
feat: support setting trusted x509 certificates for tls clients

This commit is contained in:
Pablo Lalloni 2018-08-28 18:40:46 -03:00 committed by Carlos Alexandro Becker
parent b3ac89e091
commit 1948df1a55
4 changed files with 76 additions and 2 deletions


@ -3,6 +3,8 @@ package http
import (
"bytes"
"crypto/tls"
"crypto/x509"
"fmt"
"html/template"
"io"
@ -97,6 +99,10 @@ func CheckConfig(ctx *context.Context, put *config.Put, kind string) error {
return misconfigured(kind, put, fmt.Sprintf("missing %s environment variable", envName))
}
if ctx.Config.TrustedCerts != "" && !x509.NewCertPool().AppendCertsFromPEM([]byte(ctx.Config.TrustedCerts)) {
return misconfigured(kind, put, "no certificate could be added from the specified trusted_certificates configuration")
}
return nil
}
@ -240,7 +246,22 @@ func newUploadRequest(target, username, secret string, a *asset) (*h.Request, er
// executeHTTPRequest processes the http call with respect of context ctx
func executeHTTPRequest(ctx *context.Context, req *h.Request, check ResponseChecker) (*h.Response, error) {
resp, err := h.DefaultClient.Do(req)
client := h.DefaultClient
if ctx.Config.TrustedCerts != "" {
pool, err := loadSystemRoots()
if err != nil {
return "", nil, err
}
pool.AppendCertsFromPEM([]byte(ctx.Config.TrustedCerts)) // already validated certs checked by CheckConfig
client = &h.Client{
Transport: &h.Transport{
TLSClientConfig: &tls.Config{
RootCAs: pool,
},
},
}
}
resp, err := client.Do(req)
if err != nil {
// If we got an error, and the context has been canceled,
// the context's error is probably more useful.
@ -249,7 +270,6 @@ func executeHTTPRequest(ctx *context.Context, req *h.Request, check ResponseChec
return nil, ctx.Err()
default:
}
return nil, err
}
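Review bot: `return "", nil, err` in the new loadSystemRoots error branch of executeHTTPRequest does not match the function's `(*h.Response, error)` result list and will not compile; it should read `return nil, err`. The replacement client also discards everything http.DefaultTransport configures (proxy from the environment, dial and TLS handshake timeouts, idle-connection limits) because `&h.Transport{TLSClientConfig: ...}` starts from a zero-value Transport; copying the relevant fields from `h.DefaultTransport.(*h.Transport)` before setting `TLSClientConfig` would keep the two code paths behaving alike apart from the trust store. Building a fresh client on every call additionally prevents connection reuse across uploads, which may be acceptable here but is worth a comment. The body of executeHTTPRequest continues outside the hunk.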

internal/http/system.go Normal file

@ -0,0 +1,11 @@
// +build !windows
package http
import (
"crypto/x509"
)
func loadSystemRoots() (*x509.CertPool, error) {
return x509.SystemCertPool()
}
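Review bot: loadSystemRoots has no doc comment, and its one non-obvious property is that the caller (executeHTTPRequest) appends certificates to the returned pool; a comment such as `// loadSystemRoots returns a copy of the system trust store that the caller may extend without affecting other pools.` would make that contract explicit, since x509.SystemCertPool documents that mutations of the returned pool do not affect other callers. The Windows counterpart would then carry the matching comment.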


@ -0,0 +1,42 @@
// +build windows
package http
import (
"crypto/x509"
"syscall"
"unsafe"
)
func loadSystemRoots() (*x509.CertPool, error) {
const CRYPT_E_NOT_FOUND = 0x80092004
store, err := syscall.CertOpenSystemStore(0, syscall.StringToUTF16Ptr("ROOT"))
if err != nil {
return nil, err
}
defer syscall.CertCloseStore(store, 0)
roots := x509.NewCertPool()
var cert *syscall.CertContext
for {
cert, err = syscall.CertEnumCertificatesInStore(store, cert)
if err != nil {
if errno, ok := err.(syscall.Errno); ok {
if errno == CRYPT_E_NOT_FOUND {
break
}
}
return nil, err
}
if cert == nil {
break
}
// Copy the buf, since ParseCertificate does not create its own copy.
buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]
buf2 := make([]byte, cert.Length)
copy(buf2, buf)
if c, err := x509.ParseCertificate(buf2); err == nil {
roots.AddCert(c)
}
}
return roots, nil
}
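Review bot: The Windows loadSystemRoots has no doc comment explaining why it cannot simply call x509.SystemCertPool like the !windows build does; a comment such as `// loadSystemRoots builds a pool from the Windows ROOT system store, since x509.SystemCertPool is not available on Windows in the Go version this targets.` would spare the next reader a trip to the standard library source. The view `(*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]` spans a full MiB regardless of the certificate's real size; bounding it to `[:cert.Length:cert.Length]` documents the intended extent and keeps the subsequent copy honest about what it reads. Certificates that fail x509.ParseCertificate are dropped silently at the `err == nil` check, which appears deliberate and mirrors what the standard library's Windows root loader does as far as I recall, but a one-line comment saying so would stop a future reader from treating it as a swallowed error. The `CRYPT_E_NOT_FOUND` name keeps the Win32 spelling rather than Go's MixedCaps, which is defensible for a mirrored constant but worth a note.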


@ -317,6 +317,7 @@ type Project struct {
EnvFiles EnvFiles `yaml:"env_files,omitempty"`
Git Git `yaml:",omitempty"`
Before Before `yaml:",omitempty"`
TrustedCerts string `yaml:"trusted_certificates,omitempty"`
// this is a hack ¯\_(ツ)_/¯
SingleBuild Build `yaml:"build,omitempty"`