Merge pull request #376 from morgo/mtocker-fix-embed-cert

embed certificate instead of file load
cashapp · Feb 18, 2025 · 704b7ce · 704b7ce
2 parents ef33b31 + 932b30c
commit 704b7ce
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 43 deletions.
diff --git a/pkg/dbconn/conn.go b/pkg/dbconn/conn.go
@@ -4,10 +4,9 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"database/sql"
+	_ "embed"
 	"fmt"
-	"log"
 	"net/url"
-	"os"
 	"regexp"
 	"strconv"
 	"strings"
@@ -28,30 +27,17 @@ const (
 var (
 	rdsAddr = regexp.MustCompile(`rds\.amazonaws\.com(:\d+)?$`)
 	once    sync.Once
+	// https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
+	//go:embed rdsGlobalBundle.pem
+	rdsGlobalBundle []byte
 )
 
-// LoadCertificateBundle loads certificate bundle from a file
-func LoadCertificateBundle(filePath string) ([]byte, error) {
-	certBundle, err := os.ReadFile(filePath)
-	if err != nil {
-		return nil, err
-	}
-	return certBundle, nil
-}
-
 func IsRDSHost(host string) bool {
 	return rdsAddr.MatchString(host)
 }
 
 func NewTLSConfig() *tls.Config {
-	// cert bundle from - https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
-	rdsGlobalBundle, err := LoadCertificateBundle("../../certs/rds/rdsGlobalBundle.pem")
-	if err != nil {
-		log.Fatalf("Failed to load certificate bundle: %v", err)
-	}
-
 	caCertPool := x509.NewCertPool()
-
 	caCertPool.AppendCertsFromPEM(rdsGlobalBundle)
 	return &tls.Config{RootCAs: caCertPool}
 }

diff --git a/pkg/dbconn/conn_test.go b/pkg/dbconn/conn_test.go
@@ -3,7 +3,6 @@ package dbconn
 import (
 	"crypto/x509"
 	"encoding/pem"
-	"os"
 	"testing"
 
 	"github.com/cashapp/spirit/pkg/testutils"
@@ -96,35 +95,12 @@ func TestNewConnRejectsReadOnlyConnections(t *testing.T) {
 	assert.Equal(t, 1, count)
 }
 
-func TestLoadCertificateBundle(t *testing.T) {
-	// create a temp cert bundle
-	tempFile, err := os.CreateTemp(t.TempDir(), "cert_bundle_*.pem")
-	assert.NoError(t, err, "Failed to create temp file")
-	defer os.Remove(tempFile.Name())
-
-	testData := []byte("-----BEGIN CERTIFICATE-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7\n-----END CERTIFICATE-----")
-	_, err = tempFile.Write(testData)
-	assert.NoError(t, err, "Failed to write to temp file")
-	err = tempFile.Close()
-	assert.NoError(t, err, "Failed to close temp file")
-
-	certBundle, err := LoadCertificateBundle(tempFile.Name())
-	assert.NoError(t, err, "Failed to load certificate bundle")
-
-	// verify the loaded cert bundle
-	assert.Equal(t, testData, certBundle, "Loaded certificate bundle does not match expected data")
-}
-
 func TestValidCertificateBundle(t *testing.T) {
-	// load certificate bundle from file
-	certBundle, err := LoadCertificateBundle("../../certs/rds/rdsGlobalBundle.pem")
-	assert.NoError(t, err, "Failed to load certificate bundle")
-
 	// parse certificate bundle
 	var block *pem.Block
 	foundCertificates := false
 	for {
-		block, certBundle = pem.Decode(certBundle)
+		block, rdsGlobalBundle = pem.Decode(rdsGlobalBundle)
 		if block == nil {
 			break
 		}

diff --git a/certs/rds/rdsGlobalBundle.pem → pkg/dbconn/rdsGlobalBundle.pem b/certs/rds/rdsGlobalBundle.pem → pkg/dbconn/rdsGlobalBundle.pem