From 2a6ad90b72c21d4737b68cbd8051ca0dd1ec712f Mon Sep 17 00:00:00 2001
From: yusing
Date: Mon, 13 Apr 2026 16:44:48 +0800
Subject: [PATCH] fix(entrypoint): return nil map from compileInboundMTLSProfiles on error

compileInboundMTLSProfiles now returns a nil map when compilation fails, instead of a partially populated map alongside the error. This avoids callers accidentally using incomplete state when err != nil. Add TestCompileInboundMTLSProfilesReturnsNilMapOnError for a mixed ok/bad profile map. Reformat fakeHTTPRoute stub methods in the test file.
---
 internal/entrypoint/inbound_mtls.go | 5 +++-
 internal/entrypoint/inbound_mtls_test.go | 30 +++++++++++++++++-------
 2 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/internal/entrypoint/inbound_mtls.go b/internal/entrypoint/inbound_mtls.go
index 40348f5f..2f91e1ba 100644
--- a/internal/entrypoint/inbound_mtls.go
+++ b/internal/entrypoint/inbound_mtls.go
@@ -33,7 +33,10 @@ func compileInboundMTLSProfiles(profiles map[string]types.InboundMTLSProfile) (m
 compiled[name] = pool
 }
 
- return compiled, errs.Error()
+ if err := errs.Error(); err != nil {
+ return nil, err
+ }
+ return compiled, nil
 }
 
 func buildInboundMTLSCAPool(profile types.InboundMTLSProfile) (*x509.CertPool, error) {
diff --git a/internal/entrypoint/inbound_mtls_test.go b/internal/entrypoint/inbound_mtls_test.go
index 18c9fdfd..b87510d6 100644
--- a/internal/entrypoint/inbound_mtls_test.go
+++ b/internal/entrypoint/inbound_mtls_test.go
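Review bot: The all-or-nothing contract created by the new `return nil, err` in compileInboundMTLSProfiles is not documented, and a nil map looks the same as "no profiles configured" to a caller that only logs the error and carries on. Because these CA pools gate inbound client-certificate verification, I would add a doc comment on the function such as `// On any profile error it returns (nil, err); callers must abort instead of continuing with an empty profile set.` Whether the existing callers already fail closed cannot be seen from this hunk, and the function's signature and loop begin above it.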
@@ -80,15 +80,17 @@ func (r *fakeHTTPRoute) DisplayName() string { return r.name } func (r *fakeHTTPRoute) ContainerInfo() *types.Container { return nil } -func (r *fakeHTTPRoute) GetAgent() *agentpool.Agent { return nil } -func (r *fakeHTTPRoute) IsDocker() bool { return false } -func (r *fakeHTTPRoute) IsAgent() bool { return false } -func (r *fakeHTTPRoute) UseLoadBalance() bool { return false } -func (r *fakeHTTPRoute) UseIdleWatcher() bool { return false } -func (r *fakeHTTPRoute) UseHealthCheck() bool { return false } -func (r *fakeHTTPRoute) UseAccessLog() bool { return false } -func (r *fakeHTTPRoute) ServeHTTP(http.ResponseWriter, *http.Request) {} -func (r *fakeHTTPRoute) InboundMTLSProfileRef() string { return r.inboundMTLSProfile } +func (r *fakeHTTPRoute) GetAgent() *agentpool.Agent { return nil } +func (r *fakeHTTPRoute) IsDocker() bool { return false } +func (r *fakeHTTPRoute) IsAgent() bool { return false } +func (r *fakeHTTPRoute) UseLoadBalance() bool { return false } +func (r *fakeHTTPRoute) UseIdleWatcher() bool { return false } +func (r *fakeHTTPRoute) UseHealthCheck() bool { return false } +func (r *fakeHTTPRoute) UseAccessLog() bool { return false } +func (r *fakeHTTPRoute) ServeHTTP(http.ResponseWriter, *http.Request) { + // no-op: test stub +} +func (r *fakeHTTPRoute) InboundMTLSProfileRef() string { return r.inboundMTLSProfile } func newTestHTTPServer(t *testing.T, ep *Entrypoint) *httpServer { t.Helper() 
@@ -176,6 +178,16 @@ func TestSetInboundMTLSProfilesRejectsBadCAFile(t *testing.T) {
 require.ErrorContains(t, err, "missing.pem")
 }
 
+func TestCompileInboundMTLSProfilesReturnsNilMapOnError(t *testing.T) {
+ compiled, err := compileInboundMTLSProfiles(map[string]types.InboundMTLSProfile{
+ "ok": {UseSystemCAs: true},
+ "bad": {CAFiles: []string{filepath.Join(t.TempDir(), "missing.pem")}},
+ })
+ require.Nil(t, compiled)
+ require.Error(t, err)
+ require.ErrorContains(t, err, "missing.pem")
+}
+
 func TestMutateServerTLSConfigRejectsUnknownRouteProfile(t *testing.T) {
 ep := NewTestEntrypoint(t, nil)
 ep.SetFindRouteDomains([]string{".example.com"})
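Review bot: `require.Error(t, err)` in TestCompileInboundMTLSProfilesReturnsNilMapOnError is redundant, because `require.ErrorContains(t, err, "missing.pem")` on the next line already fails on a nil error, so it can be dropped. The test also relies on the `"ok"` profile (`UseSystemCAs: true`) compiling on the host, but nothing asserts that; if it failed as well, the test would still pass and would no longer cover the mixed case. How `UseSystemCAs` is resolved is outside this hunk, so a short comment such as `// "ok" must compile so that only "bad" contributes the error` would at least record the intent.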