From e398f84595a76a65aad9ef0f993369b3190705c2 Mon Sep 17 00:00:00 2001 From: Daishan Date: Thu, 17 Dec 2020 23:43:07 -0700 Subject: [PATCH] Add insecureSkipTLS and cabundle This PR add insecureSkipTLSVerify and cabundle to any remote http calls so that https repo with private CA signed can be used. This is the equivalent of https.sslVerify and GIT_SSL_CAINFO --- options.go | 20 ++++++++++++++++ plumbing/transport/client/client.go | 37 ++++++++++++++++++++++++++++- plumbing/transport/common.go | 4 ++++ remote.go | 18 +++++++------- repository.go | 14 ++++++----- worktree.go | 12 ++++++---- 6 files changed, 85 insertions(+), 20 deletions(-) diff --git a/options.go b/options.go index 2f9363150..507fc0714 100644 --- a/options.go +++ b/options.go @@ -60,6 +60,10 @@ type CloneOptions struct { // Tags describe how the tags will be fetched from the remote repository, // by default is AllTags. Tags TagMode + // InsecureSkipTLS skips ssl verify if protocol is https + InsecureSkipTLS bool + // CABundle specify additional ca bundle with system cert pool + CABundle []byte } // Validate validates the fields and sets the default values. @@ -105,6 +109,10 @@ type PullOptions struct { // Force allows the pull to update a local branch even when the remote // branch does not descend from it. Force bool + // InsecureSkipTLS skips ssl verify if protocol is https + InsecureSkipTLS bool + // CABundle specify additional ca bundle with system cert pool + CABundle []byte } // Validate validates the fields and sets the default values. @@ -155,6 +163,10 @@ type FetchOptions struct { // Force allows the fetch to update a local branch even when the remote // branch does not descend from it. Force bool + // InsecureSkipTLS skips ssl verify if protocol is https + InsecureSkipTLS bool + // CABundle specify additional ca bundle with system cert pool + CABundle []byte } // Validate validates the fields and sets the default values. @@ -194,6 +206,10 @@ type PushOptions struct { // Force allows the push to update a remote branch even when the local // branch does not descend from it. Force bool + // InsecureSkipTLS skips ssl verify if protocal is https + InsecureSkipTLS bool + // CABundle specify additional ca bundle with system cert pool + CABundle []byte } // Validate validates the fields and sets the default values. @@ -552,6 +568,10 @@ func (o *CreateTagOptions) loadConfigTagger(r *Repository) error { type ListOptions struct { // Auth credentials, if required, to use with the remote repository. Auth transport.AuthMethod + // InsecureSkipTLS skips ssl verify if protocal is https + InsecureSkipTLS bool + // CABundle specify additional ca bundle with system cert pool + CABundle []byte } // CleanOptions describes how a clean should be performed. diff --git a/plumbing/transport/client/client.go b/plumbing/transport/client/client.go index 4f6d210e9..20c3d0560 100644 --- a/plumbing/transport/client/client.go +++ b/plumbing/transport/client/client.go @@ -3,7 +3,10 @@ package client import ( + "crypto/tls" + "crypto/x509" "fmt" + gohttp "net/http" "github.com/go-git/go-git/v5/plumbing/transport" "github.com/go-git/go-git/v5/plumbing/transport/file" @@ -21,6 +24,14 @@ var Protocols = map[string]transport.Transport{ "file": file.DefaultClient, } +var insecureClient = http.NewClient(&gohttp.Client{ + Transport: &gohttp.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, + }, + }, +}) + // InstallProtocol adds or modifies an existing protocol. func InstallProtocol(scheme string, c transport.Transport) { if c == nil { @@ -35,6 +46,31 @@ func InstallProtocol(scheme string, c transport.Transport) { // http://, https://, ssh:// and file://. // See `InstallProtocol` to add or modify protocols. func NewClient(endpoint *transport.Endpoint) (transport.Transport, error) { + return getTransport(endpoint) +} + +func getTransport(endpoint *transport.Endpoint) (transport.Transport, error) { + if endpoint.Protocol == "https" { + if endpoint.InsecureSkipTLS { + return insecureClient, nil + } + + if len(endpoint.CaBundle) != 0 { + rootCAs, _ := x509.SystemCertPool() + if rootCAs == nil { + rootCAs = x509.NewCertPool() + } + rootCAs.AppendCertsFromPEM(endpoint.CaBundle) + return http.NewClient(&gohttp.Client{ + Transport: &gohttp.Transport{ + TLSClientConfig: &tls.Config{ + RootCAs: rootCAs, + }, + }, + }), nil + } + } + f, ok := Protocols[endpoint.Protocol] if !ok { return nil, fmt.Errorf("unsupported scheme %q", endpoint.Protocol) @@ -43,6 +79,5 @@ func NewClient(endpoint *transport.Endpoint) (transport.Transport, error) { if f == nil { return nil, fmt.Errorf("malformed client for scheme %q, client is defined as nil", endpoint.Protocol) } - return f, nil } diff --git a/plumbing/transport/common.go b/plumbing/transport/common.go index ead215557..b993c4e9f 100644 --- a/plumbing/transport/common.go +++ b/plumbing/transport/common.go @@ -107,6 +107,10 @@ type Endpoint struct { Port int // Path is the repository path. Path string + // InsecureSkipTLS skips ssl verify if protocal is https + InsecureSkipTLS bool + // CaBundle specify additional ca bundle with system cert pool + CaBundle []byte } var defaultPorts = map[string]int{ diff --git a/remote.go b/remote.go index d88e8e6ff..66ba71edc 100644 --- a/remote.go +++ b/remote.go @@ -102,7 +102,7 @@ func (r *Remote) PushContext(ctx context.Context, o *PushOptions) (err error) { return fmt.Errorf("remote names don't match: %s != %s", o.RemoteName, r.c.Name) } - s, err := newSendPackSession(r.c.URLs[0], o.Auth) + s, err := newSendPackSession(r.c.URLs[0], o.Auth, o.InsecureSkipTLS, o.CABundle) if err != nil { return err } @@ -309,7 +309,7 @@ func (r *Remote) fetch(ctx context.Context, o *FetchOptions) (sto storer.Referen o.RefSpecs = r.c.Fetch } - s, err := newUploadPackSession(r.c.URLs[0], o.Auth) + s, err := newUploadPackSession(r.c.URLs[0], o.Auth, o.InsecureSkipTLS, o.CABundle) if err != nil { return nil, err } @@ -369,8 +369,8 @@ func (r *Remote) fetch(ctx context.Context, o *FetchOptions) (sto storer.Referen return remoteRefs, nil } -func newUploadPackSession(url string, auth transport.AuthMethod) (transport.UploadPackSession, error) { - c, ep, err := newClient(url) +func newUploadPackSession(url string, auth transport.AuthMethod, insecure bool, cabundle []byte) (transport.UploadPackSession, error) { + c, ep, err := newClient(url, auth, insecure, cabundle) if err != nil { return nil, err } @@ -378,8 +378,8 @@ func newUploadPackSession(url string, auth transport.AuthMethod) (transport.Uplo return c.NewUploadPackSession(ep, auth) } -func newSendPackSession(url string, auth transport.AuthMethod) (transport.ReceivePackSession, error) { - c, ep, err := newClient(url) +func newSendPackSession(url string, auth transport.AuthMethod, insecure bool, cabundle []byte) (transport.ReceivePackSession, error) { + c, ep, err := newClient(url, auth, insecure, cabundle) if err != nil { return nil, err } @@ -387,11 +387,13 @@ func newSendPackSession(url string, auth transport.AuthMethod) (transport.Receiv return c.NewReceivePackSession(ep, auth) } -func newClient(url string) (transport.Transport, *transport.Endpoint, error) { +func newClient(url string, auth transport.AuthMethod, insecure bool, cabundle []byte) (transport.Transport, *transport.Endpoint, error) { ep, err := transport.NewEndpoint(url) if err != nil { return nil, nil, err } + ep.InsecureSkipTLS = insecure + ep.CaBundle = cabundle c, err := client.NewClient(ep) if err != nil { @@ -1025,7 +1027,7 @@ func (r *Remote) buildFetchedTags(refs memory.ReferenceStorage) (updated bool, e // List the references on the remote repository. func (r *Remote) List(o *ListOptions) (rfs []*plumbing.Reference, err error) { - s, err := newUploadPackSession(r.c.URLs[0], o.Auth) + s, err := newUploadPackSession(r.c.URLs[0], o.Auth, o.InsecureSkipTLS, o.CABundle) if err != nil { return nil, err } diff --git a/repository.go b/repository.go index 36fc1f5bd..cc487d48b 100644 --- a/repository.go +++ b/repository.go @@ -841,12 +841,14 @@ func (r *Repository) clone(ctx context.Context, o *CloneOptions) error { } ref, err := r.fetchAndUpdateReferences(ctx, &FetchOptions{ - RefSpecs: c.Fetch, - Depth: o.Depth, - Auth: o.Auth, - Progress: o.Progress, - Tags: o.Tags, - RemoteName: o.RemoteName, + RefSpecs: c.Fetch, + Depth: o.Depth, + Auth: o.Auth, + Progress: o.Progress, + Tags: o.Tags, + RemoteName: o.RemoteName, + InsecureSkipTLS: o.InsecureSkipTLS, + CABundle: o.CABundle, }, o.ReferenceName) if err != nil { return err diff --git a/worktree.go b/worktree.go index 1c89a0221..73e638a2c 100644 --- a/worktree.go +++ b/worktree.go @@ -72,11 +72,13 @@ func (w *Worktree) PullContext(ctx context.Context, o *PullOptions) error { } fetchHead, err := remote.fetch(ctx, &FetchOptions{ - RemoteName: o.RemoteName, - Depth: o.Depth, - Auth: o.Auth, - Progress: o.Progress, - Force: o.Force, + RemoteName: o.RemoteName, + Depth: o.Depth, + Auth: o.Auth, + Progress: o.Progress, + Force: o.Force, + InsecureSkipTLS: o.InsecureSkipTLS, + CABundle: o.CABundle, }) updated := true