From a8e4c9c368fd3ab7685b5c9c0a258013a5a6b90a Mon Sep 17 00:00:00 2001
From: pratikmahajan
Date: Thu, 25 Jan 2024 17:16:31 +0000
Subject: [PATCH] add support for root certificates for registries that rely on self signed root certificates, add an option to include these certificates.
---
 Cargo.toml | 2 +-
 src/v2/config.rs | 25 ++++++++++++++++++++++---
 2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 475633f3..7295c6d8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -44,7 +44,7 @@ strum = "0.23"
 strum_macros = "0.23"
 tar = "0.4"
 tokio = "1.0"
-reqwest = { version = "0.11", default-features = false, features = ["json", "stream"] }
+reqwest = { version = "0.11", default-features = false, features = ["json", "stream", "rustls-tls-native-roots", "native-tls"] }
 sha2 = "^0.10.0"
 bytes = "1.1"
 pin-project = "1.0"
diff --git a/src/v2/config.rs b/src/v2/config.rs
index f5c18d87..82e54e34 100644
--- a/src/v2/config.rs
+++ b/src/v2/config.rs
@@ -1,3 +1,5 @@
+use reqwest::Certificate;
+
 use crate::{mediatypes::MediaTypes, v2::*};
 /// Configuration for a `Client`.
@@ -10,6 +12,7 @@ pub struct Config {
 password: Option,
 accept_invalid_certs: bool,
 accepted_types: Option)>>,
+ root_certificate: Option,
 }
 impl Config {
@@ -67,6 +70,12 @@ impl Config {
 self
 }
+ /// Set the root certificate if required for the registry
+ pub fn root_certificate(mut self, root_certificate: Certificate) -> Self {
+ self.root_certificate = Some(root_certificate);
+ self
+ }
+
 /// Return a `Client` to interact with a v2 registry.
 pub fn build(self) -> Result {
 let base = if self.insecure_registry {
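Review bot: The `reqwest` line in Cargo.toml now turns on two TLS backends unconditionally, `native-tls` and `rustls-tls-native-roots`, so every build carries both stacks and the manifest no longer shows which one verifies the registry certificate. As far as I know reqwest 0.11 uses native-tls by default when both are compiled in, which would leave the rustls feature as unused dependency surface unless `use_rustls_tls()` is called somewhere. Pick the one backend that `add_root_certificate` is meant to run on, for example `features = ["json", "stream", "rustls-tls-native-roots"]`. If the crate already selects a TLS backend through its own `[features]` table (not visible in this hunk), leave this line unchanged and rely on those features instead.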
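Review bot: The doc comment on `root_certificate` in the `@@ -67,6 +70,12 @@` hunk of src/v2/config.rs does not say what the certificate is trusted for, nor that only one can be held: the setter assigns `Some(root_certificate)`, so a second call replaces the first instead of adding another root. I would spell that out, for example `/// Trust an additional root certificate (e.g. a private CA) when verifying the registry's TLS certificate.` followed by `/// Calling this again replaces the earlier certificate; it is irrelevant when invalid certificates are accepted.` If registries with several private roots need support, storing a list of certificates would be the follow-up.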
@@ -87,9 +96,18 @@ impl Config {
 p.unwrap_or_else(|| "".into()),
 )),
 };
- let client = reqwest::ClientBuilder::new()
- .danger_accept_invalid_certs(self.accept_invalid_certs)
- .build()?;
+
+ let client: reqwest::Client;
+ if self.root_certificate.is_some() {
+ client = reqwest::ClientBuilder::new()
+ .add_root_certificate(self.root_certificate.unwrap())
+ .danger_accept_invalid_certs(self.accept_invalid_certs)
+ .build()?;
+ } else {
+ client = reqwest::ClientBuilder::new()
+ .danger_accept_invalid_certs(self.accept_invalid_certs)
+ .build()?;
+ }
 let accepted_types = match self.accepted_types {
 Some(a) => a,
@@ -134,6 +152,7 @@ impl Default for Config {
 user_agent: Some(crate::USER_AGENT.to_owned()),
 username: None,
 password: None,
+ root_certificate: None,
 }
 }
 }
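Review bot: In `build`, the two branches repeat the whole `ClientBuilder` chain and differ only in `add_root_certificate`, so a TLS option added later to one branch can be missed in the other, and the `is_some()` followed by `unwrap()` is avoidable. Configure one builder and add the certificate with `if let Some(cert) = self.root_certificate`, as in the excerpt below. When `accept_invalid_certs` is true the supplied root is moot because verification is switched off, so the setter docs should steer users of a private CA towards the root certificate rather than that flag. `build` begins before this hunk and continues past it.

```rust
// … unchanged: credentials match ending in `};` …
let mut builder = reqwest::ClientBuilder::new()
    .danger_accept_invalid_certs(self.accept_invalid_certs);
if let Some(cert) = self.root_certificate {
    builder = builder.add_root_certificate(cert);
}
let client = builder.build()?;
// … unchanged: accepted_types match …
```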