From 7f77be8f85aafbd090401f0a7576847f078452aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A1bor=20Farkas?=
Date: Mon, 19 Feb 2024 11:58:42 +0100
Subject: [PATCH] postgres: tls: only use non-empty certificates (#82182)
---
 .../tlsmanager.go | 13 +++++++
 .../tlsmanager_test.go | 39 +++++++++++++++++++
 2 files changed, 52 insertions(+)
diff --git a/pkg/tsdb/grafana-postgresql-datasource/tlsmanager.go b/pkg/tsdb/grafana-postgresql-datasource/tlsmanager.go
index 953e983e5e6..116872d0613 100644
--- a/pkg/tsdb/grafana-postgresql-datasource/tlsmanager.go
+++ b/pkg/tsdb/grafana-postgresql-datasource/tlsmanager.go
@@ -200,6 +200,19 @@ func (m *tlsManager) writeCertFiles(dsInfo sqleng.DataSourceInfo, tlsconfig *tls
 return err
 }
 
+ // we do not want to point to cert-files that do not exist
+ if tlsRootCert == "" {
+ tlsconfig.RootCertFile = ""
+ }
+
+ if tlsClientCert == "" {
+ tlsconfig.CertFile = ""
+ }
+
+ if tlsClientKey == "" {
+ tlsconfig.CertKeyFile = ""
+ }
+
 // Update datasource cache
 m.dsCacheInstance.cache.Store(cacheKey, dsInfo.Updated)
 return nil
diff --git a/pkg/tsdb/grafana-postgresql-datasource/tlsmanager_test.go b/pkg/tsdb/grafana-postgresql-datasource/tlsmanager_test.go
index d685e61b22b..8e60e841cab 100644
--- a/pkg/tsdb/grafana-postgresql-datasource/tlsmanager_test.go
+++ b/pkg/tsdb/grafana-postgresql-datasource/tlsmanager_test.go
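Review bot: The three added checks clear each path independently, so a datasource that supplies `tlsClientCert` but an empty `tlsClientKey` (or the reverse) leaves `tlsconfig.CertFile` populated while `tlsconfig.CertKeyFile` is blanked, a half-configured client identity that the driver will presumably reject later with a less specific error; the hunk should reject that pairing up front, before the cache store, e.g. `if (tlsClientCert == "") != (tlsClientKey == "") { return <error in this file's style>("tls client certificate and key must both be set or both be empty") }`. Blanking `RootCertFile` when the CA content is empty correctly avoids a dangling path, but a comment should state what the driver does in verify-ca/verify-full modes with no root cert file, since it is not visible from here whether that falls back to a system trust store or fails the connection: `// NOTE: in verify-ca/verify-full the driver still needs a CA; confirm an empty RootCertFile fails closed rather than skipping verification`. A cert file written by an earlier version of the same datasource would presumably remain under the data path after its content is removed; if so, deleting the stale file (the client key in particular) when the content is empty would be preferable to merely no longer referencing it. writeCertFiles starts and ends outside the hunk, so the earlier write path that sets these fields is not visible here.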
@@ -237,6 +237,45 @@ func TestGetTLSSettings(t *testing.T) {
 CertKeyFile: filepath.Join(cfg.DataPath, "tls", "xxxgeneratedTLSCerts", "client.key"),
 },
 },
+ {
+ desc: "Custom TLS mode verify-ca with no client certificates with certificate files content",
+ updated: updatedTime.Add(3 * time.Minute),
+ uid: "xxx",
+ jsonData: sqleng.JsonData{
+ Mode: "verify-ca",
+ ConfigurationMethod: "file-content",
+ },
+ secureJSONData: map[string]string{
+ "tlsCACert": "I am CA certification",
+ },
+ tlsSettings: tlsSettings{
+ Mode: "verify-ca",
+ ConfigurationMethod: "file-content",
+ RootCertFile: filepath.Join(cfg.DataPath, "tls", "xxxgeneratedTLSCerts", "root.crt"),
+ CertFile: "",
+ CertKeyFile: "",
+ },
+ },
+ {
+ desc: "Custom TLS mode require with client certificates and no root certificate with certificate files content",
+ updated: updatedTime.Add(4 * time.Minute),
+ uid: "xxx",
+ jsonData: sqleng.JsonData{
+ Mode: "require",
+ ConfigurationMethod: "file-content",
+ },
+ secureJSONData: map[string]string{
+ "tlsClientCert": "I am client certification",
+ "tlsClientKey": "I am client key",
+ },
+ tlsSettings: tlsSettings{
+ Mode: "require",
+ ConfigurationMethod: "file-content",
+ RootCertFile: "",
+ CertFile: filepath.Join(cfg.DataPath, "tls", "xxxgeneratedTLSCerts", "client.crt"),
+ CertKeyFile: filepath.Join(cfg.DataPath, "tls", "xxxgeneratedTLSCerts", "client.key"),
+ },
+ },
 }
 for _, tt := range testCases {
 t.Run(tt.desc, func(t *testing.T) {
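Review bot: The two new table cases cover only the symmetric combinations (CA alone; client cert and key together), so nothing pins the behaviour for a client certificate supplied without a key, which under the new writeCertFiles checks yields a populated `CertFile` next to an empty `CertKeyFile`; a third case with `secureJSONData: map[string]string{"tlsClientCert": "I am client certification"}` and an explicit expectation (either an error or the half-set tlsSettings) would document whichever contract is intended. The fixtures are placeholder strings rather than PEM, so these cases assert path wiring only, not that the written content parses; a one-line comment on the table such as `// fixtures are opaque strings: only file-path wiring is asserted here, not PEM validity` would stop future readers from assuming otherwise. TestGetTLSSettings starts and ends outside the hunk, so the assertion loop that consumes these expectations is only partly visible.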