Diffstat (limited to 'go/internal/config')
-rw-r--r--go/internal/config/config.go8
-rw-r--r--go/internal/config/config_test.go11
-rw-r--r--go/internal/config/httpclient.go58
3 files changed, 65 insertions, 12 deletions
diff --git a/go/internal/config/config.go b/go/internal/config/config.go
index 6085493..d651744 100644
--- a/go/internal/config/config.go
+++ b/go/internal/config/config.go
@@ -6,7 +6,6 @@ import (
"os"
"path"
"path/filepath"
- "strings"
yaml "gopkg.in/yaml.v2"
)
@@ -26,6 +25,9 @@ type HttpSettingsConfig struct {
User string `yaml:"user"`
Password string `yaml:"password"`
ReadTimeoutSeconds uint64 `yaml:"read_timeout"`
+ CaFile string `yaml:"ca_file"`
+ CaPath string `yaml:"ca_path"`
+ SelfSignedCert bool `yaml:"self_signed_cert"`
}
type Config struct {
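Review bot: The three new exported fields have no doc comments, and SelfSignedCert in particular needs one because the option does more than its YAML name suggests: in httpclient.go it is passed straight to `InsecureSkipVerify`, which turns off chain and hostname verification entirely, not just acceptance of a self-signed leaf. I would add `// SelfSignedCert disables TLS certificate and hostname verification for the GitLab connection; prefer CaFile/CaPath with the server's certificate instead.` above that field, and a one-line comment on CaFile (`// CaFile is a PEM file appended to the system root pool.`) and CaPath (`// CaPath is a directory whose regular files are each appended as PEM to the root pool.`). The struct definition starts above this hunk.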
@@ -59,10 +61,6 @@ func (c *Config) FeatureEnabled(featureName string) bool {
return false
}
- if !strings.HasPrefix(c.GitlabUrl, "http+unix://") && !strings.HasPrefix(c.GitlabUrl, "http://") {
- return false
- }
-
for _, enabledFeature := range c.Migration.Features {
if enabledFeature == featureName {
return true
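Review bot: With the scheme guard removed, FeatureEnabled now answers true for a GitlabUrl of any scheme, while GetHttpClient in httpclient.go still returns nil for anything other than http+unix, http and https; if a caller uses FeatureEnabled to decide whether to use the client (which I cannot confirm from this diff), it can now receive a nil client for a mistyped URL. The test hunk in config_test.go that changes "When the protocol is not supported" to an https case drops the only coverage of that situation. A comment here such as `// Scheme validation now lives in GetHttpClient, which returns nil for unsupported URLs.` plus a GetHttpClient test for an unsupported scheme would make the new contract explicit. FeatureEnabled starts before and continues after this hunk.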
diff --git a/go/internal/config/config_test.go b/go/internal/config/config_test.go
index d48d3db..aefc145 100644
--- a/go/internal/config/config_test.go
+++ b/go/internal/config/config_test.go
@@ -94,6 +94,13 @@ func TestParseConfig(t *testing.T) {
secret: "default-secret-content",
httpSettings: HttpSettingsConfig{User: "user_basic_auth", Password: "password_basic_auth", ReadTimeoutSeconds: 500},
},
+ {
+ yaml: "http_settings:\n ca_file: /etc/ssl/cert.pem\n ca_path: /etc/pki/tls/certs\n self_signed_cert: true",
+ path: path.Join(testRoot, "gitlab-shell.log"),
+ format: "text",
+ secret: "default-secret-content",
+ httpSettings: HttpSettingsConfig{CaFile: "/etc/ssl/cert.pem", CaPath: "/etc/pki/tls/certs", SelfSignedCert: true},
+ },
}
for _, tc := range testCases {
@@ -158,13 +165,13 @@ func TestFeatureEnabled(t *testing.T) {
expectEnabled: true,
},
{
- desc: "When the protocol is not supported",
+ desc: "When the protocol is https and the feature enabled",
config: &Config{
GitlabUrl: "https://localhost:3000",
Migration: MigrationConfig{Enabled: true, Features: []string{"discover"}},
},
feature: "discover",
- expectEnabled: false,
+ expectEnabled: true,
},
}
diff --git a/go/internal/config/httpclient.go b/go/internal/config/httpclient.go
index 82807a6..c71efad 100644
--- a/go/internal/config/httpclient.go
+++ b/go/internal/config/httpclient.go
@@ -2,16 +2,21 @@ package config
import (
"context"
+ "crypto/tls"
+ "crypto/x509"
+ "io/ioutil"
"net"
"net/http"
+ "path/filepath"
"strings"
"time"
)
const (
socketBaseUrl = "http://unix"
- UnixSocketProtocol = "http+unix://"
- HttpProtocol = "http://"
+ unixSocketProtocol = "http+unix://"
+ httpProtocol = "http://"
+ httpsProtocol = "https://"
defaultReadTimeoutSeconds = 300
)
@@ -27,10 +32,12 @@ func (c *Config) GetHttpClient() *HttpClient {
var transport *http.Transport
var host string
- if strings.HasPrefix(c.GitlabUrl, UnixSocketProtocol) {
+ if strings.HasPrefix(c.GitlabUrl, unixSocketProtocol) {
transport, host = c.buildSocketTransport()
- } else if strings.HasPrefix(c.GitlabUrl, HttpProtocol) {
+ } else if strings.HasPrefix(c.GitlabUrl, httpProtocol) {
transport, host = c.buildHttpTransport()
+ } else if strings.HasPrefix(c.GitlabUrl, httpsProtocol) {
+ transport, host = c.buildHttpsTransport()
} else {
return nil
}
@@ -48,7 +55,7 @@ func (c *Config) GetHttpClient() *HttpClient {
}
func (c *Config) buildSocketTransport() (*http.Transport, string) {
- socketPath := strings.TrimPrefix(c.GitlabUrl, UnixSocketProtocol)
+ socketPath := strings.TrimPrefix(c.GitlabUrl, unixSocketProtocol)
transport := &http.Transport{
DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
dialer := net.Dialer{}
@@ -59,6 +66,47 @@ func (c *Config) buildSocketTransport() (*http.Transport, string) {
return transport, socketBaseUrl
}
+func (c *Config) buildHttpsTransport() (*http.Transport, string) {
+ certPool, err := x509.SystemCertPool()
+
+ if err != nil {
+ certPool = x509.NewCertPool()
+ }
+
+ caFile := c.HttpSettings.CaFile
+ if caFile != "" {
+ addCertToPool(certPool, caFile)
+ }
+
+ caPath := c.HttpSettings.CaPath
+ if caPath != "" {
+ fis, _ := ioutil.ReadDir(caPath)
+ for _, fi := range fis {
+ if fi.IsDir() {
+ continue
+ }
+
+ addCertToPool(certPool, filepath.Join(caPath, fi.Name()))
+ }
+ }
+
+ transport := &http.Transport{
+ TLSClientConfig: &tls.Config{
+ RootCAs: certPool,
+ InsecureSkipVerify: c.HttpSettings.SelfSignedCert,
+ },
+ }
+
+ return transport, c.GitlabUrl
+}
+
+func addCertToPool(certPool *x509.CertPool, fileName string) {
+ cert, err := ioutil.ReadFile(fileName)
+ if err == nil {
+ certPool.AppendCertsFromPEM(cert)
+ }
+}
+
func (c *Config) buildHttpTransport() (*http.Transport, string) {
return &http.Transport{}, c.GitlabUrl
}
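Review bot: buildHttpsTransport swallows every certificate-loading failure: the error from `ioutil.ReadDir(caPath)` is discarded, addCertToPool ignores the ReadFile error, and the `false` that `AppendCertsFromPEM` returns when the file contains no PEM certificate is never checked, so a typo in ca_file or ca_path leaves the pool unchanged and surfaces only as an opaque x509 error on the first request (or, with self_signed_cert set, not at all). Separately, `InsecureSkipVerify: c.HttpSettings.SelfSignedCert` disables hostname verification as well as chain verification, which is wider than the option name suggests; a comment on that line such as `// disables all certificate and hostname checks; a self-signed server cert is safer added via CaFile` would make that visible, and the option may be unnecessary given CaFile exists. I would have addCertToPool report failures as below (this needs `fmt` added to the import block) and have buildHttpsTransport check that error and the ReadDir error, propagating or at least logging them so misconfiguration fails loudly at startup.
```go
func addCertToPool(certPool *x509.CertPool, fileName string) error {
	cert, err := ioutil.ReadFile(fileName)
	if err != nil {
		return err
	}
	if !certPool.AppendCertsFromPEM(cert) {
		return fmt.Errorf("no PEM certificates found in %q", fileName)
	}
	return nil
}
```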