From f1d2df3e73da5f2204e4aad0f143cc3334bae443 Mon Sep 17 00:00:00 2001
From: Ben Johnson
Date: Sat, 27 Mar 2021 08:00:09 -0600
Subject: [PATCH] Add skip-verify flag for using self-signed certificates

This commit adds a `skip-verify` flag to the replica configuration so that it can be used with self-signed certificates. This is useful when running a local instance of MinIO with TLS for testing.
---
 cmd/litestream/main.go | 4 +++-
 s3/s3.go | 9 +++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/cmd/litestream/main.go b/cmd/litestream/main.go
index cad28b4..5d0374b 100644
--- a/cmd/litestream/main.go
+++ b/cmd/litestream/main.go
@@ -276,6 +276,7 @@ type ReplicaConfig struct {
 Bucket string `yaml:"bucket"`
 Endpoint string `yaml:"endpoint"`
 ForcePathStyle *bool `yaml:"force-path-style"`
+ SkipVerify bool `yaml:"skip-verify"`
 }
 
 // NewReplicaFromConfig instantiates a replica for a DB based on a config.
@@ -347,7 +348,7 @@ func newS3ReplicaFromConfig(c *ReplicaConfig, db *litestream.DB) (_ *s3.Replica,
 }
 
 bucket, path := c.Bucket, c.Path
- region, endpoint := c.Region, c.Endpoint
+ region, endpoint, skipVerify := c.Region, c.Endpoint, c.SkipVerify
 
 // Use path style if an endpoint is explicitly set. This works because the
 // only service to not use path style is AWS which does not use an endpoint.
@@ -396,6 +397,7 @@ func newS3ReplicaFromConfig(c *ReplicaConfig, db *litestream.DB) (_ *s3.Replica,
 r.Region = region
 r.Endpoint = endpoint
 r.ForcePathStyle = forcePathStyle
+ r.SkipVerify = skipVerify
 
 if v := c.Retention; v > 0 {
 r.Retention = v
diff --git a/s3/s3.go b/s3/s3.go
index 3fda9b7..2878b86 100644
--- a/s3/s3.go
+++ b/s3/s3.go
@@ -3,11 +3,13 @@ package s3
 import (
 "bytes"
 "context"
+ "crypto/tls"
 "fmt"
 "io"
 "io/ioutil"
 "log"
 "net"
+ "net/http"
 "os"
 "path"
 "regexp"
@@ -79,6 +81,7 @@ type Replica struct {
 Path string
 Endpoint string
 ForcePathStyle bool
+ SkipVerify bool
 
 // Time between syncs with the shadow WAL.
 SyncInterval time.Duration
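Review bot: The new `SkipVerify` field in ReplicaConfig (cmd/litestream/main.go, first hunk) has no comment, and neither does the matching field added to s3.Replica in s3/s3.go; the name alone does not say that it turns off TLS certificate verification. I would put the same comment above both: `// SkipVerify disables TLS certificate verification for the replica endpoint. Intended only for local testing with self-signed certificates.` Both struct declarations begin outside their hunks.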
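Review bot: `r.SkipVerify = skipVerify` in the third cmd/litestream/main.go hunk copies the flag unconditionally, so as far as these hunks show, a config that sets `skip-verify: true` without an `endpoint` would switch off certificate verification for traffic to AWS itself. The commit message scopes the flag to local MinIO testing, and the comment in the second hunk says AWS is the only service used without an endpoint. A guard before the assignment, such as `if skipVerify && endpoint == "" { return nil, fmt.Errorf("skip-verify requires an explicit endpoint") }`, would keep the flag to that case; this assumes `fmt` is imported in this file and that the function returns the replica and an error. The body of newS3ReplicaFromConfig starts and ends outside both hunks, so the check belongs after any code that finalises `endpoint`.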
@@ -769,6 +772,12 @@ func (r *Replica) config() *aws.Config {
 if r.ForcePathStyle {
 config.S3ForcePathStyle = aws.Bool(r.ForcePathStyle)
 }
+ if r.SkipVerify {
+ config.HTTPClient = &http.Client{Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ }}
+ }
+
 return config
 }
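Review bot: The added `if r.SkipVerify` branch in config() sets `InsecureSkipVerify: true`, which turns off both certificate-chain and hostname checks for every request this replica makes, so any host on the network path can pose as the endpoint and read or alter the replicated data. For self-signed MinIO setups, an option that loads the server's certificate into `tls.Config.RootCAs` would keep verification on; if the flag stays, the branch should carry a comment saying it is for testing only. The bare `&http.Transport{}` also drops what `http.DefaultTransport` provides (environment proxy, dial and TLS-handshake timeouts, idle-connection limits). Cloning the default transport, as below, keeps those, assuming `http.DefaultTransport` has not been replaced with another RoundTripper. The start of config() is outside the hunk.

```go
	if r.SkipVerify {
		// Testing only: certificate and hostname checks are off for this replica.
		// Clone the default transport so proxy settings and timeouts are kept.
		tr := http.DefaultTransport.(*http.Transport).Clone()
		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
		config.HTTPClient = &http.Client{Transport: tr}
	}
```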