Return error when SSL certificate cannot be used

We'll only return insecure credentials when the SSL certificate is unspecified.
canonical · Oct 16, 2023 · 1b04b6d · 1b04b6d
1 parent 333f76c
commit 1b04b6d
Showing 1 changed file with 19 additions and 16 deletions.
diff --git a/windows-agent/internal/proservices/landscape/landscape.go b/windows-agent/internal/proservices/landscape/landscape.go
@@ -204,7 +204,11 @@ func (c *Client) connect(ctx context.Context, address string) (conn *connection,
 	dialCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
 	defer cancel()
 
-	creds := c.transportCredentials(ctx)
+	creds, err := c.transportCredentials(ctx)
+	if err != nil {
+		return nil, err
+	}
+
 	grpcConn, err := grpc.DialContext(dialCtx, address, grpc.WithTransportCredentials(creds))
 	if err != nil {
 		return nil, err
@@ -386,24 +390,25 @@ func (c *Client) setUID(s string) {
 }
 
 // transportCredentials reads the Landscape client config to check if a SSL public key is specified.
-// If this credential is not specified, or it cannot be used for any reason, an insecure credential
-// is returned.
-func (c *Client) transportCredentials(ctx context.Context) credentials.TransportCredentials {
+//
+// If this credential is not specified, an insecure credential is returned.
+// If the credential is specified but erroneous, an error is returned.
+func (c *Client) transportCredentials(ctx context.Context) (cred credentials.TransportCredentials, err error) {
+	defer decorate.OnError(&err, "Landscape credentials")
+
 	conf, err := c.conf.LandscapeClientConfig(ctx)
 	if err != nil {
-		log.Warningf(ctx, "Landscape credentials: could not obtain Landscape config: %v", err)
-		return insecure.NewCredentials()
+		return nil, fmt.Errorf("could not obtain Landscape config: %v", err)
 	}
 
 	if conf == "" {
 		// No Landscape config: default to insecure
-		return insecure.NewCredentials()
+		return insecure.NewCredentials(), nil
 	}
 
 	ini, err := ini.Load(strings.NewReader(conf))
 	if err != nil {
-		log.Errorf(ctx, "Landscape credentials: could not read Landscape config file: %v", err)
-		return insecure.NewCredentials()
+		return insecure.NewCredentials(), fmt.Errorf("could not parse Landscape config file: %v", err)
 	}
 
 	const section = "client"
@@ -412,29 +417,27 @@ func (c *Client) transportCredentials(ctx context.Context) credentials.Transport
 	sec, err := ini.GetSection(section)
 	if err != nil {
 		// No SSL public key provided: default to insecure
-		return insecure.NewCredentials()
+		return insecure.NewCredentials(), nil
 	}
 
 	k, err := sec.GetKey(key)
 	if err != nil {
 		// No SSL public key provided: default to insecure
-		return insecure.NewCredentials()
+		return insecure.NewCredentials(), nil
 	}
 
 	cert, err := os.ReadFile(k.String())
 	if err != nil {
-		log.Errorf(ctx, "Landscape credentials: could not load SSL public key file: %v", err)
-		return insecure.NewCredentials()
+		return nil, fmt.Errorf("could not load SSL public key file: %v", err)
 	}
 
 	certPool := x509.NewCertPool()
 	if ok := certPool.AppendCertsFromPEM(cert); !ok {
-		log.Errorf(ctx, "Landscape credentials: failed to add server CA's certificate: %v", err)
-		return insecure.NewCredentials()
+		return nil, fmt.Errorf("failed to add server CA's certificate: %v", err)
 	}
 
 	return credentials.NewTLS(&tls.Config{
 		RootCAs:    certPool,
 		MinVersion: tls.VersionTLS12,
-	})
+	}), nil
 }