Fix up oauth2_client ssl options

lukebakken · mergify[bot] · commit 5499875f7888 · 2025-11-10T18:07:29.000Z
This uses the same technique as PR #12557 and #12564 to ensure that when neither `cacerts` nor `cacertfile` are set, the system certs are used. (cherry picked from commit c481f39)
diff --git a/deps/oauth2_client/src/oauth2_client.erl b/deps/oauth2_client/src/oauth2_client.erl
@@ -403,15 +403,23 @@ lookup_root_oauth_provider() ->
 extract_ssl_options_as_list(Map) ->
     {Verify, CaCerts, CaCertFile} = case get_verify_or_peer_verification(Map, verify_peer) of
         verify_peer ->
-            case maps:get(cacertfile, Map, undefined) of
-                undefined ->
-                    case public_key:cacerts_get() of
-                        [] -> {verify_none, undefined, undefined};
-                        Certs -> {verify_peer, Certs, undefined}
+            case {maps:get(cacerts, Map, undefined), maps:get(cacertfile, Map, undefined)} of
+                {undefined, undefined} ->
+                    try public_key:cacerts_get() of
+                        [] ->
+                            {verify_none, undefined, undefined};
+                        Certs ->
+                            {verify_peer, Certs, undefined}
+                    catch _ ->
+                        {verify_none, undefined, undefined}
                     end;
-                CaCert -> {verify_peer, undefined, CaCert}
+                {CaCerts0, undefined} ->
+                    {verify_peer, CaCerts0, undefined};
+                {undefined, CaCertFile0} ->
+                    {verify_peer, undefined, CaCertFile0}
             end;
-        verify_none -> {verify_none, undefined, undefined}
+        verify_none ->
+            {verify_none, undefined, undefined}
     end,
     [ {verify, Verify} ]
     ++
diff --git a/deps/oauth2_client/test/unit_SUITE.erl b/deps/oauth2_client/test/unit_SUITE.erl
@@ -34,8 +34,12 @@ groups() ->
         choose_verify_over_peer_verification,
         verify_set_to_verify_none,
         peer_verification_set_to_verify_none,
+        peer_verification_set_to_verify_peer_with_cacerts,
         peer_verification_set_to_verify_peer_with_cacertfile,
-        verify_set_to_verify_peer_with_cacertfile
+        peer_verification_set_to_verify_peer_without_cacerts_or_cacertfile,
+        verify_set_to_verify_peer_with_cacerts,
+        verify_set_to_verify_peer_with_cacertfile,
+        verify_set_to_verify_peer_without_cacerts_or_cacertfile
     ]},
     {get_expiration_time, [], [
         access_token_response_without_expiration_time,
@@ -230,34 +234,98 @@ peer_verification_set_to_verify_none(_) ->
         cacertfile => "/tmp"
     })).
 
+peer_verification_set_to_verify_peer_without_cacerts_or_cacertfile(_) ->
+    CaCerts = try public_key:cacerts_get() of
+                  CaCerts0 when is_list(CaCerts0) ->
+                      CaCerts0;
+                  _ -> []
+              catch _ ->
+                  []
+              end,
+    Expected = [
+        {verify, verify_peer},
+        {depth, 10},
+        {crl_check, false},
+        {fail_if_no_peer_cert, false},
+        {cacerts, CaCerts}
+    ],
+    ?assertEqual(Expected, oauth2_client:extract_ssl_options_as_list(#{
+        peer_verification => verify_peer
+    })).
+
+verify_set_to_verify_peer_without_cacerts_or_cacertfile(_) ->
+    CaCerts = try public_key:cacerts_get() of
+                  CaCerts0 when is_list(CaCerts0) ->
+                      CaCerts0;
+                  _ -> []
+              catch _ ->
+                  []
+              end,
+    Expected = [
+        {verify, verify_peer},
+        {depth, 10},
+        {crl_check, false},
+        {fail_if_no_peer_cert, false},
+        {cacerts, CaCerts}
+    ],
+    ?assertEqual(Expected, oauth2_client:extract_ssl_options_as_list(#{
+        verify => verify_peer
+    })).
 
 peer_verification_set_to_verify_peer_with_cacertfile(_) ->
     Expected = [
         {verify, verify_peer},
         {depth, 10},
-        {crl_check,false},
-        {fail_if_no_peer_cert,false},
+        {crl_check, false},
+        {fail_if_no_peer_cert, false},
         {cacertfile, "/tmp"}
     ],
     ?assertEqual(Expected, oauth2_client:extract_ssl_options_as_list(#{
         cacertfile => "/tmp",
         peer_verification => verify_peer
     })).
 
-
 verify_set_to_verify_peer_with_cacertfile(_) ->
     Expected = [
         {verify, verify_peer},
         {depth, 10},
-        {crl_check,false},
-        {fail_if_no_peer_cert,false},
+        {crl_check, false},
+        {fail_if_no_peer_cert, false},
         {cacertfile, "/tmp"}
     ],
     ?assertEqual(Expected, oauth2_client:extract_ssl_options_as_list(#{
         cacertfile => "/tmp",
         verify => verify_peer
     })).
 
+peer_verification_set_to_verify_peer_with_cacerts(_) ->
+    CaCerts = [<<1,2,3,4>>, <<5,6,7,8>>],
+    Expected = [
+        {verify, verify_peer},
+        {depth, 10},
+        {crl_check, false},
+        {fail_if_no_peer_cert, false},
+        {cacerts, CaCerts}
+    ],
+    ?assertEqual(Expected, oauth2_client:extract_ssl_options_as_list(#{
+        cacerts => CaCerts,
+        peer_verification => verify_peer
+    })).
+
+verify_set_to_verify_peer_with_cacerts(_) ->
+    CaCerts = [<<1,2,3,4>>, <<5,6,7,8>>],
+    Expected = [
+        {verify, verify_peer},
+        {depth, 10},
+        {crl_check, false},
+        {fail_if_no_peer_cert, false},
+        {cacerts, CaCerts}
+    ],
+    ?assertEqual(Expected, oauth2_client:extract_ssl_options_as_list(#{
+        cacerts => CaCerts,
+        verify => verify_peer
+    })).
+
 access_token_response_with_expires_in(_) ->
     Jwk = ?UTIL_MOD:fixture_jwk(),
     ExpiresIn = os:system_time(seconds),
