From 1b1a61ad07f40197d3b9164821a096abd1710628 Mon Sep 17 00:00:00 2001
From: Daishan Peng <StrongMonkey@users.noreply.github.com>
Date: Wed, 27 Jan 2021 02:48:41 -0700
Subject: [PATCH] Add insecureSkipTLS and cabundle (#228)

This PR add insecureSkipTLSVerify and cabundle to any remote http calls
so that https repo with private CA signed can be used. This is the
equivalent of https.sslVerify and GIT_SSL_CAINFO
---
 options.go                          | 20 ++++++++++++++++
 plumbing/transport/client/client.go | 37 ++++++++++++++++++++++++++++-
 plumbing/transport/common.go        |  4 ++++
 remote.go                           | 18 +++++++-------
 repository.go                       | 14 ++++++-----
 worktree.go                         | 12 ++++++----
 6 files changed, 85 insertions(+), 20 deletions(-)

diff --git a/options.go b/options.go
index 2f9363150..507fc0714 100644
--- a/options.go
+++ b/options.go
@@ -60,6 +60,10 @@ type CloneOptions struct {
 	// Tags describe how the tags will be fetched from the remote repository,
 	// by default is AllTags.
 	Tags TagMode
+	// InsecureSkipTLS skips ssl verify if protocol is https
+	InsecureSkipTLS bool
+	// CABundle specify additional ca bundle with system cert pool
+	CABundle []byte
 }
 
 // Validate validates the fields and sets the default values.
@@ -105,6 +109,10 @@ type PullOptions struct {
 	// Force allows the pull to update a local branch even when the remote
 	// branch does not descend from it.
 	Force bool
+	// InsecureSkipTLS skips ssl verify if protocol is https
+	InsecureSkipTLS bool
+	// CABundle specify additional ca bundle with system cert pool
+	CABundle []byte
 }
 
 // Validate validates the fields and sets the default values.
@@ -155,6 +163,10 @@ type FetchOptions struct {
 	// Force allows the fetch to update a local branch even when the remote
 	// branch does not descend from it.
 	Force bool
+	// InsecureSkipTLS skips ssl verify if protocol is https
+	InsecureSkipTLS bool
+	// CABundle specify additional ca bundle with system cert pool
+	CABundle []byte
 }
 
 // Validate validates the fields and sets the default values.
@@ -194,6 +206,10 @@ type PushOptions struct {
 	// Force allows the push to update a remote branch even when the local
 	// branch does not descend from it.
 	Force bool
+	// InsecureSkipTLS skips ssl verify if protocal is https
+	InsecureSkipTLS bool
+	// CABundle specify additional ca bundle with system cert pool
+	CABundle []byte
 }
 
 // Validate validates the fields and sets the default values.
@@ -552,6 +568,10 @@ func (o *CreateTagOptions) loadConfigTagger(r *Repository) error {
 type ListOptions struct {
 	// Auth credentials, if required, to use with the remote repository.
 	Auth transport.AuthMethod
+	// InsecureSkipTLS skips ssl verify if protocal is https
+	InsecureSkipTLS bool
+	// CABundle specify additional ca bundle with system cert pool
+	CABundle []byte
 }
 
 // CleanOptions describes how a clean should be performed.
diff --git a/plumbing/transport/client/client.go b/plumbing/transport/client/client.go
index 4f6d210e9..20c3d0560 100644
--- a/plumbing/transport/client/client.go
+++ b/plumbing/transport/client/client.go
@@ -3,7 +3,10 @@
 package client
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	gohttp "net/http"
 
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/file"
@@ -21,6 +24,14 @@ var Protocols = map[string]transport.Transport{
 	"file":  file.DefaultClient,
 }
 
+var insecureClient = http.NewClient(&gohttp.Client{
+	Transport: &gohttp.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+		},
+	},
+})
+
 // InstallProtocol adds or modifies an existing protocol.
 func InstallProtocol(scheme string, c transport.Transport) {
 	if c == nil {
@@ -35,6 +46,31 @@ func InstallProtocol(scheme string, c transport.Transport) {
 // http://, https://, ssh:// and file://.
 // See `InstallProtocol` to add or modify protocols.
 func NewClient(endpoint *transport.Endpoint) (transport.Transport, error) {
+	return getTransport(endpoint)
+}
+
+func getTransport(endpoint *transport.Endpoint) (transport.Transport, error) {
+	if endpoint.Protocol == "https" {
+		if endpoint.InsecureSkipTLS {
+			return insecureClient, nil
+		}
+
+		if len(endpoint.CaBundle) != 0 {
+			rootCAs, _ := x509.SystemCertPool()
+			if rootCAs == nil {
+				rootCAs = x509.NewCertPool()
+			}
+			rootCAs.AppendCertsFromPEM(endpoint.CaBundle)
+			return http.NewClient(&gohttp.Client{
+				Transport: &gohttp.Transport{
+					TLSClientConfig: &tls.Config{
+						RootCAs: rootCAs,
+					},
+				},
+			}), nil
+		}
+	}
+
 	f, ok := Protocols[endpoint.Protocol]
 	if !ok {
 		return nil, fmt.Errorf("unsupported scheme %q", endpoint.Protocol)
@@ -43,6 +79,5 @@ func NewClient(endpoint *transport.Endpoint) (transport.Transport, error) {
 	if f == nil {
 		return nil, fmt.Errorf("malformed client for scheme %q, client is defined as nil", endpoint.Protocol)
 	}
-
 	return f, nil
 }
diff --git a/plumbing/transport/common.go b/plumbing/transport/common.go
index ead215557..b993c4e9f 100644
--- a/plumbing/transport/common.go
+++ b/plumbing/transport/common.go
@@ -107,6 +107,10 @@ type Endpoint struct {
 	Port int
 	// Path is the repository path.
 	Path string
+	// InsecureSkipTLS skips ssl verify if protocal is https
+	InsecureSkipTLS bool
+	// CaBundle specify additional ca bundle with system cert pool
+	CaBundle []byte
 }
 
 var defaultPorts = map[string]int{
diff --git a/remote.go b/remote.go
index d88e8e6ff..66ba71edc 100644
--- a/remote.go
+++ b/remote.go
@@ -102,7 +102,7 @@ func (r *Remote) PushContext(ctx context.Context, o *PushOptions) (err error) {
 		return fmt.Errorf("remote names don't match: %s != %s", o.RemoteName, r.c.Name)
 	}
 
