
Commit 04f1b93

Add support for SSL env vars to cert pool watcher (#1672)
The SystemRoot store looks at the SSL_CERT_DIR and SSL_CERT_FILE environment variables for certificate locations. Because these variables are under control of the user, we should assume that the user wants to control the contents of the SystemRoot, and subsequently that those contents could change (as compared to certs located in the default /etc/pki location). Thus, we should watch those locations if they exist. Signed-off-by: Todd Short <[email protected]>
1 parent da0e803 commit 04f1b93


2 files changed

+26
-2
lines changed


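--- a/internal/httputil/certpoolwatcher.go
+++ b/internal/httputil/certpoolwatcher.go
@@ -4,6 +4,8 @@ import (
 	"crypto/x509"
 	"fmt"
 	"os"
+	"slices"
+	"strings"
 	"sync"
 	"time"
 
@@ -44,8 +46,26 @@ func NewCertPoolWatcher(caDir string, log logr.Logger) (*CertPoolWatcher, error)
 	if err != nil {
 		return nil, err
 	}
-	if err = watcher.Add(caDir); err != nil {
-		return nil, err
+
+	// If the SSL_CERT_DIR or SSL_CERT_FILE environment variables are
+	// specified, this means that we have some control over the system root
+	// location, thus they may change, thus we should watch those locations.
+	watchPaths := strings.Split(os.Getenv("SSL_CERT_DIR"), ":")
+	watchPaths = append(watchPaths, caDir, os.Getenv("SSL_CERT_FILE"))
+	watchPaths = slices.DeleteFunc(watchPaths, func(p string) bool {
+		if p == "" {
+			return true
+		}
+		if _, err := os.Stat(p); err != nil {
+			return true
+		}
+		return false
+	})
+
+	for _, p := range watchPaths {
+		if err := watcher.Add(p); err != nil {
+			return nil, err
+		}
 	}
 
 	cpw := &CertPoolWatcher{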
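Review bot: The `os.Stat` branch inside the DeleteFunc filter silently drops every path whose stat fails, so an SSL_CERT_FILE or SSL_CERT_DIR entry that is mistyped, unreadable, or not yet created is quietly left unwatched while the operator believes it is covered; the constructor already receives `log logr.Logger`, so a one-line `log.V(1).Info("not watching certificate path", "path", p, "err", err)` before that `return true` would make the skip visible. Also worth confirming: if the underlying watcher is inotify-based, a watch placed on the SSL_CERT_FILE file itself may not survive a write-to-temp-and-rename replacement, which is how CA bundles are commonly rotated, and watching the file's parent directory is the usual remedy. If SSL_CERT_DIR already lists caDir, watcher.Add is called twice for the same path — harmless if the watcher deduplicates, but `slices.Sort(watchPaths)` followed by `watchPaths = slices.Compact(watchPaths)` before the loop would make that explicit. NewCertPoolWatcher starts and ends outside the hunk.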

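--- a/internal/httputil/certpoolwatcher_test.go
+++ b/internal/httputil/certpoolwatcher_test.go
@@ -72,6 +72,10 @@ func TestCertPoolWatcher(t *testing.T) {
 	t.Logf("Create cert file at %q\n", certName)
 	createCert(t, certName)
 
+	// Update environment variables for the watcher - some of these should not exist
+	os.Setenv("SSL_CERT_DIR", tmpDir+":/tmp/does-not-exist.dir")
+	os.Setenv("SSL_CERT_FILE", "/tmp/does-not-exist.file")
+
 	// Create the cert pool watcher
 	cpw, err := httputil.NewCertPoolWatcher(tmpDir, log.FromContext(context.Background()))
 	require.NoError(t, err)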
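Review bot: The two `os.Setenv` calls leak SSL_CERT_DIR and SSL_CERT_FILE into every later test in the package (and into any x509.SystemCertPool load in the same process) and discard their error returns; `t.Setenv("SSL_CERT_DIR", tmpDir+":/tmp/does-not-exist.dir")` and `t.Setenv("SSL_CERT_FILE", "/tmp/does-not-exist.file")` restore the previous values at cleanup and fail the test on error. Note that t.Setenv panics if this test or a parent called t.Parallel, which is not visible in the hunk. The hunk only checks that nonexistent paths do not make the constructor fail; pointing SSL_CERT_FILE at an existing file under tmpDir would also exercise the file-watch path added in certpoolwatcher.go. TestCertPoolWatcher starts and ends outside the hunk.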
