diff options
Diffstat (limited to 'internal/httptransport/transport.go')
-rw-r--r-- | internal/httptransport/transport.go | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/internal/httptransport/transport.go b/internal/httptransport/transport.go new file mode 100644 index 00000000..207531f4 --- /dev/null +++ b/internal/httptransport/transport.go @@ -0,0 +1,56 @@ +package httptransport + +import ( + "crypto/tls" + "crypto/x509" + "io/ioutil" + "net" + "net/http" + "os" + "sync" + + log "github.com/sirupsen/logrus" +) + +var ( + sysPoolOnce = &sync.Once{} + sysPool *x509.CertPool + + // Transport can be used with httpclient with TLS and certificates + Transport = &http.Transport{ + DialTLS: func(network, addr string) (net.Conn, error) { + return tls.Dial(network, addr, &tls.Config{RootCAs: pool()}) + }, + } +) + +// This is here because macOS does not support the SSL_CERT_FILE +// environment variable. We have arrange things to read SSL_CERT_FILE as +// late as possible to avoid conflicts with file descriptor passing at +// startup. +func pool() *x509.CertPool { + sysPoolOnce.Do(loadPool) + return sysPool +} + +func loadPool() { + sslCertFile := os.Getenv("SSL_CERT_FILE") + if sslCertFile == "" { + return + } + + var err error + sysPool, err = x509.SystemCertPool() + if err != nil { + log.WithError(err).Error("failed to load system cert pool for artifacts client") + return + } + + certPem, err := ioutil.ReadFile(sslCertFile) + if err != nil { + log.WithError(err).Error("failed to read SSL_CERT_FILE") + return + } + + sysPool.AppendCertsFromPEM(certPem) +} |