aminueza · aminueza · Feb 17, 2022 · Apr 4, 2020 · Apr 14, 2020 · Apr 14, 2020
diff --git a/README.md b/README.md
@@ -132,3 +132,23 @@ Distributed under the Apache License. See [LICENSE](./LICENSE) for more informat
 - [HashiCorp Terraform](https://www.hashicorp.com/products/terraform)
 - [MinIO](https://min.io)
 - [Best Readme](https://github.com/othneildrew/Best-README-Template)
+
+## Contributors
+
+Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
+
+<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable -->
+<table>
+  <tr>
+    <td align="center"><a href="http://amandasouza.app"><img src="https://avatars0.githubusercontent.com/u/15249711?v=4" width="100px;" alt=""/><br /><sub><b>Amanda Souza</b></sub></a><br /><a href="https://github.com/aminueza/terraform-provider-minio/commits?author=aminueza" title="Code">💻</a> <a href="https://github.com/aminueza/terraform-provider-minio/pulls?q=is%3Apr+reviewed-by%3Aaminueza" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/aminueza/terraform-provider-minio/commits?author=aminueza" title="Tests">⚠️</a> <a href="#projectManagement-aminueza" title="Project Management">📆</a> <a href="#infra-aminueza" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a> <a href="#ideas-aminueza" title="Ideas, Planning, & Feedback">🤔</a> <a href="https://github.com/aminueza/terraform-provider-minio/commits?author=aminueza" title="Documentation">📖</a></td>
+    <td align="center"><a href="https://victornogueira.app"><img src="https://avatars2.githubusercontent.com/u/418083?v=4" width="100px;" alt=""/><br /><sub><b>Victor Nogueira</b></sub></a><br /><a href="https://github.com/aminueza/terraform-provider-minio/commits?author=felladrin" title="Documentation">📖</a> <a href="https://github.com/aminueza/terraform-provider-minio/commits?author=felladrin" title="Tests">⚠️</a> <a href="https://github.com/aminueza/terraform-provider-minio/commits?author=felladrin" title="Code">💻</a></td>
+    <td align="center"><a href="https://github.com/nolte"><img src="https://avatars1.githubusercontent.com/u/538808?v=4" width="100px;" alt=""/><br /><sub><b>nolte</b></sub></a><br /><a href="https://github.com/aminueza/terraform-provider-minio/commits?author=nolte" title="Code">💻</a> <a href="#ideas-nolte" title="Ideas, Planning, & Feedback">🤔</a> <a href="https://github.com/aminueza/terraform-provider-minio/commits?author=nolte" title="Documentation">📖</a></td>
+  </tr>
+</table>
+<!-- markdownlint-enable -->
+<!-- prettier-ignore-end -->
+<!-- ALL-CONTRIBUTORS-LIST:END -->
+
+This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome!
diff --git a/minio/check_config.go b/minio/check_config.go
@@ -23,12 +23,16 @@ func BucketConfig(d *schema.ResourceData, meta interface{}) *S3MinioBucket {
 //NewConfig creates a new config for minio
 func NewConfig(d *schema.ResourceData) *S3MinioConfig {
 	return &S3MinioConfig{
-		S3HostPort:     d.Get("minio_server").(string),
-		S3Region:       d.Get("minio_region").(string),
-		S3UserAccess:   d.Get("minio_access_key").(string),
-		S3UserSecret:   d.Get("minio_secret_key").(string),
-		S3APISignature: d.Get("minio_api_version").(string),
-		S3SSL:          d.Get("minio_ssl").(bool),
+		S3HostPort:      d.Get("minio_server").(string),
+		S3Region:        d.Get("minio_region").(string),
+		S3UserAccess:    d.Get("minio_access_key").(string),
+		S3UserSecret:    d.Get("minio_secret_key").(string),
+		S3APISignature:  d.Get("minio_api_version").(string),
+		S3SSL:           d.Get("minio_ssl").(bool),
+		S3SSLCACertFile: d.Get("minio_cert_file").(string),
+		S3SSLCertFile:   d.Get("minio_cert_file").(string),
+		S3SSLKeyFile:    d.Get("minio_key_file").(string),
+		S3SSLSkipVerify: d.Get("minio_insecure").(bool),
 	}
 }
 

diff --git a/minio/new_client.go b/minio/new_client.go
@@ -1,56 +1,133 @@
 package minio
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
 	"log"
-
-	"github.com/minio/minio-go/v7/pkg/credentials"
+	"net/http"
 
