authorAlex Auvolat <alex@adnab.me>2022-08-24 17:53:33 +0200
committerAlex Auvolat <alex@adnab.me>2022-08-24 17:53:33 +0200
commit5007077f1dcb0778e4433d7b43900072e3f0ca4b (patch)
tree136f63e93e801e64c1295b2f13f5c28288e4c976
parent698236cdb4ed6e0280f87da4006bd53dce8b3dc1 (diff)
downloadtricot-5007077f1dcb0778e4433d7b43900072e3f0ca4b.tar.gz
tricot-5007077f1dcb0778e4433d7b43900072e3f0ca4b.zip
Add possibility to skip TLS server certificate verification
-rw-r--r--src/consul.rs42
-rw-r--r--src/main.rs5
2 files changed, 34 insertions, 13 deletions
diff --git a/src/consul.rs b/src/consul.rs
index cba435a..13b99d8 100644
--- a/src/consul.rs
+++ b/src/consul.rs
@@ -11,6 +11,7 @@ use serde::{Deserialize, Serialize};
pub struct ConsulConfig {
pub addr: String,
pub ca_cert: Option<String>,
+ pub tls_skip_verify: bool,
pub client_cert: Option<String>,
pub client_key: Option<String>,
}
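Review bot: `tls_skip_verify` is added to the public `ConsulConfig` struct without a doc comment, and its effect is stronger than the name suggests: per the `Consul::new` hunk below it makes the client accept any server certificate and, when set, `ca_cert` is never read. State that on the field so callers constructing the struct see it, e.g. `/// Accept any Consul server certificate without verification. When true, ca_cert is not used.`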
@@ -88,26 +89,41 @@ pub struct Consul {
impl Consul {
pub fn new(config: ConsulConfig, kv_prefix: &str, local_node: &str) -> Result<Self> {
- let client = match (&config.ca_cert, &config.client_cert, &config.client_key) {
- (Some(ca_cert), Some(client_cert), Some(client_key)) => {
- let mut ca_cert_buf = vec![];
- File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
-
+ let client = match (&config.client_cert, &config.client_key) {
+ (Some(client_cert), Some(client_key)) => {
let mut client_cert_buf = vec![];
File::open(client_cert)?.read_to_end(&mut client_cert_buf)?;
let mut client_key_buf = vec![];
File::open(client_key)?.read_to_end(&mut client_key_buf)?;
- reqwest::Client::builder()
- .use_rustls_tls()
- .add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?)
- .identity(reqwest::Identity::from_pem(
- &[&client_cert_buf[..], &client_key_buf[..]].concat()[..],
- )?)
- .build()?
+ let identity = reqwest::Identity::from_pem(
+ &[&client_cert_buf[..], &client_key_buf[..]].concat()[..],
+ )?;
+
+ if config.tls_skip_verify {
+ reqwest::Client::builder()
+ .use_rustls_tls()
+ .danger_accept_invalid_certs(true)
+ .identity(identity)
+ .build()?
+ } else if let Some(ca_cert) = &config.ca_cert {
+ let mut ca_cert_buf = vec![];
+ File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
+
+ reqwest::Client::builder()
+ .use_rustls_tls()
+ .add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?)
+ .identity(identity)
+ .build()?
+ } else {
+ reqwest::Client::builder()
+ .use_rustls_tls()
+ .identity(identity)
+ .build()?
+ }
}
- (None, None, None) => reqwest::Client::new(),
+ (None, None) => reqwest::Client::new(),
_ => bail!("Incomplete Consul TLS configuration parameters"),
};
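Review bot: `tls_skip_verify` and `ca_cert` are silently ignored unless both `client_cert` and `client_key` are set, because the `(None, None)` arm still returns `reqwest::Client::new()` and the `ca_cert` handling now lives inside the identity arm. Before this change `ca_cert` on its own reached `bail!("Incomplete Consul TLS configuration parameters")`; now it is accepted and dropped, so an operator who configures a private CA without a client certificate gets the default trust roots with no error, and `tls_skip_verify` without an identity has no effect either. Building the TLS options once and applying them in both arms fixes this while keeping the untouched `Client::new()` path for the case where no TLS option at all is given; the precedence of `tls_skip_verify` over `ca_cert` should also be stated in a comment rather than left implicit in the `if`/`else if` order. `Consul::new` continues past the end of this hunk.

```rust
pub fn new(config: ConsulConfig, kv_prefix: &str, local_node: &str) -> Result<Self> {
    // TLS options apply whether or not a client identity is configured.
    let mut builder = reqwest::Client::builder().use_rustls_tls();
    if config.tls_skip_verify {
        // Any server certificate is accepted; ca_cert is deliberately not consulted here.
        builder = builder.danger_accept_invalid_certs(true);
    } else if let Some(ca_cert) = &config.ca_cert {
        let mut ca_cert_buf = vec![];
        File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
        builder = builder.add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?);
    }
    let tls_configured = config.tls_skip_verify || config.ca_cert.is_some();

    let client = match (&config.client_cert, &config.client_key) {
        (Some(client_cert), Some(client_key)) => {
            // … unchanged: read client_cert/client_key into `identity` …
            builder.identity(identity).build()?
        }
        // Keep the default client only when no TLS option at all is given.
        (None, None) if !tls_configured => reqwest::Client::new(),
        (None, None) => builder.build()?,
        _ => bail!("Incomplete Consul TLS configuration parameters"),
    };
    // … unchanged: rest of Consul::new …
```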
diff --git a/src/main.rs b/src/main.rs
index dada7e7..edc79b4 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -40,6 +40,10 @@ struct Opt {
#[structopt(long = "consul-ca-cert", env = "TRICOT_CONSUL_CA_CERT")]
pub consul_ca_cert: Option<String>,
+ /// Skip TLS verification for Consul
+ #[structopt(long = "consul-tls-skip-verify", env = "TRICOT_CONSUL_TLS_SKIP_VERIFY")]
+ pub consul_tls_skip_verify: bool,
+
/// Client certificate for Consul server with TLS
#[structopt(long = "consul-client-cert", env = "TRICOT_CONSUL_CLIENT_CERT")]
pub consul_client_cert: Option<String>,
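Review bot: The doc comment on `consul_tls_skip_verify` should say what is disabled and how it interacts with `--consul-ca-cert`, since in the `consul.rs` hunk the flag is checked before `ca_cert` and wins; e.g. `/// Do not verify the Consul server's TLS certificate (any certificate is accepted); takes precedence over --consul-ca-cert`. As this is a `bool` field bound to an `env` variable, it is also worth confirming how structopt interprets `TRICOT_CONSUL_TLS_SKIP_VERIFY` when it is set to an explicit value such as `false` — I cannot verify that from this hunk.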
@@ -122,6 +126,7 @@ async fn main() {
let consul_config = consul::ConsulConfig {
addr: opt.consul_addr.clone(),
ca_cert: opt.consul_ca_cert.clone(),
+ tls_skip_verify: opt.consul_tls_skip_verify,
client_cert: opt.consul_client_cert.clone(),
client_key: opt.consul_client_key.clone(),
};