Support for TLS client certificate authentication

This adds --tls-client-cert and --tls-client-key parameters and enables use of that certificate/key pair when connecting to https servers.
2025-08-13 12:17:27 +00:00 · 2017-12-29 19:51:13 -08:00
parent e706f1a8d1
commit e805b968b1
9 changed files with 68 additions and 44 deletions
--- a/internal/backend/azure/azure_test.go
+++ b/internal/backend/azure/azure_test.go
@@ -16,7 +16,7 @@ import (
 )

 func newAzureTestSuite(t testing.TB) *test.Suite {
-	tr, err := backend.Transport(nil)
+	tr, err := backend.Transport(nil, "", "")
 	if err != nil {
 		t.Fatalf("cannot create transport for tests: %v", err)
 	}
--- a/internal/backend/b2/b2_test.go
+++ b/internal/backend/b2/b2_test.go
@@ -16,7 +16,7 @@ import (
 )

 func newB2TestSuite(t testing.TB) *test.Suite {
-	tr, err := backend.Transport(nil)
+	tr, err := backend.Transport(nil, "", "")
 	if err != nil {
 		t.Fatalf("cannot create transport for tests: %v", err)
 	}
--- a/internal/backend/http_transport.go
+++ b/internal/backend/http_transport.go
@@ -15,7 +15,7 @@ import (
 // Transport returns a new http.RoundTripper with default settings applied. If
 // a custom rootCertFilename is non-empty, it must point to a valid PEM file,
 // otherwise the function will return an error.
-func Transport(rootCertFilenames []string) (http.RoundTripper, error) {
+func Transport(rootCertFilenames []string, tlsClientCert string, tlsClientKey string) (http.RoundTripper, error) {
 	// copied from net/http
 	tr := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
@@ -29,6 +29,15 @@ func Transport(rootCertFilenames []string) (http.RoundTripper, error) {
 		IdleConnTimeout:       90 * time.Second,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
+		TLSClientConfig:       &tls.Config{},
+	}
+
+	if tlsClientCert != "" && tlsClientKey != "" {
+		c, err := tls.LoadX509KeyPair(tlsClientCert, tlsClientKey)
+		if err != nil {
+			return nil, fmt.Errorf("unable to read client certificate/key pair: %v", err)
+		}
+		tr.TLSClientConfig.Certificates = []tls.Certificate{c}
 	}

 	if rootCertFilenames == nil {
@@ -49,9 +58,7 @@ func Transport(rootCertFilenames []string) (http.RoundTripper, error) {
 		}
 	}

-	tr.TLSClientConfig = &tls.Config{
-		RootCAs: p,
-	}
+	tr.TLSClientConfig.RootCAs = p

 	// wrap in the debug round tripper
 	return debug.RoundTripper(tr), nil
--- a/internal/backend/rest/rest_test.go
+++ b/internal/backend/rest/rest_test.go
@@ -68,7 +68,7 @@ func runRESTServer(ctx context.Context, t testing.TB, dir string) (*url.URL, fun
 }

 func newTestSuite(ctx context.Context, t testing.TB, url *url.URL, minimalData bool) *test.Suite {
-	tr, err := backend.Transport(nil)
+	tr, err := backend.Transport(nil, "", "")
 	if err != nil {
 		t.Fatalf("cannot create transport for tests: %v", err)
 	}
--- a/internal/backend/s3/s3_test.go
+++ b/internal/backend/s3/s3_test.go
@@ -121,7 +121,7 @@ func createS3(t testing.TB, cfg MinioTestConfig, tr http.RoundTripper) (be resti
 }

 func newMinioTestSuite(ctx context.Context, t testing.TB) *test.Suite {
-	tr, err := backend.Transport(nil)
+	tr, err := backend.Transport(nil, "", "")
 	if err != nil {
 		t.Fatalf("cannot create transport for tests: %v", err)
 	}
@@ -221,7 +221,7 @@ func BenchmarkBackendMinio(t *testing.B) {
 }

 func newS3TestSuite(t testing.TB) *test.Suite {
-	tr, err := backend.Transport(nil)
+	tr, err := backend.Transport(nil, "", "")
 	if err != nil {
 		t.Fatalf("cannot create transport for tests: %v", err)
 	}
--- a/internal/backend/swift/swift_test.go
+++ b/internal/backend/swift/swift_test.go
@@ -16,7 +16,7 @@ import (
 )

 func newSwiftTestSuite(t testing.TB) *test.Suite {
-	tr, err := backend.Transport(nil)
+	tr, err := backend.Transport(nil, "", "")
 	if err != nil {
 		t.Fatalf("cannot create transport for tests: %v", err)
 	}