TLS certs in CLI client

resolve #194

pkg/cli/client.go

@@ -6,11 +6,14 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"io/ioutil"
 	"net/http"
 	"net/url"
+	"os"
+	"path/filepath"
 	"strings"
 	"sync"
 	"time"
@@ -18,16 +21,39 @@ import (
 	zotErrors "github.com/anuvu/zot/errors"
 )
 
-var httpClient *http.Client //nolint: gochecknoglobals
+var httpClientsMap = make(map[string]*http.Client) //nolint: gochecknoglobals
+var httpClientLock sync.Mutex                      //nolint: gochecknoglobals
 
-const httpTimeout = 5 * time.Minute
+const (
+	httpTimeout        = 5 * time.Minute
+	certsPath          = "/etc/containers/certs.d"
+	homeCertsDir       = ".config/containers/certs.d"
+	clientCertFilename = "client.cert"
+	clientKeyFilename  = "client.key"
+	caCertFilename     = "ca.crt"
+)
 
-func createHTTPClient(verifyTLS bool) *http.Client {
+func createHTTPClient(verifyTLS bool, host string) *http.Client {
 	var tr = http.DefaultTransport.(*http.Transport).Clone()
 	if !verifyTLS {
 		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint: gosec
+
+		return &http.Client{
+			Timeout:   httpTimeout,
+			Transport: tr,
+		}
 	}
 
+	// Add a copy of the system cert pool
+	caCertPool, _ := x509.SystemCertPool()
+
+	tlsConfig := loadPerHostCerts(caCertPool, host)
+	if tlsConfig == nil {
+		tlsConfig = &tls.Config{RootCAs: caCertPool}
+	}
+
+	tr = &http.Transport{TLSClientConfig: tlsConfig}
+
 	return &http.Client{
 		Timeout:   httpTimeout,
 		Transport: tr,
@@ -70,10 +96,22 @@ func makeGraphQLRequest(url, query, username,
 }
 
 func doHTTPRequest(req *http.Request, verifyTLS bool, resultsPtr interface{}) (http.Header, error) {
-	if httpClient == nil {
-		httpClient = createHTTPClient(verifyTLS)
+	var httpClient *http.Client
+
+	host := req.Host
+
+	httpClientLock.Lock()
+
+	if httpClientsMap[host] == nil {
+		httpClient = createHTTPClient(verifyTLS, host)
+
+		httpClientsMap[host] = httpClient
+	} else {
+		httpClient = httpClientsMap[host]
 	}
 
+	httpClientLock.Unlock()
+
 	resp, err := httpClient.Do(req)
 	if err != nil {
 		return nil, err
@@ -98,6 +136,68 @@ func doHTTPRequest(req *http.Request, verifyTLS bool, resultsPtr interface{}) (h
 	return resp.Header, nil
 }
 
+func loadPerHostCerts(caCertPool *x509.CertPool, host string) *tls.Config {
+	// Check if the /home/user/.config/containers/certs.d/$IP:$PORT dir exists
+	home := os.Getenv("HOME")
+	clientCertsDir := filepath.Join(home, homeCertsDir, host)
+
+	if dirExists(clientCertsDir) {
+		tlsConfig, err := getTLSConfig(clientCertsDir, caCertPool)
+
+		if err == nil {
+			return tlsConfig
+		}
+	}
+
+	// Check if the /etc/containers/certs.d/$IP:$PORT dir exists
+	clientCertsDir = filepath.Join(certsPath, host)
+	if dirExists(clientCertsDir) {
+		tlsConfig, err := getTLSConfig(clientCertsDir, caCertPool)
+
+		if err == nil {
+			return tlsConfig
+		}
+	}
+
+	return nil
+}
+
+func getTLSConfig(certsPath string, caCertPool *x509.CertPool) (*tls.Config, error) {
+	clientCert := filepath.Join(certsPath, clientCertFilename)
+	clientKey := filepath.Join(certsPath, clientKeyFilename)
+	caCertFile := filepath.Join(certsPath, caCertFilename)
+
+	cert, err := tls.LoadX509KeyPair(clientCert, clientKey)
+	if err != nil {
+		return nil, err
+	}
+
+	caCert, err := ioutil.ReadFile(caCertFile)
+	if err != nil {
+		return nil, err
+	}
+
+	caCertPool.AppendCertsFromPEM(caCert)
+
+	return &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		RootCAs:      caCertPool,
+	}, nil
+}
+
+func dirExists(d string) bool {
+	fi, err := os.Stat(d)
+	if err != nil && os.IsNotExist(err) {
+		return false
+	}
+
+	if !fi.IsDir() {
+		return false
+	}
+
+	return true
+}
+
 func isURL(str string) bool {
 	u, err := url.Parse(str)
 	return err == nil && u.Scheme != "" && u.Host != ""