Added mTLS support for http client.

Author: scr-oath

http/README.md

@@ -12,6 +12,14 @@ basic_auth_user = "",
 basic_auth_password = "",
 headers = {"key"="value"},
 debug = false,
+
+# When set, the client will present the client cert for "mTLS"
+client_public_cert_pem_file = nil,
+client_private_key_pem_file = nil,
+
+# When set, this will be used to verify the server certificate (useful for private enterprise certificate authorities).
+# Prefer this over insecure_ssl when possible
+root_cas_pem_file = "",
 ```
 - `request(method, url, [data])` - make request userdata.
 

http/api_test.go

@@ -2,12 +2,19 @@ package http_test
 
 import (
 	"crypto/subtle"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/vadv/gopher-lua-libs/tests"
 	"golang.org/x/sync/errgroup"
+	"io"
 	"io/ioutil"
 	"log"
 	"net/http"
+	"net/http/httptest"
+	"os"
 	"strings"
 	"testing"
 	"time"
@@ -218,3 +225,34 @@ func TestApi(t *testing.T) {
 		assert.NoError(t, state.DoFile("./test/test_serve_static.lua"))
 	})
 }
+
+func TestMTLS(t *testing.T) {
+	s := httptest.NewUnstartedServer(http.HandlerFunc(func(writer http.ResponseWriter, r *http.Request) {
+		_, _ = io.WriteString(writer, "OK\n")
+	}))
+	defer s.Close()
+	serverCert, err := tls.LoadX509KeyPair("test/data/test.cert.pem", "test/data/test.key.pem")
+	require.NoError(t, err)
+	caData, err := os.ReadFile("test/data/test.cert.pem")
+	require.NoError(t, err)
+	cas := x509.NewCertPool()
+	cas.AppendCertsFromPEM(caData)
+	s.TLS = &tls.Config{
+		Certificates: []tls.Certificate{serverCert},
+		ClientCAs:    cas,
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+	}
+	s.StartTLS()
+
+	preload := tests.SeveralPreloadFuncs(
+		lua_http.Preload,
+		lua_time.Preload,
+		inspect.Preload,
+		plugin.Preload,
+		func(L *lua.LState) {
+			// Attach the server URL to the testing object
+			L.SetGlobal("tURL", lua.LString(s.URL))
+		},
+	)
+	assert.NotZero(t, tests.RunLuaTestFile(t, preload, "test/test_api.lua"))
+}

http/client/client.go

@@ -2,6 +2,7 @@ package http
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"log"
 	"net/http"
@@ -81,22 +82,24 @@ func checkClient(L *lua.LState) *LuaClient {
 
 // http.client(config) returns (user data, error)
 // config table:
-//   {
-//     proxy="http(s)://<user>:<password>@host:<port>",
-//     timeout= 10,
-//     insecure_ssl=false,
-//     user_agent = "gopher-lua",
-//     basic_auth_user = "",
-//     basic_auth_password = "",
-//     headers = {"key"="value"},
-//     debug = false,
-//   }
+//
+//	{
+//	  proxy="http(s)://<user>:<password>@host:<port>",
+//	  timeout= 10,
+//	  insecure_ssl=false,
+//	  user_agent = "gopher-lua",
+//	  basic_auth_user = "",
+//	  basic_auth_password = "",
