feat(userspace/outputs_http): Add option for mTLS

Signed-off-by: Anna Simon <asimon@mercari.com>

falco.yaml

@@ -359,6 +359,12 @@ http_output:
   # Path to a folder that will be used as the CA certificate store. CA certificate need to be
   # stored as indivitual PEM files in this directory.
   ca_path: "/etc/ssl/certs"
+  # Tell Falco to use mTLS
+  mtls: false
+  # Path to the client cert.
+  client_cert: "/etc/ssl/certs/client.crt"
+  # Path to the client key.
+  client_key: "/etc/ssl/certs/client.key"
 
 # [Stable] `program_output`
 #

userspace/falco/configuration.cpp

@@ -207,6 +207,18 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 		ca_path = config.get_scalar<std::string>("http_output.ca_path", "/etc/ssl/certs");
 		http_output.options["ca_path"] = ca_path;
 
+		bool mtls;
+		mtls = config.get_scalar<bool>("http_output.mtls", false);
+		http_output.options["mtls"] = mtls? std::string("true") : std::string("false");
+
+		std::string client_cert;
+		client_cert = config.get_scalar<std::string>("http_output.client_cert", "/etc/ssl/certs/client.crt");
+		http_output.options["client_cert"] = client_cert;
+
+		std::string client_key;
+		client_key = config.get_scalar<std::string>("http_output.client_key", "/etc/ssl/certs/client.key");
+		http_output.options["client_key"] = client_key;
+
 		m_outputs.push_back(http_output);
 	}
 

userspace/falco/outputs_http.cpp

@@ -78,6 +78,19 @@ void falco::outputs::output_http::output(const message *msg)
 			}
 		}
 
+		if(res == CURLE_OK)
+		{
+			if(m_oc.options["mtls"] == std::string("true"))
+			{
+				res = curl_easy_setopt(curl, CURLOPT_SSLCERT, m_oc.options["client_cert"].c_str());
+
+				if(res == CURLE_OK)
+				{
+					res = curl_easy_setopt(curl, CURLOPT_SSLKEY, m_oc.options["client_key"].c_str());
+				}
+			}
+		}
+
 		if(res == CURLE_OK)
 		{
 			if (!m_oc.options["ca_cert"].empty())