| 269 | } |
| 270 | |
| 271 | func validateAndSanitizeDataSourceTLS(ds *storepb.DataSource) error { |
| 272 | if !ds.GetUseSsl() { |
| 273 | ds.SslCa = "" |
| 274 | ds.SslCert = "" |
| 275 | ds.SslKey = "" |
| 276 | ds.SslCaPath = "" |
| 277 | ds.SslCertPath = "" |
| 278 | ds.SslKeyPath = "" |
| 279 | return nil |
| 280 | } |
| 281 | for _, conflict := range []struct { |
| 282 | inlineField string |
| 283 | pathField string |
| 284 | inlineValue string |
| 285 | pathValue string |
| 286 | }{ |
| 287 | {"ssl_ca", "ssl_ca_path", ds.GetSslCa(), ds.GetSslCaPath()}, |
| 288 | {"ssl_cert", "ssl_cert_path", ds.GetSslCert(), ds.GetSslCertPath()}, |
| 289 | {"ssl_key", "ssl_key_path", ds.GetSslKey(), ds.GetSslKeyPath()}, |
| 290 | } { |
| 291 | if conflict.inlineValue != "" && conflict.pathValue != "" { |
| 292 | return errors.Errorf("cannot set both %s and %s; clear one of them by including the field in the update_mask with an empty value when switching TLS material source", conflict.inlineField, conflict.pathField) |
| 293 | } |
| 294 | } |
| 295 | for _, pathField := range []struct { |
| 296 | field string |
| 297 | path string |
| 298 | }{ |
| 299 | {"ssl_ca_path", ds.GetSslCaPath()}, |
| 300 | {"ssl_cert_path", ds.GetSslCertPath()}, |
| 301 | {"ssl_key_path", ds.GetSslKeyPath()}, |
| 302 | } { |
| 303 | if pathField.path != "" && !filepath.IsAbs(pathField.path) { |
| 304 | return errors.Errorf("%s must be an absolute path", pathField.field) |
| 305 | } |
| 306 | } |
| 307 | if ds.GetSslCa() != "" { |
| 308 | if err := validateInlineCAPEM([]byte(ds.GetSslCa())); err != nil { |
| 309 | return errors.Wrap(err, "invalid ssl_ca PEM") |
| 310 | } |
| 311 | } |
| 312 | certSet := ds.GetSslCert() != "" || ds.GetSslCertPath() != "" |
| 313 | keySet := ds.GetSslKey() != "" || ds.GetSslKeyPath() != "" |
| 314 | if certSet != keySet { |
| 315 | return errors.New("ssl_cert and ssl_key must be both set or unset") |
| 316 | } |
| 317 | if ds.GetSslCert() != "" && ds.GetSslKey() != "" { |
| 318 | if _, err := tls.X509KeyPair([]byte(ds.GetSslCert()), []byte(ds.GetSslKey())); err != nil { |
| 319 | return errors.Wrap(err, "invalid ssl_cert or ssl_key PEM") |
| 320 | } |
| 321 | } |
| 322 | if ds.GetSslCert() != "" && ds.GetSslKey() == "" { |
| 323 | if err := validateInlineCertPEM([]byte(ds.GetSslCert())); err != nil { |
| 324 | return errors.Wrap(err, "invalid ssl_cert PEM") |
| 325 | } |
| 326 | } |
| 327 | if ds.GetSslKey() != "" && ds.GetSslCert() == "" { |
| 328 | if err := validateInlineKeyPEM([]byte(ds.GetSslKey())); err != nil { |