Add support for custom root certificate

[zynaxsoft]

Request

Add an ability to define a custom root certificate for querying a schema from the Internet.

Motivation

In my environment, it's necessary to use a custom root certificate.
I am using Taplo as a language server with Neovim. Here is what I would get when I opened a Cargo.toml file.
An error from Neovim :LspLog

taplo:configuration_change:initialize: failed to fetch catalog error=error sending request for URL 
(https://www.schemastore.org/api/json/catalog.json): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer\n\nCaused by:
    0: error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
    1: invalid peer certificate contents: invalid peer certificate: UnknownIssuer 
     self.root=file:///...
    OR taplo:configuration_change:initialize: failed to add schemas from catalog error=error sending request for URL 
(https://www.schemastore.org/api/json/catalog.json): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer self.root=file:///...
"

I have already setup my OS to trust the custom certificate. Also it seems that this crate uses reqwest to do the query.
I believe reqwest doesn't get the list of root certificates from the OS.

[ia0]

Thanks for the diagnosis. But if I understand correctly, shouldn't this be reported to reqwest instead?

[zynaxsoft]

Thank you for picking this up!

I believe the current trend of implementing HTTPS client is to not obey what an OS says about the root CA they trust, but let the application/user side specifically adds a custom root CA by themselves.

reqwest already supports this with add_root_certificate

I am not sure if this is the correct place for the implementation but I see in this line, this uses the default built-in root CAs which means it doesn't use the OS setting.

[ia0]

I see, so you essentially want to add .add_root_certificate(certificate) here:

taplo/crates/taplo-lsp/src/world.rs

Lines 127 to 129 in 5bd9625

	client = reqwest::Client::builder()
	.timeout(Duration::from_secs(10))
	.build()

The question is where do you get certificate. I can see at least 2 sources: a flag or an environment variable (or a flag that defaults to an environment variable). In the case of a flag, the question is how this would be made available in WorkspaceState::new(). I see at least 2 options: a function parameter or a global variable.

I think the simplest solution would be to just use an environment variable (or use a flag with a global variable). Would you be able to write a PR? If not, I could take a look this weekend, but I'll need you to be able to test it or provide instructions on how to test it.

[zynaxsoft]

Yes, that's what I wanted to do essentially. To confirm my understanding, does the flag you mentioned mean something that is passed from the LSP configuration? (I am thinking about nvim-lspconfig#taplo).

Environment variable could work too and I agree it would be the simplest way to do it. Though I am not really sure about the design. I guess we could do both.

On the other hand, do we need to also implement this for taplo-cli for consistency?

I am willing to help and write a PR, but I would need some pointers on where to look.

[ia0]

Does the flag you mentioned mean something that is passed from the LSP configuration?

Actually I had it wrong, we need 2 things:

• An initialization option for taplo-lsp (which I think is called init_options in neovim):

  taplo/crates/taplo-lsp/src/config.rs

  Line 14 in 5bd9625

  pub struct InitConfig {

• A flag for taplo-cli:

  taplo/crates/taplo-cli/src/args.rs

  Line 23 in 5bd9625

  pub struct GeneralArgs {

And we also need to update the reqwest::Client in taplo-cli too:

taplo/crates/taplo-cli/src/lib.rs

Lines 24 to 26 in 5bd9625

	let http = reqwest::Client::builder()
	.timeout(std::time::Duration::from_secs(5))
	.build()

I guess we could do both.

Yes, but I'm not sure it's worth the effort.

On the other hand, do we need to also implement this for taplo-cli for consistency?

Yes, I think we need to do that.

I am willing to help and write a PR, but I would need some pointers on where to look.

Great! Thanks a lot! Let's only do the environment variable. You essentially need to:

• Do something like if let Ok(path) = std::env::var("TAPLO_ROOT_CERTIFICATE") to get the root certificate path
• Use Certificate::from_der or Certificate::from_pem depending on the extension (see https://docs.rs/reqwest/0.11.18/reqwest/tls/struct.Certificate.html#method.from_der) to build the certificate
• Update the reqwest::ClientBuilder with add_root_certificate within the if let above.