 	"github.com/minio/madmin-go"
-	minio "github.com/minio/minio-go/v7"
+	"github.com/minio/minio-go/v7"
+	"github.com/minio/minio-go/v7/pkg/credentials"
 )
 
 //NewClient returns a new minio client
-func (config *S3MinioConfig) NewClient() (interface{}, error) {
+func (config *S3MinioConfig) NewClient() (client interface{}, err error) {
 
 	var minioClient *minio.Client
 
-	var err error
+	tr, err := config.customTransport()
+	if err != nil {
+		log.Println("[FATAL] Error configuring S3 client transport.")
+		return nil, err
+	}
+
 	if config.S3APISignature == "v2" {
 		minioClient, err = minio.New(config.S3HostPort, &minio.Options{
-			// config.S3UserAccess, config.S3UserSecret, config.S3SSL
-			Creds:  credentials.NewStaticV4(config.S3UserAccess, config.S3UserSecret, ""),
-			Secure: config.S3SSL,
+			Creds:     credentials.NewStaticV2(config.S3UserAccess, config.S3UserSecret, ""),
+			Secure:    config.S3SSL,
+			Transport: tr,
 		})
 	} else if config.S3APISignature == "v4" {
 		minioClient, err = minio.New(config.S3HostPort, &minio.Options{
-			// config.S3UserAccess, config.S3UserSecret, config.S3SSL
-			Creds:  credentials.NewStaticV4(config.S3UserAccess, config.S3UserSecret, ""),
-			Secure: config.S3SSL,
+			Creds:     credentials.NewStaticV4(config.S3UserAccess, config.S3UserSecret, ""),
+			Secure:    config.S3SSL,
+			Transport: tr,
 		})
 	} else {
-		minioClient, err = minio.New(config.S3HostPort, &minio.Options{
-			// config.S3UserAccess, config.S3UserSecret, config.S3SSL
-			Creds:  credentials.NewStaticV4(config.S3UserAccess, config.S3UserSecret, ""),
-			Secure: config.S3SSL,
-		})
+		return nil, fmt.Errorf("Unknown S3 API signature: %s, must be v2 or v4", config.S3APISignature)
 	}
-
-	minioAdmin, _ := madmin.New(config.S3HostPort, config.S3UserAccess, config.S3UserSecret, config.S3SSL)
-	//minioAdmin.TraceOn(nil)
 	if err != nil {
-		log.Println("[FATAL] Error connecting to S3 server.")
+		log.Println("[FATAL] Error building client for S3 server.")
 		return nil, err
 	}
 
-	if config.S3SSL {
-		log.Printf("[DEBUG] S3 client initialized")
+	minioAdmin, err := madmin.New(config.S3HostPort, config.S3UserAccess, config.S3UserSecret, config.S3SSL)
+	//minioAdmin.TraceOn(nil)
+	if err != nil {
+		log.Println("[FATAL] Error building admin client for S3 server.")
+		return nil, err
 	}
+	minioAdmin.SetCustomTransport(tr)
 
