Address issue #612

New `—cert-file`, `—key-file` and `—ca-file` global flags added that allow customer certificates to be loaded and used.

Author: daveshanley

cmd/build_results.go

@@ -6,7 +6,9 @@ import (
 	"github.com/daveshanley/vacuum/model"
 	"github.com/daveshanley/vacuum/motor"
 	"github.com/daveshanley/vacuum/rulesets"
+	"github.com/daveshanley/vacuum/utils"
 	"github.com/pterm/pterm"
+	"net/http"
 	"os"
 	"strings"
 	"time"
@@ -20,8 +22,9 @@ func BuildResults(
 	customFunctions map[string]model.RuleFunction,
 	base string,
 	remote bool,
-	timeout time.Duration) (*model.RuleResultSet, *motor.RuleSetExecutionResult, error) {
-	return BuildResultsWithDocCheckSkip(silent, hardMode, rulesetFlag, specBytes, customFunctions, base, remote, false, timeout)
+	timeout time.Duration,
+	httpClientConfig utils.HTTPClientConfig) (*model.RuleResultSet, *motor.RuleSetExecutionResult, error) {
+	return BuildResultsWithDocCheckSkip(silent, hardMode, rulesetFlag, specBytes, customFunctions, base, remote, false, timeout, httpClientConfig)
 }
 
 func BuildResultsWithDocCheckSkip(
@@ -33,7 +36,8 @@ func BuildResultsWithDocCheckSkip(
 	base string,
 	remote bool,
 	skipCheck bool,
-	timeout time.Duration) (*model.RuleResultSet, *motor.RuleSetExecutionResult, error) {
+	timeout time.Duration,
+	httpClientConfig utils.HTTPClientConfig) (*model.RuleResultSet, *motor.RuleSetExecutionResult, error) {
 
 	// read spec and parse
 	defaultRuleSets := rulesets.BuildDefaultRuleSets()
@@ -62,24 +66,35 @@ func BuildResultsWithDocCheckSkip(
 	// if ruleset has been supplied, lets make sure it exists, then load it in
 	// and see if it's valid. If so - let's go!
 	if rulesetFlag != "" {
+		
+		// Create HTTP client for remote ruleset downloads if needed
+		var httpClient *http.Client
+		if utils.ShouldUseCustomHTTPClient(httpClientConfig) {
+			var clientErr error
+			httpClient, clientErr = utils.CreateCustomHTTPClient(httpClientConfig)
+			if clientErr != nil {
+				return nil, nil, fmt.Errorf("failed to create custom HTTP client: %w", clientErr)
+			}
+		}
 
 		if strings.HasPrefix(rulesetFlag, "http") {
 			// Handle remote ruleset URL
 			if !remote {
 				return nil, nil, fmt.Errorf("remote ruleset specified but remote flag is disabled (use --remote=true or -u=true)")
 			}
-			downloadedRS, rsErr := rulesets.DownloadRemoteRuleSet(context.Background(), rulesetFlag)
+			
+			downloadedRS, rsErr := rulesets.DownloadRemoteRuleSet(context.Background(), rulesetFlag, httpClient)
 			if rsErr != nil {
 				return nil, nil, rsErr
 			}
-			selectedRS = defaultRuleSets.GenerateRuleSetFromSuppliedRuleSet(downloadedRS)
+			selectedRS = defaultRuleSets.GenerateRuleSetFromSuppliedRuleSetWithHTTPClient(downloadedRS, httpClient)
 		} else {
 			// Handle local ruleset file
 			rsBytes, rsErr := os.ReadFile(rulesetFlag)
 			if rsErr != nil {
 				return nil, nil, rsErr
 			}
-			selectedRS, rsErr = BuildRuleSetFromUserSuppliedSet(rsBytes, defaultRuleSets)
+			selectedRS, rsErr = BuildRuleSetFromUserSuppliedSetWithHTTPClient(rsBytes, defaultRuleSets, httpClient)
 			if rsErr != nil {
 				return nil, nil, rsErr
 			}
@@ -96,6 +111,7 @@ func BuildResultsWithDocCheckSkip(
 		SkipDocumentCheck: skipCheck,
 		AllowLookup:       remote,
 		Timeout:           timeout,
+		HTTPClientConfig:  httpClientConfig,
 	})
 
