Added experimental.trust_any_certificate to enable making app trust a…

…ny certificate on macOS. Closes #2576
metalbear-co · Jul 11, 2024 · cc085af · cc085af
1 parent 8f5aba5
commit cc085af
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 8 deletions.
diff --git a/changelog.d/2576.added.md b/changelog.d/2576.added.md
@@ -0,0 +1 @@
+Added experimental.trust_any_certificate to enable making app trust any certificate on macOS
diff --git a/mirrord/config/src/experimental.rs b/mirrord/config/src/experimental.rs
@@ -10,22 +10,29 @@ use crate::config::source::MirrordConfigSource;
 #[config(map_to = "ExperimentalFileConfig", derive = "JsonSchema")]
 #[cfg_attr(test, config(derive = "PartialEq, Eq"))]
 pub struct ExperimentalConfig {
-    /// ## _experimental_ tcp_ping4_mock {#fexperimental-tcp_ping4_mock}
+    /// ## _experimental_ tcp_ping4_mock {#experimental-tcp_ping4_mock}
     ///
     /// <https://github.com/metalbear-co/mirrord/issues/2421#issuecomment-2093200904>
     #[config(default = true)]
     pub tcp_ping4_mock: bool,
 
-    /// ## _experimental_ readlink {#fexperimental-readlink}
+    /// ## _experimental_ readlink {#experimental-readlink}
     ///
     /// Enables the `readlink` hook.
     #[config(default = false)]
     pub readlink: bool,
+
+    /// # _experimental_ trust_any_certificate {#experimental-trust_any_certificate}
+    ///
+    /// Enables trusting any certificate on macOS, useful for https://github.com/golang/go/issues/51991#issuecomment-2059588252
+    #[config(default = false)]
+    pub trust_any_certificate: bool,
 }
 
 impl CollectAnalytics for &ExperimentalConfig {
     fn collect_analytics(&self, analytics: &mut mirrord_analytics::Analytics) {
         analytics.add("tcp_ping4_mock", self.tcp_ping4_mock);
         analytics.add("readlink", self.readlink);
+        analytics.add("trust_any_certificate", self.trust_any_certificate);
     }
 }
diff --git a/mirrord/layer/src/lib.rs b/mirrord/layer/src/lib.rs
@@ -112,6 +112,8 @@ mod macros;
 mod proxy_connection;
 mod setup;
 mod socket;
+#[cfg(target_os = "macos")]
+mod tls;
 
 #[cfg(all(
     any(target_arch = "x86_64", target_arch = "aarch64"),
@@ -341,11 +343,7 @@ fn layer_start(mut config: LayerConfig) {
     SETUP.set(state).unwrap();
 
     let state = setup();
-    enable_hooks(
-        state.fs_config().is_active(),
-        state.remote_dns_enabled(),
-        state.sip_binaries(),
-    );
+    enable_hooks(state);
 
     let _detour_guard = DetourGuard::new();
     tracing::info!("Initializing mirrord-layer!");
@@ -475,7 +473,11 @@ fn sip_only_layer_start(mut config: LayerConfig, patch_binaries: Vec<String>) {
 ///   `true`, see [`NetworkConfig`](mirrord_config::feature::network::NetworkConfig), and
 ///   [`hooks::enable_socket_hooks`](socket::hooks::enable_socket_hooks).
 #[mirrord_layer_macro::instrument(level = "trace")]
-fn enable_hooks(enabled_file_ops: bool, enabled_remote_dns: bool, patch_binaries: Vec<String>) {
+fn enable_hooks(state: &LayerSetup) {
+    let enabled_file_ops = state.fs_config().is_active();
+    let enabled_remote_dns = state.remote_dns_enabled();
+    let patch_binaries = state.sip_binaries();
+
     let mut hook_manager = HookManager::default();
 
     unsafe {
@@ -526,6 +528,11 @@ fn enable_hooks(enabled_file_ops: bool, enabled_remote_dns: bool, patch_binaries
         exec_utils::enable_execve_hook(&mut hook_manager, patch_binaries)
     };
 
+    #[cfg(target_os = "macos")]
+    if state.experimental().trust_any_certificate {
+        unsafe { tls::enable_tls_hooks(&mut hook_manager) };
+    }
+
     if enabled_file_ops {
         unsafe { file::hooks::enable_file_hooks(&mut hook_manager) };
     }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Added experimental.trust_any_certificate to enable making app trust any certificate on macOS