flipt_client 1.0.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8cfa993fb8a7521e64c37cef82bf58088f8961d9779e6c5dc9092696a127c6ff
-  data.tar.gz: 2cddbf45abafabd21660a60ab64378a2b1c4bfdafee4b931805ca8b2a1c2d002
+  metadata.gz: 2759b9ac786742b26aa0805c4d4861a1ccb9cb82c903a1bcab6c0ea3c446dfab
+  data.tar.gz: b1a8467e4bed68e87efef88a3228020e2600391d3f529ed2a10cc3abfc1b6b56
 SHA512:
-  metadata.gz: b2cc595e3b40f37c420b920415d65e439a6295ddc1d1b4c22dc0fb2cb98e43e36912842568e1eb47246a088f15eb6bcce530e020daf0c2d34253fec9fa18347d
-  data.tar.gz: 26c75eb569c0e0df06cf287ae7f9cb5beb0466be5e1c1cb8ec49252d38277914afa842f56650d7dd857cb3696d73d17a68ea6082ada6101f3bbfa729142c934f
+  metadata.gz: a818447135c3e62fe0bc0d4931225896778526df2f883f5484c61992f92de5366dff9186a277799a34be5bc75beb14ff2e9fa85fefdf393d848e50d5fc62eb9c
+  data.tar.gz: 76e27417733c3ce583316ac3cda586cd090dbcb824bdfa611335f4edc42b7b764e8ce1bf912bc5878db683bcfe81304f93771abd2ab1d590077c08551972980a

data/README.md

@@ -114,6 +114,7 @@ The `Flipt::Client` constructor accepts the following keyword arguments:
 - `fetch_mode`: The fetch mode to use. Defaults to polling.
 - `error_strategy`: The error strategy to use. Defaults to fail. See [Error Strategies](#error-strategies).
 - `snapshot`: The snapshot to use when initializing the client. Defaults to no snapshot. See [Snapshotting](#snapshotting).
+- `tls_config`: The TLS configuration for connecting to servers with custom certificates. See [TLS Configuration](#tls-configuration).
 
 ### Authentication
 
@@ -123,6 +124,126 @@ The `Flipt::Client` supports the following authentication strategies:
 - [Client Token Authentication](https://docs.flipt.io/authentication/using-tokens)
 - [JWT Authentication](https://docs.flipt.io/authentication/using-jwts)
 
+### TLS Configuration
+
+The `Flipt::Client` supports configuring TLS settings for secure connections to Flipt servers. This is useful when:
+
+- Connecting to Flipt servers with self-signed certificates
+- Using custom Certificate Authorities (CAs)  
+- Implementing mutual TLS authentication
+- Testing with insecure connections (development only)
+
+#### Basic TLS with Custom CA Certificate
+
+```ruby
+# Using a CA certificate file
+tls_config = Flipt::TlsConfig.with_ca_cert_file('/path/to/ca.pem')
+
+client = Flipt::Client.new(
+  url: 'https://flipt.example.com',
+  tls_config: tls_config
+)
+```
+
+```ruby
+# Using CA certificate data directly
+ca_cert_data = File.read('/path/to/ca.pem')
+tls_config = Flipt::TlsConfig.with_ca_cert_data(ca_cert_data)
+
+client = Flipt::Client.new(
+  url: 'https://flipt.example.com',
+  tls_config: tls_config
+)
+```
+
+#### Mutual TLS Authentication
+
+```ruby
+# Using certificate and key files
+tls_config = Flipt::TlsConfig.with_mutual_tls('/path/to/client.pem', '/path/to/client.key')
+
+client = Flipt::Client.new(
+  url: 'https://flipt.example.com',
+  tls_config: tls_config
+)
+```
+
+```ruby
+# Using certificate and key data directly
+client_cert_data = File.read('/path/to/client.pem')
+client_key_data = File.read('/path/to/client.key')
+
+tls_config = Flipt::TlsConfig.with_mutual_tls_data(client_cert_data, client_key_data)
+
+client = Flipt::Client.new(
+  url: 'https://flipt.example.com',
+  tls_config: tls_config
+)
+```
+
+#### Advanced TLS Configuration
+
+```ruby
+# Full TLS configuration with all options
+tls_config = Flipt::TlsConfig.new(
+  ca_cert_file: '/path/to/ca.pem',
+  client_cert_file: '/path/to/client.pem',
+  client_key_file: '/path/to/client.key',
+  insecure_skip_verify: false
+)
+
+client = Flipt::Client.new(
+  url: 'https://flipt.example.com',
+  tls_config: tls_config
+)
+```
+
+#### Development Mode (Insecure)
+
+**⚠️ WARNING: Only use this in development environments!**
+
+```ruby
+# Skip certificate verification (NOT for production)
+tls_config = Flipt::TlsConfig.insecure
+
+client = Flipt::Client.new(
+  url: 'https://localhost:8443',
+  tls_config: tls_config
+)
+```
+
+#### Self-Signed Certificates
+
+For self-signed certificates where you need to skip hostname verification while still validating the certificate chain:
+
+```ruby
+# Skip hostname verification for self-signed certificates
+tls_config = Flipt::TlsConfig.new(
+  ca_cert_file: '/path/to/ca.pem',
+  insecure_skip_hostname_verify: true
+)
+
+client = Flipt::Client.new(
+  url: 'https://flipt.example.com',
+  tls_config: tls_config
+)
+```
+
+#### TLS Configuration Options
+
+The `TlsConfig` class supports the following options:
+
+- `ca_cert_file`: Path to custom CA certificate file (PEM format)
+- `ca_cert_data`: Raw CA certificate content (PEM format) - takes precedence over `ca_cert_file`
+- `insecure_skip_verify`: Skip certificate verification (development only)
+- `insecure_skip_hostname_verify`: Skip hostname verification while maintaining certificate validation (development only)
+- `client_cert_file`: Client certificate file for mutual TLS (PEM format)
+- `client_key_file`: Client private key file for mutual TLS (PEM format)
+- `client_cert_data`: Raw client certificate content (PEM format) - takes precedence over `client_cert_file`
+- `client_key_data`: Raw client private key content (PEM format) - takes precedence over `client_key_file`
+
+> **Note**: When both file paths and data are provided, the data fields take precedence. For example, if both `ca_cert_file` and `ca_cert_data` are set, `ca_cert_data` will be used.
+
 ### Error Strategies
 
