feat(httpclient): add proxy/TLS-aware http client factory (OD-30)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: andrzej-janczak

utils/httpclient/client.go

@@ -0,0 +1,32 @@
+package httpclient
+
+import "net/http"
+
+// New returns an *http.Client whose transport honors proxy environment
+// variables (HTTP_PROXY/HTTPS_PROXY/NO_PROXY) and applies CA/TLS configuration
+// from SSL_CERT_FILE and CODACY_CLI_INSECURE.
+//
+// It returns an error if a configured CA bundle cannot be read or parsed, so
+// callers fail loudly on misconfiguration rather than silently falling back to
+// the system trust store.
+func New(opts ...Option) (*http.Client, error) {
+	o := &Options{}
+	for _, fn := range opts {
+		fn(o)
+	}
+
+	tlsCfg, err := buildTLSConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	transport := &http.Transport{
+		Proxy:           http.ProxyFromEnvironment,
+		TLSClientConfig: tlsCfg,
+	}
+
+	return &http.Client{
+		Timeout:   o.Timeout,
+		Transport: transport,
+	}, nil
+}

utils/httpclient/httpclient_test.go

@@ -0,0 +1,124 @@
+package httpclient
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// certToPEM encodes the test server's leaf certificate as PEM.
+func certToPEM(t *testing.T, srv *httptest.Server) []byte {
+	t.Helper()
+	return encodeCertPEM(srv.Certificate().Raw)
+}
+
+func TestBuildTLSConfig_DefaultRejectsSelfSigned(t *testing.T) {
+	os.Unsetenv(EnvInsecure)
+	os.Unsetenv(EnvCABundle)
+	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+	defer srv.Close()
+
+	cfg, err := buildTLSConfig()
+	require.NoError(t, err)
+	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
+	_, err = c.Get(srv.URL)
+	assert.Error(t, err, "self-signed server must be rejected without a custom CA")
+}
+
+func TestBuildTLSConfig_CustomCASucceeds(t *testing.T) {
+	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer srv.Close()
+
+	caPath := filepath.Join(t.TempDir(), "ca.pem")
+	require.NoError(t, os.WriteFile(caPath, certToPEM(t, srv), 0o600))
+	t.Setenv(EnvCABundle, caPath)
+	os.Unsetenv(EnvInsecure)
+
+	cfg, err := buildTLSConfig()
+	require.NoError(t, err)
+	require.NotNil(t, cfg.RootCAs)
+	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
+	resp, err := c.Get(srv.URL)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+}
+
+func TestBuildTLSConfig_InsecureSkipsVerify(t *testing.T) {
+	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+	defer srv.Close()
+	t.Setenv(EnvInsecure, "1")
+	os.Unsetenv(EnvCABundle)
+
+	cfg, err := buildTLSConfig()
+	require.NoError(t, err)
+	assert.True(t, cfg.InsecureSkipVerify)
+	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
+	resp, err := c.Get(srv.URL)
+	require.NoError(t, err)
+	resp.Body.Close()
+}
+
+func TestBuildTLSConfig_MissingBundleErrors(t *testing.T) {
+	t.Setenv(EnvCABundle, filepath.Join(t.TempDir(), "does-not-exist.pem"))
+	os.Unsetenv(EnvInsecure)
+	_, err := buildTLSConfig()
+	assert.Error(t, err)
+}
+
+func TestBuildTLSConfig_BadBundleErrors(t *testing.T) {
+	bad := filepath.Join(t.TempDir(), "bad.pem")
+	require.NoError(t, os.WriteFile(bad, []byte("not a certificate"), 0o600))
+	t.Setenv(EnvCABundle, bad)
+	os.Unsetenv(EnvInsecure)
+	_, err := buildTLSConfig()
+	assert.Error(t, err)
+}
+
+func TestNew_SetsProxyAndTimeout(t *testing.T) {
+	os.Unsetenv(EnvInsecure)
+	os.Unsetenv(EnvCABundle)
+	c, err := New(WithTimeout(7 * time.Second))
+	require.NoError(t, err)
+	assert.Equal(t, 7*time.Second, c.Timeout)
+
+	tr, ok := c.Transport.(*http.Transport)
+	require.True(t, ok)
+	// Proxy resolver must be wired. Env resolution itself is covered by the
+	// real-life harness; ProxyFromEnvironment caches and is unsafe to unit-test.
+	assert.NotNil(t, tr.Proxy)
+	assert.NotNil(t, tr.TLSClientConfig)
+}
+
+func TestNew_PropagatesCABundleError(t *testing.T) {
+	t.Setenv(EnvCABundle, filepath.Join(t.TempDir(), "missing.pem"))
+	os.Unsetenv(EnvInsecure)
+	_, err := New()
+	assert.Error(t, err)
+}
+
+func TestNew_CustomCAEndToEnd(t *testing.T) {
+	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer srv.Close()
+	caPath := filepath.Join(t.TempDir(), "ca.pem")
+	require.NoError(t, os.WriteFile(caPath, certToPEM(t, srv), 0o600))
+	t.Setenv(EnvCABundle, caPath)
+	os.Unsetenv(EnvInsecure)
+
+	c, err := New()
+	require.NoError(t, err)
+	resp, err := c.Get(srv.URL)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+}

