feat: support setting trusted x509 certificates for tls clients

2025-03-17 20:47:50 +02:00 · 2018-08-28 18:40:46 -03:00 · 2018-08-28 18:40:46 -03:00 · 1948df1a55
commit 1948df1a55
parent b3ac89e091
4 changed files with 76 additions and 2 deletions
--- a/internal/http/http.go
+++ b/internal/http/http.go
@ -3,6 +3,8 @@ package http

 import (
 	"bytes"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"html/template"
 	"io"
@ -97,6 +99,10 @@ func CheckConfig(ctx *context.Context, put *config.Put, kind string) error {
 		return misconfigured(kind, put, fmt.Sprintf("missing %s environment variable", envName))
 	}

+	if ctx.Config.TrustedCerts != "" && !x509.NewCertPool().AppendCertsFromPEM([]byte(ctx.Config.TrustedCerts)) {
+		return misconfigured(kind, put, "no certificate could be added from the specified trusted_certificates configuration")
+	}
+
 	return nil

 }
@ -240,7 +246,22 @@ func newUploadRequest(target, username, secret string, a *asset) (*h.Request, er

 // executeHTTPRequest processes the http call with respect of context ctx
 func executeHTTPRequest(ctx *context.Context, req *h.Request, check ResponseChecker) (*h.Response, error) {
-	resp, err := h.DefaultClient.Do(req)
+	client := h.DefaultClient
+	if ctx.Config.TrustedCerts != "" {
+		pool, err := loadSystemRoots()
+		if err != nil {
+			return "", nil, err
+		}
+		pool.AppendCertsFromPEM([]byte(ctx.Config.TrustedCerts)) // already validated certs checked by CheckConfig
+		client = &h.Client{
+			Transport: &h.Transport{
+				TLSClientConfig: &tls.Config{
+					RootCAs: pool,
+				},
+			},
+		}
+	}
+	resp, err := client.Do(req)
 	if err != nil {
 		// If we got an error, and the context has been canceled,
 		// the context's error is probably more useful.
@ -249,7 +270,6 @@ func executeHTTPRequest(ctx *context.Context, req *h.Request, check ResponseChec
 			return nil, ctx.Err()
 		default:
 		}
-
 		return nil, err
 	}

--- a/internal/http/system.go
+++ b/internal/http/system.go
@ -0,0 +1,11 @@
+// +build !windows
+
+package http
+
+import (
+	"crypto/x509"
+)
+
+func loadSystemRoots() (*x509.CertPool, error) {
+	return x509.SystemCertPool()
+}
--- a/internal/http/system_win.go
+++ b/internal/http/system_win.go
@ -0,0 +1,42 @@
+// +build windows
+
+package http
+
+import (
+	"crypto/x509"
+	"syscall"
+	"unsafe"
+)
+
+func loadSystemRoots() (*x509.CertPool, error) {
+	const CRYPT_E_NOT_FOUND = 0x80092004
+	store, err := syscall.CertOpenSystemStore(0, syscall.StringToUTF16Ptr("ROOT"))
+	if err != nil {
+		return nil, err
+	}
+	defer syscall.CertCloseStore(store, 0)
+	roots := x509.NewCertPool()
+	var cert *syscall.CertContext
+	for {
+		cert, err = syscall.CertEnumCertificatesInStore(store, cert)
+		if err != nil {
+			if errno, ok := err.(syscall.Errno); ok {
+				if errno == CRYPT_E_NOT_FOUND {
+					break
+				}
+			}
+			return nil, err
+		}
+		if cert == nil {
+			break
+		}
+		// Copy the buf, since ParseCertificate does not create its own copy.
+		buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]
+		buf2 := make([]byte, cert.Length)
+		copy(buf2, buf)
+		if c, err := x509.ParseCertificate(buf2); err == nil {
+			roots.AddCert(c)
+		}
+	}
+	return roots, nil
+}
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@ -317,6 +317,7 @@ type Project struct {
 	EnvFiles      EnvFiles  `yaml:"env_files,omitempty"`
 	Git           Git       `yaml:",omitempty"`
 	Before        Before    `yaml:",omitempty"`
+	TrustedCerts  string    `yaml:"trusted_certificates,omitempty"`

 	// this is a hack ¯\_(ツ)_/¯
 	SingleBuild Build `yaml:"build,omitempty"`