authentication: add TLS and mTLS support

1 files changed, 23 insertions, 0 deletions

diff --git a/src/buildtool/common/cli.hpp b/src/buildtool/common/cli.hpp
index 4650f749..b9c2feb9 100644
--- a/src/buildtool/common/cli.hpp
+++ b/src/buildtool/common/cli.hpp
@@ -125,6 +125,14 @@ struct GraphArguments {
     std::optional<std::filesystem::path> git_cas{};
 };
 
+/// \brief Arguments for authentication methods.
+struct AuthArguments {
+    // CA certificate used to verify server's identity
+    std::optional<std::filesystem::path> tls_ca_cert{std::nullopt};
+    std::optional<std::filesystem::path> tls_client_cert{std::nullopt};
+    std::optional<std::filesystem::path> tls_client_key{std::nullopt};
+};
+
 static inline auto SetupCommonArguments(
     gsl::not_null<CLI::App*> const& app,
     gsl::not_null<CommonArguments*> const& clargs) {
@@ -457,4 +465,19 @@ static inline auto SetupCompatibilityArguments(
         "remote build execution protocol. As the change affects identifiers, "
         "the flag must be used consistently for all related invocations.");
 }
+
+static inline auto SetupAuthArguments(
+    gsl::not_null<CLI::App*> const& app,
+    gsl::not_null<AuthArguments*> const& authargs) {
+    app->add_option("--tls-ca-cert",
+                    authargs->tls_ca_cert,
+                    "Path to a TLS CA certificate that is trusted to sign the "
+                    "server certificate.");
+    app->add_option("--tls-client-cert",
+                    authargs->tls_client_cert,
+                    "Path to the TLS client certificate.");
+    app->add_option("--tls-client-key",
+                    authargs->tls_client_key,
+                    "Path to the TLS client key.");
+}
 #endif  // INCLUDED_SRC_BUILDTOOL_COMMON_CLI_HPP