(cliContext *cli.Context)
| 112 | } |
| 113 | |
// resolverDefaultTLS builds a client-side TLS configuration from the
// "skip-verify", "tlscacert", "tlscert" and "tlskey" command-line flags.
//
// It returns (nil, nil) when none of those flags changes anything; what a nil
// config means for the connection is decided by the caller, which is not
// visible in this function.
//
// Security notes:
//   - "skip-verify" sets InsecureSkipVerify, so crypto/tls accepts any server
//     certificate and any host name. A CA bundle passed via "tlscacert" is
//     still read and parsed but is not used for verification in that case.
//   - "tlscacert" installs a fresh pool holding only the certificates from
//     the file. Because RootCAs is then non-nil, the host's root CA set is
//     not consulted.
//   - MinVersion and CipherSuites are left unset, so the defaults of the Go
//     toolchain used for the build apply.
func resolverDefaultTLS(cliContext *cli.Context) (*tls.Config, error) {
	var (
		roots       *x509.CertPool
		clientCerts []tls.Certificate
	)

	// Certificate verification is turned off only on explicit request.
	insecure := cliContext.Bool("skip-verify")

	// Optional CA bundle: the file must be readable and contain at least one
	// PEM certificate, otherwise the whole configuration is rejected.
	caPath := cliContext.String("tlscacert")
	if caPath != "" {
		caPEM, err := os.ReadFile(caPath)
		if err != nil {
			return nil, fmt.Errorf("failed to read %q: %w", caPath, err)
		}

		roots = x509.NewCertPool()
		if ok := roots.AppendCertsFromPEM(caPEM); !ok {
			return nil, fmt.Errorf("failed to load TLS CAs from %q: invalid data", caPath)
		}
	}

	// Optional client certificate for mutual TLS: certificate and key are
	// only meaningful as a pair.
	certPath, keyPath := cliContext.String("tlscert"), cliContext.String("tlskey")
	switch {
	case certPath == "" && keyPath == "":
		// No client credentials requested.
	case certPath == "" || keyPath == "":
		return nil, errors.New("flags --tlscert and --tlskey must be set together")
	default:
		pair, err := tls.LoadX509KeyPair(certPath, keyPath)
		if err != nil {
			return nil, fmt.Errorf("failed to load TLS client credentials (cert=%q, key=%q): %w", certPath, keyPath, err)
		}
		clientCerts = []tls.Certificate{pair}
	}

	// If nothing was set, return nil rather than an empty config.
	if !insecure && roots == nil && clientCerts == nil {
		return nil, nil
	}

	return &tls.Config{
		InsecureSkipVerify: insecure,
		RootCAs:            roots,
		Certificates:       clientCerts,
	}, nil
}
| 153 | |
| 154 | type staticCredentials struct { |
| 155 | ref string |