Fix error checks during certificatePath reading and parsing in azuread

microsoft · Nov 26, 2024 · 9a09d6f · 9a09d6f
1 parent 573423d
commit 9a09d6f
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 2 deletions.
diff --git a/azuread/configuration.go b/azuread/configuration.go
@@ -184,11 +184,11 @@ func (p *azureFedAuthConfig) provideActiveDirectoryToken(ctx context.Context, se
 		case p.certificatePath != "":
 			var certData []byte
 			certData, err = os.ReadFile(p.certificatePath)
-			if err != nil {
+			if err == nil {
 				var certs []*x509.Certificate
 				var key crypto.PrivateKey
 				certs, key, err = azidentity.ParseCertificates(certData, []byte(p.clientSecret))
-				if err != nil {
+				if err == nil {
 					cred, err = azidentity.NewClientCertificateCredential(tenant, p.clientID, certs, key, nil)
 				}
 			}

diff --git a/azuread/configuration_test.go b/azuread/configuration_test.go
@@ -4,7 +4,11 @@
 package azuread
 
 import (
+	"context"
+	"net/url"
+	"os"
 	"reflect"
+	"strings"
 	"testing"
 
 	mssql "github.com/microsoft/go-mssqldb"
@@ -137,3 +141,66 @@ func TestValidateParameters(t *testing.T) {
 		}
 	}
 }
+
+func TestProvideActiveDirectoryTokenValidations(t *testing.T) {
+	nonExistentCertPath := os.TempDir() + "non_existent_cert.pem"
+
+	f, err := os.CreateTemp("", "malformed_cert.pem")
+	if err != nil {
+		t.Fatalf("create temporary file: %v", err)
+	}
+	if err = f.Truncate(0); err != nil {
+		t.Fatalf("truncate temporary file: %v", err)
+	}
+	if _, err = f.Write([]byte("malformed")); err != nil {
+		t.Fatalf("write to temporary file: %v", err)
+	}
+	if err = f.Close(); err != nil {
+		t.Fatalf("close temporary file: %v", err)
+	}
+	malformedCertPath := f.Name()
+	t.Cleanup(func() { _ = os.Remove(malformedCertPath) })
+
+	tests := []struct {
+		name        string
+		dsn         string
+		expectedErr string
+	}{
+		{
+			name: "ActiveDirectoryServicePrincipal_cert_not_found",
+			dsn: `sqlserver://someserver.database.windows.net?` +
+				`user id=` + url.QueryEscape("my-app-id@my-tenant-id") + "&" +
+				`fedauth=ActiveDirectoryServicePrincipal` + "&" +
+				`clientcertpath=` + nonExistentCertPath + "&" +
+				`applicationclientid=someguid`,
+			expectedErr: "no such file or directory",
+		},
+		{
+			name: "ActiveDirectoryServicePrincipal_cert_malformed",
+			dsn: `sqlserver://someserver.database.windows.net?` +
+				`user id=` + url.QueryEscape("my-app-id@my-tenant-id") + "&" +
+				`fedauth=ActiveDirectoryServicePrincipal` + "&" +
+				`clientcertpath=` + malformedCertPath + "&" +
+				`applicationclientid=someguid`,
+			expectedErr: "error reading P12 data",
+		},
+	}
+	for _, tst := range tests {
+		t.Run(tst.name, func(t *testing.T) {
+			config, err := parse(tst.dsn)
+			if err != nil {
+				t.Errorf("Unexpected parse error: %v", err)
+				return
+			}
+			_, err = config.provideActiveDirectoryToken(context.Background(), "", "authority/tenant")
+			if err == nil {
+				t.Errorf("Expected error but got nil")
+				return
+			}
+			if !strings.Contains(err.Error(), tst.expectedErr) {
+				t.Errorf("Expected error substring '%s' but got err = %v", tst.expectedErr, err)
+				return
+			}
+		})
+	}
+}