dex/pkg/httpclient/httpclient.go

package httpclient

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"net"
	"net/http"
	"os"
	"time"
)

func extractCAs(input []string) [][]byte {
	result := make([][]byte, 0, len(input))
	for _, ca := range input {
		if ca == "" {
			continue
		}

		pemData, err := os.ReadFile(ca)
		if err != nil {
			pemData, err = base64.StdEncoding.DecodeString(ca)
			if err != nil {
				pemData = []byte(ca)
			}
		}

		result = append(result, pemData)
	}
	return result
}

func NewHTTPClient(rootCAs []string, insecureSkipVerify bool) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, err
	}

	tlsConfig := tls.Config{RootCAs: pool, InsecureSkipVerify: insecureSkipVerify}
	for index, rootCABytes := range extractCAs(rootCAs) {
		if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCABytes) {
			return nil, fmt.Errorf("rootCAs.%d is not in PEM format, certificate must be "+
				"a PEM encoded string, a base64 encoded bytes that contain PEM encoded string, "+
				"or a path to a PEM encoded certificate", index)
		}
	}

	return &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tlsConfig,
			Proxy:           http.ProxyFromEnvironment,
			DialContext: (&net.Dialer{
				Timeout:   30 * time.Second,
				KeepAlive: 30 * time.Second,
				DualStack: true,
			}).DialContext,
			MaxIdleConns:          100,
			IdleConnTimeout:       90 * time.Second,
			TLSHandshakeTimeout:   10 * time.Second,
			ExpectContinueTimeout: 1 * time.Second,
		},
	}, nil
}