-	s, err := newSendPackSession(r.c.URLs[0], o.Auth)
+	s, err := newSendPackSession(r.c.URLs[0], o.Auth, o.InsecureSkipTLS, o.CABundle)
 	if err != nil {
 		return err
 	}
@@ -309,7 +309,7 @@ func (r *Remote) fetch(ctx context.Context, o *FetchOptions) (sto storer.Referen
 		o.RefSpecs = r.c.Fetch
 	}
 
-	s, err := newUploadPackSession(r.c.URLs[0], o.Auth)
+	s, err := newUploadPackSession(r.c.URLs[0], o.Auth, o.InsecureSkipTLS, o.CABundle)
 	if err != nil {
 		return nil, err
 	}
@@ -369,8 +369,8 @@ func (r *Remote) fetch(ctx context.Context, o *FetchOptions) (sto storer.Referen
 	return remoteRefs, nil
 }
 
-func newUploadPackSession(url string, auth transport.AuthMethod) (transport.UploadPackSession, error) {
-	c, ep, err := newClient(url)
+func newUploadPackSession(url string, auth transport.AuthMethod, insecure bool, cabundle []byte) (transport.UploadPackSession, error) {
+	c, ep, err := newClient(url, auth, insecure, cabundle)
 	if err != nil {
 		return nil, err
 	}
@@ -378,8 +378,8 @@ func newUploadPackSession(url string, auth transport.AuthMethod) (transport.Uplo
 	return c.NewUploadPackSession(ep, auth)
 }
 
-func newSendPackSession(url string, auth transport.AuthMethod) (transport.ReceivePackSession, error) {
-	c, ep, err := newClient(url)
+func newSendPackSession(url string, auth transport.AuthMethod, insecure bool, cabundle []byte) (transport.ReceivePackSession, error) {
+	c, ep, err := newClient(url, auth, insecure, cabundle)
 	if err != nil {
 		return nil, err
 	}
@@ -387,11 +387,13 @@ func newSendPackSession(url string, auth transport.AuthMethod) (transport.Receiv
 	return c.NewReceivePackSession(ep, auth)
 }
 
-func newClient(url string) (transport.Transport, *transport.Endpoint, error) {
+func newClient(url string, auth transport.AuthMethod, insecure bool, cabundle []byte) (transport.Transport, *transport.Endpoint, error) {
 	ep, err := transport.NewEndpoint(url)
 	if err != nil {
 		return nil, nil, err
 	}
+	ep.InsecureSkipTLS = insecure
+	ep.CaBundle = cabundle
 
 	c, err := client.NewClient(ep)
 	if err != nil {
@@ -1025,7 +1027,7 @@ func (r *Remote) buildFetchedTags(refs memory.ReferenceStorage) (updated bool, e
 
 // List the references on the remote repository.
 func (r *Remote) List(o *ListOptions) (rfs []*plumbing.Reference, err error) {
-	s, err := newUploadPackSession(r.c.URLs[0], o.Auth)
+	s, err := newUploadPackSession(r.c.URLs[0], o.Auth, o.InsecureSkipTLS, o.CABundle)
 	if err != nil {
 		return nil, err
 	}
diff --git a/repository.go b/repository.go
index 36fc1f5bd..cc487d48b 100644
--- a/repository.go
+++ b/repository.go
@@ -841,12 +841,14 @@ func (r *Repository) clone(ctx context.Context, o *CloneOptions) error {
 	}
 
 	ref, err := r.fetchAndUpdateReferences(ctx, &FetchOptions{
-		RefSpecs:   c.Fetch,
-		Depth:      o.Depth,
-		Auth:       o.Auth,
-		Progress:   o.Progress,
-		Tags:       o.Tags,
-		RemoteName: o.RemoteName,
+		RefSpecs:        c.Fetch,
+		Depth:           o.Depth,
+		Auth:            o.Auth,
+		Progress:        o.Progress,
+		Tags:            o.Tags,
+		RemoteName:      o.RemoteName,
+		InsecureSkipTLS: o.InsecureSkipTLS,
+		CABundle:        o.CABundle,
 	}, o.ReferenceName)
 	if err != nil {
 		return err
diff --git a/worktree.go b/worktree.go
index 1c89a0221..73e638a2c 100644
--- a/worktree.go
+++ b/worktree.go
@@ -72,11 +72,13 @@ func (w *Worktree) PullContext(ctx context.Context, o *PullOptions) error {
 	}
 
 	fetchHead, err := remote.fetch(ctx, &FetchOptions{
-		RemoteName: o.RemoteName,
-		Depth:      o.Depth,
-		Auth:       o.Auth,
-		Progress:   o.Progress,
-		Force:      o.Force,
+		RemoteName:      o.RemoteName,
+		Depth:           o.Depth,
+		Auth:            o.Auth,
+		Progress:        o.Progress,
+		Force:           o.Force,
+		InsecureSkipTLS: o.InsecureSkipTLS,
+		CABundle:        o.CABundle,
 	})
 
 	updated := true