feat(sender): allow adding additional root certificates

ctron · Jan 30, 2024 · dd684e2 · dd684e2
1 parent c216adc
commit dd684e2
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/common/src/sender/mod.rs b/common/src/sender/mod.rs
@@ -3,9 +3,12 @@
 pub mod provider;
 
 mod error;
+
 pub use error::*;
+use std::path::PathBuf;
 
 use crate::sender::provider::{TokenInjector, TokenProvider};
+use anyhow::Context;
 use reqwest::{header, IntoUrl, Method, RequestBuilder};
 use std::sync::Arc;
 use std::time::Duration;
@@ -19,6 +22,7 @@ pub struct HttpSender {
 pub struct Options {
     pub connect_timeout: Option<Duration>,
     pub timeout: Option<Duration>,
+    pub additional_root_certificates: Vec<PathBuf>,
 }
 
 const USER_AGENT: &str = concat!("CSAF-Walker/", env!("CARGO_PKG_VERSION"));
@@ -41,6 +45,13 @@ impl HttpSender {
             client = client.timeout(timeout);
         }
 
+        for cert in options.additional_root_certificates {
+            let cert = std::fs::read(&cert)
+                .with_context(|| format!("Reading certificate: {}", cert.display()))?;
+            let cert = reqwest::tls::Certificate::from_pem(&cert)?;
+            client = client.add_root_certificate(cert);
+        }
+
         Ok(Self {
             client: client.build()?,
             provider: Arc::new(provider),

diff --git a/extras/src/visitors/send/clap.rs b/extras/src/visitors/send/clap.rs
@@ -1,5 +1,6 @@
 use crate::visitors::SendVisitor;
 use reqwest::Url;
+use std::path::PathBuf;
 use walker_common::sender::{self, provider::OpenIdTokenProviderConfigArguments, HttpSender};
 
 #[derive(Debug, clap::Parser)]
@@ -16,6 +17,10 @@ pub struct SendArguments {
     #[arg(id = "sender-timeout", long, default_value = "5m")]
     pub timeout: humantime::Duration,
 
+    /// Additional root certificates
+    #[arg(id = "sender-root-certificate", long)]
+    pub additional_root_certificates: Vec<PathBuf>,
+
     /// Number of retries in case of temporary failures
     #[arg(id = "sender-retries", long, default_value = "0")]
     pub retries: usize,
@@ -36,6 +41,7 @@ impl SendArguments {
             sender::Options {
                 connect_timeout: Some(self.connect_timeout.into()),
                 timeout: Some(self.timeout.into()),
+                additional_root_certificates: self.additional_root_certificates,
             },
         )
         .await?;