From 7f9469400031858ebc0a0343d7d848e50f48e3fd Mon Sep 17 00:00:00 2001
From: Masahiro Nakagawa
Date: Tue, 28 Jul 2020 01:02:51 +0900
Subject: [PATCH] Raise an error for broken certificate file. fix #3085
Signed-off-by: Masahiro Nakagawa
---
 lib/fluent/plugin_helper/cert_option.rb | 2 +-
 lib/fluent/plugin_helper/socket.rb | 2 +-
 test/plugin_helper/data/cert/empty.pem | 0
 test/plugin_helper/test_cert_option.rb | 7 +++++++
 test/plugin_helper/test_socket.rb | 8 ++++++++
 5 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 test/plugin_helper/data/cert/empty.pem
diff --git a/lib/fluent/plugin_helper/cert_option.rb b/lib/fluent/plugin_helper/cert_option.rb
index 0aab5113bf..3d0f7c75dc 100644
--- a/lib/fluent/plugin_helper/cert_option.rb
+++ b/lib/fluent/plugin_helper/cert_option.rb
@@ -185,7 +185,7 @@ def cert_option_certificates_from_file(path)
 list = []
 data.scan(pattern){|match| list << OpenSSL::X509::Certificate.new(match) }
 if list.length == 0
- log.warn "cert_path does not contain a valid certificate"
+ raise Fluent::ConfigError, "cert_path does not contain a valid certificate"
 end
 list
 end
diff --git a/lib/fluent/plugin_helper/socket.rb b/lib/fluent/plugin_helper/socket.rb
index c4c2ebd3b7..afde072eb3 100644
--- a/lib/fluent/plugin_helper/socket.rb
+++ b/lib/fluent/plugin_helper/socket.rb
@@ -199,7 +199,7 @@ def socket_certificates_from_file(path)
 list = []
 data.scan(pattern) { |match| list << OpenSSL::X509::Certificate.new(match) }
 if list.length == 0
- log.warn "cert_path does not contain a valid certificate"
+ raise Fluent::ConfigError, "cert_path does not contain a valid certificate"
 end
 list
 end
diff --git a/test/plugin_helper/data/cert/empty.pem b/test/plugin_helper/data/cert/empty.pem
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/test/plugin_helper/test_cert_option.rb b/test/plugin_helper/test_cert_option.rb
index faf52aa011..3464d37dce 100644
--- a/test/plugin_helper/test_cert_option.rb
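Review bot: A PEM block that matches `pattern` but fails to parse still escapes as an OpenSSL exception rather than `Fluent::ConfigError`, because `OpenSSL::X509::Certificate.new(match)` inside the `data.scan` block is not rescued; the new raise only covers the case where nothing matched at all. Rescuing `OpenSSL::X509::CertificateError` around that call and re-raising it as `Fluent::ConfigError` would make a damaged certificate and an empty file fail the same way. The message also hardcodes `cert_path` and omits the file, so `raise Fluent::ConfigError, "#{path} does not contain a valid certificate"` would tell the operator which file to fix. The same lines appear in `socket_certificates_from_file` in socket.rb; both functions start above their hunks, so how `data` and `pattern` are built is not visible here.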
+++ b/test/plugin_helper/test_cert_option.rb
@@ -15,4 +15,11 @@ class Dummy < Fluent::Plugin::TestBase
 certs = d.cert_option_certificates_from_file("test/plugin_helper/data/cert/cert-with-CRLF.pem")
 assert_equal(1, certs.length)
 end
+
+ test 'raise an error for broken certificates_from_file file' do
+ d = Dummy.new
+ assert_raise Fluent::ConfigError do
+ certs = d.cert_option_certificates_from_file("test/plugin_helper/data/cert/empty.pem")
+ end
+ end
 end
diff --git a/test/plugin_helper/test_socket.rb b/test/plugin_helper/test_socket.rb
index 6b66fd821f..2c5f3027ae 100644
--- a/test/plugin_helper/test_socket.rb
+++ b/test/plugin_helper/test_socket.rb
@@ -128,4 +128,12 @@ def do_start
 client.close
 end
 end
+
+ test 'with empty cert file' do
+ cert_path = File.expand_path(File.dirname(__FILE__) + '/data/cert/empty.pem')
+
+ assert_raise Fluent::ConfigError do
+ SocketHelperTestPlugin.new.socket_create_tls('127.0.0.1', PORT, cert_path: cert_path)
+ end
+ end
 end
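Review bot: Both new tests exercise only the zero-byte `empty.pem`, so the "broken certificate" case named in the commit title (non-PEM text, or a BEGIN/END block with a damaged body) is not pinned by any test. A second fixture with truncated PEM content and an `assert_raise` on it would show which exception class callers actually see in that case. In test_cert_option.rb the local in `certs = d.cert_option_certificates_from_file(...)` is never read inside the `assert_raise` block, so the assignment can be dropped. In test_socket.rb it is not visible from the hunk whether `socket_create_tls` raises before it attempts the connection to `PORT`, so the test may depend on a listener set up outside the hunk.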