
gitlab.com/gitlab-org/gitlab-pages.git - Unnamed repository; edit this file 'description' to name the repository.
authorVishal Tak <vtak@gitlab.com>2022-06-01 15:59:58 +0300
committerVishal Tak <vtak@gitlab.com>2022-06-02 09:28:49 +0300
commit2624810f74b8ea239a02d09f5a21def3e1076fda (patch)
tree9bf58d9b73e17efdcc420eb4284ce7c12fa63fe4 /internal/config
parent8488ef56611256c1761f93de5f8df23e07b86af4 (diff)
Use TLSConfig and remove IsHTTPS in Metrics config
Add unit tests and move acceptance tests
Diffstat (limited to 'internal/config')
-rw-r--r--internal/config/config.go19
-rw-r--r--internal/config/config_test.go85
2 files changed, 99 insertions, 5 deletions
diff --git a/internal/config/config.go b/internal/config/config.go
index b26642d1..a59dffd4 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -149,9 +149,15 @@ type Server struct {
}
type Metrics struct {
- Address string
- IsHTTPS bool
- TLSCertificate tls.Certificate
+ Address string
+ TLSConfig *tls.Config
+}
+
+func (m *Metrics) IsHTTPS() bool {
+ // disable "G402 (CWE-295): TLS MinVersion too low. (Confidence: HIGH, Severity: HIGH)"
+ // because zero value of tls.Config{} is used for comparison
+ // #nosec G402
+ return m.TLSConfig != &tls.Config{}
}
var (
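Review bot: `IsHTTPS` compares `m.TLSConfig` with the address of a freshly allocated `tls.Config{}`, and two distinct pointers are never equal, so the method returns true for every `Metrics` value. That includes the plain-HTTP case, where `loadMetricsConfig` appears to leave `TLSConfig` nil (only its tail is visible in this commit). Callers outside this hunk that branch on the result would treat an unencrypted metrics listener as TLS, or pass a nil config into the TLS path. Replace the body with `return m.TLSConfig != nil`; the `#nosec G402` suppression and its two-line explanation can then be dropped, because no `tls.Config` literal remains in the method.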
@@ -211,12 +217,15 @@ func loadMetricsConfig() (metrics Metrics, err error) {
return metrics, errMetricsNoKey
}
- metrics.TLSCertificate, err = tls.LoadX509KeyPair(*metricsCertificate, *metricsKey)
+ cert, err := tls.LoadX509KeyPair(*metricsCertificate, *metricsKey)
if err != nil {
return metrics, err
}
- metrics.IsHTTPS = true
+ metrics.TLSConfig = &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ MinVersion: tls.VersionTLS12,
+ }
return metrics, nil
}
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
new file mode 100644
index 00000000..0725bcc3
--- /dev/null
+++ b/internal/config/config_test.go
@@ -0,0 +1,85 @@
+package config
+
+import (
+ "os"
+ "path/filepath"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+
+ "gitlab.com/gitlab-org/gitlab-pages/internal/fixture"
+)
+
+func TestLoadMetricsConfig(t *testing.T) {
+ defaultMetricsAdress := ":9325"
+ defaultDir, defaultMetricsKey, defaultMetricsCertificate := setupHTTPSFixture(t)
+
+ tests := map[string]struct {
+ metricsAddress string
+ metricsCertificate string
+ metricsKey string
+ expectedError error
+ }{
+ "no metrics": {},
+ "http metrics": {
+ metricsAddress: defaultMetricsAdress,
+ },
+ "https metrics": {
+ metricsAddress: defaultMetricsAdress,
+ metricsCertificate: defaultMetricsCertificate,
+ metricsKey: defaultMetricsKey,
+ },
+ "https metrics no certificate": {
+ metricsAddress: defaultMetricsAdress,
+ metricsKey: defaultMetricsKey,
+ expectedError: errMetricsNoCertificate,
+ },
+ "https metrics no key": {
+ metricsAddress: defaultMetricsAdress,
+ metricsCertificate: defaultMetricsCertificate,
+ expectedError: errMetricsNoKey,
+ },
+ "https metrics invalid certificate path": {
+ metricsAddress: defaultMetricsAdress,
+ metricsCertificate: filepath.Join(defaultDir, "domain.certificate.missing"),
+ metricsKey: defaultMetricsKey,
+ expectedError: os.ErrNotExist,
+ },
+ "https metrics invalid key path": {
+ metricsAddress: defaultMetricsAdress,
+ metricsCertificate: defaultMetricsCertificate,
+ metricsKey: filepath.Join(defaultDir, "domain.key.missing"),
+ expectedError: os.ErrNotExist,
+ },
+ }
+ for name, tc := range tests {
+ t.Run(name, func(t *testing.T) {
+ metricsAddress = &tc.metricsAddress
+ metricsCertificate = &tc.metricsCertificate
+ metricsKey = &tc.metricsKey
+ _, err := loadMetricsConfig()
+ require.ErrorIs(t, err, tc.expectedError)
+ })
+ }
+}
+
+func setupHTTPSFixture(t *testing.T) (dir string, key string, cert string) {
+ t.Helper()
+
+ tmpDir := t.TempDir()
+
+ keyfile, err := os.CreateTemp(tmpDir, "https-fixture")
+ require.NoError(t, err)
+ key = keyfile.Name()
+ keyfile.Close()
+
+ certfile, err := os.CreateTemp(tmpDir, "https-fixture")
+ require.NoError(t, err)
+ cert = certfile.Name()
+ certfile.Close()
+
+ require.NoError(t, os.WriteFile(key, []byte(fixture.Key), 0644))
+ require.NoError(t, os.WriteFile(cert, []byte(fixture.Certificate), 0644))
+
+ return tmpDir, keyfile.Name(), certfile.Name()
+}
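Review bot: `TestLoadMetricsConfig` discards the returned `Metrics` (`_, err := loadMetricsConfig()`), so nothing checks that the "http metrics" case reports no TLS and the "https metrics" case carries a config with the expected `MinVersion`. Adding an `expectedIsHTTPS bool` field to the table and asserting `require.Equal(t, tc.expectedIsHTTPS, metrics.IsHTTPS())` after the call would pin that behaviour and expose any mistake in the `IsHTTPS` comparison. The subtests also overwrite the package-level `metricsAddress`, `metricsCertificate` and `metricsKey` pointers without restoring them, so later tests in the package inherit the last case's values; saving the originals and resetting them in `t.Cleanup` avoids that. In `setupHTTPSFixture` the key is written with mode `0644`; `0600` is the safer habit for private-key files even in a temp dir.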