chore: add checks for server ca certificates in refresh.go (GoogleCloudPlatform#1037)

Author: kgala2

internal/cloudsql/refresh.go

@@ -139,6 +139,9 @@ func fetchMetadata(
 
 	// parse the server-side CA certificate
 	caCerts := []*x509.Certificate{}
+	if db.ServerCaCert == nil {
+		return metadata{}, errtype.NewRefreshError("instance does not have a server CA certificate", inst.String(), nil)
+	}
 	for b, rest := pem.Decode([]byte(db.ServerCaCert.Cert)); b != nil; b, rest = pem.Decode(rest) {
 		if b == nil {
 			return metadata{}, errtype.NewRefreshError("failed to decode valid PEM cert", inst.String(), nil)

internal/cloudsql/refresh_test.go

@@ -401,6 +401,16 @@ func TestRefreshMetadataRefreshError(t *testing.T) {
 			wantErr: &errtype.RefreshError{},
 			desc:    "When the server cert does not decode",
 		},
+		{
+			req: mock.InstanceGetSuccess(
+				mock.NewFakeCSQLInstance(
+					cn.Project(), cn.Region(), cn.Name(),
+					mock.WithRegion("my-region"),
+					mock.WithServerCaCert(nil),
+				), 1),
+			wantErr: &errtype.RefreshError{},
+			desc:    "When the server CA cert is nil",
+		},
 		{
 			req: mock.InstanceGetSuccess(
 				mock.NewFakeCSQLInstance(

internal/mock/cloudsql.go

@@ -74,6 +74,8 @@ type FakeCSQLInstance struct {
 	Cert *x509.Certificate
 	// certs holds all of the certificates for this instance
 	certs *TLSCertificates
+	// ServerCaCert is the server CA certificate for the mock instance.
+	ServerCaCert *sqladmin.SslCert
 }
 
 // String returns the instance connection name for the
@@ -226,6 +228,13 @@ func WithServerCAMode(serverCAMode string) FakeCSQLInstanceOption {
 	}
 }
 
+// WithServerCaCert sets the ServerCaCert of the instance.
+func WithServerCaCert(c *sqladmin.SslCert) FakeCSQLInstanceOption {
+	return func(i *FakeCSQLInstance) {
+		i.ServerCaCert = c
+	}
+}
+
 // NewFakeCSQLInstance returns a CloudSQLInst object for configuring mocks.
 func NewFakeCSQLInstance(project, region, name string, opts ...FakeCSQLInstanceOption) FakeCSQLInstance {