 The client supports the following error strategies:

data/lib/flipt_client/models.rb

@@ -41,6 +41,112 @@ module Flipt
     end
   end
 
+  # TlsConfig provides configuration for TLS connections to Flipt servers
+  class TlsConfig
+    attr_reader :ca_cert_file, :ca_cert_data, :insecure_skip_verify, :insecure_skip_hostname_verify,
+                :client_cert_file, :client_key_file, :client_cert_data, :client_key_data
+
+    # Initialize TLS configuration
+    #
+    # @param ca_cert_file [String, nil] Path to CA certificate file (PEM format)
+    # @param ca_cert_data [String, nil] Raw CA certificate content (PEM format)
+    # @param insecure_skip_verify [Boolean, nil] Skip certificate verification (development only)
+    # @param insecure_skip_hostname_verify [Boolean, nil] Skip hostname verification
+    #                                                   while maintaining certificate validation (development only)
+    # @param client_cert_file [String, nil] Path to client certificate file (PEM format)
+    # @param client_key_file [String, nil] Path to client key file (PEM format)
+    # @param client_cert_data [String, nil] Raw client certificate content (PEM format)
+    # @param client_key_data [String, nil] Raw client key content (PEM format)
+    def initialize(ca_cert_file: nil, ca_cert_data: nil, insecure_skip_verify: nil,
+                   insecure_skip_hostname_verify: nil, client_cert_file: nil, client_key_file: nil,
+                   client_cert_data: nil, client_key_data: nil)
+      @ca_cert_file = ca_cert_file
+      @ca_cert_data = ca_cert_data
+      @insecure_skip_verify = insecure_skip_verify
+      @insecure_skip_hostname_verify = insecure_skip_hostname_verify
+      @client_cert_file = client_cert_file
+      @client_key_file = client_key_file
+      @client_cert_data = client_cert_data
+      @client_key_data = client_key_data
+
+      validate_files!
+    end
+
+    # Create TLS config for insecure connections (development only)
+    # WARNING: Only use this in development environments
+    #
+    # @return [TlsConfig] TLS config with certificate verification disabled
+    # @deprecated Use TlsConfig constructor instead
+    def self.insecure
+      new(insecure_skip_verify: true)
+    end
+
+    # Create TLS config with CA certificate file
+    #
+    # @param ca_cert_file [String] Path to CA certificate file
+    # @return [TlsConfig] TLS config with custom CA certificate
+    def self.with_ca_cert_file(ca_cert_file)
+      new(ca_cert_file: ca_cert_file)
+    end
+
+    # Create TLS config with CA certificate data
+    #
+    # @param ca_cert_data [String] CA certificate content in PEM format
+    # @return [TlsConfig] TLS config with custom CA certificate
+    def self.with_ca_cert_data(ca_cert_data)
+      new(ca_cert_data: ca_cert_data)
+    end
+
+    # Create TLS config for mutual TLS with certificate files
+    #
+    # @param client_cert_file [String] Path to client certificate file
+    # @param client_key_file [String] Path to client key file
+    # @return [TlsConfig] TLS config with mutual TLS
+    def self.with_mutual_tls(client_cert_file, client_key_file)
+      new(client_cert_file: client_cert_file, client_key_file: client_key_file)
+    end
+
+    # Create TLS config for mutual TLS with certificate data
+    #
+    # @param client_cert_data [String] Client certificate content in PEM format
+    # @param client_key_data [String] Client key content in PEM format
+    # @return [TlsConfig] TLS config with mutual TLS
