From 27258b9c54980dcba26ccf041c316b221f0ad392 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Wed, 7 Mar 2018 08:46:28 -0800
Subject: [PATCH] Ensure to load only regular files for CAs (#5612)

In kubernetes statefulset like environments when secrets are mounted to
pods they have sub-directories, we should ideally be only looking for
regular files here and skip all others.
---
 cmd/certs.go      | 11 +++++++----
 cmd/certs_test.go | 21 +++++----------------
 2 files changed, 12 insertions(+), 20 deletions(-)

diff --git a/cmd/certs.go b/cmd/certs.go
index 9af5efe9d..78f147b68 100644
--- a/cmd/certs.go
+++ b/cmd/certs.go
@@ -23,7 +23,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"path/filepath"
 )
 
 // TLSPrivateKeyPassword is the environment variable which contains the password used
@@ -64,14 +63,18 @@ func parsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err er
 func getRootCAs(certsCAsDir string) (*x509.CertPool, error) {
 	// Get all CA file names.
 	var caFiles []string
-	fis, err := ioutil.ReadDir(certsCAsDir)
+	fis, err := readDir(certsCAsDir)
 	if err != nil {
 		return nil, err
 	}
 	for _, fi := range fis {
-		caFiles = append(caFiles, filepath.Join(certsCAsDir, fi.Name()))
+		// Skip all directories.
+		if hasSuffix(fi, slashSeparator) {
+			continue
+		}
+		// We are only interested in regular files here.
+		caFiles = append(caFiles, pathJoin(certsCAsDir, fi))
 	}
-
 	if len(caFiles) == 0 {
 		return nil, nil
 	}
diff --git a/cmd/certs_test.go b/cmd/certs_test.go
index 8a3d2e485..9c9f2912d 100644
--- a/cmd/certs_test.go
+++ b/cmd/certs_test.go
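Review bot: The check at `if hasSuffix(fi, slashSeparator)` only drops entries that readDir marks with a trailing separator, so the "regular files only" guarantee in the subject rests on what readDir reports for every other entry kind; Kubernetes secret volumes, which the description cites, expose their files through symlinks into a `..data` directory, and whether readDir resolves or flags those is not visible from this hunk. I would state that dependency next to the check, e.g. `// NOTE: readDir reports directories with a trailing slashSeparator; symlinks and other non-regular entries are not filtered here — confirm readDir's behaviour for them.` As a style point, `fis` was short for the FileInfo slice returned by ioutil.ReadDir but now holds plain names from readDir, so `entries` or `names` would read better across the loop. The `return nil, err` at the top of the hunk still passes the readDir error up without naming certsCAsDir, which makes a misconfigured CA directory harder to diagnose from the log. getRootCAs continues past the end of the hunk.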
@@ -219,27 +219,16 @@ func TestGetRootCAs(t *testing.T) {
 		t.Fatalf("Unable create test file. %v", err)
 	}
 
-	nonexistentErr := fmt.Errorf("open nonexistent-dir: no such file or directory")
-	if runtime.GOOS == "windows" {
-		// Below concatenation is done to get rid of goline error
-		// "error strings should not be capitalized or end with punctuation or a newline"
-		nonexistentErr = fmt.Errorf("open nonexistent-dir:" + " The system cannot find the file specified.")
-	}
-
-	err1 := fmt.Errorf("read %s: is a directory", filepath.Join(dir1, "empty-dir"))
-	if runtime.GOOS == "windows" {
-		// Below concatenation is done to get rid of goline error
-		// "error strings should not be capitalized or end with punctuation or a newline"
-		err1 = fmt.Errorf("read %s:"+" The handle is invalid.", filepath.Join(dir1, "empty-dir"))
-	}
-
 	testCases := []struct {
 		certCAsDir string
 		expectedErr error
 	}{
-		{"nonexistent-dir", nonexistentErr},
-		{dir1, err1},
+		{"nonexistent-dir", errFileNotFound},
+		// Ignores directories.
+		{dir1, nil},
+		// Ignore empty directory.
 		{emptydir, nil},
+		// Loads the cert properly.
 		{dir2, nil},
 	}
 
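Review bot: The new `{dir1, nil}` row exercises the directory-skipping path, but with only `expectedErr` in the table the test cannot tell "subdirectory skipped and the CA loaded" apart from "nothing loaded at all"; the comparison loop is outside the hunk, so if it only checks the error, an added expectation on the returned pool (non-nil where a certificate is present, nil for `emptydir` since getRootCAs returns `nil, nil` for an empty listing) would pin the behaviour this commit is about. The three added comments mix forms (`// Ignores directories.`, `// Ignore empty directory.`, `// Loads the cert properly.`); a consistent phrasing such as `// Subdirectory is skipped.` / `// Empty directory yields no CAs.` / `// Regular certificate file is loaded.` keeps the table readable. TestGetRootCAs starts before and ends after this hunk.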