+//	  headers = {"key"="value"},
+//	  debug = false,
+//	}
 func New(L *lua.LState) int {
 	var config *lua.LTable
 	if L.GetTop() > 0 {
 		config = L.CheckTable(1)
 	}
 	client := &LuaClient{Client: &http.Client{Timeout: DefaultTimeout}, userAgent: DefaultUserAgent}
+	tlsConfig := &tls.Config{}
 	transport := &http.Transport{}
 	// parse env
 	if proxyEnv := os.Getenv(`HTTP_PROXY`); proxyEnv != `` {
@@ -110,17 +113,35 @@ func New(L *lua.LState) int {
 	transport.IdleConnTimeout = DefaultTimeout
 	// parse config
 	if config != nil {
+		// Client Cert and Key go together and handling in loop is challenging - just pull them out here
+		clientPublicCertPEMFile := L.GetField(config, `client_public_cert_pem_file`)
+		clientPrivateKeyPemFile := L.GetField(config, `client_private_key_pem_file`)
+		if clientPublicCertPEMFile != lua.LNil && clientPrivateKeyPemFile != lua.LNil {
+			if _, ok := clientPublicCertPEMFile.(lua.LString); !ok {
+				L.ArgError(1, "client_public_cert_pem_file must be string")
+			}
+			if _, ok := clientPrivateKeyPemFile.(lua.LString); !ok {
+				L.ArgError(1, "client_private_key_pem_file must be string")
+			}
+			clientCert, err := tls.LoadX509KeyPair(clientPublicCertPEMFile.String(), clientPrivateKeyPemFile.String())
+			if err != nil {
+				L.RaiseError("error loading client certificate from %s and %s: %v",
+					clientPublicCertPEMFile, clientPrivateKeyPemFile, err)
+			}
+			tlsConfig.Certificates = []tls.Certificate{clientCert}
+			transport.TLSClientConfig = tlsConfig
+		}
 		config.ForEach(func(k lua.LValue, v lua.LValue) {
+			switch k.String() {
 			// parse timeout
-			if k.String() == `timeout` {
+			case `timeout`:
 				if value, ok := v.(lua.LNumber); ok {
 					client.Timeout = time.Duration(value) * time.Second
 				} else {
 					L.ArgError(1, "timeout must be number")
 				}
-			}
 			// parse proxy
-			if k.String() == `proxy` {
+			case `proxy`:
 				if value, ok := v.(lua.LString); ok {
 					proxyUrl, err := url.Parse(value.String())
 					if err == nil {
@@ -131,51 +152,59 @@ func New(L *lua.LState) int {
 				} else {
 					L.ArgError(1, "http_proxy must be string")
 				}
-			}
 			// parse insecure_ssl
-			if k.String() == `insecure_ssl` {
+			case `insecure_ssl`:
 				if value, ok := v.(lua.LBool); ok {
-					transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: bool(value)}
+					tlsConfig.InsecureSkipVerify = bool(value)
+					transport.TLSClientConfig = tlsConfig
 				} else {
 					L.ArgError(1, "insecure_ssl must be bool")
 				}
-			}
+			// parse root_cas
+			case `root_cas_pem_file`:
+				if value, ok := v.(lua.LString); ok {
+					pemData, err := os.ReadFile(string(value))
+					if err != nil {
