From 0fe47eee487765f116054eea5b131e4d83e0c66e Mon Sep 17 00:00:00 2001
From: Dayan Graham
Date: Mon, 13 Mar 2023 16:58:39 +0000
Subject: [PATCH] feat(assets): Add support for mutual TLS to allow the assets service to fetch files behind authentication walls (#1034)
---
 backend/internal/assets/cacher/cacher.go | 35 ++++++++++++++++++++++--
 backend/internal/config/assets/config.go | 3 ++
 2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/backend/internal/assets/cacher/cacher.go b/backend/internal/assets/cacher/cacher.go
index 4b0353a9a..1df32ca26 100644
--- a/backend/internal/assets/cacher/cacher.go
+++ b/backend/internal/assets/cacher/cacher.go
@@ -2,9 +2,11 @@ package cacher
 import (
 "crypto/tls"
+ "crypto/x509"
 "fmt"
 "io"
 "io/ioutil"
+ "log"
 "mime"
 "net/http"
 metrics "openreplay/backend/pkg/metrics/assets"
@@ -38,14 +40,43 @@ func (c *cacher) CanCache() bool {
 func NewCacher(cfg *config.Config) *cacher {
 rewriter := assets.NewRewriter(cfg.AssetsOrigin)
+
+ tlsConfig := &tls.Config{
+ InsecureSkipVerify: true,
+ }
+
+ if cfg.ClientCertFilePath != "" && cfg.ClientKeyFilePath != "" && cfg.CaCertFilePath != "" {
+
+ var cert tls.Certificate
+ var err error
+
+ cert, err = tls.LoadX509KeyPair(cfg.ClientCertFilePath, cfg.ClientKeyFilePath)
+ if err != nil {
+ log.Fatalf("Error creating x509 keypair from the client cert file %s and client key file %s , Error: %s", err, cfg.ClientCertFilePath, cfg.ClientKeyFilePath)
+ }
+
+ caCert, err := ioutil.ReadFile(cfg.CaCertFilePath)
+ if err != nil {
+ log.Fatalf("Error opening cert file %s, Error: %s", cfg.CaCertFilePath, err)
+ }
+ caCertPool := x509.NewCertPool()
+ caCertPool.AppendCertsFromPEM(caCert)
+ tlsConfig = &tls.Config{
+ InsecureSkipVerify: true,
+ Certificates: []tls.Certificate{cert},
+ RootCAs: caCertPool,
+ }
+
+ }
+
 c := &cacher{
 timeoutMap: newTimeoutMap(),
 s3: storage.NewS3(cfg.AWSRegion, cfg.S3BucketAssets),
 httpClient: &http.Client{
 Timeout: time.Duration(6) * time.Second,
 Transport: &http.Transport{
- Proxy: http.ProxyFromEnvironment,
- TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ Proxy: http.ProxyFromEnvironment,
+ TLSClientConfig: tlsConfig,
 },
 },
 rewriter: rewriter,
diff --git a/backend/internal/config/assets/config.go b/backend/internal/config/assets/config.go
index 399ee84f4..19c747e71 100644
--- a/backend/internal/config/assets/config.go
+++ b/backend/internal/config/assets/config.go
@@ -15,6 +15,9 @@ type Config struct {
 AssetsSizeLimit int `env:"ASSETS_SIZE_LIMIT,required"`
 AssetsRequestHeaders map[string]string `env:"ASSETS_REQUEST_HEADERS"`
 UseProfiler bool `env:"PROFILER_ENABLED,default=false"`
+ ClientKeyFilePath string `env:"CLIENT_KEY_FILE_PATH"`
+ CaCertFilePath string `env:"CA_CERT_FILE_PATH"`
+ ClientCertFilePath string `env:"CLIENT_CERT_FILE_PATH"`
 }
 func New() *Config {
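Review bot: The mTLS branch in NewCacher keeps `InsecureSkipVerify: true` in the second `tls.Config`, which makes `RootCAs: caCertPool` dead — crypto/tls skips chain verification entirely when that flag is set — so the CA loaded from CA_CERT_FILE_PATH never authenticates the upstream and the client certificate is handshaken with whatever host terminates TLS, which defeats the purpose of configuring a CA. Dropping the field (default false) in that branch makes the pool actually used, while the non-mTLS default keeps its pre-existing skip-verify behaviour. Two smaller defects in the same block: the first `log.Fatalf` passes `err` as the first argument, so the cert path, key path and error land in the wrong `%s` slots, and the boolean result of `caCertPool.AppendCertsFromPEM(caCert)` is ignored, so a CA file with no parseable PEM block produces an empty pool and every fetch then fails with an opaque x509 error instead of a clear startup message. The three new fields in config.go would also benefit from a comment such as `// CLIENT_CERT_FILE_PATH, CLIENT_KEY_FILE_PATH and CA_CERT_FILE_PATH must all be set to enable mTLS; a partial set silently falls back to the unverified client.` NewCacher's body continues past the end of the hunk.

```go
	if cfg.ClientCertFilePath != "" && cfg.ClientKeyFilePath != "" && cfg.CaCertFilePath != "" {
		cert, err := tls.LoadX509KeyPair(cfg.ClientCertFilePath, cfg.ClientKeyFilePath)
		if err != nil {
			log.Fatalf("Error creating x509 keypair from the client cert file %s and client key file %s , Error: %s", cfg.ClientCertFilePath, cfg.ClientKeyFilePath, err)
		}
		// … unchanged: ioutil.ReadFile(cfg.CaCertFilePath) and its error check …
		caCertPool := x509.NewCertPool()
		if !caCertPool.AppendCertsFromPEM(caCert) {
			log.Fatalf("No PEM certificates found in CA cert file %s", cfg.CaCertFilePath)
		}
		// Verify the upstream against the configured CA: a client certificate is only
		// worth presenting to a server we have authenticated, and RootCAs is ignored
		// while InsecureSkipVerify is set.
		tlsConfig = &tls.Config{
			Certificates: []tls.Certificate{cert},
			RootCAs:      caCertPool,
		}
	}
```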