use the gitlab server cert for non-admin requests

w4 · Jul 19, 2023 · c4885bd · c4885bd
1 parent f3ad70f
commit c4885bd
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 24 deletions.
diff --git a/src/config.rs b/src/config.rs
@@ -29,7 +29,7 @@ pub struct GitlabConfig {
     #[serde(default = "GitlabConfig::default_token_expiry")]
     pub token_expiry: Duration,
     #[serde(default)]
-    pub ssl_cert : Option<String>
+    pub ssl_cert: Option<String>,
 }
 
 impl GitlabConfig {

diff --git a/src/providers/gitlab.rs b/src/providers/gitlab.rs
@@ -5,7 +5,7 @@ use crate::providers::{Release, User};
 use async_trait::async_trait;
 use futures::{stream::FuturesUnordered, StreamExt, TryStreamExt};
 use percent_encoding::{utf8_percent_encode, NON_ALPHANUMERIC};
-use reqwest::{Certificate, header};
+use reqwest::{header, Certificate};
 use serde::{Deserialize, Serialize};
 use std::{borrow::Cow, sync::Arc};
 use time::{Duration, OffsetDateTime};
@@ -16,6 +16,7 @@ pub struct Gitlab {
     client: reqwest::Client,
     base_url: Url,
     token_expiry: Duration,
+    ssl_cert: Option<Certificate>,
 }
 
 impl Gitlab {
@@ -26,20 +27,23 @@ impl Gitlab {
             header::HeaderValue::from_str(&config.admin_token)?,
         );
 
-        let mut client_builder = reqwest::ClientBuilder::new()
-            .default_headers(headers);
+        let mut client_builder = reqwest::ClientBuilder::new().default_headers(headers);
 
-        if let Some(cert_path) = &config.ssl_cert {
-            let gitlab_cert_bytes = std::fs::read(&cert_path)?;
-            let gitlab_cert = Certificate::from_pem(&gitlab_cert_bytes)?;
-            client_builder = client_builder.add_root_certificate(gitlab_cert);
-        }
+        let ssl_cert = match &config.ssl_cert {
+            Some(cert_path) => {
+                let gitlab_cert_bytes = std::fs::read(&cert_path)?;
+                let gitlab_cert = Certificate::from_pem(&gitlab_cert_bytes)?;
+                client_builder = client_builder.add_root_certificate(gitlab_cert.clone());
+                Some(gitlab_cert)
+            }
+            _ => None,
+        };
 
         Ok(Self {
-            client: client_builder
-                .build()?,
+            client: client_builder.build()?,
             base_url: config.uri.join("api/v4/")?,
             token_expiry: config.token_expiry,
+            ssl_cert,
         })
     }
 }
@@ -57,18 +61,23 @@ impl super::UserProvider for Gitlab {
         };
 
         if username == "gitlab-ci-token" {
+            // we're purposely not using `self.client` here as we don't
+            // want to use our admin token for this request but still want to use any ssl cert provided.
+            let mut client_builder = reqwest::Client::builder();
+            if let Some(cert) = &self.ssl_cert {
+                client_builder = client_builder.add_root_certificate(cert.clone())
+            }
+            let client = client_builder.build();
             let res: GitlabJobResponse = handle_error(
-                // we're purposely not using `self.client` here as we don't
-                // want to use our admin token for this request
-                reqwest::Client::new()
+                client?
                     .get(self.base_url.join("job/")?)
                     .header("JOB-TOKEN", password)
                     .send()
                     .await?,
             )
-                .await?
-                .json()
-                .await?;
+            .await?
+            .json()
+            .await?;
 
             Ok(Some(User {
                 id: res.user.id,
@@ -113,9 +122,9 @@ impl super::UserProvider for Gitlab {
                 .send()
                 .await?,
         )
-            .await?
-            .json()
-            .await?;
+        .await?
+        .json()
+        .await?;
 
         Ok(impersonation_token.token)
     }
@@ -190,9 +199,9 @@ impl super::PackageProvider for Gitlab {
                                 .send()
                                 .await?,
                         )
-                            .await?
-                            .json()
-                            .await?;
+                        .await?
+                        .json()
+                        .await?;
 
                         let expected_file_name =
                             format!("{}-{}.crate", release.name, release.version);
@@ -213,7 +222,7 @@ impl super::PackageProvider for Gitlab {
                                 }),
                         )
                     }
-                        .instrument(info_span!("fetch_package_files")),
+                    .instrument(info_span!("fetch_package_files")),
                 ));
             }
         }