+						L.RaiseError("error loading root_cas_pem_file from %s: %v", value, err)
+					}
+					tlsConfig.RootCAs = x509.NewCertPool()
+					tlsConfig.RootCAs.AppendCertsFromPEM(pemData)
+					transport.TLSClientConfig = tlsConfig
+				} else {
+					L.ArgError(1, "root_cas_pem_file must be string")
+				}
 			// parse user_agent
-			if k.String() == `user_agent` {
+			case `user_agent`:
 				if _, ok := v.(lua.LString); ok {
 					client.userAgent = v.String()
 				} else {
 					L.ArgError(1, "user_agent must be string")
 				}
-			}
 			// parse basic_auth_user
-			if k.String() == `basic_auth_user` {
+			case `basic_auth_user`:
 				if _, ok := v.(lua.LString); ok {
 					user := v.String()
 					client.basicAuthUser = &user
 				} else {
 					L.ArgError(1, "basic_auth_user must be string")
 				}
-			}
 			// parse basic_auth_password
-			if k.String() == `basic_auth_password` {
+			case `basic_auth_password`:
 				if _, ok := v.(lua.LString); ok {
 					password := v.String()
 					client.basicAuthPasswd = &password
 				} else {
 					L.ArgError(1, "basic_auth_password must be string")
 				}
-			}
 			// parse debug
-			if k.String() == `debug` {
+			case `debug`:
 				if value, ok := v.(lua.LBool); ok {
 					client.debug = bool(value)
 				} else {
 					L.ArgError(1, "debug must be bool")
 				}
-			}
 			// parse headers
-			if k.String() == `headers` {
+			case `headers`:
 				if tbl, ok := v.(*lua.LTable); ok {
 					headers := make(map[string]string, 0)
 					data, err := lua_json.ValueEncode(tbl)

http/test/data/mkcert.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+#
+# Make a test cert and key
+
+readonly MY_DIR="$(dirname "${BASH_SOURCE[0]}")"
+
+openssl req -nodes -x509 -newkey rsa:4096 -keyout "${MY_DIR}/test.key.pem" -out "${MY_DIR}/test.cert.pem" -sha256 \
+  -days 365000 -addext 'subjectAltName = IP:127.0.0.1'

http/test/data/test.cert.pem

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFEjCCAvqgAwIBAgIUJ3t8SQ3EvM+tOP+FKeiYTu9kOlAwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEdGVzdDAgFw0yMjExMDIyMDQ3MjdaGA8zMDIyMDMwNTIw
+NDcyN1owDzENMAsGA1UEAwwEdGVzdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
+AgoCggIBALg2f7EsfQoZWX0P7T2laOmOKMP+ciwVpV82yVC6CqlP7f85gyWjCqp/
++KcMAfxYWGWA64tz1F7IOVBNW85hR7aeQA9dG3x8541c31uJxaZuBz9+vMZ67+YZ
+ToSsDez1LYxRlW2+afTsAMBD8YGgsishCbCUA29UxO/JiMsSnZa+39QKQ1ent1gX
+VHQMblQTqyKpnetAnU3al/YWCqOe2kAxW+u2JMfycWxX3szkpzEMADzrXYvd1Gf4
+0wiYaxSRbmv2g2nM5czJjkAfJNRNVCbtL8Ih+8Qfv7JiMVfrbz6qkOOdaHkP1H13
+Hvv0ts0bPmNKDtxrobmRvV0bTcCnuQ2w9zBWNFRd3eP7Mj5ptwkQ8THtfBKgCTdl
+r0UvgIJWK2/t/riSWc7YdZ9Os0t+bwGGfgJiwy5YHl9ZOn0qzbNvlRv/m0Trzyl8
+z07APY7CgoqnS2wOhT0nT4ihVYQPch41xYKM9Y/el7M2P1IN5dHoZTqp/zP5xygV
