Changed keystore parse error to be more strict

jportner · jportner · commit 75d0f706cc07 · 2020-01-11T13:46:46.000-05:00
The Elasticsearch config should error out if a PKCS12 keystore does not contain a key *or* a certificate. This was intended to be the functionality in PR #53810, but it was overlooked. Changing it now since this PR is changing code in the same file.
diff --git a/src/core/server/elasticsearch/elasticsearch_config.test.ts b/src/core/server/elasticsearch/elasticsearch_config.test.ts
@@ -270,14 +270,20 @@ describe('throws when config is invalid', () => {
     );
   });
 
-  it('throws if keystore does not contain a key or certificate', () => {
+  it('throws if keystore does not contain a key', () => {
     mockReadPkcs12Keystore.mockReturnValueOnce({});
     const value = { ssl: { keystore: { path: 'some-path' } } };
     expect(
       () => new ElasticsearchConfig(config.schema.validate(value))
-    ).toThrowErrorMatchingInlineSnapshot(
-      `"Did not find key or certificate in Elasticsearch keystore."`
-    );
+    ).toThrowErrorMatchingInlineSnapshot(`"Did not find key in Elasticsearch keystore."`);
+  });
+
+  it('throws if keystore does not contain a certificate', () => {
+    mockReadPkcs12Keystore.mockReturnValueOnce({ key: 'foo' });
+    const value = { ssl: { keystore: { path: 'some-path' } } };
+    expect(
+      () => new ElasticsearchConfig(config.schema.validate(value))
+    ).toThrowErrorMatchingInlineSnapshot(`"Did not find certificate in Elasticsearch keystore."`);
   });
 
   it('throws if truststore path is invalid', () => {
diff --git a/src/core/server/elasticsearch/elasticsearch_config.ts b/src/core/server/elasticsearch/elasticsearch_config.ts
@@ -283,8 +283,10 @@ const readKeyAndCerts = (rawConfig: ElasticsearchConfigType) => {
       rawConfig.ssl.keystore.path,
       rawConfig.ssl.keystore.password
     );
-    if (!keystore.key && !keystore.cert) {
-      throw new Error(`Did not find key or certificate in Elasticsearch keystore.`);
+    if (!keystore.key) {
+      throw new Error(`Did not find key in Elasticsearch keystore.`);
+    } else if (!keystore.cert) {
+      throw new Error(`Did not find certificate in Elasticsearch keystore.`);
     }
     key = keystore.key;
     certificate = keystore.cert;
