin taken from cli only",
+			cliPins:    []string{"cli-pin"},
+			configPins: "",
+			want:       []string{"cli-pin"},
+		},
+		{
+			desc:       "pin taken from file config only",
+			cliPins:    []string{},
+			configPins: "fc-pin",
+			want:       []string{"fc-pin"},
+		},
+		{
+			desc:       "non-empty pins from cli override file config",
+			cliPins:    []string{"cli-pin1", "", "cli-pin2", ""},
+			configPins: "fc-pin",
+			want:       []string{"cli-pin1", "cli-pin2"},
+		},
+		{
+			desc:       "all empty pins from cli do not override file config",
+			cliPins:    []string{"", ""},
+			configPins: "fc-pin1,fc-pin2",
+			want:       []string{"fc-pin1", "fc-pin2"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.desc, func(t *testing.T) {
+			clf := CommandLineFlags{
+				CAPins: tt.cliPins,
+				ConfigString: base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf(
+					configWithCAPins,
+					tt.configPins,
+				))),
+			}
+			cfg := service.MakeDefaultConfig()
+			require.Empty(t, cfg.CAPins)
+			err := Configure(&clf, cfg)
+			require.NoError(t, err)
+			require.ElementsMatch(t, tt.want, cfg.CAPins)
+		})
+	}
+}
+
 func TestLicenseFile(t *testing.T) {
 	testCases := []struct {
 		path   string
--- a/lib/config/testdata_test.go
+++ b/lib/config/testdata_test.go
@ -213,3 +213,33 @@ auth_service:
    type: saml
    local_auth: false
 `
+
+const configWithCAPins = `
+teleport:
+  nodename: cat.example.com
+  advertise_ip: 10.10.10.1
+  pid_file: /var/run/teleport.pid
+  log:
+    output: stderr
+    severity: INFO
+  ca_pin: [%v]
+auth_service:
+  enabled: yes
+  listen_addr: 10.5.5.1:3025
+  cluster_name: magadan
+  tokens:
+  - "proxy,node:xxx"
+  - "auth:yyy"
+  authentication:
+    type: local
+    second_factor: off
+
+ssh_service:
+  enabled: no
+
+proxy_service:
+  enabled: yes
+  web_listen_addr: webhost
+  tunnel_listen_addr: tunnelhost:1001
+  public_addr: web3:443
+`
--- a/lib/service/cfg.go
+++ b/lib/service/cfg.go
@ -301,7 +301,9 @@ func (cfg *Config) ApplyCAPins(caPins []string) error {
 		}
 		filteredPins = append(filteredPins, strings.Split(pins, "\n")...)
 	}
-	cfg.CAPins = filteredPins
+	if len(filteredPins) > 0 {
+		cfg.CAPins = filteredPins
+	}
 	return nil
 }