Fix NullPointerException in Postgres when using client SSL properties (#20034)

Only attempt to read values that were actually set on the client side Add test to confirm specific combination from reported issue works

Fix NullPointerException in Postgres when using client SSL properties (#20034)
a2f4563c · Jeff Evans · GitHub · 44a734d4 · a2f4563c · a2f4563c
Unverified Commit a2f4563c authored 3 years ago by Jeff Evans Committed by GitHub 3 years ago
--- a/src/metabase/driver/postgres.clj
+++ b/src/metabase/driver/postgres.clj
@@ -365,22 +365,23 @@
                          (secret/db-details-prop->secret-map db-details "ssl-client-cert"))
        ssl-key-pw      (when (:ssl-use-client-auth db-details)
                          (secret/db-details-prop->secret-map db-details "ssl-key-password"))
-        all-subprops    (apply concat (map :subprops [ssl-root-cert ssl-client-key ssl-client-cert ssl-key-pw]))]
+        all-subprops    (apply concat (map :subprops [ssl-root-cert ssl-client-key ssl-client-cert ssl-key-pw]))
+        has-value?      (comp some? :value)]
    (cond-> (set/rename-keys db-details {:ssl-mode :sslmode})
      ;; if somehow there was no ssl-mode set, just make it required (preserves existing behavior)
      (nil? (:ssl-mode db-details))
      (assoc :sslmode "require")

-      ssl-root-cert
+      (has-value? ssl-root-cert)
      (assoc :sslrootcert (secret/value->file! ssl-root-cert :postgres))

-      ssl-client-key
+      (has-value? ssl-client-key)
      (assoc :sslkey (secret/value->file! ssl-client-key :postgres))

-      ssl-client-cert
+      (has-value? ssl-client-cert)
      (assoc :sslcert (secret/value->file! ssl-client-cert :postgres))

-      ssl-key-pw
+      (has-value? ssl-key-pw)
      (assoc :sslpassword (secret/value->string ssl-key-pw))

      true

--- a/test/metabase/driver/postgres_test.clj
+++ b/test/metabase/driver/postgres_test.clj
@@ -692,3 +692,30 @@
                               "Skipping %s because %s env var is not set"
                               "postgres-ssl-connectivity-test"
                               "MB_POSTGRES_SSL_TEST_SSL")))))
+
+(def ^:private dummy-pem-contents
+  (str "-----BEGIN CERTIFICATE-----\n"
+       "-----END CERTIFICATE-----"))
+
+(deftest handle-nil-client-ssl-properties-test
+  (mt/test-driver :postgres
+    (testing "Setting only one of the client SSL params doesn't result in an NPE error (#19984)"
+      (mt/with-temp-file [dummy-root-cert   "dummy-root-cert.pem"
+                          dummy-client-cert "dummy-client-cert.pem"]
+        (spit dummy-root-cert dummy-pem-contents)
+        (spit dummy-client-cert dummy-pem-contents)
+        (let [db-details {:host "dummy-hostname"
+                          :dbname "test-db"
+                          :port 5432
+                          :user "dummy-login"
+                          :password "dummy-password"
+                          :ssl true
+                          :ssl-use-client-auth true
+                          :ssl-mode "verify-full"
+                          :ssl-root-cert-options "local"
+                          :ssl-root-cert-path dummy-root-cert
+                          :ssl-client-cert-options "local"
+                          :ssl-client-cert-value dummy-client-cert}]
+          ;; this will fail/throw an NPE if the fix for #19984 is not put in place (since the server code will
+          ;; attempt to "store" a non-existent :ssl-client-key-value to a temp file)
+          (is (map? (#'postgres/ssl-params db-details))))))))