From 20bb002cf442b19bcf842f7aa0089792f7043d5d Mon Sep 17 00:00:00 2001
From: alexrohozneanu <53479034+alexrohozneanu@users.noreply.github.com>
Date: Thu, 10 Oct 2024 14:34:10 +0300
Subject: [PATCH] cmd: Support `file://` format for TLS key material file flags in `opa run` (#7094)

Allowing Windows drive letters to be specified and respected.

Signed-off-by: Alex Rohozneanu
---
 cmd/run.go | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/cmd/run.go b/cmd/run.go
index 0b9fd80d38..7078dfe071 100644
--- a/cmd/run.go
+++ b/cmd/run.go
@@ -16,6 +16,7 @@ import (
 "github.com/spf13/cobra"
 
 "github.com/open-policy-agent/opa/cmd/internal/env"
+ fileurl "github.com/open-policy-agent/opa/internal/file/url"
 "github.com/open-policy-agent/opa/runtime"
 "github.com/open-policy-agent/opa/server"
 "github.com/open-policy-agent/opa/util"
@@ -291,18 +292,31 @@ func initRuntime(ctx context.Context, params runCmdParams, args []string, addrSe
 "1.3": tls.VersionTLS13,
 }
 
- cert, err := loadCertificate(params.tlsCertFile, params.tlsPrivateKeyFile)
+ tlsCertFilePath, err := fileurl.Clean(params.tlsCertFile)
+ if err != nil {
+ return nil, fmt.Errorf("invalid certificate file path: %w", err)
+ }
+ tlsPrivateKeyFilePath, err := fileurl.Clean(params.tlsPrivateKeyFile)
+ if err != nil {
+ return nil, fmt.Errorf("invalid certificate private key file path: %w", err)
+ }
+ tlsCACertFilePath, err := fileurl.Clean(params.tlsCACertFile)
+ if err != nil {
+ return nil, fmt.Errorf("invalid CA certificate file path: %w", err)
+ }
+
+ cert, err := loadCertificate(tlsCertFilePath, tlsPrivateKeyFilePath)
 if err != nil {
 return nil, err
 }
 
- params.rt.CertificateFile = params.tlsCertFile
- params.rt.CertificateKeyFile = params.tlsPrivateKeyFile
+ params.rt.CertificateFile = tlsCertFilePath
+ params.rt.CertificateKeyFile = tlsPrivateKeyFilePath
 params.rt.CertificateRefresh = params.tlsCertRefresh
- params.rt.CertPoolFile = params.tlsCACertFile
+ params.rt.CertPoolFile = tlsCACertFilePath
 
- if params.tlsCACertFile != "" {
- pool, err := loadCertPool(params.tlsCACertFile)
+ if tlsCACertFilePath != "" {
+ pool, err := loadCertPool(tlsCACertFilePath)
 if err != nil {
 return nil, err
 }
@@ -422,7 +436,6 @@ func historyPath() string {
 }
 
 func loadCertificate(tlsCertFile, tlsPrivateKeyFile string) (*tls.Certificate, error) {
-
 if tlsCertFile != "" && tlsPrivateKeyFile != "" {
 cert, err := tls.LoadX509KeyPair(tlsCertFile, tlsPrivateKeyFile)
 if err != nil {
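Review bot: Each `fileurl.Clean` call runs even when its flag is unset, and the code after it depends on an empty flag coming back as an empty string: the `if tlsCACertFilePath != "" {` branch at the bottom of the hunk and the `if tlsCertFile != "" && tlsPrivateKeyFile != ""` guard in `loadCertificate` (third hunk) both skip loading only on `""`. Nothing visible here shows what `fileurl.Clean("")` returns; if it yields an error or a non-empty path, `opa run` with no TLS flags would either fail with "invalid certificate file path" or try to open a file that does not exist, so this deserves a test that starts the runtime with all three flags unset. An alternative that also removes the triplicated error handling is to skip the call for unset flags, e.g. a local `cleanIfSet := func(p string) (string, error) { if p == "" { return "", nil }; return fileurl.Clean(p) }` used for all three. Since `params.rt.CertificateFile`/`CertificateKeyFile`/`CertPoolFile` now hold the cleaned paths rather than the raw flag values, a one-line comment above those assignments such as `// store the cleaned paths so later reloads use the same files loaded here` would record that the runtime never sees the `file://` form; initRuntime continues outside the hunk.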