Fixes issue in SNI getter for IP certificates.

tlm · tlm · commit f623ace83bcd · 2021-05-14T09:40:33.000+10:00
If no ip certificate is defined on the authority it would result in a
panic from the function for accessing nil memory.
diff --git a/pki/tls/sni.go b/pki/tls/sni.go
@@ -30,10 +30,11 @@ func AuthoritySNITLSGetter(authority pki.Authority, logger Logger) func(*tls.Cli
 		if hello.ServerName == "" {
 			logger.Debugf("tls client hello server name is empty. Attempting to provide ip address certificate")
 			leaf, err := authority.LeafForGroup(pki.ControllerIPLeafGroup)
-			if err != nil && !errors.IsNotFound(err) {
+			if err == nil {
+				cert = leaf.TLSCertificate()
+			} else if !errors.IsNotFound(err) {
 				return nil, errors.Annotate(err, "fetching ip address certificate")
 			}
-			cert = leaf.TLSCertificate()
 		} else {
 			authority.LeafRange(func(leaf pki.Leaf) bool {
 				if err := hello.SupportsCertificate(leaf.TLSCertificate()); err == nil {
diff --git a/pki/tls/sni_test.go b/pki/tls/sni_test.go
@@ -23,7 +23,7 @@ type SNISuite struct {
 
 var _ = gc.Suite(&SNISuite{})
 
-func (s *SNISuite) SetUpSuite(c *gc.C) {
+func (s *SNISuite) SetUpTest(c *gc.C) {
 	pki.DefaultKeyProfile = pkitest.OriginalDefaultKeyProfile
 	authority, err := pkitest.NewTestAuthority()
 	c.Assert(err, jc.ErrorIsNil)
@@ -119,3 +119,21 @@ func (s *SNISuite) TestAuthorityTLSGetter(c *gc.C) {
 		TLSCertificatesEqual(c, cert, leaf.TLSCertificate())
 	}
 }
+
+func (s *SNISuite) TestNonExistantIPLeafReturnsDefault(c *gc.C) {
+	leaf, err := s.authority.LeafRequestForGroup(pki.DefaultLeafGroup).
+		AddDNSNames("juju-app").
+		Commit()
+	c.Assert(err, jc.ErrorIsNil)
+
+	helloRequest := &tls.ClientHelloInfo{
+		ServerName:        "",
+		SignatureSchemes:  []tls.SignatureScheme{tls.PSSWithSHA256},
+		SupportedVersions: []uint16{tls.VersionTLS13, tls.VersionTLS12},
+	}
+
+	cert, err := s.sniGetter(helloRequest)
+	c.Assert(err, jc.ErrorIsNil)
+
+	TLSCertificatesEqual(c, cert, leaf.TLSCertificate())
+}
