add knob to use ca_webpki_roots and defaults

Signed-off-by: Rajat Jindal <[email protected]>

Author: rajatjindal

crates/trigger-http/src/lib.rs

@@ -1162,15 +1162,15 @@ fn get_client_tls_config_for_authority(
     client_tls_opts: Option<HashMap<Authority, ParsedClientTlsOpts>>,
 ) -> Result<rustls::ClientConfig> {
     // derived from https://github.com/tokio-rs/tls/blob/master/tokio-rustls/examples/client/src/main.rs
-    let mut root_cert_store = rustls::RootCertStore {
+    let ca_webpki_roots = rustls::RootCertStore {
         roots: webpki_roots::TLS_SERVER_ROOTS.into(),
     };
 
     let client_tls_opts = match client_tls_opts {
         Some(opts) => opts,
         _ => {
             return Ok(rustls::ClientConfig::builder()
-                .with_root_certificates(root_cert_store)
+                .with_root_certificates(ca_webpki_roots)
                 .with_no_client_auth());
         }
     };
@@ -1179,11 +1179,28 @@ fn get_client_tls_config_for_authority(
         Some(opts) => opts,
         _ => {
             return Ok(rustls::ClientConfig::builder()
-                .with_root_certificates(root_cert_store)
+                .with_root_certificates(ca_webpki_roots)
                 .with_no_client_auth());
         }
     };
 
+    let custom_root_ca_provided = client_tls_opts_for_host.custom_root_ca.is_some();
+
+    // use_ca_webpki_roots is true if
+    // 1. ca_webpki_roots is explicitly true in runtime config OR
+    // 2. custom_root_ca is not provided
+    //
+    // if custom_root_ca is provided, use_ca_webpki_roots defaults to false
+    let use_ca_webpki_roots = client_tls_opts_for_host
+        .ca_webpki_roots
+        .unwrap_or(if custom_root_ca_provided { false } else { true });
+
+    let mut root_cert_store = if use_ca_webpki_roots {
+        ca_webpki_roots
+    } else {
+        rustls::RootCertStore::empty()
+    };
+
     if let Some(custom_root_ca) = &client_tls_opts_for_host.custom_root_ca {
         for cer in custom_root_ca {
             match root_cert_store.add(cer.to_owned()) {

crates/trigger/src/runtime_config.rs

@@ -537,9 +537,10 @@ mod tests {
         let input = ClientTlsOpts {
             component_ids: vec!["component-id-foo".to_string()],
             hosts: vec!["fermyon.com".to_string(), "fermyon.com:5443".to_string()],
-            custom_root_ca_file: None,
+            ca_roots_file: None,
             cert_chain_file: None,
             private_key_file: None,
+            ca_webpki_roots: None,
         };
 
         let parsed = parse_client_tls_opts(&input);
@@ -552,9 +553,10 @@ mod tests {
         let input = ClientTlsOpts {
             component_ids: vec!["component-id-foo".to_string()],
             hosts: vec!["".to_string(), "fermyon.com:5443".to_string()],
-            custom_root_ca_file: None,
+            ca_roots_file: None,
             cert_chain_file: None,
             private_key_file: None,
+            ca_webpki_roots: None,
         };
 
         let parsed = parse_client_tls_opts(&input);
@@ -570,9 +572,10 @@ mod tests {
         let input = ClientTlsOpts {
             component_ids: vec!["component-id-foo".to_string()],
             hosts: vec!["perc%ent:443".to_string(), "fermyon.com:5443".to_string()],
-            custom_root_ca_file: None,
+            ca_roots_file: None,
             cert_chain_file: None,
             private_key_file: None,
+            ca_webpki_roots: None,
         };
 
         let parsed = parse_client_tls_opts(&input);
@@ -606,10 +609,11 @@ pub struct ParsedClientTlsOpts {
     pub custom_root_ca: Option<Vec<rustls_pki_types::CertificateDer<'static>>>,
     pub cert_chain: Option<Vec<rustls_pki_types::CertificateDer<'static>>>,
     pub private_key: Option<Arc<rustls_pki_types::PrivateKeyDer<'static>>>,
+    pub ca_webpki_roots: Option<bool>,
 }
 
 fn parse_client_tls_opts(inp: &ClientTlsOpts) -> Result<ParsedClientTlsOpts, anyhow::Error> {
-    let custom_root_ca = match &inp.custom_root_ca_file {
+    let custom_root_ca = match &inp.ca_roots_file {
         Some(path) => Some(load_certs(path).context("loading custom root ca")?),
         None => None,
     };
@@ -643,5 +647,6 @@ fn parse_client_tls_opts(inp: &ClientTlsOpts) -> Result<ParsedClientTlsOpts, any
         custom_root_ca,
         cert_chain,
         private_key,
+        ca_webpki_roots: inp.ca_webpki_roots,
     })
 }

crates/trigger/src/runtime_config/client_tls.rs

@@ -12,9 +12,10 @@ use std::{
 pub struct ClientTlsOpts {
     pub component_ids: Vec<String>,
     pub hosts: Vec<String>,
-    pub custom_root_ca_file: Option<PathBuf>,
+    pub ca_roots_file: Option<PathBuf>,
     pub cert_chain_file: Option<PathBuf>,
     pub private_key_file: Option<PathBuf>,
+    pub ca_webpki_roots: Option<bool>,
 }
 
 // load_certs parse and return the certs from the provided file