+    def self.with_mutual_tls_data(client_cert_data, client_key_data)
+      new(client_cert_data: client_cert_data, client_key_data: client_key_data)
+    end
+
+    # Convert to hash for JSON serialization
+    # @return [Hash] TLS configuration as hash
+    def to_h
+      hash = {}
+      hash[:ca_cert_file] = @ca_cert_file if @ca_cert_file
+      hash[:ca_cert_data] = @ca_cert_data if @ca_cert_data
+      hash[:insecure_skip_verify] = @insecure_skip_verify unless @insecure_skip_verify.nil?
+      hash[:insecure_skip_hostname_verify] = @insecure_skip_hostname_verify unless @insecure_skip_hostname_verify.nil?
+      hash[:client_cert_file] = @client_cert_file if @client_cert_file
+      hash[:client_key_file] = @client_key_file if @client_key_file
+      hash[:client_cert_data] = @client_cert_data if @client_cert_data
+      hash[:client_key_data] = @client_key_data if @client_key_data
+      hash
+    end
+
+    private
+
+    def validate_files!
+      validate_file_exists(@ca_cert_file, 'CA certificate file') if @ca_cert_file
+      validate_file_exists(@client_cert_file, 'Client certificate file') if @client_cert_file
+      validate_file_exists(@client_key_file, 'Client key file') if @client_key_file
+    end
+
+    def validate_file_exists(file_path, description)
+      return if file_path.nil? || file_path.strip.empty?
+
+      return if File.exist?(file_path)
+
+      raise ValidationError, "#{description} does not exist: #{file_path}"
+    end
+  end
+
   # VariantEvaluationResponse
   # @attr_reader [String] flag_key
   # @attr_reader [Boolean] match

data/lib/flipt_client/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Flipt
-  VERSION = '1.0.0'
+  VERSION = '1.2.0'
 end

data/lib/flipt_client.rb

@@ -65,12 +65,14 @@ module Flipt
     #   Note: Streaming is currently only supported when using the SDK with Flipt Cloud or Flipt v2.
     # @option opts [Symbol] :error_strategy error strategy to use for the client (:fail or :fallback).
     # @option opts [String] :snapshot snapshot to use when initializing the client
+    # @option opts [TlsConfig] :tls_config TLS configuration for connecting to servers with custom certificates
     def initialize(**opts)
       @namespace = opts.fetch(:namespace, 'default')
 
       opts[:authentication] = validate_authentication(opts.fetch(:authentication, NoAuthentication.new))
       opts[:fetch_mode] = validate_fetch_mode(opts.fetch(:fetch_mode, :polling))
       opts[:error_strategy] = validate_error_strategy(opts.fetch(:error_strategy, :fail))
+      opts[:tls_config] = validate_tls_config(opts.fetch(:tls_config, nil))
 
       @engine = self.class.initialize_engine(opts.to_json)
       ObjectSpace.define_finalizer(self, self.class.finalize(@engine))
@@ -223,6 +225,13 @@ module Flipt
 
       raise ValidationError, 'invalid error strategy'
     end
+
+    def validate_tls_config(tls_config)
+      return nil if tls_config.nil?
+      return tls_config.to_h if tls_config.is_a?(TlsConfig)
+
+      raise ValidationError, 'invalid tls_config: must be TlsConfig instance'
+    end
   end
 
   # Deprecation shim for EvaluationClient

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: flipt_client
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.2.0
 platform: ruby
 authors:
 - Flipt Devs
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-06-09 00:00:00.000000000 Z
+date: 2025-07-11 00:00:00.000000000 Z
 dependencies: []
 description: Flipt Client Evaluation SDK
 email: