Merge pull request #119 from cyberark/self-signed-msg

Improve error message when using self-signed certificate

CHANGELOG.md

@@ -12,6 +12,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [8.0.6] - 2023-03-24
 
+### Fixed
+- Improved error message when using self-signed certificates
+  [cyberark/conjur-cli-go#119](https://github.com/cyberark/conjur-cli-go/pull/119)
+
 ## [8.0.5] - 2023-03-24
 
 ### Changed

ci/docker-compose.yml

@@ -23,8 +23,8 @@ services:
   proxy:
     image: nginx:1.13.6-alpine
     volumes:
-      - ../conf/:/etc/nginx/conf.d/:ro
-      - ../conf/tls/:/etc/nginx/tls/:ro
+      - ./conf/:/etc/nginx/conf.d/:ro
+      - ./conf/tls/:/etc/nginx/tls/:ro
     depends_on:
     - conjur
     restart: on-failure

cmd/integration/integration_test.go

@@ -41,6 +41,19 @@ func TestIntegration(t *testing.T) {
 		assert.Contains(t, stdErr, "Must specify an Account")
 	})
 
+	t.Run("init with self-signed cert", func(t *testing.T) {
+		stdOut, stdErr, err = conjurCLI.Run("init", "-a", account, "-u", "https://proxy", "--force-netrc", "--force")
+		assert.Error(t, err)
+		assert.Equal(t, "", stdOut)
+		assert.Contains(t, stdErr, "Unable to retrieve and validate certificate")
+		assert.Contains(t, stdErr, "re-run the init command with the `--self-signed` flag")
+
+		stdOut, stdErr, err = conjurCLI.Run("init", "-a", account, "-u", "https://proxy", "--force-netrc", "--force", "--self-signed")
+		assert.NotContains(t, stdErr, "Unable to retrieve and validate certificate")
+		assert.Contains(t, stdOut, "The server's certificate fingerprint is")
+		assert.Contains(t, stdErr, selfSignedWarning)
+	})
+
 	t.Run("init", func(t *testing.T) {
 		stdOut, stdErr, err = conjurCLI.Run("init", "-a", account, "-u", "http://conjur", "-i", "--force-netrc", "--force")
 		assert.NoError(t, err)

cmd/integration/shared.go

@@ -21,6 +21,7 @@ const pathToBinary = "conjur"
 
 const insecureModeWarning = "Warning: Running the command with '--insecure' makes your system vulnerable to security attacks\n" +
 	"If you prefer to communicate with the server securely you must reinitialize the client in secure mode.\n"
+const selfSignedWarning = "Warning: Using self-signed certificates is not recommended and could lead to exposure of sensitive data\n"
 
 func newConjurCLI(homeDir string) *conjurCLI {
 	return &conjurCLI{

pkg/cmd/init.go

@@ -1,6 +1,7 @@
 package cmd
 
 import (
+	"errors"
 	"fmt"
 	"net/url"
 	"os"
@@ -199,7 +200,11 @@ func fetchCertIfNeeded(config *conjurapi.Config, cmdFlagVals initCmdFlagValues,
 
 	cert, err := utils.GetServerCert(url.Host, cmdFlagVals.selfSigned)
 	if err != nil {
-		return fmt.Errorf("Unable to retrieve certificate from %s: %s", url.Host, err)
+		errStr := fmt.Sprintf("Unable to retrieve and validate certificate from %s: %s", url.Host, err)
+		if !cmdFlagVals.selfSigned {
+			errStr += "\nIf you're attempting to use a self-signed certificate, re-run the init command with the `--self-signed` flag\n"
+		}
+		return errors.New(errStr)
 	}
 
 	// Prompt user to accept certificate

pkg/cmd/init_test.go

@@ -206,15 +206,16 @@ appliance_url: http://host
 		name: "fails if can't retrieve server certificate",
 		args: []string{"init", "-u=https://nohost.example.com", "-a=test-account"},
 		assert: func(t *testing.T, conjurrcInTmpDir string, stdout string, stderr string, err error) {
-			assert.Contains(t, stderr, "Unable to retrieve certificate")
+			assert.Contains(t, stderr, "Unable to retrieve and validate certificate")
 			assertFetchCertFailed(t, conjurrcInTmpDir)
 		},
 	},
 	{
 		name: "fails for self-signed certificate",
 		args: []string{"init", "-u=https://self-signed.badssl.com", "-a=test-account"},
 		assert: func(t *testing.T, conjurrcInTmpDir string, stdout string, stderr string, err error) {
-			assert.Contains(t, stderr, "Unable to retrieve certificate")
+			assert.Contains(t, stderr, "Unable to retrieve and validate certificate")
+			assert.Contains(t, stderr, "If you're attempting to use a self-signed certificate, re-run the init command with the `--self-signed` flag")
 			assertFetchCertFailed(t, conjurrcInTmpDir)
 		},
 	},