feat: support self-signed certificates for remote taskfiles

Author: vmaerten

executor.go

@@ -36,6 +36,10 @@ type (
 		Offline             bool
 		Timeout             time.Duration
 		CacheExpiryDuration time.Duration
+		CACert              string
+		Cert                string
+		CertKey             string
+		CertKeyPass         string
 		Watch               bool
 		Verbose             bool
 		Silent              bool
@@ -253,6 +257,58 @@ func (o *cacheExpiryDurationOption) ApplyToExecutor(r *Executor) {
 	r.CacheExpiryDuration = o.duration
 }
 
+// WithCACert sets the path to a custom CA certificate for TLS connections.
+func WithCACert(caCert string) ExecutorOption {
+	return &caCertOption{caCert: caCert}
+}
+
+type caCertOption struct {
+	caCert string
+}
+
+func (o *caCertOption) ApplyToExecutor(e *Executor) {
+	e.CACert = o.caCert
+}
+
+// WithCert sets the path to a client certificate for TLS connections.
+func WithCert(cert string) ExecutorOption {
+	return &certOption{cert: cert}
+}
+
+type certOption struct {
+	cert string
+}
+
+func (o *certOption) ApplyToExecutor(e *Executor) {
+	e.Cert = o.cert
+}
+
+// WithCertKey sets the path to a client certificate key for TLS connections.
+func WithCertKey(certKey string) ExecutorOption {
+	return &certKeyOption{certKey: certKey}
+}
+
+type certKeyOption struct {
+	certKey string
+}
+
+func (o *certKeyOption) ApplyToExecutor(e *Executor) {
+	e.CertKey = o.certKey
+}
+
+// WithCertKeyPass sets the passphrase for the client certificate key.
+func WithCertKeyPass(certKeyPass string) ExecutorOption {
+	return &certKeyPassOption{certKeyPass: certKeyPass}
+}
+
+type certKeyPassOption struct {
+	certKeyPass string
+}
+
+func (o *certKeyPassOption) ApplyToExecutor(e *Executor) {
+	e.CertKeyPass = o.certKeyPass
+}
+
 // WithWatch tells the [Executor] to keep running in the background and watch
 // for changes to the fingerprint of the tasks that are run. When changes are
 // detected, a new task run is triggered.

internal/flags/flags.go

@@ -76,6 +76,10 @@ var (
 	ClearCache          bool
 	Timeout             time.Duration
 	CacheExpiryDuration time.Duration
+	CACert              string
+	Cert                string
+	CertKey             string
+	CertKeyPass         string
 )
 
 func init() {
@@ -155,6 +159,10 @@ func init() {
 		pflag.DurationVar(&Timeout, "timeout", getConfig(config, func() *time.Duration { return config.Remote.Timeout }, time.Second*10), "Timeout for downloading remote Taskfiles.")
 		pflag.BoolVar(&ClearCache, "clear-cache", false, "Clear the remote cache.")
 		pflag.DurationVar(&CacheExpiryDuration, "expiry", getConfig(config, func() *time.Duration { return config.Remote.CacheExpiry }, 0), "Expiry duration for cached remote Taskfiles.")
+		pflag.StringVar(&CACert, "cacert", getConfig(config, func() *string { return config.Remote.CACert }, ""), "Path to a custom CA certificate for HTTPS connections.")
+		pflag.StringVar(&Cert, "cert", getConfig(config, func() *string { return config.Remote.Cert }, ""), "Path to a client certificate for HTTPS connections.")
+		pflag.StringVar(&CertKey, "cert-key", getConfig(config, func() *string { return config.Remote.CertKey }, ""), "Path to a client certificate key for HTTPS connections.")
+		pflag.StringVar(&CertKeyPass, "cert-key-pass", getConfig(config, func() *string { return config.Remote.CertKeyPass }, ""), "Passphrase for the client certificate key.")
 	}
 	pflag.Parse()
 }
@@ -200,6 +208,15 @@ func Validate() error {
 		return errors.New("task: --nested only applies to --json with --list or --list-all")
 	}
 
+	// Validate certificate flags
+	if (Cert != "" && CertKey == "") || (Cert == "" && CertKey != "") {
+		return errors.New("task: --cert and --cert-key must be provided together")
+	}
+
+	if CertKeyPass != "" && Cert == "" {
+		return errors.New("task: --cert-key-pass requires --cert and --cert-key")
+	}
+
 	return nil
 }
 