 	resultSet := model.NewRuleResultSet(ruleset.Results)

cmd/build_results_test.go

@@ -1,16 +1,17 @@
 package cmd
 
 import (
+	"github.com/daveshanley/vacuum/utils"
 	"github.com/stretchr/testify/assert"
 	"testing"
 )
 
 func TestBuildResults(t *testing.T) {
-	_, _, err := BuildResults(false, false, "nuggets", nil, nil, "", true, 5)
+	_, _, err := BuildResults(false, false, "nuggets", nil, nil, "", true, 5, utils.HTTPClientConfig{})
 	assert.Error(t, err)
 }
 
 func TestBuildResults_SkipCheck(t *testing.T) {
-	_, _, err := BuildResultsWithDocCheckSkip(false, false, "nuggets", nil, nil, "", true, true, 5)
+	_, _, err := BuildResultsWithDocCheckSkip(false, false, "nuggets", nil, nil, "", true, true, 5, utils.HTTPClientConfig{})
 	assert.Error(t, err)
 }

cmd/dashboard.go

@@ -8,6 +8,7 @@ import (
 	"github.com/daveshanley/vacuum/cui"
 	"github.com/daveshanley/vacuum/model"
 	"github.com/daveshanley/vacuum/motor"
+	"github.com/daveshanley/vacuum/utils"
 	vacuum_report "github.com/daveshanley/vacuum/vacuum-report"
 	"github.com/pb33f/libopenapi/datamodel"
 	"github.com/pb33f/libopenapi/index"
@@ -67,8 +68,19 @@ func GetDashboardCommand() *cobra.Command {
 				customFunctions, _ := LoadCustomFunctions(functionsFlag, silent)
 
 				rulesetFlag, _ := cmd.Flags().GetString("ruleset")
+			
+			// Certificate/TLS configuration
+			certFile, _ := cmd.Flags().GetString("cert-file")
+			keyFile, _ := cmd.Flags().GetString("key-file")
+			caFile, _ := cmd.Flags().GetString("ca-file")
+			insecure, _ := cmd.Flags().GetBool("insecure")
 				resultSet, ruleset, err = BuildResultsWithDocCheckSkip(false, hardModeFlag, rulesetFlag, specBytes, customFunctions,
-					baseFlag, remoteFlag, skipCheckFlag, time.Duration(timeoutFlag)*time.Second)
+					baseFlag, remoteFlag, skipCheckFlag, time.Duration(timeoutFlag)*time.Second, utils.HTTPClientConfig{
+						CertFile: certFile,
+						KeyFile:  keyFile,
+						CAFile:   caFile,
+						Insecure: insecure,
+					})
 				if err != nil {
 					pterm.Error.Printf("Failed to render dashboard: %v\n\n", err)
 					return err

cmd/html_report.go

@@ -10,6 +10,7 @@ import (
 	"github.com/daveshanley/vacuum/model/reports"
 	"github.com/daveshanley/vacuum/motor"
 	"github.com/daveshanley/vacuum/statistics"
+	"github.com/daveshanley/vacuum/utils"
 	vacuum_report "github.com/daveshanley/vacuum/vacuum-report"
 	"github.com/pb33f/libopenapi/datamodel"
 	"github.com/pb33f/libopenapi/index"
@@ -96,8 +97,20 @@ func GetHTMLReportCommand() *cobra.Command {
 				customFunctions, _ := LoadCustomFunctions(functionsFlag, silent)
 
