From a6129fb8053bf4fdec23a925ecbb2b4a46b69042 Mon Sep 17 00:00:00 2001
From: Vika
Date: Fri, 21 Jul 2023 17:44:49 +0300
Subject: Allow loading TLS root certificates from file

Untested, but will be useful when testing Webmentions in the end-to-end test.
---
 kittybox-rs/src/main.rs | 40 +++++++++++++++++++++++++++++++++-------
 1 file changed, 33 insertions(+), 7 deletions(-)

diff --git a/kittybox-rs/src/main.rs b/kittybox-rs/src/main.rs
index d96a8fb..7c6ddb6 100644
--- a/kittybox-rs/src/main.rs
+++ b/kittybox-rs/src/main.rs
@@ -148,13 +148,39 @@ async fn compose_kittybox(
 ) -> axum::Router {
     let http: reqwest::Client = {
         #[allow(unused_mut)]
-        let mut builder = reqwest::Client::builder().user_agent(concat!(
-            env!("CARGO_PKG_NAME"),
-            "/",
-            env!("CARGO_PKG_VERSION")
-        ));
-        // TODO: add a root certificate if there's an environment variable pointing at it
-        //builder = builder.add_root_certificate(reqwest::Certificate::from_pem(todo!()));
+        let mut builder = reqwest::Client::builder()
+            .user_agent(concat!(
+                env!("CARGO_PKG_NAME"),
+                "/",
+                env!("CARGO_PKG_VERSION")
+            ));
+        if let Ok(certs) = std::env::var("KITTYBOX_CUSTOM_PKI_ROOTS") {
+            // TODO: add a root certificate if there's an environment variable pointing at it
+            for path in certs.split(':') {
+                let metadata = match tokio::fs::metadata(path).await {
+                    Ok(metadata) => metadata,
+                    Err(err) if err.kind() == std::io::ErrorKind::NotFound => {
+                        tracing::error!("TLS root certificate {} not found, skipping...", path);
+                        continue;
+                    }
+                    Err(err) => panic!("Error loading TLS certificates: {}", err)
+                };
+                if metadata.is_dir() {
+                    let mut dir = tokio::fs::read_dir(path).await.unwrap();
+                    while let Ok(Some(file)) = dir.next_entry().await {
+                        let pem = tokio::fs::read(file.path()).await.unwrap();
+                        builder = builder.add_root_certificate(
+                            reqwest::Certificate::from_pem(&pem).unwrap()
+                        );
+                    }
+                } else {
+                    let pem = tokio::fs::read(path).await.unwrap();
+                    builder = builder.add_root_certificate(
+                        reqwest::Certificate::from_pem(&pem).unwrap()
+                    );
+                }
+            }
+        }
         builder.build().unwrap()
     };
-- 
cgit 1.4.1
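Review bot: The directory branch's `while let Ok(Some(file)) = dir.next_entry().await` loop ends silently on any I/O error from `next_entry`, so the process starts with a partially loaded trust store, whereas the same failure on a single file aborts via `panic!("Error loading TLS certificates: {}", err)` — the two branches should fail the same way. Entries that are not regular files (a subdirectory, a `.gitkeep`) also reach `tokio::fs::read(file.path()).await.unwrap()` and abort startup without naming the path; checking `tokio::fs::metadata(entry.path())` (which follows symlinks, unlike `DirEntry::file_type`) lets the loop skip them, as sketched below. The copied `// TODO: add a root certificate if there's an environment variable pointing at it` now describes what the `if let` already does and would be more useful as a note on intent, e.g. `// Extra roots trusted by every outbound request made by this client; meant for local/e2e testing against a private CA.` If a listed file is a PEM bundle rather than a single certificate, confirm that `Certificate::from_pem` loads all of them for the TLS backend in use — that cannot be verified from this hunk. `compose_kittybox` begins and ends outside the hunk.
```rust
// … unchanged: builder construction, env lookup, per-path metadata match …
                if metadata.is_dir() {
                    let mut dir = tokio::fs::read_dir(path)
                        .await
                        .expect("Error reading TLS root certificate directory");
                    loop {
                        let entry = match dir.next_entry().await {
                            Ok(Some(entry)) => entry,
                            Ok(None) => break,
                            Err(err) => panic!("Error listing TLS certificates in {}: {}", path, err),
                        };
                        // Skip subdirectories and other non-regular entries instead of
                        // panicking in read(); metadata() follows symlinks so linked certs
                        // still load.
                        let entry_meta = tokio::fs::metadata(entry.path())
                            .await
                            .expect("Error inspecting TLS certificate entry");
                        if !entry_meta.is_file() {
                            continue;
                        }
                        let pem = tokio::fs::read(entry.path())
                            .await
                            .expect("Error loading TLS certificate");
                        builder = builder.add_root_certificate(
                            reqwest::Certificate::from_pem(&pem).expect("Invalid TLS root certificate")
                        );
                    }
                } else {
// … unchanged: single-file branch …
```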