diff --git a/lib/mobilizon.ex b/lib/mobilizon.ex
index 19c66ede4..1cbff92c9 100644
--- a/lib/mobilizon.ex
+++ b/lib/mobilizon.ex
@@ -85,7 +85,9 @@ defmodule Mobilizon do
 ErrorReporting.attach()
 end
- Supervisor.start_link(children, strategy: :one_for_one, name: Mobilizon.Supervisor)
+ with :ok <- load_certificates() do
+ Supervisor.start_link(children, strategy: :one_for_one, name: Mobilizon.Supervisor)
+ end
 end
 @spec config_change(keyword, keyword, [atom]) :: :ok
@@ -160,4 +162,16 @@ defmodule Mobilizon do
 end
 defp setup_ecto_dev_logger(_), do: nil
+
+ defp load_certificates do
+ custom_cert_path = System.get_env("MOBILIZON_CA_CERT_PATH")
+
+ if is_binary(custom_cert_path) do
+ with :ok <- :tls_certificate_check.override_trusted_authorities({:file, custom_cert_path}) do
+ :public_key.cacerts_load(custom_cert_path)
+ end
+ else
+ :ok
+ end
+ end
 end
diff --git a/lib/service/http/activity_pub.ex b/lib/service/http/activity_pub.ex
index a84b28a89..2b4f29160 100644
--- a/lib/service/http/activity_pub.ex
+++ b/lib/service/http/activity_pub.ex
@@ -3,7 +3,9 @@ defmodule Mobilizon.Service.HTTP.ActivityPub do
 Tesla HTTP Client that is preconfigured to get and post ActivityPub content
 """
+ require Logger
 alias Mobilizon.Config
+ import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]
 @default_opts [
 recv_timeout: 20_000
@@ -13,7 +15,11 @@ defmodule Mobilizon.Service.HTTP.ActivityPub do
 def client(options \\ []) do
 headers = Keyword.get(options, :headers, [])
 adapter = Application.get_env(:tesla, __MODULE__, [])[:adapter] || Tesla.Adapter.Hackney
- opts = Keyword.merge(@default_opts, Keyword.get(options, :opts, []))
+
+ opts =
+ @default_opts
+ |> Keyword.merge(ssl_options: get_tls_config())
+ |> Keyword.merge(Keyword.get(options, :opts, []))
 middleware = [
 {Tesla.Middleware.Headers,
diff --git a/lib/service/http/generic_json_client.ex b/lib/service/http/generic_json_client.ex
index 1db2829f1..d055d9f41 100644
--- a/lib/service/http/generic_json_client.ex
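Review bot: The new `with :ok <- load_certificates() do` has no `else`, so whatever `load_certificates/0` returns on failure (for instance an `{:error, reason}` from `:public_key.cacerts_load/1`) becomes the return value of `start/2` and the node refuses to boot with nothing in the log naming `MOBILIZON_CA_CERT_PATH`. Failing closed is right for a trust-store override, but the operator needs to know why; I would add an `else` clause that emits `Logger.error("Could not load CA certificates from MOBILIZON_CA_CERT_PATH: #{inspect(error)}")` and returns `error` unchanged (with `require Logger` in the module if it is not already there). `start/2` begins outside this hunk, so I cannot see whether `Logger` is already required.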
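Review bot: `load_certificates/0` mutates node-wide trust state without saying so: `:tls_certificate_check.override_trusted_authorities/1` replaces (as its name suggests) the trusted-authority set for every caller of that library, and `:public_key.cacerts_load/1` — I believe — replaces the OTP-wide CA cache, so a file containing only a private CA will make outbound TLS to public federation peers fail verification. That deserves a comment on the function, e.g. `# Replaces the node-wide trust store: the file must contain every CA to trust, public roots included.`, plus `@spec load_certificates() :: :ok | {:error, term()}` in line with the `@spec`s elsewhere in the file. Also `is_binary/1` accepts `MOBILIZON_CA_CERT_PATH=""`, which then fails at load time; `if is_binary(custom_cert_path) and custom_cert_path != "" do` treats an empty value as unset.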
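Review bot: `require Logger` is added to `Mobilizon.Service.HTTP.ActivityPub`, but no `Logger` call appears anywhere in the new code of this commit, so it reads as leftover scaffolding. If the rest of the module does not use `Logger` either, drop the line; if it does, this is fine as-is. I only see the two hunks shown, so this is a guess about the remainder of the module.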
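Review bot: `Keyword.merge/2` is shallow, so a caller that passes `opts: [ssl_options: [...]]` replaces the whole list produced by `get_tls_config/0` and silently drops `cacertfile`, and with it the custom CA; the same `opts` pipeline is duplicated verbatim in `GenericJSONClient.client/1`. If callers are meant to extend rather than replace the TLS settings, merge at that level, e.g. `ssl_options: Keyword.merge(get_tls_config(), Keyword.get(caller_opts, :ssl_options, []))`, and put the whole merge in `Mobilizon.Service.HTTP.Utils` so both clients share one policy. I cannot see whether any caller actually passes `ssl_options`, so the override may be theoretical today.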
+++ b/lib/service/http/generic_json_client.ex
@@ -4,6 +4,7 @@ defmodule Mobilizon.Service.HTTP.GenericJSONClient do
 """
 alias Mobilizon.Config
+ import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]
 @default_opts [
 recv_timeout: 20_000
@@ -13,7 +14,11 @@ defmodule Mobilizon.Service.HTTP.GenericJSONClient do
 def client(options \\ []) do
 headers = Keyword.get(options, :headers, [])
 adapter = Application.get_env(:tesla, __MODULE__, [])[:adapter] || Tesla.Adapter.Hackney
- opts = Keyword.merge(@default_opts, Keyword.get(options, :opts, []))
+
+ opts =
+ @default_opts
+ |> Keyword.merge(ssl_options: get_tls_config())
+ |> Keyword.merge(Keyword.get(options, :opts, []))
 middleware = [
 {Tesla.Middleware.Headers,
diff --git a/lib/service/http/geospatial_client.ex b/lib/service/http/geospatial_client.ex
index 064fee4c4..e2f3f57b8 100644
--- a/lib/service/http/geospatial_client.ex
+++ b/lib/service/http/geospatial_client.ex
@@ -6,12 +6,13 @@ defmodule Mobilizon.Service.HTTP.GeospatialClient do
 use Tesla
 alias Mobilizon.Config
+ import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]
 @default_opts [
 recv_timeout: 20_000
 ]
- adapter(Tesla.Adapter.Hackney, @default_opts)
+ adapter(Tesla.Adapter.Hackney, Keyword.merge([ssl_options: get_tls_config()], @default_opts))
 plug(Tesla.Middleware.FollowRedirects)
diff --git a/lib/service/http/host_meta_client.ex b/lib/service/http/host_meta_client.ex
index 4ebe0cf2d..96b1ba727 100644
--- a/lib/service/http/host_meta_client.ex
+++ b/lib/service/http/host_meta_client.ex
@@ -6,12 +6,13 @@ defmodule Mobilizon.Service.HTTP.HostMetaClient do
 use Tesla
 alias Mobilizon.Config
+ import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]
 @default_opts [
 recv_timeout: 20_000
 ]
- adapter(Tesla.Adapter.Hackney, @default_opts)
+ adapter(Tesla.Adapter.Hackney, Keyword.merge([ssl_options: get_tls_config()], @default_opts))
 plug(Tesla.Middleware.FollowRedirects)
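Review bot: In `GeospatialClient` the new `adapter(Tesla.Adapter.Hackney, Keyword.merge([ssl_options: get_tls_config()], @default_opts))` evaluates `get_tls_config/0` while the module is compiled, not per request, because Tesla's `adapter/2` records its options in a module attribute; the `MOBILIZON_CA_CERT_PATH` read inside it — and `CAStore.file_path/0`, which then resolves against the build host's directory layout — is therefore frozen into the release, and an operator setting the variable at runtime changes nothing for this client. The same line appears in `HostMetaClient`, `RemoteMediaDownloaderClient`, `RichMediaPreviewClient` and `WebfingerClient`; `ActivityPub.client/1` and `GenericJSONClient.client/1` are unaffected because they build `opts` inside a function. One fix is to keep `adapter(Tesla.Adapter.Hackney, @default_opts)` and inject the TLS options per request through a small middleware, sketched below (the middleware would live in `utils.ex`).

```elixir
  # … unchanged: use Tesla, alias Mobilizon.Config, @default_opts …

  # adapter/2 captures its options at compile time, so the CA path is
  # injected per request by the middleware below instead.
  adapter(Tesla.Adapter.Hackney, @default_opts)

  plug(Mobilizon.Service.HTTP.Utils.TLSOptions)
  plug(Tesla.Middleware.FollowRedirects)

  # in lib/service/http/utils.ex:
  defmodule TLSOptions do
    @moduledoc false
    @behaviour Tesla.Middleware

    # Reads MOBILIZON_CA_CERT_PATH at request time via get_tls_config/0.
    @impl Tesla.Middleware
    def call(env, next, _opts) do
      env
      |> Tesla.put_opt(:adapter, ssl_options: get_tls_config())
      |> Tesla.run(next)
    end
  end
```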
diff --git a/lib/service/http/remote_media_downloader_client.ex b/lib/service/http/remote_media_downloader_client.ex
index f8be88793..6342e3c52 100644
--- a/lib/service/http/remote_media_downloader_client.ex
+++ b/lib/service/http/remote_media_downloader_client.ex
@@ -5,12 +5,13 @@ defmodule Mobilizon.Service.HTTP.RemoteMediaDownloaderClient do
 use Tesla
 alias Mobilizon.Config
+ import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]
 @default_opts [
 recv_timeout: 20_000
 ]
- adapter(Tesla.Adapter.Hackney, @default_opts)
+ adapter(Tesla.Adapter.Hackney, Keyword.merge([ssl_options: get_tls_config()], @default_opts))
 plug(Tesla.Middleware.FollowRedirects)
diff --git a/lib/service/http/rich_media_preview_client.ex b/lib/service/http/rich_media_preview_client.ex
index 520839241..f4ddaf4f1 100644
--- a/lib/service/http/rich_media_preview_client.ex
+++ b/lib/service/http/rich_media_preview_client.ex
@@ -5,12 +5,13 @@ defmodule Mobilizon.Service.HTTP.RichMediaPreviewClient do
 use Tesla
 alias Mobilizon.Config
+ import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]
 @default_opts [
 recv_timeout: 20_000
 ]
- adapter(Tesla.Adapter.Hackney, @default_opts)
+ adapter(Tesla.Adapter.Hackney, Keyword.merge([ssl_options: get_tls_config()], @default_opts))
 plug(Tesla.Middleware.FollowRedirects)
diff --git a/lib/service/http/utils.ex b/lib/service/http/utils.ex
index 64bd24ce1..0a4d85cb4 100644
--- a/lib/service/http/utils.ex
+++ b/lib/service/http/utils.ex
@@ -3,6 +3,17 @@ defmodule Mobilizon.Service.HTTP.Utils do
 Utils for HTTP operations
 """
+ def get_tls_config do
+ cacertfile =
+ if is_nil(System.get_env("MOBILIZON_CA_CERT_PATH")) do
+ CAStore.file_path()
+ else
+ System.get_env("MOBILIZON_CA_CERT_PATH")
+ end
+
+ [cacertfile: cacertfile]
+ end
+
 @spec get_header(Enum.t(), String.t()) :: String.t() | nil
 def get_header(headers, key) do
 key = String.downcase(key)
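Review bot: `get_tls_config/0` returns only `[cacertfile: ...]`, and to my knowledge hackney uses a caller-supplied `ssl_options` list verbatim in place of its own defaults, which are what set `verify: :verify_peer` and hostname checking; on OTP releases where the `:ssl` client default is still `verify_none`, every client in this commit would then accept any certificate despite pointing at a CA bundle, the opposite of the intent. Please confirm against the pinned hackney version, and in any case state the verification policy explicitly rather than relying on adapter defaults. The function also reads the environment variable twice and, unlike its neighbour `get_header/2`, carries no `@spec` or `@doc`; the rewrite below addresses all three.

```elixir
  @doc """
  TLS options for outbound HTTP clients.

  Uses the CA bundle at `MOBILIZON_CA_CERT_PATH` when set, otherwise the
  CAStore bundle, and always requires peer and hostname verification.
  """
  @spec get_tls_config() :: keyword()
  def get_tls_config do
    cacertfile = System.get_env("MOBILIZON_CA_CERT_PATH") || CAStore.file_path()

    [
      cacertfile: cacertfile,
      verify: :verify_peer,
      customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]
    ]
  end
```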
diff --git a/lib/service/http/webfinger_client.ex b/lib/service/http/webfinger_client.ex
index d5c02e357..5baa63fe9 100644
--- a/lib/service/http/webfinger_client.ex
+++ b/lib/service/http/webfinger_client.ex
@@ -6,12 +6,13 @@ defmodule Mobilizon.Service.HTTP.WebfingerClient do
 use Tesla
 alias Mobilizon.Config
+ import Mobilizon.Service.HTTP.Utils, only: [get_tls_config: 0]
 @default_opts [
 recv_timeout: 20_000
 ]
- adapter(Tesla.Adapter.Hackney, @default_opts)
+ adapter(Tesla.Adapter.Hackney, Keyword.merge([ssl_options: get_tls_config()], @default_opts))
 plug(Tesla.Middleware.FollowRedirects)