From 7793ec61aa2354257e285e34ba9338e5906ebe92 Mon Sep 17 00:00:00 2001 From: Pascal Hartig Date: Mon, 23 Mar 2020 17:02:15 +0000 Subject: [PATCH] Add ability to set custom CA roots --- pkg/download/downloader.go | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/pkg/download/downloader.go b/pkg/download/downloader.go index b68a38e..aa5680c 100644 --- a/pkg/download/downloader.go +++ b/pkg/download/downloader.go @@ -1,8 +1,12 @@ package download import ( + "crypto/tls" + "crypto/x509" "fmt" + "io/ioutil" "net/http" + "os" "path/filepath" "runtime" "time" @@ -11,7 +15,7 @@ import ( "github.com/develar/app-builder/pkg/log" "github.com/develar/app-builder/pkg/util" "github.com/develar/errors" - "github.com/develar/go-fs-util" + fsutil "github.com/develar/go-fs-util" "github.com/dustin/go-humanize" "go.uber.org/zap" ) @@ -27,6 +31,35 @@ func getUserAgent() string { return util.GetEnvOrDefault("DOWNLOADER_USER_AGENT", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36") } +func getTlsConfig() *tls.Config { + localCertFile := os.Getenv("NODE_EXTRA_CA_CERTS") + if len(localCertFile) == 0 { + return &tls.Config{} + } + + // Get the SystemCertPool, continue with an empty pool on error + rootCAs, _ := x509.SystemCertPool() + if rootCAs == nil { + rootCAs = x509.NewCertPool() + } + + // Read in the cert file + certs, err := ioutil.ReadFile(localCertFile) + if err != nil { + log.Warn("Failed to append to root certificates", zap.String("extraCert", localCertFile), zap.Error(err)) + } + + // Append our cert to the system pool + if ok := rootCAs.AppendCertsFromPEM(certs); !ok { + log.Warn("No certs appended, using system certs only") + } + + // Trust the augmented cert pool in our client + return &tls.Config{ + RootCAs: rootCAs, + } +} + func getMaxPartCount() int { const maxPartCount = 8 result := runtime.NumCPU() * 2 @@ -56,6 +89,7 @@ type Downloader struct { func NewDownloader() *Downloader { return NewDownloaderWithTransport(&http.Transport{ Proxy: util.ProxyFromEnvironmentAndNpm, + TLSClientConfig: getTlsConfig(), MaxIdleConns: 64, MaxIdleConnsPerHost: 64, IdleConnTimeout: 30 * time.Second,