Add --insecure flag to skip TLS certificate validation

mattt · mattt · commit 1e6d3fa45988 · 2025-10-09T03:41:20.000-07:00
diff --git a/cmd/emcee/main.go b/cmd/emcee/main.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"log/slog"
+	"crypto/tls"
 	"net/http"
 	"os"
 	"os/signal"
@@ -97,7 +98,11 @@ Authentication values can be provided directly or as 1Password secret references
 				}
 
 				// Make HTTP request
-				resp, err := http.DefaultClient.Do(req)
+				client := http.DefaultClient
+				if insecure {
+					client = &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
+				}
+				resp, err := client.Do(req)
 				if err != nil {
 					return fmt.Errorf("error downloading spec: %w", err)
 				}
@@ -144,7 +149,13 @@ Authentication values can be provided directly or as 1Password secret references
 			}
 
 			// Build HTTP client with optional auth header
-			client, err := internal.RetryableClient(retries, timeout, rps, logger)
+			client, err := internal.RetryableClient(internal.RetryableClientOptions{
+				Retries:  retries,
+				Timeout:  timeout,
+				RPS:      rps,
+				Logger:   logger,
+				Insecure: insecure,
+			})
 			if err != nil {
 				return fmt.Errorf("error creating client: %w", err)
 			}
@@ -216,6 +227,7 @@ var (
 	retries int
 	timeout time.Duration
 	rps     int
+	insecure bool
 
 	verbose       bool
 	silent        bool
@@ -235,6 +247,7 @@ func init() {
 	rootCmd.Flags().IntVar(&retries, "retries", 3, "Maximum number of retries for failed requests")
 	rootCmd.Flags().DurationVar(&timeout, "timeout", 60*time.Second, "HTTP request timeout")
 	rootCmd.Flags().IntVarP(&rps, "rps", "r", 0, "Maximum requests per second (0 for no limit)")
+	rootCmd.Flags().BoolVar(&insecure, "insecure", false, "Allow insecure TLS connections (skip certificate verification)")
 
 	rootCmd.Flags().BoolVarP(&verbose, "verbose", "v", false, "Enable debug level logging to stderr")
 	rootCmd.Flags().BoolVarP(&silent, "silent", "s", false, "Disable all logging")
diff --git a/internal/http.go b/internal/http.go
@@ -1,11 +1,12 @@
 package internal
 
 import (
-	"fmt"
-	"net/http"
-	"time"
+    "fmt"
+    "crypto/tls"
+    "net/http"
+    "time"
 
-	"github.com/hashicorp/go-retryablehttp"
+    "github.com/hashicorp/go-retryablehttp"
 )
 
 // HeaderTransport is a custom RoundTripper that adds default headers to requests
@@ -28,29 +29,43 @@ func (t *HeaderTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	return base.RoundTrip(req)
 }
 
-// RetryableClient returns a new http.Client with a retryablehttp.Client
-// configured with the provided parameters.
-func RetryableClient(retries int, timeout time.Duration, rps int, logger interface{}) (*http.Client, error) {
-	if retries < 0 {
+// RetryableClientOptions configures the retryable HTTP client.
+type RetryableClientOptions struct {
+    Retries  int
+    Timeout  time.Duration
+    RPS      int
+    Logger   interface{}
+    Insecure bool
+}
+
+// RetryableClient returns a new http.Client with a retryablehttp.Client configured per opts.
+func RetryableClient(opts RetryableClientOptions) (*http.Client, error) {
+    if opts.Retries < 0 {
 		return nil, fmt.Errorf("retries must be greater than 0")
 	}
-	if timeout < 0 {
+    if opts.Timeout < 0 {
 		return nil, fmt.Errorf("timeout must be greater than 0")
 	}
-	if rps < 0 {
+    if opts.RPS < 0 {
 		return nil, fmt.Errorf("rps must be greater than 0")
 	}
 
 	retryClient := retryablehttp.NewClient()
-	retryClient.RetryMax = retries
+    retryClient.RetryMax = opts.Retries
 	retryClient.RetryWaitMin = 1 * time.Second
 	retryClient.RetryWaitMax = 30 * time.Second
-	retryClient.HTTPClient.Timeout = timeout
-	retryClient.Logger = logger
-	if rps > 0 {
-		retryClient.Backoff = func(min, max time.Duration, attemptNum int, resp *http.Response) time.Duration {
+    retryClient.HTTPClient.Timeout = opts.Timeout
+    retryClient.Logger = opts.Logger
+    if opts.Insecure {
+		// Minimal transport overriding to skip TLS verification.
+		retryClient.HTTPClient.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+	}
+    if opts.RPS > 0 {
+        retryClient.Backoff = func(min, max time.Duration, attemptNum int, resp *http.Response) time.Duration {
 			// Ensure we wait at least 1/rps between requests
-			minWait := time.Second / time.Duration(rps)
+            minWait := time.Second / time.Duration(opts.RPS)
 			if min < minWait {
 				min = minWait
 			}
