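// Provision implements caddy.Provisioner. It downloads the PEM bundle served
// by every entry in hcp.Endpoints, parses each CERTIFICATE block it contains
// and stores the result in hcp.pool (an x509.CertPool) and hcp.certs (the
// parsed certificates, in fetch order). The first endpoint that cannot be
// fetched or parsed aborts provisioning and hcp is left unmodified.
//
// Every download is rejected before its body is read when the status is not
// 2xx, and the body itself is capped at maxCABundleSize bytes so a
// misbehaving endpoint cannot exhaust memory. Cancellation and deadlines
// come only from ctx; the client carries no Timeout of its own
// (NOTE(review): confirm that is acceptable for the configured endpoints).
func (hcp *HTTPCertPool) Provision(ctx caddy.Context) error {
	transport := http.DefaultTransport.(*http.Transport).Clone()
	if hcp.TLS != nil {
		tlsConfig, err := hcp.TLS.makeTLSClientConfig(ctx)
		if err != nil {
			return err
		}
		transport.TLSClientConfig = tlsConfig
	}

	// Copy the default client so the custom transport does not leak into
	// other users of http.DefaultClient.
	client := *http.DefaultClient
	client.Transport = transport

	caPool := x509.NewCertPool()
	var certs []*x509.Certificate
	for _, uri := range hcp.Endpoints {
		fetched, err := fetchCABundle(ctx, &client, uri)
		if err != nil {
			return err
		}
		for _, cert := range fetched {
			caPool.AddCert(cert)
		}
		certs = append(certs, fetched...)
	}

	hcp.pool = caPool
	hcp.certs = certs
	return nil
}

// maxCABundleSize is the largest PEM bundle Provision will accept from a
// single endpoint. The bound is a review-chosen value: typical CA bundles
// are well under 1 MiB, so 10 MiB leaves ample headroom while still
// preventing an unbounded read from the network.
const maxCABundleSize = 10 << 20

// fetchCABundle performs a GET of uri with client and returns the
// certificates found in the PEM body. It returns an error for a request
// that cannot be built or sent, a non-2xx status, a body larger than
// maxCABundleSize, or a CERTIFICATE block that does not parse; every error
// names the endpoint so the operator can tell which entry is at fault.
func fetchCABundle(ctx caddy.Context, client *http.Client, uri string) ([]*x509.Certificate, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil)
	if err != nil {
		return nil, fmt.Errorf("building request for CA certificate bundle %s: %w", uri, err)
	}
	res, err := client.Do(req) //nolint:gosec // SSRF false positive... uri comes from config
	if err != nil {
		return nil, fmt.Errorf("fetching CA certificate bundle from %s: %w", uri, err)
	}
	defer res.Body.Close()

	// Check the status before touching the body so an error page is never
	// read in full or handed to the PEM parser.
	if res.StatusCode < 200 || res.StatusCode >= 300 {
		return nil, fmt.Errorf("HTTP %d fetching CA certificate bundle from %s", res.StatusCode, uri)
	}

	// Read one byte past the cap so an oversized bundle is reported rather
	// than silently truncated (a truncated bundle would drop certificates).
	pemData, err := io.ReadAll(io.LimitReader(res.Body, maxCABundleSize+1))
	if err != nil {
		return nil, fmt.Errorf("reading CA certificate bundle from %s: %w", uri, err)
	}
	if len(pemData) > maxCABundleSize {
		return nil, fmt.Errorf("CA certificate bundle from %s exceeds %d bytes", uri, maxCABundleSize)
	}
	return parseCertificatesPEM(pemData, uri)
}

// parseCertificatesPEM extracts every CERTIFICATE block from pemData.
// Blocks of any other type are skipped and decoding stops at the first
// non-PEM data, matching pem.Decode semantics. uri is used only in error
// messages. A bundle with no certificates yields a nil slice, not an error.
func parseCertificatesPEM(pemData []byte, uri string) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for len(pemData) > 0 {
		var block *pem.Block
		block, pemData = pem.Decode(pemData)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate from URL %s: %w", uri, err)
		}
		certs = append(certs, cert)
	}
	return certs, nil
}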
| 717 | // Syntax: |