add CA certificate verification and insecure option (hashicorp#125)

jkroepke · web-flow · commit 09a48c1cd770 · 2022-10-24T16:36:25.000+01:00
Signed-off-by: Jan-Otto Kröpke &lt;jok@cloudeteer.de&gt;

Signed-off-by: Jan-Otto Kröpke &lt;jok@cloudeteer.de&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 3.2.0 (unreleased)
+
+ENHANCEMENTS:
+
+* data-source/http: Added `ca_cert_pem` attribute which allows PEM encoded certificate(s) to be included in the set of root certificate authorities used when verifying server certificates ([#125](https://github.com/hashicorp/terraform-provider-http/pull/125)).
+* data-source/http: Added `insecure` attribute to allow disabling the verification of a server's certificate chain and host name. Defaults to `false` ([#125](https://github.com/hashicorp/terraform-provider-http/pull/125)).
+
 ## 3.1.0 (August 30, 2022)
 
 ENHANCEMENTS:
diff --git a/docs/data-sources/http.md b/docs/data-sources/http.md
@@ -143,6 +143,8 @@ resource "null_resource" "example" {
 
 ### Optional
 
+- `ca_cert_pem` (String) Certificate data of the Certificate Authority (CA) in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
+- `insecure` (Boolean) Disables verification of the server's certificate chain and hostname. Defaults to `false`
 - `method` (String) The HTTP Method for the request. Allowed methods are a subset of methods defined in [RFC7231](https://datatracker.ietf.org/doc/html/rfc7231#section-4.3) namely, `GET`, `HEAD`, and `POST`. `POST` support is only intended for read-only URLs, such as submitting a search.
 - `request_body` (String) The request body as a string.
 - `request_headers` (Map of String) A map of request header field names and values.
diff --git a/internal/provider/data_source_http.go b/internal/provider/data_source_http.go
@@ -2,7 +2,11 @@ package provider
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"github.com/hashicorp/terraform-plugin-framework-validators/schemavalidator"
+	"github.com/hashicorp/terraform-plugin-framework/path"
 	"io/ioutil"
 	"mime"
 	"net/http"
@@ -104,6 +108,22 @@ your control should be treated as untrustworthy.`,
 				DeprecationMessage: "Use response_body instead",
 			},
 
+			"ca_cert_pem": {
+				Description: "Certificate data of the Certificate Authority (CA) " +
+					"in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.",
+				Type:     types.StringType,
+				Optional: true,
+				Validators: []tfsdk.AttributeValidator{
+					schemavalidator.ConflictsWith(path.MatchRoot("insecure")),
+				},
+			},
+
+			"insecure": {
+				Description: "Disables verification of the server's certificate chain and hostname. Defaults to `false`",
+				Type:        types.BoolType,
+				Optional:    true,
+			},
+
 			"response_headers": {
 				Description: `A map of response header field names and values.` +
 					` Duplicate headers are concatenated according to [RFC2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2).`,
@@ -139,7 +159,33 @@ func (d *httpDataSource) Read(ctx context.Context, req datasource.ReadRequest, r
 		method = "GET"
 	}
 
-	client := &http.Client{}
+	caCertificate := model.CaCertificate
+
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{},
+	}
+
+	if !model.Insecure.IsNull() {
+		tr.TLSClientConfig.InsecureSkipVerify = model.Insecure.Value
+	}
+
+	// Use `ca_cert_pem` cert pool
+	if !caCertificate.IsNull() {
+		caCertPool := x509.NewCertPool()
+		if ok := caCertPool.AppendCertsFromPEM([]byte(caCertificate.Value)); !ok {
+			resp.Diagnostics.AddError(
+				"Error configuring TLS client",
+				"Error tls: Can't add the CA certificate to certificate pool. Only PEM encoded certificates are supported.",
+			)
+			return
+		}
+
+		tr.TLSClientConfig.RootCAs = caCertPool
+	}
+
+	client := &http.Client{
+		Transport: tr,
+	}
 
 	request, err := http.NewRequestWithContext(ctx, method, url, requestBody)
 	if err != nil {
@@ -249,6 +295,8 @@ type modelV0 struct {
 	RequestHeaders  types.Map    `tfsdk:"request_headers"`
 	RequestBody     types.String `tfsdk:"request_body"`
 	ResponseHeaders types.Map    `tfsdk:"response_headers"`
+	CaCertificate   types.String `tfsdk:"ca_cert_pem"`
+	Insecure        types.Bool   `tfsdk:"insecure"`
 	ResponseBody    types.String `tfsdk:"response_body"`
 	Body            types.String `tfsdk:"body"`
 	StatusCode      types.Int64  `tfsdk:"status_code"`
diff --git a/internal/provider/data_source_http_test.go b/internal/provider/data_source_http_test.go
