feat: support setting trusted x509 certificates for tls clients
This commit is contained in:
parent
b3ac89e091
commit
1948df1a55
@ -3,6 +3,8 @@ package http
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"html/template"
|
||||
"io"
|
||||
@ -97,6 +99,10 @@ func CheckConfig(ctx *context.Context, put *config.Put, kind string) error {
|
||||
return misconfigured(kind, put, fmt.Sprintf("missing %s environment variable", envName))
|
||||
}
|
||||
|
||||
if ctx.Config.TrustedCerts != "" && !x509.NewCertPool().AppendCertsFromPEM([]byte(ctx.Config.TrustedCerts)) {
|
||||
return misconfigured(kind, put, "no certificate could be added from the specified trusted_certificates configuration")
|
||||
}
|
||||
|
||||
return nil
|
||||
|
||||
}
|
||||
@ -240,7 +246,22 @@ func newUploadRequest(target, username, secret string, a *asset) (*h.Request, er
|
||||
|
||||
// executeHTTPRequest processes the http call with respect of context ctx
|
||||
func executeHTTPRequest(ctx *context.Context, req *h.Request, check ResponseChecker) (*h.Response, error) {
|
||||
resp, err := h.DefaultClient.Do(req)
|
||||
client := h.DefaultClient
|
||||
if ctx.Config.TrustedCerts != "" {
|
||||
pool, err := loadSystemRoots()
|
||||
if err != nil {
|
||||
return "", nil, err
|
||||
}
|
||||
pool.AppendCertsFromPEM([]byte(ctx.Config.TrustedCerts)) // already validated certs checked by CheckConfig
|
||||
client = &h.Client{
|
||||
Transport: &h.Transport{
|
||||
TLSClientConfig: &tls.Config{
|
||||
RootCAs: pool,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
// If we got an error, and the context has been canceled,
|
||||
// the context's error is probably more useful.
|
||||
@ -249,7 +270,6 @@ func executeHTTPRequest(ctx *context.Context, req *h.Request, check ResponseChec
|
||||
return nil, ctx.Err()
|
||||
default:
|
||||
}
|
||||
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
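Review bot: `return "", nil, err` inside the new `if ctx.Config.TrustedCerts != ""` branch returns three values, but executeHTTPRequest is declared as returning only `(*h.Response, error)`, so this branch does not compile; it should be `return nil, err`. The bare `&h.Transport{TLSClientConfig: ...}` literal also discards everything h.DefaultTransport sets up (proxy from the environment, dial and TLS-handshake timeouts, HTTP/2), so uploads behave differently as soon as trusted certificates are configured; cloning the default transport keeps that behaviour: `transport := h.DefaultTransport.(*h.Transport).Clone()`, `transport.TLSClientConfig = &tls.Config{RootCAs: pool}`, `client = &h.Client{Transport: transport}` (Transport.Clone needs Go 1.13; on older toolchains copy the fields explicitly). The pool is also rebuilt from the system store on every request, which is harmless for a few uploads but could be done once per run. The function's body continues past the end of the hunk.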
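--- /dev/null
+++ b/internal/http/system.go
@@ -0,0 +1,11 @@
+// +build !windows
+
+package http
+
+import (
+	"crypto/x509"
+)
+
+func loadSystemRoots() (*x509.CertPool, error) {
+	return x509.SystemCertPool()
+}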
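Review bot: loadSystemRoots has no doc comment although it now has two platform-specific implementations that must agree on their contract; `// loadSystemRoots returns the system CA pool that trusted_certificates are appended to; callers must not rely on it being shared.` would tie the two files together. Any error from x509.SystemCertPool is propagated unchanged, so an upload with trusted certificates configured fails rather than silently trusting only the extra certificates, which is the safer outcome and worth stating in that comment.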
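--- /dev/null
+++ b/internal/http/system_win.go
@@ -0,0 +1,42 @@
+// +build windows
+
+package http
+
+import (
+	"crypto/x509"
+	"syscall"
+	"unsafe"
+)
+
+func loadSystemRoots() (*x509.CertPool, error) {
+	const CRYPT_E_NOT_FOUND = 0x80092004
+	store, err := syscall.CertOpenSystemStore(0, syscall.StringToUTF16Ptr("ROOT"))
+	if err != nil {
+		return nil, err
+	}
+	defer syscall.CertCloseStore(store, 0)
+	roots := x509.NewCertPool()
+	var cert *syscall.CertContext
+	for {
+		cert, err = syscall.CertEnumCertificatesInStore(store, cert)
+		if err != nil {
+			if errno, ok := err.(syscall.Errno); ok {
+				if errno == CRYPT_E_NOT_FOUND {
+					break
+				}
+			}
+			return nil, err
+		}
+		if cert == nil {
+			break
+		}
+		// Copy the buf, since ParseCertificate does not create its own copy.
+		buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]
+		buf2 := make([]byte, cert.Length)
+		copy(buf2, buf)
+		if c, err := x509.ParseCertificate(buf2); err == nil {
+			roots.AddCert(c)
+		}
+	}
+	return roots, nil
+}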
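Review bot: The `(*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]` view relies on `copy` stopping at `len(buf2)` to stay inside the certificate, and it silently truncates any encoded certificate larger than 1 MiB; bounding the view explicitly, `buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:cert.Length:cert.Length]`, makes the intent visible, and on a toolchain that has it `unsafe.Slice(cert.EncodedCert, int(cert.Length))` removes the fixed array cast entirely. Certificates that fail `x509.ParseCertificate` are dropped without a trace; that is a sensible best-effort choice for a system store, but the comment above the loop should say so, e.g. `// Skip entries that do not parse; a corrupt store entry should not block the upload.`. The function also lacks a doc comment, and the `CRYPT_E_NOT_FOUND` constant is the one place in the file not in MixedCaps; naming it `cryptENotFound` with a comment that it is the Windows "end of enumeration" status would match Go style.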
@ -317,6 +317,7 @@ type Project struct {
|
||||
EnvFiles EnvFiles `yaml:"env_files,omitempty"`
|
||||
Git Git `yaml:",omitempty"`
|
||||
Before Before `yaml:",omitempty"`
|
||||
TrustedCerts string `yaml:"trusted_certificates,omitempty"`
|
||||
|
||||
// this is a hack ¯\_(ツ)_/¯
|
||||
SingleBuild Build `yaml:"build,omitempty"`
|
||||
|
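Review bot: The exported field `TrustedCerts` is added without a doc comment, so a reader has only the yaml tag to guess what the string holds; a line such as `// TrustedCerts is a PEM bundle of extra CA certificates trusted by HTTP uploads, in addition to the system roots.` above it would document the expected format, which CheckConfig enforces by parsing the value with AppendCertsFromPEM. The enclosing Project struct starts and ends outside the hunk.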