mirror of
https://github.com/project-zot/zot.git
synced 2025-01-06 22:40:28 -05:00
8e68255946
fixed ping function taking too much time closes: #2213 #2212 Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
107 lines
2.5 KiB
Go
107 lines
2.5 KiB
Go
package common
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"net/http"
|
|
"os"
|
|
"path"
|
|
"path/filepath"
|
|
)
|
|
|
|
func GetTLSConfig(certsPath string, caCertPool *x509.CertPool) (*tls.Config, error) {
|
|
clientCert := filepath.Join(certsPath, clientCertFilename)
|
|
clientKey := filepath.Join(certsPath, clientKeyFilename)
|
|
caCertFile := filepath.Join(certsPath, caCertFilename)
|
|
|
|
cert, err := tls.LoadX509KeyPair(clientCert, clientKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
caCert, err := os.ReadFile(caCertFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
caCertPool.AppendCertsFromPEM(caCert)
|
|
|
|
return &tls.Config{
|
|
Certificates: []tls.Certificate{cert},
|
|
RootCAs: caCertPool,
|
|
MinVersion: tls.VersionTLS12,
|
|
}, nil
|
|
}
|
|
|
|
func loadPerHostCerts(caCertPool *x509.CertPool, host string) *tls.Config {
|
|
// Check if the /home/user/.config/containers/certs.d/$IP:$PORT dir exists
|
|
home := os.Getenv("HOME")
|
|
clientCertsDir := filepath.Join(home, homeCertsDir, host)
|
|
|
|
if DirExists(clientCertsDir) {
|
|
tlsConfig, err := GetTLSConfig(clientCertsDir, caCertPool)
|
|
|
|
if err == nil {
|
|
return tlsConfig
|
|
}
|
|
}
|
|
|
|
// Check if the /etc/containers/certs.d/$IP:$PORT dir exists
|
|
clientCertsDir = filepath.Join(certsPath, host)
|
|
if DirExists(clientCertsDir) {
|
|
tlsConfig, err := GetTLSConfig(clientCertsDir, caCertPool)
|
|
|
|
if err == nil {
|
|
return tlsConfig
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func CreateHTTPClient(verifyTLS bool, host string, certDir string) (*http.Client, error) {
|
|
htr := http.DefaultTransport.(*http.Transport).Clone() //nolint: forcetypeassert
|
|
if !verifyTLS {
|
|
htr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint: gosec
|
|
|
|
return &http.Client{
|
|
Timeout: httpTimeout,
|
|
Transport: htr,
|
|
}, nil
|
|
}
|
|
|
|
// Add a copy of the system cert pool
|
|
caCertPool, _ := x509.SystemCertPool()
|
|
|
|
tlsConfig := loadPerHostCerts(caCertPool, host)
|
|
if tlsConfig == nil {
|
|
tlsConfig = &tls.Config{RootCAs: caCertPool, MinVersion: tls.VersionTLS12}
|
|
}
|
|
|
|
htr.TLSClientConfig = tlsConfig
|
|
|
|
if certDir != "" {
|
|
clientCert := path.Join(certDir, "client.cert")
|
|
clientKey := path.Join(certDir, "client.key")
|
|
caCertPath := path.Join(certDir, "ca.crt")
|
|
|
|
caCert, err := os.ReadFile(caCertPath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
caCertPool.AppendCertsFromPEM(caCert)
|
|
|
|
cert, err := tls.LoadX509KeyPair(clientCert, clientKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
htr.TLSClientConfig.Certificates = append(htr.TLSClientConfig.Certificates, cert)
|
|
}
|
|
|
|
return &http.Client{
|
|
Transport: htr,
|
|
Timeout: httpTimeout,
|
|
}, nil
|
|
}
|