pull: Add tls-client-cert-{path,key}

These can be used to present a client certificate when making requests
to a repository.

doc/ostree.repo-config.xml

@@ -104,12 +104,30 @@ Boston, MA 02111-1307, USA.
 
       <varlistentry>
         <term><varname>gpg-verify</varname></term>
-        <listitem><para>A boolean value, defaults to <tt>true</tt>.
+        <listitem><para>A boolean value, defaults to true.
         Controls whether or not OSTree will require commits to be
         signed by a known GPG key.  For more information, see the
         <citerefentry><refentrytitle>ostree</refentrytitle><manvolnum>1</manvolnum></citerefentry>
         manual under GPG.</para></listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><varname>tls-permissive</varname></term>
+        <listitem><para>A boolean value, defaults to false.  By
+        default, server TLS certificates will be checked against the
+        system certificate store.  If this variable is set, any
+        certificate will be accepted.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>tls-client-cert-path</varname></term>
+        <listitem><para>Path to file for client-side certificate, to present when making requests to this repository.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>tls-client-key-path</varname></term>
+        <listitem><para>Path to file containing client-side certificate key, to present when making requests to this repository.</para></listitem>
+      </varlistentry>
     </variablelist>
 
   </refsect1>

src/libostree/ostree-fetcher.c

@@ -79,6 +79,8 @@ struct OstreeFetcher
 
   GFile *tmpdir;
 
+  GTlsCertificate *client_cert;
+
   SoupSession *session;
   SoupRequester *requester;
 
@@ -107,6 +109,7 @@ ostree_fetcher_finalize (GObject *object)
 
   g_clear_object (&self->session);
   g_clear_object (&self->tmpdir);
+  g_clear_object (&self->client_cert);
 
   g_hash_table_destroy (self->sending_messages);
   g_hash_table_destroy (self->message_to_request);
@@ -175,6 +178,9 @@ ostree_fetcher_init (OstreeFetcher *self)
         }
     }
 
+  if (g_getenv ("OSTREE_DEBUG_HTTP"))
+    soup_session_add_feature (self->session, (SoupSessionFeature*)soup_logger_new (SOUP_LOGGER_LOG_BODY, 500));
+
   self->requester = (SoupRequester *)soup_session_get_feature (self->session, SOUP_TYPE_REQUESTER);
   g_object_get (self->session, "max-conns-per-host", &max_conns, NULL);
   self->max_outstanding = 3 * max_conns;
@@ -204,6 +210,14 @@ ostree_fetcher_new (GFile                    *tmpdir,
   return self;
 }
 
+void
+ostree_fetcher_set_client_cert (OstreeFetcher *fetcher,
+                                GTlsCertificate *cert)
+{
+  g_clear_object (&fetcher->client_cert);
+  fetcher->client_cert = g_object_ref (cert);
+}
+
 static void
 on_request_sent (GObject        *object, GAsyncResult   *result, gpointer        user_data);
 
@@ -215,6 +229,13 @@ ostree_fetcher_process_pending_queue (OstreeFetcher *self)
          self->outstanding < self->max_outstanding)
     {
       OstreeFetcherPendingURI *next = g_queue_pop_head (&self->pending_queue);
+
+      if (self->client_cert)
+        {
+          gs_unref_object SoupMessage *message = soup_request_http_get_message ((SoupRequestHTTP*)next->request);
+          g_object_set (message, "tls-certificate", self->client_cert, NULL);
+        }
+
       self->outstanding++;
       soup_request_send_async (next->request, next->cancellable,
                                on_request_sent, next);

src/libostree/ostree-fetcher.h

@@ -54,6 +54,9 @@ GType   ostree_fetcher_get_type (void) G_GNUC_CONST;
 OstreeFetcher *ostree_fetcher_new (GFile                     *tmpdir,
                                    OstreeFetcherConfigFlags   flags);
 
+void ostree_fetcher_set_client_cert (OstreeFetcher *fetcher,
+                                     GTlsCertificate *cert);
+
 char * ostree_fetcher_query_state_text (OstreeFetcher              *self);
 
 guint64 ostree_fetcher_bytes_transferred (OstreeFetcher       *self);

src/libostree/ostree-repo-pull.c

@@ -1086,6 +1086,41 @@ ostree_repo_pull (OstreeRepo               *self,
   pull_data->fetcher = ostree_fetcher_new (pull_data->repo->tmp_dir,
                                            fetcher_flags);
 
+  {
+    gs_free char *tls_client_cert_path = NULL;
+    gs_free char *tls_client_key_path = NULL;
+
+    if (!ot_keyfile_get_value_with_default (config, remote_key,
+                                            "tls-client-cert-path",
+                                            NULL, &tls_client_cert_path, error))
+      goto out;
+    if (!ot_keyfile_get_value_with_default (config, remote_key,
+                                            "tls-client-key-path",
+                                            NULL, &tls_client_key_path, error))
+      goto out;
+
+    if ((tls_client_cert_path != NULL) != (tls_client_key_path != NULL))
+      {
+        g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+                     "\"%s\" must specify both \"tls-client-cert-path\" and \"tls-client-key-path\"", remote_key);
+        goto out;
+      }
+    else if (tls_client_cert_path)
+      {
+        gs_unref_object GTlsCertificate *client_cert = NULL;
+
+        g_assert (tls_client_key_path);
+
+        client_cert = g_tls_certificate_new_from_files (tls_client_cert_path,
+                                                        tls_client_key_path,
+                                                        error);
+        if (!client_cert)
+          goto out;
+
+        ostree_fetcher_set_client_cert (pull_data->fetcher, client_cert);
+      }
+  }
+
   if (!pull_data->base_uri)
     {
       g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,