From 1979e43eab62b3e84f589e28c67e0d0a5fbc9d29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kapcs=C3=A1ndi=20Istv=C3=A1n?=
Date: Fri, 5 Jun 2020 09:29:12 +0200
Subject: [PATCH 1/2] add tls connection envs: CA_ROOT_FILE, CLIENT_PKCS12_FILE, CLIENT_PKCS12_PASS
---
 README.md | 3 +++
 src/db.rs | 50 ++++++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 49 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 48be14c0e..664333209 100755
--- a/README.md
+++ b/README.md
@@ -261,6 +261,9 @@ You can also configure martin using environment variables
 | DATABASE_URL | postgres://postgres@localhost/db | postgres database connection |
 | WATCH_MODE | true | scan for new sources |
 | DANGER_ACCEPT_INVALID_CERTS | false | Trust invalid certificates |
+| CA_ROOT_FILE | /certs/ca_root.crt | Server root certificate file |
+| CLIENT_PKCS12_FILE | /certs/identity.pfx | Client certificate file |
+| CLIENT_PKCS12_PASS | secret | Client certificate password |

 ## Configuration File

diff --git a/src/db.rs b/src/db.rs
index f849f973d..a2a24ea40 100755
--- a/src/db.rs
+++ b/src/db.rs
@@ -1,7 +1,9 @@
-use std::io;
+use std::{env, io};
 use std::str::FromStr;

-use native_tls::TlsConnector;
+use native_tls::{Certificate, Identity, TlsConnector};
+use std::fs::File;
+use std::io::{Read};
 use postgres_native_tls::MakeTlsConnector;
 use r2d2::PooledConnection;
 use r2d2_postgres::PostgresConnectionManager;
@@ -15,8 +17,48 @@ pub type Pool = r2d2::Pool;
 pub type Connection = PooledConnection;

 fn make_tls_connector(danger_accept_invalid_certs: bool) -> io::Result {
- let connector = TlsConnector::builder()
- .danger_accept_invalid_certs(danger_accept_invalid_certs)
+ let key = "CA_ROOT_FILE";
+ let ca_file = match env::var_os(key) {
+ Some(s) => s.into_string().unwrap(),
+ None => {
+ println!("{} is not defined in the environment", key);
+ String::default()
+ }
+ };
+ let key = "CLIENT_PKCS12_FILE";
+ let client_identity_file = match env::var_os(key) {
+ Some(s) => s.into_string().unwrap(),
+ None => {
+ println!("{} is not defined in the environment", key);
+ String::default()
+ }
+ };
+ let key = "CLIENT_PKCS12_PASS";
+ let client_identity_pass = match env::var_os(key) {
+ Some(s) => s.into_string().unwrap(),
+ None => {
+ println!("{} is not defined in the environment", key);
+ String::default()
+ }
+ };
+
+ let mut builder = TlsConnector::builder();
+
+ if !client_identity_file.is_empty() {
+ let mut file = File::open(&client_identity_file).unwrap();
+ let mut identity = vec![];
+ file.read_to_end(&mut identity).unwrap();
+ let identity = Identity::from_pkcs12(&identity, &client_identity_pass).unwrap();
+ builder.identity(identity);
+ }
+ if !ca_file.is_empty() {
+ let mut ca = File::open(&ca_file).unwrap();
+ let mut buf = Vec::new();
+ ca.read_to_end(&mut buf).unwrap();
+ let cert = Certificate::from_pem(&buf).unwrap();
+ builder.add_root_certificate(cert);
+ }
+ let connector = builder.danger_accept_invalid_certs(danger_accept_invalid_certs)
 .build()
 .map_err(prettify_error("Can't build TLS connection"))?;

From c1f60152411ca5478ce8da5a455389659af4005c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kapcs=C3=A1ndi=20Istv=C3=A1n?=
Date: Sat, 6 Jun 2020 11:26:58 +0200
Subject: [PATCH 2/2] format fix
---
 src/db.rs | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/db.rs b/src/db.rs
index a2a24ea40..8a4428b24 100755
--- a/src/db.rs
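Review bot: Every failure path in the new certificate-loading code panics through `.unwrap()` — `File::open`, `read_to_end`, `Identity::from_pkcs12`, `Certificate::from_pem` and the `s.into_string()` conversions of the env values — even though make_tls_connector returns io::Result and already maps the builder error with prettify_error; a missing, unreadable or wrongly-passworded PKCS#12 file is a configuration error and should be reported the same way, via `?` with a message naming the variable, rather than aborting the process with no hint of which file was at fault. The three identical `println!` branches also write to stdout on every call for variables that are optional by design, so defaulting silently with `env::var(key).unwrap_or_default()` (which also covers the non-UTF-8 case) would be quieter and shorter. The rewrite below assumes prettify_error accepts an io::Error the same way it accepts the native_tls build error, which the hunk does not show; if it does not, the reads need their own error mapping. The enclosing function continues past the end of the hunk.
```rust
    // Optional settings: an unset (or non-UTF-8) value becomes "" and skips the step below.
    let ca_file = env::var("CA_ROOT_FILE").unwrap_or_default();
    let client_identity_file = env::var("CLIENT_PKCS12_FILE").unwrap_or_default();
    let client_identity_pass = env::var("CLIENT_PKCS12_PASS").unwrap_or_default();

    let mut builder = TlsConnector::builder();

    if !client_identity_file.is_empty() {
        let mut identity = Vec::new();
        File::open(&client_identity_file)
            .and_then(|mut f| f.read_to_end(&mut identity))
            .map_err(prettify_error("Can't read CLIENT_PKCS12_FILE"))?;
        let identity = Identity::from_pkcs12(&identity, &client_identity_pass)
            .map_err(prettify_error("Can't parse CLIENT_PKCS12_FILE"))?;
        builder.identity(identity);
    }
    if !ca_file.is_empty() {
        let mut buf = Vec::new();
        File::open(&ca_file)
            .and_then(|mut f| f.read_to_end(&mut buf))
            .map_err(prettify_error("Can't read CA_ROOT_FILE"))?;
        let cert = Certificate::from_pem(&buf)
            .map_err(prettify_error("Can't parse CA_ROOT_FILE"))?;
        builder.add_root_certificate(cert);
    }
    // … unchanged: danger_accept_invalid_certs(...).build().map_err(...)? …
```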
+++ b/src/db.rs
@@ -1,14 +1,14 @@
-use std::{env, io};
 use std::str::FromStr;
+use std::{env, io};

 use native_tls::{Certificate, Identity, TlsConnector};
-use std::fs::File;
-use std::io::{Read};
 use postgres_native_tls::MakeTlsConnector;
 use r2d2::PooledConnection;
 use r2d2_postgres::PostgresConnectionManager;
 use semver::Version;
 use semver::VersionReq;
+use std::fs::File;
+use std::io::Read;

 use crate::utils::prettify_error;

@@ -34,7 +34,7 @@ fn make_tls_connector(danger_accept_invalid_certs: bool) -> io::Result s.into_string().unwrap(), None => { println!("{} is not defined in the environment", key);
@@ -58,7 +58,8 @@ fn make_tls_connector(danger_accept_invalid_certs: bool) -> io::Result