client/comms: check for non-standard compliant error #2130

merged 4 commits into from Feb 17, 2023
19 changes: 17 additions & 2 deletions client/comms/wsconn.go
Expand Up @@ -13,6 +13,7 @@ import (
"net"
"net/http"
"net/url"
"regexp"
"strings"
"sync"
"sync/atomic"
Expand Down Expand Up @@ -64,6 +65,20 @@ func (cs ConnectionStatus) String() string {
}
}

// invalidCertRegexp is a regexp that helps check for non-typed x509 errors
// caused by or related to an invalid cert.
var invalidCertRegexp = regexp.MustCompile(".*(unknown authority|not standards compliant|not trusted)")

// IsErrorInvalidCert checks if the provided error is one of the different
// variant of an invalid cert error returned from the x509 package or is
// ErrInvalidCert.
func IsErrorInvalidCert(err error) bool {
var invalidCert x509.CertificateInvalidError
var unknownCertAuth x509.UnknownAuthorityError
return errors.Is(err, ErrInvalidCert) || errors.Is(err, invalidCert) ||
errors.Is(err, unknownCertAuth) || invalidCertRegexp.MatchString(err.Error())
}

// ErrInvalidCert is the error returned when attempting to use an invalid cert
// to set up a ws connection.
var ErrInvalidCert = fmt.Errorf("invalid certificate")
Expand Down Expand Up @@ -212,8 +227,8 @@ func (conn *wsConn) connect(ctx context.Context) error {
}
ws, _, err := dialer.DialContext(ctx, conn.cfg.URL, nil)
if err != nil {
var e x509.UnknownAuthorityError
if errors.As(err, &e) {
var e x509.HostnameError // No need to retry...
if IsErrorInvalidCert(err) || errors.Is(err, e) {
conn.setConnectionStatus(InvalidCert)
if conn.tlsCfg == nil {
return ErrCertRequired
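Review bot: The typed checks in IsErrorInvalidCert are effectively dead: `errors.Is(err, invalidCert)` and `errors.Is(err, unknownCertAuth)` compare the error chain against zero-value structs, and since (as far as I know) neither x509.CertificateInvalidError nor x509.UnknownAuthorityError implements an Is method, a real error carrying a non-nil Cert never equals them — the `errors.As(err, &e)` form the commit removes from connect was the right one. The same applies to `errors.Is(err, e)` against a zero x509.HostnameError in connect, so in practice only the ErrInvalidCert sentinel and the regexp decide whether the status becomes InvalidCert, and any change to the x509 error wording silently stops that detection. IsErrorInvalidCert also calls err.Error() with no nil guard, so IsErrorInvalidCert(nil) panics. I would switch to errors.As on pointers to the local variables, fold the HostnameError case into the helper, and guard nil while keeping the regexp as the fallback for untyped messages; the connect check then reduces to `if IsErrorInvalidCert(err) {`. connect's body continues outside the hunk.
```go
func IsErrorInvalidCert(err error) bool {
	if err == nil {
		return false
	}
	var invalidCert x509.CertificateInvalidError
	var unknownCertAuth x509.UnknownAuthorityError
	var hostnameErr x509.HostnameError
	// errors.As matches by type anywhere in the chain; errors.Is against a
	// zero-value struct would only match an error equal to that zero value.
	return errors.Is(err, ErrInvalidCert) || errors.As(err, &invalidCert) ||
		errors.As(err, &unknownCertAuth) || errors.As(err, &hostnameErr) ||
		invalidCertRegexp.MatchString(err.Error())
}
```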
4 changes: 2 additions & 2 deletions client/comms/wsconn_test.go
Expand Up @@ -263,13 +263,13 @@ func TestWsConn(t *testing.T) {
err = noCertConnMaster.Connect(ctx)
noCertConnMaster.Disconnect()
if err == nil || !errors.Is(err, ErrCertRequired) {
t.Fatalf("failed to get ErrCertRequired for no cert connection")
t.Fatalf("failed to get ErrCertRequired for no cert connection, got %v", err)
}

// test invalid cert error
_, err = setupWsConn([]byte("invalid cert"))
if err == nil || !errors.Is(err, ErrInvalidCert) {
t.Fatalf("failed to get ErrInvalidCert for invalid cert connection")
t.Fatalf("failed to get ErrInvalidCert for invalid cert connection, got %v", err)
}

// connect with cert