Merge pull request #4021 from rhafer/cacheck

Improve LDAP CA cert check
2026-01-05 19:59:37 -06:00 · 2022-06-23 16:13:45 +02:00
parent a03c0239fe b2c304c5d8
commit be33c56b0b
4 changed files with 31 additions and 9 deletions
--- a/.drone.star
+++ b/.drone.star
@@ -1594,7 +1594,7 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
            "name": "wait-for-ocis-server",
            "image": OC_CI_ALPINE,
            "commands": [
-                "curl -k -u admin:admin --fail --retry-connrefused --retry 10 --retry-all-errors 'https://ocis-server:9200/graph/v1.0/users/admin'",
+                "curl -k -u admin:admin --fail --retry-connrefused --retry 7 --retry-all-errors 'https://ocis-server:9200/graph/v1.0/users/admin'",
            ],
            "depends_on": depends_on,
        }
--- a/extensions/graph/pkg/server/http/server.go
+++ b/extensions/graph/pkg/server/http/server.go
@@ -59,6 +59,10 @@ func Server(opts ...Option) (http.Service, error) {
 		svc.EventsPublisher(publisher),
 	)

+	if handle == nil {
+		return http.Service{}, errors.New("could not initialize graph service")
+	}
+
 	{
 		handle = svc.NewInstrument(handle, options.Metrics)
 		handle = svc.NewLogging(handle, options.Logger)
--- a/extensions/graph/pkg/service/v0/service.go
+++ b/extensions/graph/pkg/service/v0/service.go
@@ -106,10 +106,13 @@ func NewService(opts ...Option) Service {
 				certs := x509.NewCertPool()
 				pemData, err := ioutil.ReadFile(options.Config.Identity.LDAP.CACert)
 				if err != nil {
-					options.Logger.Error().Msgf("Error initializing LDAP Backend: '%s'", err)
+					options.Logger.Error().Err(err).Msgf("Error initializing LDAP Backend")
+					return nil
+				}
+				if !certs.AppendCertsFromPEM(pemData) {
+					options.Logger.Error().Msgf("Error initializing LDAP Backend. Adding CA cert failed")
 					return nil
 				}
-				certs.AppendCertsFromPEM(pemData)
 				tlsConf.RootCAs = certs
 			}

--- a/ocis-pkg/ldap/ldap.go
+++ b/ocis-pkg/ldap/ldap.go
@@ -1,24 +1,39 @@
 package ldap

 import (
+	"crypto/x509"
 	"errors"
+	"io/ioutil"
 	"os"
 	"time"

 	"github.com/owncloud/ocis/v2/ocis-pkg/log"
 )

-const _caTimeout = 5
+const (
+	caCheckRetries = 3
+	caCheckSleep   = 2
+)

 func WaitForCA(log log.Logger, insecure bool, caCert string) error {
 	if !insecure && caCert != "" {
-		if _, err := os.Stat(caCert); errors.Is(err, os.ErrNotExist) {
-			log.Warn().Str("LDAP CACert", caCert).Msgf("File does not exist. Waiting %d seconds for it to appear.", _caTimeout)
-			time.Sleep(_caTimeout * time.Second)
-			if _, err := os.Stat(caCert); errors.Is(err, os.ErrNotExist) {
-				log.Warn().Str("LDAP CACert", caCert).Msgf("File still does not exist after Timeout")
+		for i := 0; i < caCheckRetries; i++ {
+			if _, err := os.Stat(caCert); err != nil && !errors.Is(err, os.ErrNotExist) {
 				return err
 			}
+			// Check if this actually is a CA cert. We need to retry here as well
+			// as the file might exist already, but have no contents yet.
+			certs := x509.NewCertPool()
+			pemData, err := ioutil.ReadFile(caCert)
+			if err != nil {
+				log.Debug().Err(err).Str("LDAP CACert", caCert).Msg("Error reading CA")
+			} else if !certs.AppendCertsFromPEM(pemData) {
+				log.Debug().Str("LDAP CAcert", caCert).Msg("Failed to append CA to pool")
+			} else {
+				return nil
+			}
+			time.Sleep(caCheckSleep * time.Second)
+			log.Warn().Str("LDAP CACert", caCert).Msgf("CA cert file is not ready yet. Waiting %d seconds for it to appear.", caCheckSleep)
 		}
 	}
 	return nil