@@ -240,6 +257,10 @@ func (o *flagsOption) ApplyToExecutor(e *task.Executor) {
 		task.WithOffline(Offline),
 		task.WithTimeout(Timeout),
 		task.WithCacheExpiryDuration(CacheExpiryDuration),
+		task.WithCACert(CACert),
+		task.WithCert(Cert),
+		task.WithCertKey(CertKey),
+		task.WithCertKeyPass(CertKeyPass),
 		task.WithWatch(Watch),
 		task.WithVerbose(Verbose),
 		task.WithSilent(Silent),

setup.go

@@ -56,7 +56,12 @@ func (e *Executor) Setup() error {
 }
 
 func (e *Executor) getRootNode() (taskfile.Node, error) {
-	node, err := taskfile.NewRootNode(e.Entrypoint, e.Dir, e.Insecure, e.Timeout)
+	node, err := taskfile.NewRootNode(e.Entrypoint, e.Dir, e.Insecure, e.Timeout,
+		taskfile.WithCACert(e.CACert),
+		taskfile.WithCert(e.Cert),
+		taskfile.WithCertKey(e.CertKey),
+		taskfile.WithCertKeyPass(e.CertKeyPass),
+	)
 	if os.IsNotExist(err) {
 		return nil, errors.TaskfileNotFoundError{
 			URI:     fsext.DefaultDir(e.Entrypoint, e.Dir),
@@ -86,6 +91,10 @@ func (e *Executor) readTaskfile(node taskfile.Node) error {
 		taskfile.WithOffline(e.Offline),
 		taskfile.WithTempDir(e.TempDir.Remote),
 		taskfile.WithCacheExpiryDuration(e.CacheExpiryDuration),
+		taskfile.WithReaderCACert(e.CACert),
+		taskfile.WithReaderCert(e.Cert),
+		taskfile.WithReaderCertKey(e.CertKey),
+		taskfile.WithReaderCertKeyPass(e.CertKeyPass),
 		taskfile.WithDebugFunc(debugFunc),
 		taskfile.WithPromptFunc(promptFunc),
 	)

taskfile/node.go

@@ -34,13 +34,14 @@ func NewRootNode(
 	dir string,
 	insecure bool,
 	timeout time.Duration,
+	opts ...NodeOption,
 ) (Node, error) {
 	dir = fsext.DefaultDir(entrypoint, dir)
 	// If the entrypoint is "-", we read from stdin
 	if entrypoint == "-" {
 		return NewStdinNode(dir)
 	}
-	return NewNode(entrypoint, dir, insecure)
+	return NewNode(entrypoint, dir, insecure, opts...)
 }
 
 func NewNode(

taskfile/node_base.go

@@ -7,9 +7,13 @@ type (
 	// designed to be embedded in other node types so that this boilerplate code
 	// does not need to be repeated.
 	baseNode struct {
-		parent   Node
-		dir      string
-		checksum string
+		parent      Node
+		dir         string
+		checksum    string
+		caCert      string
+		cert        string
+		certKey     string
+		certKeyPass string
 	}
 )
 
@@ -54,3 +58,27 @@ func (node *baseNode) Checksum() string {
 func (node *baseNode) Verify(checksum string) bool {
 	return node.checksum == "" || node.checksum == checksum
 }
+
+func WithCACert(caCert string) NodeOption {
+	return func(node *baseNode) {
+		node.caCert = caCert
+	}
+}
+
+func WithCert(cert string) NodeOption {
+	return func(node *baseNode) {
+		node.cert = cert
+	}
+}
+
+func WithCertKey(certKey string) NodeOption {
+	return func(node *baseNode) {
+		node.certKey = certKey
+	}
+}
+
+func WithCertKeyPass(certKeyPass string) NodeOption {
+	return func(node *baseNode) {
+		node.certKeyPass = certKeyPass
+	}
+}

taskfile/node_http.go

@@ -2,10 +2,13 @@ package taskfile
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
+	"os"
 	"path/filepath"
 	"strings"
 
@@ -17,7 +20,102 @@ import (
 // An HTTPNode is a node that reads a Taskfile from a remote location via HTTP.
 type HTTPNode struct {
 	*baseNode
-	url *url.URL // stores url pointing actual remote file. (e.g. with Taskfile.yml)
+	url    *url.URL     // stores url pointing actual remote file. (e.g. with Taskfile.yml)
+	client *http.Client // HTTP client with optional TLS configuration
+}
+
+// buildHTTPClient creates an HTTP client with optional TLS configuration.
+// If no certificate options are provided, it returns http.DefaultClient.
+func buildHTTPClient(insecure bool, caCert, cert, certKey, certKeyPass string) (*http.Client, error) {
+	// Validate that cert and certKey are provided together
+	if (cert != "" && certKey == "") || (cert == "" && certKey != "") {
+		return nil, fmt.Errorf("both --cert and --cert-key must be provided together")
+	}
+
+	// If no TLS customization is needed, return the default client
+	if !insecure && caCert == "" && cert == "" {
+		return http.DefaultClient, nil
+	}
+
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: insecure, //nolint:gosec
+	}
+
+	// Load custom CA certificate if provided
+	if caCert != "" {
+		caCertData, err := os.ReadFile(caCert)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read CA certificate: %w", err)
+		}
+		caCertPool := x509.NewCertPool()
+		if !caCertPool.AppendCertsFromPEM(caCertData) {
+			return nil, fmt.Errorf("failed to parse CA certificate")
+		}
+		tlsConfig.RootCAs = caCertPool
+	}
+
+	// Load client certificate and key if provided
+	if cert != "" && certKey != "" {
+		var clientCert tls.Certificate
+		var err error
+
+		if certKeyPass != "" {
+			// Load encrypted private key
+			clientCert, err = loadCertWithEncryptedKey(cert, certKey, certKeyPass)
+		} else {
+			clientCert, err = tls.LoadX509KeyPair(cert, certKey)
+		}
+		if err != nil {
+			return nil, fmt.Errorf("failed to load client certificate: %w", err)
+		}
+		tlsConfig.Certificates = []tls.Certificate{clientCert}
+	}
+
+	return &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: tlsConfig,
+		},
+	}, nil
+}
+
+// loadCertWithEncryptedKey loads a certificate with an encrypted private key.
+func loadCertWithEncryptedKey(certFile, keyFile, passphrase string) (tls.Certificate, error) {
+	certPEM, err := os.ReadFile(certFile)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("failed to read certificate file: %w", err)
+	}
+
+	keyPEM, err := os.ReadFile(keyFile)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("failed to read key file: %w", err)
+	}
+
+	// Try to decrypt the private key
+	decryptedKey, err := decryptPEMKey(keyPEM, passphrase)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("failed to decrypt private key: %w", err)
+	}
+
+	return tls.X509KeyPair(certPEM, decryptedKey)
+}
+
+// decryptPEMKey attempts to decrypt a PEM-encoded private key.
+func decryptPEMKey(keyPEM []byte, passphrase string) ([]byte, error) {
+	// For PKCS#8 encrypted keys, we need to parse and decrypt them
+	// The standard library doesn't directly support encrypted PKCS#8,
+	// so we try to parse it as-is first (in case it's not actually encrypted)
+	// For now, we support unencrypted keys and return an error for encrypted ones
+	// that require external libraries to decrypt.
+
+	// Try to parse as unencrypted first
+	_, err := tls.X509KeyPair([]byte("-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----"), keyPEM)
+	if err == nil {
+		return keyPEM, nil
+	}
+
+	// TODO: Add support for encrypted PKCS#8 keys using x/crypto/pkcs8
+	// This would require adding a dependency on golang.org/x/crypto
+	return nil, fmt.Errorf("encrypted private keys require the key to be decrypted externally, or use an unencrypted key")
 }
 
 func NewHTTPNode(
@@ -34,9 +132,17 @@ func NewHTTPNode(
 	if url.Scheme == "http" && !insecure {
 		return nil, &errors.TaskfileNotSecureError{URI: url.Redacted()}
 	}
+
+	// Build HTTP client with TLS configuration from node options
+	client, err := buildHTTPClient(insecure, base.caCert, base.cert, base.certKey, base.certKeyPass)
+	if err != nil {
+		return nil, err
+	}
+
 	return &HTTPNode{
 		baseNode: base,
 		url:      url,
+		client:   client,
 	}, nil
 }
 
@@ -49,7 +155,7 @@ func (node *HTTPNode) Read() ([]byte, error) {
 }
 
 func (node *HTTPNode) ReadContext(ctx context.Context) ([]byte, error) {
-	url, err := RemoteExists(ctx, *node.url)
+	url, err := RemoteExists(ctx, *node.url, node.client)
 	if err != nil {
 		return nil, err
 	}
@@ -58,7 +164,7 @@ func (node *HTTPNode) ReadContext(ctx context.Context) ([]byte, error) {
 		return nil, errors.TaskfileFetchFailedError{URI: node.Location()}
 	}
 
-	resp, err := http.DefaultClient.Do(req.WithContext(ctx))
+	resp, err := node.client.Do(req.WithContext(ctx))
 	if err != nil {
 		if ctx.Err() != nil {
 			return nil, err