From f6aa0e41e50ac2b596a7c2e7b33297e5f33c31e1 Mon Sep 17 00:00:00 2001
From: Matt Bostock
Date: Thu, 28 Sep 2017 14:55:32 +0100
Subject: [PATCH] Return error if datasource TLS CA not parsed
---
 pkg/models/datasource_cache.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/pkg/models/datasource_cache.go b/pkg/models/datasource_cache.go
index f6c7ee67c5a..79c67691df7 100644
--- a/pkg/models/datasource_cache.go
+++ b/pkg/models/datasource_cache.go
@@ -3,6 +3,7 @@ package models
 import (
 "crypto/tls"
 "crypto/x509"
+ "errors"
 "net"
 "net/http"
 "sync"
@@ -71,13 +72,13 @@ func (ds *DataSource) GetHttpTransport() (*http.Transport, error) {
 if tlsClientAuth || tlsAuthWithCACert {
 decrypted := ds.SecureJsonData.Decrypt()
-
 if tlsAuthWithCACert && len(decrypted["tlsCACert"]) > 0 {
 caPool := x509.NewCertPool()
 ok := caPool.AppendCertsFromPEM([]byte(decrypted["tlsCACert"]))
- if ok {
- transport.TLSClientConfig.RootCAs = caPool
+ if !ok {
+ return nil, errors.New("Failed to parse TLS CA PEM certificate")
 }
+ transport.TLSClientConfig.RootCAs = caPool
 }
 if tlsClientAuth {
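Review bot: The empty-CA case in the second hunk still fails open: when `tlsAuthWithCACert` is set but `decrypted["tlsCACert"]` is empty, the guard `tlsAuthWithCACert && len(decrypted["tlsCACert"]) > 0` skips the block and `RootCAs` stays unset. Unless something outside the hunk prevents it, the transport then verifies against the default trust store instead of the configured CA, which is the same silent fallback this commit removes for unparseable PEM. Consider rejecting it explicitly, e.g. `if tlsAuthWithCACert && len(decrypted["tlsCACert"]) == 0 { return nil, errors.New("TLS CA certificate is empty") }` ahead of the pool setup. Also note that `AppendCertsFromPEM` reports success as soon as one certificate parses, so a bundle with a corrupt entry still passes this check; a short comment saying so would help. The body of GetHttpTransport starts and ends outside the hunk, so any validation done elsewhere is not visible here.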