 	return &S3MinioClient{
 		S3UserAccess: config.S3UserAccess,
 		S3Region:     config.S3Region,
 		S3Client:     minioClient,
 		S3Admin:      minioAdmin,
 	}, nil
+}
+
+func isValidCertificate(c []byte) bool {
+	p, _ := pem.Decode(c)
+	if p == nil {
+		return false
+	}
+	_, err := x509.ParseCertificates(p.Bytes)
+	if err != nil {
+		return false
+	}
+	return true
+}
+
+func (config *S3MinioConfig) customTransport() (*http.Transport, error) {
+
+	if !config.S3SSL {
+		return minio.DefaultTransport(config.S3SSL)
+	}
+
+	tlsConfig := &tls.Config{
+		// Can't use SSLv3 because of POODLE and BEAST
+		// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
+		// Can't use TLSv1.1 because of RC4 cipher usage
+		MinVersion: tls.VersionTLS12,
+	}
+
+	tr, err := minio.DefaultTransport(config.S3SSL)
+	if err != nil {
+		return nil, err
+	}
+
+	if config.S3SSLCACertFile != "" {
+		minioCACert, err := ioutil.ReadFile(config.S3SSLCACertFile)
+		if err != nil {
+			return nil, err
+		}
+
+		if !isValidCertificate(minioCACert) {
+			return nil, fmt.Errorf("Minio CA Cert is not a valid x509 certificate")
+		}
+
+		rootCAs, _ := x509.SystemCertPool()
+		if rootCAs == nil {
+			// In some systems (like Windows) system cert pool is
+			// not supported or no certificates are present on the
+			// system - so we create a new cert pool.
+			rootCAs = x509.NewCertPool()
+		}
+		rootCAs.AppendCertsFromPEM(minioCACert)
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+		tlsConfig.RootCAs = rootCAs
+	}
+
+	if config.S3SSLCertFile != "" && config.S3SSLKeyFile != "" {
+		minioPair, err := tls.LoadX509KeyPair(config.S3SSLCertFile, config.S3SSLKeyFile)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig.Certificates = []tls.Certificate{minioPair}
+	}
+
+	if config.S3SSLSkipVerify {
+		tlsConfig.InsecureSkipVerify = true
+	}
+
+	tr.TLSClientConfig = tlsConfig
+
+	log.Printf("[DEBUG] S3 SSL client initialized")
 
+	return tr, nil
 }
diff --git a/minio/payload.go b/minio/payload.go
@@ -8,12 +8,16 @@ import (
 
 //S3MinioConfig defines variable for minio
 type S3MinioConfig struct {
-	S3HostPort     string
-	S3UserAccess   string
-	S3UserSecret   string
-	S3Region       string
-	S3APISignature string
-	S3SSL          bool
+	S3HostPort      string
+	S3UserAccess    string
+	S3UserSecret    string
+	S3Region        string
+	S3APISignature  string
+	S3SSL           bool
+	S3SSLCACertFile string
+	S3SSLCertFile   string
+	S3SSLKeyFile    string
+	S3SSLSkipVerify bool
 }
 
 //S3MinioClient defines default minio

diff --git a/minio/provider.go b/minio/provider.go
@@ -56,6 +56,35 @@ func Provider() *schema.Provider {
 					"MINIO_ENABLE_HTTPS",
 				}, nil),
 			},
+			"minio_insecure": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+				DefaultFunc: schema.MultiEnvDefaultFunc([]string{
+					"MINIO_INSECURE",
+				}, nil),
+			},
+			"minio_cacert_file": {
+				Type:     schema.TypeString,
+				Optional: true,
+				DefaultFunc: schema.MultiEnvDefaultFunc([]string{
+					"MINIO_CACERT_FILE",
+				}, nil),
+			},
+			"minio_cert_file": {
+				Type:     schema.TypeString,
+				Optional: true,
+				DefaultFunc: schema.MultiEnvDefaultFunc([]string{
+					"MINIO_CERT_FILE",
+				}, nil),
+			},
+			"minio_key_file": {
+				Type:     schema.TypeString,
+				Optional: true,
+				DefaultFunc: schema.MultiEnvDefaultFunc([]string{
+					"MINIO_KEY_FILE",
+				}, nil),
+			},
 		},
 
 		DataSourcesMap: map[string]*schema.Resource{