
     1  /*
     2  
     3  Copyright (c) 2022 - Present. Blend Labs, Inc. All rights reserved
     4  Use of this source code is governed by a MIT license that can be found in the LICENSE file.
     5  
     6  */
     7  
     8  package web
     9  
    10  import (
    11  	"crypto/tls"
    12  	"crypto/x509"
    13  
    14  	"github.com/blend/go-sdk/ex"
    15  )
    16  
// TLSOption is an option for TLS configs. An option mutates the given
// *tls.Config in place and returns an error when it cannot be applied.
// Changes made to a nil config cannot reach the caller, so options should
// always be applied to a non-nil config.
type TLSOption func(*tls.Config) error
    19  
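// OptTLSClientCertPool replaces the config's ClientCAs with a new pool
// built from the given certificates in PEM format.
//
// The pool does not include the system roots: only certificates present
// in certPEMs can sign client certificates the server will accept. An
// empty certPEMs yields an empty pool, which together with a verifying
// ClientAuth mode rejects every client certificate (fail closed).
//
// Each element of certPEMs may hold several PEM blocks. An element is
// rejected only when none of its blocks parses as a certificate, because
// x509.CertPool.AppendCertsFromPEM reports success as soon as one block is
// appended; a malformed block next to a valid one is skipped silently.
//
// The option also installs a GetConfigForClient callback that returns this
// same config for every handshake, replacing any callback set earlier; this
// is what lets the pool be hot patched without restarting the listener.
//
// The option returns an error when the config is nil: a replacement config
// allocated here could not be seen by the caller, so the pool would be
// silently dropped while the option reported success. It also returns an
// error when any element of certPEMs contains no parseable certificate; in
// that case the config is left untouched rather than holding a partial pool.
func OptTLSClientCertPool(certPEMs ...[]byte) TLSOption {
	return func(t *tls.Config) error {
		if t == nil {
			return ex.New("cannot apply client cert pool to a nil tls config")
		}
		// Build the pool locally and only publish it on success, so a bad
		// input never leaves the config with a half-populated ClientCAs.
		pool := x509.NewCertPool()
		for _, certPEM := range certPEMs {
			if !pool.AppendCertsFromPEM(certPEM) {
				return ex.New("invalid ca cert for client cert pool")
			}
		}
		t.ClientCAs = pool

		// Returning the config itself forces the server to consult this
		// config for every handshake. This costs a callback per connection
		// but means later changes to the pool take effect immediately.
		t.GetConfigForClient = func(_ *tls.ClientHelloInfo) (*tls.Config, error) {
			return t, nil
		}
		return nil
	}
}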
    45  
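// OptTLSClientCertVerification sets the ClientAuth mode of the config,
// which controls whether the server requests client certificates and
// whether it verifies them (see tls.ClientAuthType). The verifying modes
// check client certificates against ClientCAs, so this option is normally
// paired with OptTLSClientCertPool.
//
// The option returns an error when the config is nil, since a config
// allocated here could not be handed back to the caller and the setting
// would be silently lost while the option reported success.
func OptTLSClientCertVerification(verification tls.ClientAuthType) TLSOption {
	return func(t *tls.Config) error {
		if t == nil {
			return ex.New("cannot set client cert verification on a nil tls config")
		}
		t.ClientAuth = verification
		return nil
	}
}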