Display correct error message when host is missing in tctl auth sign

gravitational · Feb 28, 2022 · e9c2e47 · e9c2e47
1 parent 6930ee9
commit e9c2e47
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/tool/tctl/common/auth_command.go b/tool/tctl/common/auth_command.go
@@ -422,7 +422,7 @@ func (a *AuthCommand) generateDatabaseKeys(clusterAPI auth.ClientI) error {
 // for database access.
 func (a *AuthCommand) generateDatabaseKeysForKey(clusterAPI auth.ClientI, key *client.Key) error {
 	principals := strings.Split(a.genHost, ",")
-	if len(principals) == 0 {
+	if len(principals) == 1 && principals[0] == "" {
 		return trace.BadParameter("at least one hostname must be specified via --host flag")
 	}
 	// For CockroachDB node certificates, CommonName must be "node":

diff --git a/tool/tctl/common/auth_command_test.go b/tool/tctl/common/auth_command_test.go
@@ -405,6 +405,7 @@ func TestGenerateDatabaseKeys(t *testing.T) {
 		outKey         []byte
 		outCert        []byte
 		outCA          []byte
+		genKeyErrMsg   string
 	}{
 		{
 			name:           "database certificate",
@@ -463,6 +464,29 @@ func TestGenerateDatabaseKeys(t *testing.T) {
 			outCert:        certBytes,
 			outCA:          caBytes,
 		},
+		{
+			name:           "redis certificate",
+			inFormat:       identityfile.FormatRedis,
+			inHost:         "localhost,redis1,172.0.0.1",
+			inOutDir:       t.TempDir(),
+			inOutFile:      "db",
+			outSubject:     pkix.Name{CommonName: "localhost"},
+			outServerNames: []string{"localhost", "redis1", "172.0.0.1"},
+			outKeyFile:     "db.key",
+			outCertFile:    "db.crt",
+			outCAFile:      "db.cas",
+			outKey:         key.Priv,
+			outCert:        certBytes,
+			outCA:          caBytes,
+		},
+		{
+			name:         "missing host",
+			inFormat:     identityfile.FormatRedis,
+			inOutDir:     t.TempDir(),
+			inHost:       "", // missing host
+			inOutFile:    "db",
+			genKeyErrMsg: "at least one hostname must be specified",
+		},
 	}
 
 	for _, test := range tests {
@@ -476,7 +500,13 @@ func TestGenerateDatabaseKeys(t *testing.T) {
 			}
 
 			err = ac.generateDatabaseKeysForKey(authClient, key)
-			require.NoError(t, err)
+			if test.genKeyErrMsg == "" {
+				require.NoError(t, err)
+			} else {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), test.genKeyErrMsg)
+				return
+			}
 
 			require.NotNil(t, authClient.dbCertsReq)
 			csr, err := tlsca.ParseCertificateRequestPEM(authClient.dbCertsReq.CSR)