package app
import (
"crypto/tls"
"crypto/x509"
"io/ioutil"
"log"
"net/http"
"runtime"
)
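// cloneDefaultTransport returns a private copy of http.DefaultTransport so
// the proxy-from-environment, dial/TLS-handshake timeouts and HTTP/2 settings
// of the default transport are kept, while later changes to the copy (such as
// its TLSClientConfig) cannot leak into other users of the shared global.
// If DefaultTransport has been replaced by a value that is not an
// *http.Transport, a bare Transport is returned instead of panicking.
func cloneDefaultTransport() *http.Transport {
	base, ok := http.DefaultTransport.(*http.Transport)
	if !ok {
		return &http.Transport{}
	}
	return base.Clone()
}

// TransportWithTrustedCAs builds the HTTP transport used for outbound
// connections, deciding which certificate authorities are trusted.
//
// Behaviour by configuration:
//   - Configuration.Insecure: certificate verification is disabled entirely.
//     This is a debugging aid only; every connection is open to interception.
//   - otherwise, on non-Windows hosts: the system root pool is loaded and each
//     PEM file listed in Configuration.CA is appended to it; TLS 1.2 is the
//     minimum accepted protocol version.
//   - otherwise, on Windows: x509.SystemCertPool is not available before
//     Go 1.18, so a copy of the default transport is used unchanged and any
//     custom CAs are rejected with a warning; the operator has to trust them in
//     the Windows certificate store instead.
//
// All branches start from a clone of http.DefaultTransport rather than a bare
// http.Transport, so proxy settings and the default handshake timeout are not
// silently lost and the shared global is never mutated.
//
// Fatal problems (system pool unavailable, CA file unreadable) are reported via
// c.UI.Problem().WithErr(err).WithEnd(1), which presumably terminates the
// process; the code does not rely on that and stays safe if the call returns.
// A CA file that holds no parseable certificate is only warned about: that CA
// is simply not trusted, so connections depending on it fail closed later with
// a verification error rather than being accepted.
func (c *PolicyApp) TransportWithTrustedCAs() *http.Transport {
	if c.Configuration.Insecure {
		t := cloneDefaultTransport()
		t.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // nolint:gosec // feature used for debugging
		return t
	}

	if runtime.GOOS == `windows` {
		// TODO: Remove runtime check when updating to go1.18 https://github.com/deviceinsight/kafkactl/issues/108
		if len(c.Configuration.CA) > 0 {
			c.UI.Exclamation().Msg("Cannot use custom CAs on Windows. Please configure your system store to trust your CAs.")
		}
		return cloneDefaultTransport()
	}

	// Start from the system roots; fall back to an empty pool so an unavailable
	// system store cannot turn into a nil-pointer panic on AppendCertsFromPEM.
	rootCAs, err := x509.SystemCertPool()
	if err != nil {
		c.UI.Problem().WithErr(err).WithEnd(1).Msg("Failed to load system cert pool.")
	}
	if rootCAs == nil {
		rootCAs = x509.NewCertPool()
	}

	for _, localCertFile := range c.Configuration.CA {
		pemBytes, readErr := ioutil.ReadFile(localCertFile)
		if readErr != nil {
			c.UI.Problem().WithErr(readErr).WithEnd(1).Msgf("Failed to append %q to RootCAs.", localCertFile)
			continue // nothing to append; avoid a second, misleading warning below
		}
		// AppendCertsFromPEM reports false when no certificate could be parsed
		// from the file (e.g. a private key or an empty file supplied by mistake).
		if !rootCAs.AppendCertsFromPEM(pemBytes) {
			log.Printf("No certs parsed from %q; it will not be trusted", localCertFile)
			c.UI.Exclamation().Msgf("Cert %q not appended to RootCAs.", localCertFile)
		}
	}

	t := cloneDefaultTransport()
	t.TLSClientConfig = &tls.Config{
		RootCAs:    rootCAs,
		MinVersion: tls.VersionTLS12,
	}
	return t
}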