From 3fb3decf497d203d74564b4c87e7b8c305a89b14 Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Thu, 26 Jan 2023 17:12:59 +0100
Subject: [PATCH] error if tls.key_file or cert_file are missing (#2020)

---
 pkg/apiserver/apiserver.go | 8 +++++++-
 tests/bats/30_machines_tls.bats | 22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go
index c03b7158b..4a50dbe38 100644
--- a/pkg/apiserver/apiserver.go
+++ b/pkg/apiserver/apiserver.go
@@ -320,7 +320,13 @@ func (s *APIServer) Run(apiReady chan bool) error {
 	go func() {
 		apiReady <- true
 		log.Infof("CrowdSec Local API listening on %s", s.URL)
-		if s.TLS != nil && s.TLS.CertFilePath != "" && s.TLS.KeyFilePath != "" {
+		if s.TLS != nil && (s.TLS.CertFilePath != "" || s.TLS.KeyFilePath != "") {
+			if s.TLS.KeyFilePath == "" {
+				log.Fatalf("while serving local API: %v", errors.New("missing TLS key file"))
+			} else if s.TLS.CertFilePath == "" {
+				log.Fatalf("while serving local API: %v", errors.New("missing TLS cert file"))
+			}
+
 			if err := s.httpServer.ListenAndServeTLS(s.TLS.CertFilePath, s.TLS.KeyFilePath); err != nil {
 				log.Fatalf("while serving local API: %v", err)
 			}
diff --git a/tests/bats/30_machines_tls.bats b/tests/bats/30_machines_tls.bats
index cd2a57936..7c8458388 100644
--- a/tests/bats/30_machines_tls.bats
+++ b/tests/bats/30_machines_tls.bats
@@ -62,6 +62,14 @@ teardown_file() {
 setup() {
     load "../lib/setup.sh"
 
+    config_set '
+    .api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" |
+    .api.server.tls.key_file=strenv(tmpdir) + "/server-key.pem" |
+    .api.server.tls.ca_cert_path=strenv(tmpdir) + "/inter.pem" |
+    .api.server.tls.crl_path=strenv(tmpdir) + "/crl.pem" |
+    .api.server.tls.agents_allowed_ou=["agent-ou"]
+    '
+
 }
 
 teardown() {
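Review bot: The new missing-key/missing-cert checks sit inside the serving goroutine after `apiReady <- true` has already been sent, so a half-configured LAPI is announced as ready and then torn down by `log.Fatalf`, which exits the process from a goroutine without passing the error back through `Run`'s `error` result or running any deferred cleanup. Both conditions depend only on `s.TLS`, so they can be evaluated in `Run` before `go func()` and returned as ordinary errors, which also removes the `errors.New` wrapped in `%v` in favour of a direct message. `Run`'s body starts and ends outside this hunk, so the returned error is handled by whatever already consumes `Run`'s result. If the branch taken when both paths are empty (outside the hunk) serves plain HTTP, a present-but-empty `tls` section still downgrades to cleartext without a message; a `log.Warn` there would be worth considering.

```go
	// Validate the TLS pair before announcing readiness: a half-configured
	// pair must fail Run rather than exit the process from the goroutine.
	if s.TLS != nil && (s.TLS.CertFilePath != "" || s.TLS.KeyFilePath != "") {
		if s.TLS.KeyFilePath == "" {
			return errors.New("missing TLS key file")
		}
		if s.TLS.CertFilePath == "" {
			return errors.New("missing TLS cert file")
		}
	}
	go func() {
		apiReady <- true
		log.Infof("CrowdSec Local API listening on %s", s.URL)
		if s.TLS != nil && s.TLS.CertFilePath != "" && s.TLS.KeyFilePath != "" {
			if err := s.httpServer.ListenAndServeTLS(s.TLS.CertFilePath, s.TLS.KeyFilePath); err != nil {
				log.Fatalf("while serving local API: %v", err)
			}
		// … unchanged: plain-HTTP branch and rest of the goroutine …
```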
@@ -70,6 +78,20 @@ teardown() {
 
 #----------
 
+@test "missing key_file" {
+    config_set '.api.server.tls.key_file=""'
+
+    rune -1 timeout 2s "${CROWDSEC}"
+    assert_stderr --partial "missing TLS key file"
+}
+
+@test "missing cert_file" {
+    config_set '.api.server.tls.cert_file=""'
+
+    rune -1 timeout 2s "${CROWDSEC}"
+    assert_stderr --partial "missing TLS cert file"
+}
+
 @test "invalid OU for agent" {
     config_set "${CONFIG_DIR}/local_api_credentials.yaml" '
     .ca_cert_path=strenv(tmpdir) + "/bundle.pem" |
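Review bot: Neither new test covers the two boundary cases the Go condition now distinguishes: both `cert_file` and `key_file` cleared, which the `||` guard deliberately lets through to the non-TLS branch, and a path that is set but points at a nonexistent file, which is left to `ListenAndServeTLS`. A third `@test` clearing both values with `config_set '.api.server.tls.cert_file="" | .api.server.tls.key_file=""'` and asserting on whatever that branch logs would pin the intended fallback instead of leaving it implicit. The `rune -1` expectation also depends on `log.Fatalf` exiting with status 1 inside the `2s` budget; on a slow runner `timeout` returns 124 and the test fails for the wrong reason, so a larger budget or a comment stating why 2s is enough would help the next reader.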