Add ClientOption.allow_insecure (#3600)

* Add ClientOption.allow_insecure

Add option to allow insecure https connections.
In local isolated test environments, it is normal to use self signed, local
certificates for automated integration testing.

* clarify  with_allow_invalid_certificates

Co-authored-by: Raphael Taylor-Davies <[email protected]>

Co-authored-by: Raphael Taylor-Davies <[email protected]>

Author: poelzi

object_store/src/client/mod.rs

@@ -52,6 +52,7 @@ pub struct ClientOptions {
     default_headers: Option<HeaderMap>,
     proxy_url: Option<String>,
     allow_http: bool,
+    allow_insecure: bool,
     timeout: Option<Duration>,
     connect_timeout: Option<Duration>,
     pool_idle_timeout: Option<Duration>,
@@ -106,6 +107,21 @@ impl ClientOptions {
         self.allow_http = allow_http;
         self
     }
+    /// Allows connections to invalid SSL certificates
+    /// * false (default):  Only valid HTTPS certificates are allowed
+    /// * true:  All HTTPS certificates are allowed
+    ///
+    /// # Warning
+    ///
+    /// You should think very carefully before using this method. If
+    /// invalid certificates are trusted, *any* certificate for *any* site
+    /// will be trusted for use. This includes expired certificates. This
+    /// introduces significant vulnerabilities, and should only be used
+    /// as a last resort or for testing
+    pub fn with_allow_invalid_certificates(mut self, allow_insecure: bool) -> Self {
+        self.allow_insecure = allow_insecure;
+        self
+    }
 
     /// Only use http1 connections
     pub fn with_http1_only(mut self) -> Self {
@@ -259,6 +275,10 @@ impl ClientOptions {
             builder = builder.http2_prior_knowledge()
         }
 
+        if self.allow_insecure {
+            builder = builder.danger_accept_invalid_certs(self.allow_insecure)
+        }
+
         builder
             .https_only(!self.allow_http)
             .build()