package common
import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"os"
	"path"
	"path/filepath"
)
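// GetTLSConfig builds a client TLS configuration from the certificate files
// under certsPath: the client certificate/key pair (clientCertFilename,
// clientKeyFilename) and the CA bundle (caCertFilename).
//
// The CA bundle is appended to caCertPool, which then becomes RootCAs of the
// returned config. When caCertPool is nil a fresh pool is created instead of
// dereferencing it.
//
// Returns an error when the key pair cannot be loaded, the CA file cannot be
// read, or the CA file contains no parseable PEM certificate.
func GetTLSConfig(certsPath string, caCertPool *x509.CertPool) (*tls.Config, error) {
	clientCert := filepath.Join(certsPath, clientCertFilename)
	clientKey := filepath.Join(certsPath, clientKeyFilename)
	caCertFile := filepath.Join(certsPath, caCertFilename)

	cert, err := tls.LoadX509KeyPair(clientCert, clientKey)
	if err != nil {
		return nil, fmt.Errorf("loading client key pair from %q: %w", certsPath, err)
	}

	caCert, err := os.ReadFile(caCertFile)
	if err != nil {
		return nil, fmt.Errorf("reading CA certificate %q: %w", caCertFile, err)
	}

	if caCertPool == nil {
		caCertPool = x509.NewCertPool()
	}

	// AppendCertsFromPEM reports false when nothing was parsed; a CA file that
	// is present but unusable must not silently leave the pool unchanged.
	if !caCertPool.AppendCertsFromPEM(caCert) {
		return nil, fmt.Errorf("no valid PEM certificate found in %q", caCertFile)
	}

	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      caCertPool,
		MinVersion:   tls.VersionTLS12,
	}, nil
}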
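// loadPerHostCerts looks for a per-registry certificate directory named after
// host (e.g. "$IP:$PORT") and, when one is found, builds a TLS config from it
// via GetTLSConfig (which also appends that directory's CA to caCertPool).
//
// Lookup order:
//  1. $HOME/<homeCertsDir>/<host>, skipped when HOME is unset so that an empty
//     home never turns into a relative path resolved against the working dir
//  2. <certsPath>/<host>
//
// Returns nil when no directory exists or none yields a usable configuration;
// a directory whose files fail to load is skipped silently and the caller
// falls back to its default configuration.
func loadPerHostCerts(caCertPool *x509.CertPool, host string) *tls.Config {
	var candidates []string

	// Per-user directory, e.g. ~/.config/containers/certs.d/$IP:$PORT.
	if home := os.Getenv("HOME"); home != "" {
		candidates = append(candidates, filepath.Join(home, homeCertsDir, host))
	}

	// System-wide directory, e.g. /etc/containers/certs.d/$IP:$PORT.
	candidates = append(candidates, filepath.Join(certsPath, host))

	for _, dir := range candidates {
		if !DirExists(dir) {
			continue
		}

		if tlsConfig, err := GetTLSConfig(dir, caCertPool); err == nil {
			return tlsConfig
		}
	}

	return nil
}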
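// CreateHTTPClient returns an HTTP client whose transport is a clone of
// http.DefaultTransport with TLS configured for host.
//
// When verifyTLS is false, certificate verification is disabled entirely
// (InsecureSkipVerify) and neither per-host nor certDir certificates are
// consulted. Otherwise the root pool starts from a copy of the system pool,
// per-host certificates are looked up via loadPerHostCerts, and, when certDir
// is non-empty, certDir/ca.crt is added to the root pool while
// certDir/client.cert and certDir/client.key become the client certificate.
//
// Returns an error when a file under certDir cannot be read or parsed.
func CreateHTTPClient(verifyTLS bool, host string, certDir string) (*http.Client, error) {
	htr := http.DefaultTransport.(*http.Transport).Clone() //nolint: forcetypeassert

	if !verifyTLS {
		// Verification is intentionally off; still refuse pre-1.2 protocol
		// versions, matching the verified configurations below.
		htr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12} //nolint: gosec

		return &http.Client{
			Timeout:   httpTimeout,
			Transport: htr,
		}, nil
	}

	// Start from a copy of the system cert pool. If it is unavailable, use an
	// empty pool rather than a nil one: AppendCertsFromPEM below would
	// otherwise dereference nil when certDir is set.
	caCertPool, err := x509.SystemCertPool()
	if err != nil || caCertPool == nil {
		caCertPool = x509.NewCertPool()
	}

	tlsConfig := loadPerHostCerts(caCertPool, host)
	if tlsConfig == nil {
		tlsConfig = &tls.Config{RootCAs: caCertPool, MinVersion: tls.VersionTLS12}
	}

	htr.TLSClientConfig = tlsConfig

	if certDir != "" {
		// NOTE(review): path.Join is slash-separated while GetTLSConfig uses
		// filepath.Join; the two differ only on non-Unix hosts.
		clientCert := path.Join(certDir, "client.cert")
		clientKey := path.Join(certDir, "client.key")
		caCertPath := path.Join(certDir, "ca.crt")

		caCert, err := os.ReadFile(caCertPath)
		if err != nil {
			return nil, fmt.Errorf("reading CA certificate %q: %w", caCertPath, err)
		}

		// A CA file that parses to nothing must be reported, not ignored:
		// otherwise connections would be verified against an incomplete pool.
		if !caCertPool.AppendCertsFromPEM(caCert) {
			return nil, fmt.Errorf("no valid PEM certificate found in %q", caCertPath)
		}

		cert, err := tls.LoadX509KeyPair(clientCert, clientKey)
		if err != nil {
			return nil, fmt.Errorf("loading client key pair from %q: %w", certDir, err)
		}

		htr.TLSClientConfig.Certificates = append(htr.TLSClientConfig.Certificates, cert)
	}

	return &http.Client{
		Transport: htr,
		Timeout:   httpTimeout,
	}, nil
}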