From d1ad4469b3b2ba3adcc75b673621149e2bd36eef Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Thu, 17 Nov 2022 09:26:13 -0500
Subject: [PATCH] Fix semgrep false-positive due to co-dependent returns (#17984)

We previously tried to extract this log into a function (shouldExit), but semgrep doesn't expand function invocations, leading us to be forced to add another rule to the regex. Instead, add the extraneous `err != nil` conditional into the if statements, even though skip/err should always be true in these cases and it should never be evaluated.
Signed-off-by: Alexander Scheel
Signed-off-by: Alexander Scheel
---
 command/healthcheck/pki_ca_validity_period.go | 4 ++--
 command/healthcheck/pki_crl_validity_period.go | 6 +++---
 command/healthcheck/pki_hardware_backed_root.go | 6 +++---
 command/healthcheck/pki_root_issued_leaves.go | 8 ++++----
 4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/command/healthcheck/pki_ca_validity_period.go b/command/healthcheck/pki_ca_validity_period.go
index 63c7e1a756..993de7cbad 100644
--- a/command/healthcheck/pki_ca_validity_period.go
+++ b/command/healthcheck/pki_ca_validity_period.go
@@ -100,7 +100,7 @@ func (h *CAValidityPeriod) FetchResources(e *Executor) error {
 exit, _, issuers, err := pkiFetchIssuers(e, func() {
 h.UnsupportedVersion = true
 })
- if exit {
+ if exit || err != nil {
 return err
 }
 
@@ -108,7 +108,7 @@ func (h *CAValidityPeriod) FetchResources(e *Executor) error {
 skip, _, cert, err := pkiFetchIssuer(e, issuer, func() {
 h.UnsupportedVersion = true
 })
- if skip {
+ if skip || err != nil {
 if err != nil {
 return err
 }
diff --git a/command/healthcheck/pki_crl_validity_period.go b/command/healthcheck/pki_crl_validity_period.go
index 4f4b6f91e0..16b1ebb80f 100644
--- a/command/healthcheck/pki_crl_validity_period.go
+++ b/command/healthcheck/pki_crl_validity_period.go
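Review bot: The added `|| err != nil` after `pkiFetchIssuers` in CAValidityPeriod.FetchResources carries no comment saying it is deliberately redundant, so a later cleanup could drop it and bring the semgrep finding back. The commit message states that the helpers set exit/skip whenever they return an error, but nothing in the code records that contract. I would add above the check `// exit is expected to be true whenever err != nil; the explicit err test keeps the error-check rule satisfied and still returns the error if a helper breaks that contract.` The same comment fits the `pkiFetchIssuers` checks in the other three files and the `pkiFetchLeaves` check in pki_root_issued_leaves.go. FetchResources starts and ends outside the hunk.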
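Review bot: In the per-issuer check, `if skip || err != nil {` is followed at once by `if err != nil { return err }`, so the error is tested twice and the outer condition only exists to reach the inner one. Handling the error on its own first is easier to read and does not depend on the helper setting skip: `if err != nil { return err }` and then `if skip {` for the non-error branch. Whether the semgrep rule accepts that shape is not visible here, so it should be checked against the rule before switching. The same pattern appears in the `pkiFetchIssuerCRL`, `pkiFetchIssuerEntry`, `pkiFetchKeyEntry` and `pkiFetchLeaf` hunks, and the rest of each block lies outside the hunk.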
@@ -73,7 +73,7 @@ func (h *CRLValidityPeriod) FetchResources(e *Executor) error {
 exit, _, issuers, err := pkiFetchIssuers(e, func() {
 h.UnsupportedVersion = true
 })
- if exit {
+ if exit || err != nil {
 return err
 }
 
@@ -81,7 +81,7 @@ func (h *CRLValidityPeriod) FetchResources(e *Executor) error {
 exit, _, crl, err := pkiFetchIssuerCRL(e, issuer, false, func() {
 h.UnsupportedVersion = true
 })
- if exit {
+ if exit || err != nil {
 if err != nil {
 return err
 }
@@ -93,7 +93,7 @@ func (h *CRLValidityPeriod) FetchResources(e *Executor) error {
 exit, _, delta, err := pkiFetchIssuerCRL(e, issuer, true, func() {
 h.NoDeltas = true
 })
- if exit {
+ if exit || err != nil {
 if err != nil {
 return err
 }
diff --git a/command/healthcheck/pki_hardware_backed_root.go b/command/healthcheck/pki_hardware_backed_root.go
index d9e163bbb6..a978f120e2 100644
--- a/command/healthcheck/pki_hardware_backed_root.go
+++ b/command/healthcheck/pki_hardware_backed_root.go
@@ -52,7 +52,7 @@ func (h *HardwareBackedRoot) FetchResources(e *Executor) error {
 exit, _, issuers, err := pkiFetchIssuers(e, func() {
 h.UnsupportedVersion = true
 })
- if exit {
+ if exit || err != nil {
 return err
 }
 
@@ -60,7 +60,7 @@ func (h *HardwareBackedRoot) FetchResources(e *Executor) error {
 skip, ret, entry, err := pkiFetchIssuerEntry(e, issuer, func() {
 h.UnsupportedVersion = true
 })
- if skip || entry == nil {
+ if skip || err != nil || entry == nil {
 if err != nil {
 return err
 }
@@ -86,7 +86,7 @@ func (h *HardwareBackedRoot) FetchResources(e *Executor) error {
 skip, _, keyEntry, err := pkiFetchKeyEntry(e, keyId, func() {
 h.UnsupportedVersion = true
 })
- if skip || keyEntry == nil {
+ if skip || err != nil || keyEntry == nil {
 if err != nil {
 return err
 }
diff --git a/command/healthcheck/pki_root_issued_leaves.go b/command/healthcheck/pki_root_issued_leaves.go
index 07a7dafabb..86159094f4 100644
--- a/command/healthcheck/pki_root_issued_leaves.go
+++ b/command/healthcheck/pki_root_issued_leaves.go
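Review bot: The two `pkiFetchIssuerCRL` calls in CRLValidityPeriod.FetchResources bind their flag to `exit`, while the equivalent per-issuer calls in the other health checks name it `skip`. Since the block continues past `if err != nil { return err }`, the flag presumably does not end the function, and `skip, _, crl, err :=` / `skip, _, delta, err :=` would say so and keep the four files consistent. The rename would also stop these `:=` declarations from reusing the name of the `exit` returned by `pkiFetchIssuers` earlier in the function. The remainder of each block is outside the hunk, so the non-error branch should be confirmed before renaming.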
@@ -59,7 +59,7 @@ func (h *RootIssuedLeaves) FetchResources(e *Executor) error {
 exit, _, issuers, err := pkiFetchIssuers(e, func() {
 h.UnsupportedVersion = true
 })
- if exit {
+ if exit || err != nil {
 return err
 }
 
@@ -67,7 +67,7 @@ func (h *RootIssuedLeaves) FetchResources(e *Executor) error {
 skip, _, cert, err := pkiFetchIssuer(e, issuer, func() {
 h.UnsupportedVersion = true
 })
- if skip {
+ if skip || err != nil {
 if err != nil {
 return err
 }
@@ -88,7 +88,7 @@ func (h *RootIssuedLeaves) FetchResources(e *Executor) error {
 exit, _, leaves, err := pkiFetchLeaves(e, func() {
 h.UnsupportedVersion = true
 })
- if exit {
+ if exit || err != nil {
 return err
 }
 
@@ -101,7 +101,7 @@ func (h *RootIssuedLeaves) FetchResources(e *Executor) error {
 skip, _, cert, err := pkiFetchLeaf(e, serial, func() {
 h.UnsupportedVersion = true
 })
- if skip {
+ if skip || err != nil {
 if err != nil {
 return err
 }