+/xdCPMW4eFJucS1fiKAwQSd0RdxDM8wz6uq0AEZcc7Slxb24s6TMjTUPA2uDVw+r
+uXcW7ApxByasDNHHm9pfPuwUYAeKMhYDLhueImSiyU6R0xnfBKPM3DDqME2Dp941
+TyIU9RAG/uxIdpCygQcyJhCcXJIn9sp9/qapUwlNVMu1a2h6pHSxAgMBAAGjZDBi
+MB0GA1UdDgQWBBTWF7oiC4wRJCLlw/OW9Vi+/HHlQTAfBgNVHSMEGDAWgBTWF7oi
+C4wRJCLlw/OW9Vi+/HHlQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdEQQIMAaHBH8A
+AAEwDQYJKoZIhvcNAQELBQADggIBADWzGv8QptQc0HQ6yeCcYaV1QdHqmBAJuShQ
+QoX2+Bn7nMyhEiRCbG087HcTOz90AKn9h+SiEe8M2F6KF/k/y/0D28e9OHC35NIr
+alKqm/BPrcXcIqw6ZjdQt8fJV3SJecz0qZykBuyZX1yLviHoGTd3Yu9wi2qNat4O
+HzcNJDlXWoUgULKmeJFgaLqByI7XUCnPLVFJEyyPFhSGdkg0LmpTmSO06sU/o6Ru
+zEVE6HjuVCTXcI3cME56/658dEKOiPN0zpFSHrTe2StoQDcXPr5CnPr6j7W7dPt4
+ihr7ivLyRQLrhsWknSJgzs39YvXpz/Cif1UeI6AZY5HVAxiAIr4+wdeFvG1aA6fs
+Dv41gU9Xkv8mULVjqyQ8fF77KpHlOG+qz/9GsyttH1V/HhvuBSRr8QYaCW4ljmoO
+QG603kjsdWRAyOolsTh1Y7wxJ3kxsGu4NTTPRyrKo6VnIsEk06feDo6vanmTd6Qz
+B/kkQZ+CPFcFUMibfvtWv/o+2/XVFvaT+/Z7U9K2Kl0AZ5eP5GEyDvAPfsE7MQeq
+orBCNS9GOcQRJfgAOCOafn9hYmCz+aTUE6HJ8tawN6ObCo9sFdl1Dd8LY2y4+5nm
+BNU3892vjGhERmbaQluqUsTCGfCNsszw8aiyQSrSrf1GsSJD8BslHprojCMk8Oi2
+6lzZcLrN
+-----END CERTIFICATE-----

http/test/data/test.key.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC4Nn+xLH0KGVl9
+D+09pWjpjijD/nIsFaVfNslQugqpT+3/OYMlowqqf/inDAH8WFhlgOuLc9ReyDlQ
+TVvOYUe2nkAPXRt8fOeNXN9bicWmbgc/frzGeu/mGU6ErA3s9S2MUZVtvmn07ADA
+Q/GBoLIrIQmwlANvVMTvyYjLEp2Wvt/UCkNXp7dYF1R0DG5UE6siqZ3rQJ1N2pf2
+FgqjntpAMVvrtiTH8nFsV97M5KcxDAA8612L3dRn+NMImGsUkW5r9oNpzOXMyY5A
+HyTUTVQm7S/CIfvEH7+yYjFX628+qpDjnWh5D9R9dx779LbNGz5jSg7ca6G5kb1d
+G03Ap7kNsPcwVjRUXd3j+zI+abcJEPEx7XwSoAk3Za9FL4CCVitv7f64klnO2HWf
+TrNLfm8Bhn4CYsMuWB5fWTp9Ks2zb5Ub/5tE688pfM9OwD2OwoKKp0tsDoU9J0+I
+oVWED3IeNcWCjPWP3pezNj9SDeXR6GU6qf8z+ccoFf8XQjzFuHhSbnEtX4igMEEn
+dEXcQzPMM+rqtABGXHO0pcW9uLOkzI01DwNrg1cPq7l3FuwKcQcmrAzRx5vaXz7s
+FGAHijIWAy4bniJkoslOkdMZ3wSjzNww6jBNg6feNU8iFPUQBv7sSHaQsoEHMiYQ
+nFySJ/bKff6mqVMJTVTLtWtoeqR0sQIDAQABAoICAAJhYuhIU8PRBMrkzSskI21M
+Mtrog3NuIq1OrQ6L3uYl9CR9iuQuPY2rOmx3L2HiRt8l6bVLPYHtiq8O1to9f9Kc
+bCW+rWOgDhJxsimxx7HxP0r64WfbsBSsPEti2Um399sVtU1+HcqmT5KsdhcXm2HL
+Cx/i48H5KZPTKf88yfhIFmacLNdZwZjj8UmQHQ9dUzNvF20yMC4wvlC143SOkZGt
+iZtrxsEmMQDGSGjjpgTwW6Lt5C8x4kQnLxvv80dIY1HGFVflR81sB9hshppvNuCL
+ZVf3/jPAOMcOdYaGMnFv/RAR6UcSNSvbYZU+KewP13ArRXKj+eqm11h4CTrNeArP
+fyyDqhWshxE6A4EE+pr94ROqPnkg6oZSFQUj/oie1i0TF9t0pNiuJYXR0acfDfqy
+vunVnSz3OAMra6FbOxgVREk7iOouXKI47a7RK0N1BGAGq83DxsgcpPBQwEJmf193
+8Iz2IRziLRJmdp8lMAvkgUS+h6GpG704MefnYuV4aLpgPOzlAhMcOBBRGygxNGtp
+fjoEhwqZO/IAjpFaRvXAXJqbAVUZuccvf8ESFQgiUGTqmAqKEOC7avtIS1O6zvfS
+f0kH9RNZvTmHSSZNhfUUu/kLwmojmlaYEYsxrtKB/g860SC/VtB2XCaqowt0aq5v
+33TOaQSwjOfGHf1e4uWBAoIBAQDqDiu2Rq3S5J8aGwW0Snwb6+ocZEN+H9bb7G00
+7NY1sMeDdQV0ldl3LERc/j30zK9DzVH3B/fqOSYkJaqZB7XxUyt1BQQpfN30xsbc
