feat(http): allow to provide self-signed certificates

Allow for the MOBILIZON_CA_CERT_PATH to be used to provide your own root certificates. The CAStore and certify certificates stores should be always already be used as fallback instead of the system store. Closes #1355 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2024-02-09 12:13:22 +01:00 · 2024-02-09 12:13:22 +01:00 · baa11c18b0
parent 9d99684402
commit baa11c18b0
9 changed files with 49 additions and 8 deletions
--- a/lib/mobilizon.ex
+++ b/lib/mobilizon.ex
@ -85,8 +85,10 @@ defmodule Mobilizon do
      ErrorReporting.attach()
    end

+    with :ok <- load_certificates() do
      Supervisor.start_link(children, strategy: :one_for_one, name: Mobilizon.Supervisor)
    end
+  end

  @spec config_change(keyword, keyword, [atom]) :: :ok
  def config_change(changed, _new, removed) do
@ -160,4 +162,16 @@ defmodule Mobilizon do
  end

  defp setup_ecto_dev_logger(_), do: nil
+
+  defp load_certificates do
+    custom_cert_path = System.get_env("MOBILIZON_CA_CERT_PATH")
+
+    if is_binary(custom_cert_path) do
+      with :ok <- :tls_certificate_check.override_trusted_authorities({:file, custom_cert_path}) do
+        :public_key.cacerts_load(custom_cert_path)
+      end
+    else
+      :ok
+    end
+  end
 end
--- a/lib/service/http/activity_pub.ex
+++ b/lib/service/http/activity_pub.ex
@ -3,7 +3,9 @@ defmodule Mobilizon.Service.HTTP.ActivityPub do
  Tesla HTTP Client that is preconfigured to get and post ActivityPub content
  """

+  require Logger
  alias Mobilizon.Config
+  import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]

  @default_opts [
    recv_timeout: 20_000
@ -13,7 +15,11 @@ defmodule Mobilizon.Service.HTTP.ActivityPub do
  def client(options \\ []) do
    headers = Keyword.get(options, :headers, [])
    adapter = Application.get_env(:tesla, __MODULE__, [])[:adapter] || Tesla.Adapter.Hackney
-    opts = Keyword.merge(@default_opts, Keyword.get(options, :opts, []))
+
+    opts =
+      @default_opts
+      |> Keyword.merge(ssl_options: get_tls_config())
+      |> Keyword.merge(Keyword.get(options, :opts, []))

    middleware = [
      {Tesla.Middleware.Headers,
--- a/lib/service/http/generic_json_client.ex
+++ b/lib/service/http/generic_json_client.ex
@ -4,6 +4,7 @@ defmodule Mobilizon.Service.HTTP.GenericJSONClient do
  """

  alias Mobilizon.Config
+  import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]

  @default_opts [
    recv_timeout: 20_000
@ -13,7 +14,11 @@ defmodule Mobilizon.Service.HTTP.GenericJSONClient do
  def client(options \\ []) do
    headers = Keyword.get(options, :headers, [])
    adapter = Application.get_env(:tesla, __MODULE__, [])[:adapter] || Tesla.Adapter.Hackney
-    opts = Keyword.merge(@default_opts, Keyword.get(options, :opts, []))
+
+    opts =
+      @default_opts
+      |> Keyword.merge(ssl_options: get_tls_config())
+      |> Keyword.merge(Keyword.get(options, :opts, []))

    middleware = [
      {Tesla.Middleware.Headers,
--- a/lib/service/http/geospatial_client.ex
+++ b/lib/service/http/geospatial_client.ex
@ -6,12 +6,13 @@ defmodule Mobilizon.Service.HTTP.GeospatialClient do

  use Tesla
  alias Mobilizon.Config
+  import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]

  @default_opts [
    recv_timeout: 20_000
  ]

-  adapter(Tesla.Adapter.Hackney, @default_opts)
+  adapter(Tesla.Adapter.Hackney, Keyword.merge([ssl_options: get_tls_config()], @default_opts))

  plug(Tesla.Middleware.FollowRedirects)

--- a/lib/service/http/host_meta_client.ex
+++ b/lib/service/http/host_meta_client.ex
@ -6,12 +6,13 @@ defmodule Mobilizon.Service.HTTP.HostMetaClient do

  use Tesla
  alias Mobilizon.Config
+  import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]

  @default_opts [
    recv_timeout: 20_000
  ]

-  adapter(Tesla.Adapter.Hackney, @default_opts)
+  adapter(Tesla.Adapter.Hackney, Keyword.merge([ssl_options: get_tls_config()], @default_opts))

  plug(Tesla.Middleware.FollowRedirects)

--- a/lib/service/http/remote_media_downloader_client.ex
+++ b/lib/service/http/remote_media_downloader_client.ex
@ -5,12 +5,13 @@ defmodule Mobilizon.Service.HTTP.RemoteMediaDownloaderClient do

  use Tesla
  alias Mobilizon.Config
+  import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]

  @default_opts [
    recv_timeout: 20_000
  ]

-  adapter(Tesla.Adapter.Hackney, @default_opts)
+  adapter(Tesla.Adapter.Hackney, Keyword.merge([ssl_options: get_tls_config()], @default_opts))

  plug(Tesla.Middleware.FollowRedirects)

--- a/lib/service/http/rich_media_preview_client.ex
+++ b/lib/service/http/rich_media_preview_client.ex
@ -5,12 +5,13 @@ defmodule Mobilizon.Service.HTTP.RichMediaPreviewClient do

  use Tesla
  alias Mobilizon.Config
+  import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]

  @default_opts [
    recv_timeout: 20_000
  ]

-  adapter(Tesla.Adapter.Hackney, @default_opts)
+  adapter(Tesla.Adapter.Hackney, Keyword.merge([ssl_options: get_tls_config()], @default_opts))

  plug(Tesla.Middleware.FollowRedirects)

--- a/lib/service/http/utils.ex
+++ b/lib/service/http/utils.ex
@ -3,6 +3,17 @@ defmodule Mobilizon.Service.HTTP.Utils do
  Utils for HTTP operations
  """

+  def get_tls_config do
+    cacertfile =
+      if is_nil(System.get_env("MOBILIZON_CA_CERT_PATH")) do
+        CAStore.file_path()
+      else
+        System.get_env("MOBILIZON_CA_CERT_PATH")
+      end
+
+    [cacertfile: cacertfile]
+  end
+
  @spec get_header(Enum.t(), String.t()) :: String.t() | nil
  def get_header(headers, key) do
    key = String.downcase(key)
--- a/lib/service/http/webfinger_client.ex
+++ b/lib/service/http/webfinger_client.ex
@ -6,12 +6,13 @@ defmodule Mobilizon.Service.HTTP.WebfingerClient do

  use Tesla
  alias Mobilizon.Config
+  import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]

  @default_opts [
    recv_timeout: 20_000
  ]

-  adapter(Tesla.Adapter.Hackney, @default_opts)
+  adapter(Tesla.Adapter.Hackney, Keyword.merge([ssl_options: get_tls_config()], @default_opts))

  plug(Tesla.Middleware.FollowRedirects)