feat: add options to host rules to enable mTLS calls to host

renovatebot · Aug 30, 2023 · 930bfd3 · 930bfd3
1 parent 685c4ca
commit 930bfd3
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 0 deletions.
diff --git a/lib/config/options/index.ts b/lib/config/options/index.ts
@@ -2348,6 +2348,36 @@ const options: RenovateOptions[] = [
     cli: false,
     env: false,
   },
+  {
+    name: 'certificateAuthority',
+    description: 'The overriding trusted CA certificate',
+    type: 'string',
+    stage: 'repository',
+    parent: 'hostRules',
+    default: null,
+    cli: false,
+    env: false,
+  },
+  {
+    name: 'privateKey',
+    description: 'The private key in PEM format',
+    type: 'string',
+    stage: 'repository',
+    parent: 'hostRules',
+    default: null,
+    cli: false,
+    env: false,
+  },
+  {
+    name: 'certificate',
+    description: 'The certificate chains in PEM format',
+    type: 'string',
+    stage: 'repository',
+    parent: 'hostRules',
+    default: null,
+    cli: false,
+    env: false,
+  },
   {
     name: 'cacheHardTtlMinutes',
     description:

diff --git a/lib/types/host-rules.ts b/lib/types/host-rules.ts
@@ -15,6 +15,9 @@ export interface HostRuleSearchResult {
   dnsCache?: boolean;
   keepalive?: boolean;
   artifactAuth?: string[] | null;
+  certificateAuthority?: string;
+  privateKey?: string;
+  certificate?: string;
 }
 
 export interface HostRule extends HostRuleSearchResult {

diff --git a/lib/util/http/host-rules.spec.ts b/lib/util/http/host-rules.spec.ts
@@ -46,6 +46,14 @@ describe('util/http/host-rules', () => {
       hostType: 'bitbucket',
       token: 'cdef',
     });
+
+    hostRules.add({
+      hostType: 'maven',
+      matchHost: 'https://custom.datasource',
+      certificateAuthority: 'ca-cert',
+      certificate: 'cert',
+      privateKey: 'key',
+    });
   });
 
   afterEach(() => {
@@ -148,6 +156,24 @@ describe('util/http/host-rules', () => {
     `);
   });
 
+  it('https', () => {
+    expect(
+      applyHostRules('https://custom.datasource/data/path', {
+        ...options,
+        hostType: 'maven',
+      })
+    ).toMatchInlineSnapshot(`
+      {
+        "hostType": "maven",
+        "https": {
+          "certificate": "cert",
+          "certificateAuthority": "ca-cert",
+          "key": "key",
+        },
+      }
+    `);
+  });
+
   it('no fallback to github', () => {
     hostRules.add({
       hostType: 'github-tags',

diff --git a/lib/util/http/host-rules.ts b/lib/util/http/host-rules.ts
@@ -30,6 +30,7 @@ export type HostRulesGotOptions = Pick<
   | 'lookup'
   | 'agent'
   | 'http2'
+  | 'https'
 >;
 
 export function findMatchingRules<GotOptions extends HostRulesGotOptions>(
@@ -162,6 +163,18 @@ export function applyHostRules<GotOptions extends HostRulesGotOptions>(
   if (!hasProxy() && foundRules.enableHttp2 === true) {
     options.http2 = true;
   }
+
+  if (
+    foundRules.certificateAuthority !== null ||
+    foundRules.privateKey !== null ||
+    foundRules.certificate !== null
+  ) {
+    options.https = {
+      certificateAuthority: foundRules.certificateAuthority,
+      key: foundRules.privateKey,
+      certificate: foundRules.certificate,
+    };
+  }
   return options;
 }