feat: expose certificates pool creation (#2210)

This commit is contained in:
Ludovic Fernandez 2024-06-13 23:10:59 +02:00 committed by GitHub
parent c63be848f6
commit 834a9089f1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 31 additions and 15 deletions


@ -57,7 +57,7 @@ func (m *hostMatcher) matches(r *http.Request, domain string) bool {
return strings.HasPrefix(r.Host, domain)
}
// hostMatcher checks whether the specified (*net/http.Request).Header value starts with a domain name.
// arbitraryMatcher checks whether the specified (*net/http.Request).Header value starts with a domain name.
type arbitraryMatcher string
func (m arbitraryMatcher) name() string {


@ -100,26 +100,41 @@ func initCertPool() *x509.CertPool {
return nil
}
certPool := getCertPool()
useSystemCertPool, _ := strconv.ParseBool(os.Getenv(caSystemCertPool))
for _, customPath := range strings.Split(customCACertsPath, string(os.PathListSeparator)) {
customCAs, err := os.ReadFile(customPath)
if err != nil {
panic(fmt.Sprintf("error reading %s=%q: %v",
caCertificatesEnvVar, customPath, err))
}
caCerts := strings.Split(customCACertsPath, string(os.PathListSeparator))
if ok := certPool.AppendCertsFromPEM(customCAs); !ok {
panic(fmt.Sprintf("error creating x509 cert pool from %s=%q: %v",
caCertificatesEnvVar, customPath, err))
}
certPool, err := CreateCertPool(caCerts, useSystemCertPool)
if err != nil {
panic(fmt.Sprintf("create certificates pool: %v", err))
}
return certPool
}
func getCertPool() *x509.CertPool {
useSystemCertPool, _ := strconv.ParseBool(os.Getenv(caSystemCertPool))
// CreateCertPool creates a *x509.CertPool populated with the PEM certificates.
func CreateCertPool(caCerts []string, useSystemCertPool bool) (*x509.CertPool, error) {
if len(caCerts) == 0 {
return nil, nil
}
certPool := newCertPool(useSystemCertPool)
for _, customPath := range caCerts {
customCAs, err := os.ReadFile(customPath)
if err != nil {
return nil, fmt.Errorf("error reading %q: %w", customPath, err)
}
if ok := certPool.AppendCertsFromPEM(customCAs); !ok {
return nil, fmt.Errorf("error creating x509 cert pool from %q: %w", customPath, err)
}
}
return certPool, nil
}
func newCertPool(useSystemCertPool bool) *x509.CertPool {
if !useSystemCertPool {
return x509.NewCertPool()
}
@ -128,5 +143,6 @@ func getCertPool() *x509.CertPool {
if err == nil {
return pool
}
return x509.NewCertPool()
}
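Review bot: In CreateCertPool the `AppendCertsFromPEM` failure branch wraps `err` with `%w`, but `err` is always nil there (the preceding `os.ReadFile` just succeeded), so the returned error reads `error creating x509 cert pool from "path": %!w(<nil>)` and `errors.Is`/`errors.As` have nothing to unwrap; the original code had the same flaw with `%v`, but now that this is an exported function returning an error it should be `return nil, fmt.Errorf("no valid PEM certificate found in %q", customPath)`. Since `AppendCertsFromPEM` reports success if at least one certificate parsed, a file mixing valid and malformed blocks is silently accepted in part; that is worth stating in the doc comment, along with the `nil, nil` result for an empty list, which tells callers to fall back to the system roots regardless of `useSystemCertPool` — suggested doc: `// CreateCertPool creates a *x509.CertPool populated with the PEM certificates read from the given file paths. It returns (nil, nil) when caCerts is empty, meaning the system roots should be used; with useSystemCertPool false the pool contains only the custom CAs. A file that yields no valid certificate is an error, but malformed blocks next to a valid one are skipped.` initCertPool's body starts before this hunk and newCertPool's body continues after it.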


@ -59,7 +59,7 @@ func (c mockUpdateClient) UpdateTXTRecord(acct goacmedns.Account, value string)
return nil
}
// errorRegisterClient is a mock implementing the acmeDNSClient interface that always
// errorUpdateClient is a mock implementing the acmeDNSClient interface that always
// returns errors from errorUpdateClient.
type errorUpdateClient struct {
mockClient