 				rulesetFlag, _ := cmd.Flags().GetString("ruleset")
+				
+				// Certificate/TLS configuration
+				certFile, _ := cmd.Flags().GetString("cert-file")
+				keyFile, _ := cmd.Flags().GetString("key-file")
+				caFile, _ := cmd.Flags().GetString("ca-file")
+				insecure, _ := cmd.Flags().GetBool("insecure")
+				
 				resultSet, ruleset, err = BuildResultsWithDocCheckSkip(false, hardModeFlag, rulesetFlag, specBytes, customFunctions,
-					baseFlag, remoteFlag, skipCheckFlag, time.Duration(timeoutFlag)*time.Second)
+					baseFlag, remoteFlag, skipCheckFlag, time.Duration(timeoutFlag)*time.Second, utils.HTTPClientConfig{
+						CertFile: certFile,
+						KeyFile:  keyFile,
+						CAFile:   caFile,
+						Insecure: insecure,
+					})
 				if err != nil {
 					pterm.Error.Printf("Failed to generate report: %v\n\n", err)
 					return err

cmd/language_server.go

@@ -12,6 +12,7 @@ import (
 	"github.com/spf13/cobra"
 	"io"
 	"log/slog"
+	"net/http"
 )
 
 func GetLanguageServerCommand() *cobra.Command {
@@ -60,8 +61,31 @@ IDE and start linting your OpenAPI documents in real-time.`,
 
 			if rulesetFlag != "" {
 				remoteFlag, _ := cmd.Flags().GetBool("remote")
+				
+				// Certificate/TLS configuration for language server
+				certFile, _ := cmd.Flags().GetString("cert-file")
+				keyFile, _ := cmd.Flags().GetString("key-file")
+				caFile, _ := cmd.Flags().GetString("ca-file")
+				insecure, _ := cmd.Flags().GetBool("insecure")
+				
+				// Create HTTP client for remote ruleset downloads if needed
+				var httpClient *http.Client
+				httpClientConfig := utils.HTTPClientConfig{
+					CertFile: certFile,
+					KeyFile:  keyFile,
+					CAFile:   caFile,
+					Insecure: insecure,
+				}
+				if utils.ShouldUseCustomHTTPClient(httpClientConfig) {
+					var clientErr error
+					httpClient, clientErr = utils.CreateCustomHTTPClient(httpClientConfig)
+					if clientErr != nil {
+						return clientErr
+					}
+				}
+				
 				var rsErr error
-				selectedRS, rsErr = BuildRuleSetFromUserSuppliedLocation(rulesetFlag, defaultRuleSets, remoteFlag)
+				selectedRS, rsErr = BuildRuleSetFromUserSuppliedLocation(rulesetFlag, defaultRuleSets, remoteFlag, httpClient)
 				if rsErr != nil {
 					return rsErr
 				}

cmd/lint.go

@@ -10,6 +10,7 @@ import (
 	"github.com/daveshanley/vacuum/statistics"
 	"gopkg.in/yaml.v3"
 	"log/slog"
+	"net/http"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -73,6 +74,12 @@ func GetLintCommand() *cobra.Command {
 			// https://github.com/daveshanley/vacuum/issues/636
 			showRules, _ := cmd.Flags().GetBool("show-rules")
 
+			// Certificate/TLS configuration
+			certFile, _ := cmd.Flags().GetString("cert-file")
+			keyFile, _ := cmd.Flags().GetString("key-file")
+			caFile, _ := cmd.Flags().GetString("ca-file")
+			insecure, _ := cmd.Flags().GetBool("insecure")
+
 			// disable color and styling, for CI/CD use.
 			// https://github.com/daveshanley/vacuum/issues/234
 			if noStyleFlag || pipelineOutput {
@@ -180,8 +187,25 @@ func GetLintCommand() *cobra.Command {
 			// and see if it's valid. If so - let's go!
 			if rulesetFlag != "" {
 
