author | Jon Marius Venstad <jonmv@users.noreply.github.com> | 2024-01-24 11:22:10 +0100 |
committer | GitHub <noreply@github.com> | 2024-01-24 11:22:10 +0100 |
commit | 661067f8265f3c6c54dd69a8316ccb3b9822c16d (patch) | |
tree | 629d473b96ffd45a979fcafa6695437002687e69 | |
parent | 0d5d4f67d46aa52464d0cb286bfde3d1e7c2085b (diff) | |
parent | 19062b9bc4a7f4e5c2570466befa02ffdd9557c7 (diff) |
Merge pull request #30032 from vespa-engine/mpolden/abort-on-tls-alert
Treat TLS alert as authentication failure
-rw-r--r-- | client/go/internal/vespa/crypto.go | 13 | ||||
-rw-r--r-- | client/go/internal/vespa/target.go | 6 |
2 files changed, 18 insertions, 1 deletions
diff --git a/client/go/internal/vespa/crypto.go b/client/go/internal/vespa/crypto.go
index 9b4d776d97d..568d7a84d18 100644
--- a/client/go/internal/vespa/crypto.go
+++ b/client/go/internal/vespa/crypto.go
@@ -13,6 +13,7 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"io"
 	"math/big"
@@ -220,3 +221,15 @@ func randomSerialNumber() (*big.Int, error) {
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 	return rand.Int(rand.Reader, serialNumberLimit)
 }
+
+// isTLSAlert returns whether err contains a TLS alert error.
+func isTLSAlert(err error) bool {
+	for ; err != nil; err = errors.Unwrap(err) {
+		// This is ugly, but alert types are currently not exposed:
+		// https://github.com/golang/go/issues/35234
+		if fmt.Sprintf("%T", err) == "tls.alert" {
+			return true
+		}
+	}
+	return false
+}
diff --git a/client/go/internal/vespa/target.go b/client/go/internal/vespa/target.go
index 90d1e1997da..ed3cb146eb1 100644
--- a/client/go/internal/vespa/target.go
+++ b/client/go/internal/vespa/target.go
@@ -153,7 +153,11 @@ func (s *Service) Do(request *http.Request, timeout time.Duration) (*http.Respon
 	if err := s.CurlWriter.print(request, s.TLSOptions, timeout); err != nil {
 		return nil, err
 	}
-	return s.httpClient.Do(request, timeout)
+	resp, err := s.httpClient.Do(request, timeout)
+	if isTLSAlert(err) {
+		return nil, fmt.Errorf("%w: %s", errAuth, err)
+	}
+	return resp, err
 }
 
 // SetClient sets a custom HTTP client that this service should use. |
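Review bot: isTLSAlert walks the chain with errors.Unwrap, which only follows `Unwrap() error` and stops at errors that wrap several errors (errors.Join, or fmt.Errorf with more than one %w, Go 1.20+), so an alert nested inside such an error is reported as not an alert even though the doc comment promises to detect any error that "contains" one. As far as I know the errors http.Client returns are single chains today (*url.Error wrapping *net.OpError wrapping tls.alert), so this is probably latent rather than live, but a recursive walk over both Unwrap shapes costs little and makes the helper match its comment. I would also extend the comment to say that the type-name check fails closed: if the unexported type is ever renamed, the caller falls back to a generic transport error rather than misreporting errAuth, which is the safe direction but worth stating.
```go
// isTLSAlert returns whether err, or any error it wraps (including
// multi-error wrappers), is a TLS alert. A renamed alert type makes this
// return false, which only costs the errAuth classification.
func isTLSAlert(err error) bool {
	if err == nil {
		return false
	}
	// This is ugly, but alert types are currently not exposed:
	// https://github.com/golang/go/issues/35234
	if fmt.Sprintf("%T", err) == "tls.alert" {
		return true
	}
	switch u := err.(type) {
	case interface{ Unwrap() error }:
		return isTLSAlert(u.Unwrap())
	case interface{ Unwrap() []error }:
		for _, e := range u.Unwrap() {
			if isTLSAlert(e) {
				return true
			}
		}
	}
	return false
}
```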
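Review bot: `fmt.Errorf("%w: %s", errAuth, err)` on the new side of the target.go hunk flattens the transport error into text, so callers can no longer reach the wrapped *url.Error (or the alert itself) with errors.As or errors.Is; if the module targets Go 1.20 or later, `return nil, fmt.Errorf("%w: %w", errAuth, err)` keeps errAuth matchable while preserving the chain. Mapping every TLS alert to errAuth is also a broader classification than the name suggests, since a remote alert can stem from non-authentication problems such as a protocol version or cipher mismatch; the comment on Do (its signature and doc sit outside the hunk) should state that any TLS alert from the peer is reported as an authentication failure so that users reading errAuth do not only check their credentials.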