Store certpool inside the client object (#38)

* Store certpool inside the client object

This allows us to use multiple certificates using the `WithCertificate` option.

* Update CHANGELOG.md

Update the changelog file with details on what's changed.

* Use hashicorp/go-cleanhttp for creating http client

Use cleanhttp to create a unique Default client instead of mutating
http.DefaultCient.

* Add error checks if transport type is unexpected

Error out if Transport is not of type http.Transport

* Update CHANGELOG.md

Update the changelog with info about cleanhttp.

Author: thunderboltsid

CHANGELOG.md

@@ -12,6 +12,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Add license header to generated file and add a makefile target for generate
 - `NUTANIX_INSECURE` and `NUTANIX_ADDITIONAL_TRUST_BUNDLE` environment variables are used to hydrate environment/local provider
+- Store the certpool in the client to allow injecting multiple certificates using the `WithCertificate` option
+- Use `hashicorp/go-cleanhttp` as the underlying http client constructor
 
 ## [0.3.0] - 2022-09-27
 ### Added

go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/go-logr/logr v1.2.3
 	github.com/go-logr/zapr v1.2.3
 	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/keploy/go-sdk v0.4.3
 	github.com/onsi/ginkgo v1.16.5 // indirect
 	github.com/onsi/ginkgo/v2 v2.1.4

go.sum

@@ -243,6 +243,8 @@ github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB7
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=

internal/client.go

@@ -18,6 +18,7 @@ import (
 	"github.com/PaesslerAG/jsonpath"
 	"github.com/go-logr/logr"
 	"github.com/go-logr/zapr"
+	"github.com/hashicorp/go-cleanhttp"
 	"go.uber.org/zap"
 
 	"github.com/nutanix-cloud-native/prism-go-client"
@@ -62,7 +63,8 @@ type Client struct {
 	// error message, incase httpClient is in error state
 	ErrorMsg string
 
-	logger *logr.Logger
+	logger   *logr.Logger
+	certpool *x509.CertPool
 }
 
 type ClientOption func(*Client) error
@@ -80,15 +82,23 @@ func WithCredentials(credentials *prismgoclient.Credentials) ClientOption {
 	return func(c *Client) error {
 		c.credentials = credentials
 		if c.credentials.Insecure {
-			c.httpClient.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify = true
+			transport, ok := c.httpClient.Transport.(*http.Transport)
+			if !ok {
+				return fmt.Errorf("transport is not of type http.Transport: %T", c.httpClient.Transport)
+			}
+			transport.TLSClientConfig.InsecureSkipVerify = true
 		}
 		if c.credentials.ProxyURL != "" {
 			c.logger.V(1).Info("Using proxy:", "proxy", c.credentials.ProxyURL)
 			proxy, err := url.Parse(c.credentials.ProxyURL)
 			if err != nil {
 				return fmt.Errorf("error parsing proxy url: %s", err)
 			}
-			c.httpClient.Transport.(*http.Transport).Proxy = http.ProxyURL(proxy)
+			transport, ok := c.httpClient.Transport.(*http.Transport)
+			if !ok {
+				return fmt.Errorf("transport is not of type http.Transport: %T", c.httpClient.Transport)
+			}
+			transport.Proxy = http.ProxyURL(proxy)
 		}
 		return nil
 	}
@@ -143,13 +153,10 @@ func WithAbsolutePath(absolutePath string) ClientOption {
 // WithCertificate adds the certificate to the certificate pool in tls config
 func WithCertificate(cert *x509.Certificate) ClientOption {
 	return func(c *Client) error {
-		certPool, err := x509.SystemCertPool()
-		if err != nil {
-			return fmt.Errorf("failed to get system cert pool: %s", err)
+		if cert == nil {
+			return fmt.Errorf("certificate is nil")
 		}
-
-		certPool.AddCert(cert)
-		c.httpClient.Transport.(*http.Transport).TLSClientConfig.RootCAs = certPool
+		c.certpool.AddCert(cert)
 		return nil
 	}
 }
@@ -167,10 +174,18 @@ func WithRoundTripper(transport http.RoundTripper) ClientOption {
 // NewClient returns a wrapper around http/https (as per isHTTP flag) httpClient with additions of proxy & session_auth if given
 func NewClient(opts ...ClientOption) (*Client, error) {
 	c := &Client{
-		httpClient: http.DefaultClient,
+		httpClient: cleanhttp.DefaultClient(),
 	}
+
+	certPool, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get system cert pool: %s", err)
+	}
+	c.certpool = certPool
+
 	c.httpClient.Transport = http.DefaultTransport
 	c.httpClient.Transport.(*http.Transport).TLSClientConfig = &tls.Config{}
+	c.httpClient.Transport.(*http.Transport).TLSClientConfig.RootCAs = c.certpool
 
 	// If the user does not specify a logger, then we'll use zap for a default one
 	// If the user specified a logger, then we'll use that logger