+				// Create HTTP client for remote ruleset downloads if needed
+				var httpClient *http.Client
+				httpClientConfig := utils.HTTPClientConfig{
+					CertFile: certFile,
+					KeyFile:  keyFile,
+					CAFile:   caFile,
+					Insecure: insecure,
+				}
+				if utils.ShouldUseCustomHTTPClient(httpClientConfig) {
+					var clientErr error
+					httpClient, clientErr = utils.CreateCustomHTTPClient(httpClientConfig)
+					if clientErr != nil {
+						pterm.Error.Printf("Failed to create custom HTTP client: %s\n", clientErr.Error())
+						return clientErr
+					}
+				}
+
 				var rsErr error
-				selectedRS, rsErr = BuildRuleSetFromUserSuppliedLocation(rulesetFlag, defaultRuleSets, remoteFlag)
+				selectedRS, rsErr = BuildRuleSetFromUserSuppliedLocation(rulesetFlag, defaultRuleSets, remoteFlag, httpClient)
 				if rsErr != nil {
 					pterm.Error.Printf("Unable to load ruleset '%s': %s\n", rulesetFlag, rsErr.Error())
 					pterm.Println()
@@ -273,6 +297,12 @@ func GetLintCommand() *cobra.Command {
 						ExtensionRefs:            extensionRefsFlag,
 						PipelineOutput:           pipelineOutput,
 						ShowRules:                showRules,
+						HTTPClientConfig:         utils.HTTPClientConfig{
+							CertFile: certFile,
+							KeyFile:  keyFile,
+							CAFile:   caFile,
+							Insecure: insecure,
+						},
 					}
 					st, fs, fp, err := lintFile(lfr)
 
@@ -413,6 +443,7 @@ func lintFile(req utils.LintFileRequest) (*reports.ReportStatistics, int64, int,
 		IgnoreCircularArrayRef:          req.IgnoreArrayCircleRef,
 		IgnoreCircularPolymorphicRef:    req.IgnorePolymorphCircleRef,
 		ExtractReferencesFromExtensions: req.ExtensionRefs,
+		HTTPClientConfig:                req.HTTPClientConfig,
 	})
 
 	result.Results = filterIgnoredResults(result.Results, req.IgnoredResults)

cmd/root.go

@@ -65,6 +65,10 @@ func GetRootCommand() *cobra.Command {
 	rootCmd.PersistentFlags().IntP("timeout", "g", 5, "Rule timeout in seconds, default is 5 seconds")
 	rootCmd.PersistentFlags().BoolP("hard-mode", "z", false, "Enable all the built-in rules, even the OWASP ones. This is the level to beat!")
 	rootCmd.PersistentFlags().BoolP("ext-refs", "", false, "Turn on $ref lookups and resolving for extensions (x-) objects")
+	rootCmd.PersistentFlags().String("cert-file", "", "Path to client certificate file for HTTPS requests")
+	rootCmd.PersistentFlags().String("key-file", "", "Path to client private key file for HTTPS requests")
+	rootCmd.PersistentFlags().String("ca-file", "", "Path to CA certificate file for HTTPS requests")
+	rootCmd.PersistentFlags().Bool("insecure", false, "Skip TLS certificate verification (insecure)")
 
 	if regErr := rootCmd.RegisterFlagCompletionFunc("functions", cobra.FixedCompletions(
 		[]string{"so"}, cobra.ShellCompDirectiveFilterFileExt,
@@ -79,6 +83,24 @@ func GetRootCommand() *cobra.Command {
 	if regErr := rootCmd.RegisterFlagCompletionFunc("timeout", cobra.NoFileCompletions); regErr != nil {
 		panic(regErr)
 	}
+	if regErr := rootCmd.RegisterFlagCompletionFunc("cert-file", cobra.FixedCompletions(
+		[]string{"crt", "pem", "cert"}, cobra.ShellCompDirectiveFilterFileExt,
+	)); regErr != nil {
+		panic(regErr)
+	}
+	if regErr := rootCmd.RegisterFlagCompletionFunc("key-file", cobra.FixedCompletions(
+		[]string{"key", "pem"}, cobra.ShellCompDirectiveFilterFileExt,
+	)); regErr != nil {
+		panic(regErr)
+	}
+	if regErr := rootCmd.RegisterFlagCompletionFunc("ca-file", cobra.FixedCompletions(
+		[]string{"crt", "pem", "cert"}, cobra.ShellCompDirectiveFilterFileExt,
+	)); regErr != nil {
+		panic(regErr)
+	}
+	if regErr := rootCmd.RegisterFlagCompletionFunc("insecure", cobra.NoFileCompletions); regErr != nil {
+		panic(regErr)
+	}
 
