github.com/blend/go-sdk@v1.20240719.1/web/tls_option.go

github.com/blend/go-sdk@v1.20240719.1/web/tls_option.go (about)

     1  /*
     2  
     3  Copyright (c) 2024 - Present. Blend Labs, Inc. All rights reserved
     4  Use of this source code is governed by a MIT license that can be found in the LICENSE file.
     5  
     6  */
     7  
     8  package web
     9  
    10  import (
    11  	"crypto/tls"
    12  	"crypto/x509"
    13  	"os"
    14  
    15  	"github.com/blend/go-sdk/ex"
    16  )
    17  
    18  // TLSOption is an option for TLS configs.
    19  type TLSOption func(*tls.Config) error
    20  
    21  // OptTLSClientCertPool adds a given set of certs in binary PEM format
    22  // to the system CA pool.
    23  func OptTLSClientCertPool(certPEMs ...[]byte) TLSOption {
    24  	return func(t *tls.Config) error {
    25  		if t == nil {
    26  			t = &tls.Config{}
    27  		}
    28  		t.ClientCAs = x509.NewCertPool()
    29  		for _, certPEM := range certPEMs {
    30  			ok := t.ClientCAs.AppendCertsFromPEM(certPEM)
    31  			if !ok {
    32  				return ex.New("invalid ca cert for client cert pool")
    33  			}
    34  		}
    35  		// this is deprecated
    36  		// t.BuildNameToCertificate()
    37  
    38  		// this forces the server to reload the tls config for every request if there is a cert pool loaded.
    39  		// normally this would introduce overhead but it allows us to hot patch the cert pool.
    40  		t.GetConfigForClient = func(_ *tls.ClientHelloInfo) (*tls.Config, error) {
    41  			return t, nil
    42  		}
    43  		return nil
    44  	}
    45  }
    46  
    47  // OptTLSAppendCACertsFromPaths adds CA certs from file paths
    48  // to the system CA pool.
    49  func OptTLSAppendCACertsFromPaths(paths ...string) TLSOption {
    50  	return func(t *tls.Config) error {
    51  		if t == nil {
    52  			return nil
    53  		}
    54  		t.ClientCAs = x509.NewCertPool()
    55  		for _, path := range paths {
    56  			ca, err := os.ReadFile(path)
    57  			if err != nil {
    58  				return err
    59  			}
    60  			if ok := t.ClientCAs.AppendCertsFromPEM(ca); !ok {
    61  				return ex.New("invalid ca cert for client cert pool")
    62  			}
    63  		}
    64  
    65  		// this forces the server to reload the tls config for every request if there is a cert pool loaded.
    66  		// normally this would introduce overhead but it allows us to hot patch the cert pool.
    67  		t.GetConfigForClient = func(_ *tls.ClientHelloInfo) (*tls.Config, error) {
    68  			return t, nil
    69  		}
    70  		return nil
    71  	}
    72  }
    73  
    74  // OptTLSClientCertVerification sets the verification level for client certs.
    75  func OptTLSClientCertVerification(verification tls.ClientAuthType) TLSOption {
    76  	return func(t *tls.Config) error {
    77  		if t == nil {
    78  			t = &tls.Config{}
    79  		}
    80  		t.ClientAuth = verification
    81  		return nil
    82  	}
    83  }