utils/httpclient/options.go

@@ -0,0 +1,45 @@
+package httpclient
+
+import (
+	"os"
+	"strings"
+	"time"
+)
+
+// Env vars controlling TLS/CA behavior.
+const (
+	// EnvInsecure, when truthy, disables TLS certificate verification.
+	EnvInsecure = "CODACY_CLI_INSECURE"
+	// EnvCABundle points to a PEM bundle appended to the system trust pool.
+	// SSL_CERT_FILE is the OpenSSL-standard name corporate tooling already sets.
+	EnvCABundle = "SSL_CERT_FILE"
+)
+
+// Options configure a client built by New.
+type Options struct {
+	// Timeout is the http.Client timeout. Zero means no timeout.
+	Timeout time.Duration
+}
+
+// Option mutates Options.
+type Option func(*Options)
+
+// WithTimeout sets the client timeout. Pass 0 for no timeout (large downloads).
+func WithTimeout(d time.Duration) Option {
+	return func(o *Options) { o.Timeout = d }
+}
+
+// insecureEnv reports whether TLS verification is disabled via EnvInsecure.
+func insecureEnv() bool {
+	switch strings.ToLower(strings.TrimSpace(os.Getenv(EnvInsecure))) {
+	case "1", "true", "yes":
+		return true
+	default:
+		return false
+	}
+}
+
+// caBundlePath returns the configured CA bundle path, or "" if unset.
+func caBundlePath() string {
+	return strings.TrimSpace(os.Getenv(EnvCABundle))
+}

utils/httpclient/tls.go

@@ -0,0 +1,47 @@
+package httpclient
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"os"
+)
+
+// buildTLSConfig assembles the TLS config from env:
+//   - CODACY_CLI_INSECURE truthy -> InsecureSkipVerify (with a stderr warning)
+//   - SSL_CERT_FILE set           -> its PEM certs appended to the system pool
+func buildTLSConfig() (*tls.Config, error) {
+	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
+
+	if insecureEnv() {
+		cfg.InsecureSkipVerify = true
+		fmt.Fprintln(os.Stderr,
+			"WARNING: TLS certificate verification is DISABLED (CODACY_CLI_INSECURE set). "+
+				"Traffic can be intercepted. Prefer setting SSL_CERT_FILE to your proxy's CA instead.")
+		return cfg, nil
+	}
+
+	pool, err := x509.SystemCertPool()
+	if err != nil || pool == nil {
+		pool = x509.NewCertPool()
+	}
+
+	if path := caBundlePath(); path != "" {
+		pemBytes, err := os.ReadFile(path)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read CA bundle from %s (%s): %w", EnvCABundle, path, err)
+		}
+		if !pool.AppendCertsFromPEM(pemBytes) {
+			return nil, fmt.Errorf("no valid certificates found in CA bundle %s (%s)", EnvCABundle, path)
+		}
+	}
+
+	cfg.RootCAs = pool
+	return cfg, nil
+}
+
+// encodeCertPEM encodes DER certificate bytes as PEM. Used by tests.
+func encodeCertPEM(der []byte) []byte {
+	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
+}