 	rootCmd.AddCommand(GetLintCommand())
 	rootCmd.AddCommand(GetVacuumReportCommand())

cmd/shared_functions.go

@@ -12,6 +12,7 @@ import (
 	"github.com/dustin/go-humanize"
 	"github.com/pb33f/libopenapi/index"
 	"github.com/pterm/pterm"
+	"net/http"
 	"os"
 	"strings"
 	"time"
@@ -21,6 +22,12 @@ import (
 // BuildRuleSetFromUserSuppliedSet creates a ready to run ruleset, augmented or provided by a user
 // configured ruleset. This ruleset could be lifted directly from a Spectral configuration.
 func BuildRuleSetFromUserSuppliedSet(rsBytes []byte, rs rulesets.RuleSets) (*rulesets.RuleSet, error) {
+	return BuildRuleSetFromUserSuppliedSetWithHTTPClient(rsBytes, rs, nil)
+}
+
+// BuildRuleSetFromUserSuppliedSetWithHTTPClient creates a ready to run ruleset, augmented or provided by a user
+// configured ruleset with HTTP client support for certificate authentication.
+func BuildRuleSetFromUserSuppliedSetWithHTTPClient(rsBytes []byte, rs rulesets.RuleSets, httpClient *http.Client) (*rulesets.RuleSet, error) {
 
 	// load in our user supplied ruleset and try to validate it.
 	userRS, userErr := rulesets.CreateRuleSetFromData(rsBytes)
@@ -30,28 +37,28 @@ func BuildRuleSetFromUserSuppliedSet(rsBytes []byte, rs rulesets.RuleSets) (*rul
 		return nil, userErr
 
 	}
-	return rs.GenerateRuleSetFromSuppliedRuleSet(userRS), nil
+	return rs.GenerateRuleSetFromSuppliedRuleSetWithHTTPClient(userRS, httpClient), nil
 }
 
 // BuildRuleSetFromUserSuppliedLocation creates a ready to run ruleset from a location (file path or URL)
-func BuildRuleSetFromUserSuppliedLocation(rulesetFlag string, rs rulesets.RuleSets, remote bool) (*rulesets.RuleSet, error) {
+func BuildRuleSetFromUserSuppliedLocation(rulesetFlag string, rs rulesets.RuleSets, remote bool, httpClient *http.Client) (*rulesets.RuleSet, error) {
 	if strings.HasPrefix(rulesetFlag, "http") {
 		// Handle remote ruleset URL directly
 		if !remote {
 			return nil, fmt.Errorf("remote ruleset specified but remote flag is disabled (use --remote=true or -u=true)")
 		}
-		downloadedRS, rsErr := rulesets.DownloadRemoteRuleSet(context.Background(), rulesetFlag)
+		downloadedRS, rsErr := rulesets.DownloadRemoteRuleSet(context.Background(), rulesetFlag, httpClient)
 		if rsErr != nil {
 			return nil, rsErr
 		}
-		return rs.GenerateRuleSetFromSuppliedRuleSet(downloadedRS), nil
+		return rs.GenerateRuleSetFromSuppliedRuleSetWithHTTPClient(downloadedRS, httpClient), nil
 	} else {
 		// Handle local ruleset file
 		rsBytes, rsErr := os.ReadFile(rulesetFlag)
 		if rsErr != nil {
 			return nil, rsErr
 		}
-		return BuildRuleSetFromUserSuppliedSet(rsBytes, rs)
+		return BuildRuleSetFromUserSuppliedSetWithHTTPClient(rsBytes, rs, httpClient)
 	}
 }