From 2c6bf5bc9ade5f8bfbd639030f95df9be755c47b Mon Sep 17 00:00:00 2001
From: Shlomo Heigh
Date: Mon, 27 Mar 2023 15:18:19 -0400
Subject: [PATCH] Improve error message when using self-signed certificate

---
 CHANGELOG.md                        |  4 ++++
 ci/docker-compose.yml               |  4 ++--
 cmd/integration/integration_test.go | 13 +++++++++++++
 cmd/integration/shared.go           |  1 +
 pkg/cmd/init.go                     |  7 ++++++-
 pkg/cmd/init_test.go                |  5 +++--
 6 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 811cdfc7..c096cf80 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [8.0.6] - 2023-03-24
 
+### Fixed
+- Improved error message when using self-signed certificates
+  [cyberark/conjur-cli-go#119](https://github.com/cyberark/conjur-cli-go/pull/119)
+
 ## [8.0.5] - 2023-03-24
 
 ### Changed
diff --git a/ci/docker-compose.yml b/ci/docker-compose.yml
index bcd715bc..6b2d1486 100644
--- a/ci/docker-compose.yml
+++ b/ci/docker-compose.yml
@@ -23,8 +23,8 @@ services:
   proxy:
     image: nginx:1.13.6-alpine
     volumes:
-      - ../conf/:/etc/nginx/conf.d/:ro
-      - ../conf/tls/:/etc/nginx/tls/:ro
+      - ./conf/:/etc/nginx/conf.d/:ro
+      - ./conf/tls/:/etc/nginx/tls/:ro
     depends_on:
       - conjur
     restart: on-failure
diff --git a/cmd/integration/integration_test.go b/cmd/integration/integration_test.go
index 08073955..6ab127e1 100644
--- a/cmd/integration/integration_test.go
+++ b/cmd/integration/integration_test.go
@@ -41,6 +41,19 @@ func TestIntegration(t *testing.T) {
 		assert.Contains(t, stdErr, "Must specify an Account")
 	})
 
+	t.Run("init with self-signed cert", func(t *testing.T) {
+		stdOut, stdErr, err = conjurCLI.Run("init", "-a", account, "-u", "https://proxy", "--force-netrc", "--force")
+		assert.Error(t, err)
+		assert.Equal(t, "", stdOut)
+		assert.Contains(t, stdErr, "Unable to retrieve and validate certificate")
+		assert.Contains(t, stdErr, "re-run the init command with the `--self-signed` flag")
+
+		stdOut, stdErr, err = conjurCLI.Run("init", "-a", account, "-u", "https://proxy", "--force-netrc", "--force", "--self-signed")
+		assert.NotContains(t, stdErr, "Unable to retrieve and validate certificate")
+		assert.Contains(t, stdOut, "The server's certificate fingerprint is")
+		assert.Contains(t, stdErr, selfSignedWarning)
+	})
+
 	t.Run("init", func(t *testing.T) {
 		stdOut, stdErr, err = conjurCLI.Run("init", "-a", account, "-u", "http://conjur", "-i", "--force-netrc", "--force")
 		assert.NoError(t, err)
diff --git a/cmd/integration/shared.go b/cmd/integration/shared.go
index db22877b..494de8f1 100644
--- a/cmd/integration/shared.go
+++ b/cmd/integration/shared.go
@@ -21,6 +21,7 @@ const pathToBinary = "conjur"
 
 const insecureModeWarning = "Warning: Running the command with '--insecure' makes your system vulnerable to security attacks\n" +
 	"If you prefer to communicate with the server securely you must reinitialize the client in secure mode.\n"
+const selfSignedWarning = "Warning: Using self-signed certificates is not recommended and could lead to exposure of sensitive data\n"
 
 func newConjurCLI(homeDir string) *conjurCLI {
 	return &conjurCLI{
diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go
index 3d45b05b..22da6a89 100644
--- a/pkg/cmd/init.go
+++ b/pkg/cmd/init.go
@@ -1,6 +1,7 @@
 package cmd
 
 import (
+	"errors"
 	"fmt"
 	"net/url"
 	"os"
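Review bot: The second `conjurCLI.Run` in the new "init with self-signed cert" subtest never checks `err`, so the `--self-signed` path passes as long as the fingerprint line reaches stdout, even if init then exits non-zero (for example at the accept-certificate prompt or while writing the config). Add `assert.NoError(t, err)` directly after that call, and consider also pinning that the first run wrote nothing, as the `assert.Equal(t, "", stdOut)` on the failing run already does. How the certificate-acceptance prompt is answered non-interactively is not visible in this hunk; `TestIntegration` continues outside it.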
@@ -199,7 +200,11 @@ func fetchCertIfNeeded(config *conjurapi.Config, cmdFlagVals initCmdFlagValues,
 
 	cert, err := utils.GetServerCert(url.Host, cmdFlagVals.selfSigned)
 	if err != nil {
-		return fmt.Errorf("Unable to retrieve certificate from %s: %s", url.Host, err)
+		errStr := fmt.Sprintf("Unable to retrieve and validate certificate from %s: %s", url.Host, err)
+		if !cmdFlagVals.selfSigned {
+			errStr += "\nIf you're attempting to use a self-signed certificate, re-run the init command with the `--self-signed` flag\n"
+		}
+		return errors.New(errStr)
 	}
 
 	// Prompt user to accept certificate
diff --git a/pkg/cmd/init_test.go b/pkg/cmd/init_test.go
index ed7efe7d..01a1bf8c 100644
--- a/pkg/cmd/init_test.go
+++ b/pkg/cmd/init_test.go
@@ -206,7 +206,7 @@ appliance_url: http://host
 			name: "fails if can't retrieve server certificate",
 			args: []string{"init", "-u=https://nohost.example.com", "-a=test-account"},
 			assert: func(t *testing.T, conjurrcInTmpDir string, stdout string, stderr string, err error) {
-				assert.Contains(t, stderr, "Unable to retrieve certificate")
+				assert.Contains(t, stderr, "Unable to retrieve and validate certificate")
 				assertFetchCertFailed(t, conjurrcInTmpDir)
 			},
 		},
@@ -214,7 +214,8 @@ appliance_url: http://host
 			name: "fails for self-signed certificate",
 			args: []string{"init", "-u=https://self-signed.badssl.com", "-a=test-account"},
 			assert: func(t *testing.T, conjurrcInTmpDir string, stdout string, stderr string, err error) {
-				assert.Contains(t, stderr, "Unable to retrieve certificate")
+				assert.Contains(t, stderr, "Unable to retrieve and validate certificate")
+				assert.Contains(t, stderr, "If you're attempting to use a self-signed certificate, re-run the init command with the `--self-signed` flag")
 				assertFetchCertFailed(t, conjurrcInTmpDir)
 			},
 		},
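Review bot: The `--self-signed` hint appended inside the new `if !cmdFlagVals.selfSigned` branch is emitted for every failure of `utils.GetServerCert`, including a hostname mismatch, an expired chain or a plain connection error, so the CLI steers users toward disabling CA validation in exactly the situations where a hostile certificate may be the cause. Gate the hint on the failure actually being an untrusted issuer, e.g. `var unknownCA x509.UnknownAuthorityError` followed by `if !cmdFlagVals.selfSigned && errors.As(err, &unknownCA) {` (adds a `crypto/x509` import), and keep the error chain intact with `return fmt.Errorf("Unable to retrieve and validate certificate from %s: %w", url.Host, err)` instead of flattening it through `fmt.Sprintf`/`errors.New`, so the `errors.As` works and callers can still inspect the cause. This assumes GetServerCert returns the underlying x509 error wrapped rather than stringified, which is not visible here. It would also help to print the same warning the `--self-signed` path emits on success alongside the hint, so the user sees the trade-off before re-running. `fetchCertIfNeeded` starts and ends outside this hunk.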
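Review bot: The nohost case in this hunk now also receives the `--self-signed` hint on stderr, because the hint is appended whenever `selfSigned` is false regardless of the error's cause, and the assertion only pins the message prefix, so the test cannot distinguish a DNS failure from a certificate failure. If the hint is meant only for untrusted-issuer errors, pin that here with `assert.NotContains(t, stderr, "--self-signed")`; if it is intentionally unconditional, a short comment on this case saying so would stop the next reader from assuming otherwise. The enclosing test-table literal starts and ends outside this hunk.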
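Review bot: The new assertion depends on a live TLS handshake with `self-signed.badssl.com`, so this unit test fails offline or in sandboxed CI, breaks whenever that third-party host changes its certificate, and sends a resolver lookup and handshake to an external party on every `go test`. A local `httptest.NewTLSServer(http.NotFoundHandler())` created before the table presents a certificate that the system root pool rejects with `x509.UnknownAuthorityError`, so `args: []string{"init", "-u=" + srv.URL, "-a=test-account"}` would exercise the same branch hermetically, assuming GetServerCert verifies against the system roots, which is not visible here. The table literal starts and ends outside this hunk.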