plugins/discovery: Check for empty key config

Currently OPA allows users to use unsigned discovery
bundles that themselves point to signed service bundles.
The discovery plugin checks if the keys in the service bundle
do not update those in the boot config. It's possible that
the signing config in the discovery object be a nil pointer.
This is change adds a check for that.

Fixes: #4656

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>

plugins/discovery/discovery.go

@@ -290,10 +290,12 @@ func (c *Discovery) processBundle(ctx context.Context, b *bundleApi.Bundle) (*pl
 		return nil, err
 	}
 
-	for key, kc := range keys {
-		if curr, ok := c.config.Signing.PublicKeys[key]; ok {
-			if !curr.Equal(kc) {
-				return nil, fmt.Errorf("updates to keys specified in the boot configuration are not allowed")
+	if c.config.Signing != nil {
+		for key, kc := range keys {
+			if curr, ok := c.config.Signing.PublicKeys[key]; ok {
+				if !curr.Equal(kc) {
+					return nil, fmt.Errorf("updates to keys specified in the boot configuration are not allowed")
+				}
 			}
 		}
 	}

plugins/discovery/discovery_test.go

@@ -827,7 +827,42 @@ func TestProcessBundleWithSigning(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Unexpected error %v", err)
 	}
+}
+
+func TestProcessBundleWithNoSigningConfig(t *testing.T) {
+	ctx := context.Background()
 
+	manager, err := plugins.New([]byte(`{
+		"labels": {"x": "y"},
+		"services": {
+			"localhost": {
+				"url": "http://localhost:9999"
+			}
+		},
+		"discovery": {"name": "config"}
+	}`), "test-id", inmem.New())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	disco, err := New(manager)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	initialBundle := makeDataBundle(1, `
+		{
+			"config": {
+				"bundles": {"test1": {"service": "localhost"}},
+				"keys": {"my_local_key": {"algorithm": "HS256", "key": "new_secret"}}
+			}
+		}
+	`)
+
+	_, err = disco.processBundle(ctx, initialBundle)
+	if err != nil {
+		t.Fatalf("Unexpected error %v", err)
+	}
 }
 
 type testServer struct {