feat(unstable): support in memory certificate data for Deno.createHttpClient (#8739)

cli/dts/lib.deno.unstable.d.ts

@@ -1266,6 +1266,10 @@ declare namespace Deno {
      * Requires `allow-read` permission.
      */
     caFile?: string;
+
+    /** A certificate authority to use when validating TLS certificates. Certificate data must be PEM encoded.
+     */
+    caData?: string;
   }
 
   /** **UNSTABLE**: New API, yet to be vetted.

cli/tests/unit/fetch_test.ts

@@ -959,7 +959,7 @@ unitTest(function fetchResponseEmptyConstructor(): void {
 
 unitTest(
   { perms: { net: true, read: true } },
-  async function fetchCustomHttpClientSuccess(): Promise<
+  async function fetchCustomHttpClientFileCertificateSuccess(): Promise<
     void
   > {
     const client = Deno.createHttpClient(
@@ -974,3 +974,42 @@ unitTest(
     client.close();
   },
 );
+
+unitTest(
+  { perms: { net: true } },
+  async function fetchCustomHttpClientParamCertificateSuccess(): Promise<
+    void
+  > {
+    const client = Deno.createHttpClient(
+      {
+        caData: `-----BEGIN CERTIFICATE-----
+MIIDIzCCAgugAwIBAgIJAMKPPW4tsOymMA0GCSqGSIb3DQEBCwUAMCcxCzAJBgNV
+BAYTAlVTMRgwFgYDVQQDDA9FeGFtcGxlLVJvb3QtQ0EwIBcNMTkxMDIxMTYyODIy
+WhgPMjExODA5MjcxNjI4MjJaMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9FeGFt
+cGxlLVJvb3QtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMH/IO
+2qtHfyBKwANNPB4K0q5JVSg8XxZdRpTTlz0CwU0oRO3uHrI52raCCfVeiQutyZop
+eFZTDWeXGudGAFA2B5m3orWt0s+touPi8MzjsG2TQ+WSI66QgbXTNDitDDBtTVcV
+5G3Ic+3SppQAYiHSekLISnYWgXLl+k5CnEfTowg6cjqjVr0KjL03cTN3H7b+6+0S
+ws4rYbW1j4ExR7K6BFNH6572yq5qR20E6GqlY+EcOZpw4CbCk9lS8/CWuXze/vMs
+OfDcc6K+B625d27wyEGZHedBomT2vAD7sBjvO8hn/DP1Qb46a8uCHR6NSfnJ7bXO
+G1igaIbgY1zXirNdAgMBAAGjUDBOMB0GA1UdDgQWBBTzut+pwwDfqmMYcI9KNWRD
+hxcIpTAfBgNVHSMEGDAWgBTzut+pwwDfqmMYcI9KNWRDhxcIpTAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB9AqSbZ+hEglAgSHxAMCqRFdhVu7MvaQM0
+P090mhGlOCt3yB7kdGfsIrUW6nQcTz7PPQFRaJMrFHPvFvPootkBUpTYR4hTkdce
+H6RCRu2Jxl4Y9bY/uezd9YhGCYfUtfjA6/TH9FcuZfttmOOlxOt01XfNvVMIR6RM
+z/AYhd+DeOXjr35F/VHeVpnk+55L0PYJsm1CdEbOs5Hy1ecR7ACuDkXnbM4fpz9I
+kyIWJwk2zJReKcJMgi1aIinDM9ao/dca1G99PHOw8dnr4oyoTiv8ao6PWiSRHHMi
+MNf4EgWfK+tZMnuqfpfO9740KzfcVoMNo4QJD4yn5YxroUOO/Azi
+-----END CERTIFICATE-----
+`,
+      },
+    );
+    const response = await fetch(
+      "https://localhost:5545/cli/tests/fixture.json",
+      { client },
+    );
+    const json = await response.json();
+    assertEquals(json.name, "deno");
+    client.close();
+  },
+);

op_crates/fetch/lib.rs

@@ -260,6 +260,7 @@ where
   #[serde(default)]
   struct CreateHttpClientOptions {
     ca_file: Option<String>,
+    ca_data: Option<String>,
   }
 
   let args: CreateHttpClientOptions = serde_json::from_value(args)?;
@@ -269,7 +270,9 @@ where
     permissions.check_read(&PathBuf::from(ca_file))?;
   }
 
-  let client = create_http_client(args.ca_file.as_deref()).unwrap();
+  let client =
+    create_http_client(args.ca_file.as_deref(), args.ca_data.as_deref())
+      .unwrap();
 
   let rid = state.resource_table.add(HttpClientResource::new(client));
   Ok(json!(rid))
@@ -277,9 +280,16 @@ where
 
 /// Create new instance of async reqwest::Client. This client supports
 /// proxies and doesn't follow redirects.
-fn create_http_client(ca_file: Option<&str>) -> Result<Client, AnyError> {
+fn create_http_client(
+  ca_file: Option<&str>,
+  ca_data: Option<&str>,
+) -> Result<Client, AnyError> {
   let mut builder = Client::builder().redirect(Policy::none()).use_rustls_tls();
-  if let Some(ca_file) = ca_file {
+  if let Some(ca_data) = ca_data {
+    let ca_data_vec = ca_data.as_bytes().to_vec();
+    let cert = reqwest::Certificate::from_pem(&ca_data_vec)?;
+    builder = builder.add_root_certificate(cert);
+  } else if let Some(ca_file) = ca_file {
     let mut buf = Vec::new();
     File::open(ca_file)?.read_to_end(&mut buf)?;
     let cert = reqwest::Certificate::from_pem(&buf)?;