feat: accept self-signed certificates (#2801) (#2923)

benches/impl_path_string_for_evaluation_context.rs

@@ -39,7 +39,8 @@ impl Http {
             .http2_keep_alive_while_idle(upstream.keep_alive_while_idle)
             .pool_idle_timeout(Some(Duration::from_secs(upstream.pool_idle_timeout)))
             .pool_max_idle_per_host(upstream.pool_max_idle_per_host)
-            .user_agent(upstream.user_agent.clone());
+            .user_agent(upstream.user_agent.clone())
+            .danger_accept_invalid_certs(!upstream.verify_ssl);
 
         // Add Http2 Prior Knowledge
         if upstream.http2_only {

generated/.tailcallrc.graphql

@@ -452,6 +452,13 @@ directive @upstream(
   The User-Agent header value to be used in HTTP requests. @default `Tailcall/1.0`
   """
   userAgent: String
+  """
+  A boolean value that determines whether to verify certificates. Setting this as `false` 
+  will make tailcall accept self-signed certificates. NOTE: use this *only* during 
+  development or testing. It is highly recommended to keep this enabled (`true`) in 
+  production.
+  """
+  verifySSL: Boolean
 ) on SCHEMA
 
 """

generated/.tailcallrc.schema.json

@@ -1682,6 +1682,13 @@
             "string",
             "null"
           ]
+        },
+        "verifySSL": {
+          "description": "A boolean value that determines whether to verify certificates. Setting this as `false` will make tailcall accept self-signed certificates. NOTE: use this *only* during development or testing. It is highly recommended to keep this enabled (`true`) in production.",
+          "type": [
+            "boolean",
+            "null"
+          ]
         }
       },
       "additionalProperties": false

src/cli/runtime/http.rs

@@ -95,7 +95,8 @@ impl NativeHttp {
             .http2_keep_alive_while_idle(upstream.keep_alive_while_idle)
             .pool_idle_timeout(Some(Duration::from_secs(upstream.pool_idle_timeout)))
             .pool_max_idle_per_host(upstream.pool_max_idle_per_host)
-            .user_agent(upstream.user_agent.clone());
+            .user_agent(upstream.user_agent.clone())
+            .danger_accept_invalid_certs(!upstream.verify_ssl);
 
         // Add Http2 Prior Knowledge
         if upstream.http2_only {

src/core/blueprint/upstream.rs

@@ -28,6 +28,7 @@ pub struct Upstream {
     pub batch: Option<Batch>,
     pub http2_only: bool,
     pub on_request: Option<String>,
+    pub verify_ssl: bool,
 }
 
 impl Upstream {
@@ -82,6 +83,7 @@ impl TryFrom<&ConfigModule> for Upstream {
                 batch,
                 http2_only: (config_upstream).get_http_2_only(),
                 on_request: (config_upstream).get_on_request(),
+                verify_ssl: (config_upstream).get_verify_ssl(),
             })
             .to_result()
     }

src/core/config/upstream.rs

@@ -4,9 +4,9 @@ use derive_setters::Setters;
 use serde::{Deserialize, Serialize};
 use tailcall_macros::{DirectiveDefinition, InputDefinition};
 
-use crate::core::is_default;
 use crate::core::macros::MergeRight;
 use crate::core::merge_right::MergeRight;
+use crate::core::{default_verify_ssl, is_default, verify_ssl_is_default};
 
 const DEFAULT_MAX_SIZE: usize = 100;
 
@@ -144,6 +144,18 @@ pub struct Upstream {
     /// The User-Agent header value to be used in HTTP requests. @default
     /// `Tailcall/1.0`
     pub user_agent: Option<String>,
+
+    #[serde(
+        default = "default_verify_ssl",
+        rename = "verifySSL",
+        skip_serializing_if = "verify_ssl_is_default"
+    )]
+    /// A boolean value that determines whether to verify certificates.
+    /// Setting this as `false` will make tailcall accept self-signed
+    /// certificates. NOTE: use this *only* during development or testing.
+    /// It is highly recommended to keep this enabled (`true`) in
+    /// production.
+    pub verify_ssl: Option<bool>,
 }
 
 impl Upstream {
@@ -191,14 +203,16 @@ impl Upstream {
             .as_ref()
             .map_or(DEFAULT_MAX_SIZE, |b| b.max_size.unwrap_or(DEFAULT_MAX_SIZE))
     }
-
     pub fn get_http_2_only(&self) -> bool {
         self.http2_only.unwrap_or(false)
     }
 
     pub fn get_on_request(&self) -> Option<String> {
         self.on_request.clone()
     }
+    pub fn get_verify_ssl(&self) -> bool {
+        self.verify_ssl.unwrap_or(true)
+    }
 }
 
 #[cfg(test)]

src/core/mod.rs

@@ -57,6 +57,11 @@ pub use mustache::Mustache;
 pub use tailcall_macros as macros;
 pub use transform::Transform;
 
+const DEFAULT_VERIFY_SSL: bool = true;
+pub const fn default_verify_ssl() -> Option<bool> {
+    Some(DEFAULT_VERIFY_SSL)
+}
+
 pub trait EnvIO: Send + Sync + 'static {
     fn get(&self, key: &str) -> Option<Cow<'_, str>>;
 }
@@ -102,6 +107,10 @@ pub fn is_default<T: Default + Eq>(val: &T) -> bool {
     *val == T::default()
 }
 
+pub fn verify_ssl_is_default(val: &Option<bool>) -> bool {
+    val.is_none() || val.unwrap()
+}
+
 #[cfg(test)]
 pub mod tests {
     use std::collections::HashMap;

src/core/runtime.rs

@@ -86,7 +86,8 @@ pub mod test {
                 .http2_keep_alive_while_idle(upstream.keep_alive_while_idle)
                 .pool_idle_timeout(Some(Duration::from_secs(upstream.pool_idle_timeout)))
                 .pool_max_idle_per_host(upstream.pool_max_idle_per_host)
-                .user_agent(upstream.user_agent.clone());
+                .user_agent(upstream.user_agent.clone())
+                .danger_accept_invalid_certs(!upstream.verify_ssl);
 
             // Add Http2 Prior Knowledge
             if upstream.http2_only {

tests/server_spec.rs

@@ -43,7 +43,8 @@ pub mod test {
                 .http2_keep_alive_while_idle(upstream.keep_alive_while_idle)
                 .pool_idle_timeout(Some(Duration::from_secs(upstream.pool_idle_timeout)))
                 .pool_max_idle_per_host(upstream.pool_max_idle_per_host)
-                .user_agent(upstream.user_agent.clone());
+                .user_agent(upstream.user_agent.clone())
+                .danger_accept_invalid_certs(!upstream.verify_ssl);
 
             // Add Http2 Prior Knowledge
             if upstream.http2_only {