+44XiM4Udr0vKYwNB0o6y7X9IbSIjlQnY6WUKXoHYdy4pZo2YJU/fuOBHVLoP7NUp
+9Nacyi7hkZ8bAznrjkc5ymfW4HGNVZboOqqlJUYioB7q5AoNa9Hcl7MsWeT2VuKW
+muZU32D0fylYUpO4OHSE2Wf3EhL/ooftyLVxy7Lp1X8NDVR5TDKSqwGCblMiZnOG
+g2C9qY2gfWepXVRFmHbXJNS+R3AYvXM70YQwFohEf3BfiRzBAoIBAQDJfACOEDxe
+PN3s/8jBBjws4qe75B5dh4Py97bpaDi628twHO/Whe3miLuJAribjU+8hCcsgybk
+s345kBKB6xOj2zzPUBg+lHh6WHy/i0T8BMwDaGDudXbxc3dmIKIKYoPkicB65Iaj
+HXj/dhyepgLQmQRH813wrEtbKkxIyHMdlctK4ikifDgxrXYv/FQBvEAdE3QjuET9
+T35rZW4utosx5HLYW5dfc7DD1mksIvoQIYF6p7pQGZ0EcXRD9WeSnKDRj0V5YJTp
+GVZt3BmAiMEeHeiVH67sVgMcPPqDZ9crPEnMQMh29vHcTwTh1Vr0R9NyBVTe9GWe
+I+d2leV6IiPxAoIBAC1o4Gw13EWdW4zqDzpCdT/JjptBjKKstLfob+ujw4+ZI6xK
+iOtso0tuyDiujwCusZZbAHsIDb5gphi/QhD8oP0YIMdMWNlfw4RZCH4UmoYfbsUq
+nG7AtQIRQuROFbLMkaILqWRvK85ONaz0un0Hy5LoMk36hXDxbEPotBa2zOiQhXX4
+FcFc5+DesszwiyLyWrWMFIIr163AxJG1NSpnYdfmwkmlGPsS2cw9YSrNFMEEsb/d
+5/yd0NEeCuU3dOdHl24Hb43fsexJFAYwCL1Uh74c3Xb9PIa8tt5muCUx2hQSEEtB
+6Vm/pLj38p6dI7VjEMmMAA5sANR/mqKHgxrV9EECggEBALTp8R2emnYLtUG/EqWv
+UY0EH5RoapOUwPgDUWwXNwkhnnQWp4w6Sbk8gRevJ9AUfMpK51nikaO9P9Oz98pM
+KCBzFREZXAulCODiX3EmPlUEgaN1r8OuGZUIFufO2XD1sHQe9IPkergwGJtZlK0n
+Z1OiceOhNHKMYkWDn2ejBSpFfHrKxCDA5TxGAt9ndI7yV6dD9n60UM4a+Oq58stj
+AW1VMYHwC+WbXdcayOjmpx6g10ApJvQRa5m3vavfyJYuqYBBYyJvhIYhSCfw/70Y
+Dj9an6J3BnwTZ0uNvWsMbHnX8nPCn72iUt183mdhSgAaFlRFUUW4sR3kI0upoJmf
+2iECggEBAJQezwT/L7PqBXSnpLk0nCJ2BDMScvuNH9E51KXhDI9i2dPswYYkoI2P
+/eCP9xm2Qe/nHmjPiy568JbEAXTjxwZqtZJ8YpS75ObR0uoUfaPWE7BECOgxeOkK
+A8jjmRzXAkmuQz3+LeBikLcRKC3cPnsYgt5ujUV7CwW1HIvFW/lMZ7egPJjoR94g
+laTtMdSQCMJZGOQZQECnSenlqvWZZvfwjuwv8nNGu+G7eTSVAY5013LohPaShQCe
+sR612qqZRWL+a9lLu9DSpwWD013KH0S+axddPlIw2RHkSGZQ1YUlavRPe1wyKoyh
+WixrUGdUTlPU9nWE0s9Eyf+G5gwezYg=
+-----END PRIVATE KEY-----

http/test/test_api.lua

@@ -0,0 +1,26 @@
+local http = require 'http_client'
+
+function TestMTLS(t)
+    assert(tURL, 'tURL global is not set')
+
+    t:Run('no-client-cert fails', function(t)
+        local client = http.client()
+        local req, err = http.request("GET", tURL)
+        assert(not err, tostring(err))
+        local resp, err = client:do_request(req)
+        assert(err, tostring(err))
+    end)
+
+    t:Run('client-cert passes', function(t)
+        local client = http.client {
+            root_cas_pem_file = 'test/data/test.cert.pem',
+            client_public_cert_pem_file = 'test/data/test.cert.pem',
+            client_private_key_pem_file = 'test/data/test.key.pem',
+        }
+        local req, err = http.request("GET", tURL)
+        assert(not err, tostring(err))
+        local resp, err = client:do_request(req)
+        assert(not err, tostring(err))
+        assert(resp.code == 200, tostring(resp.code))
+    end)
+end