Support gitconfig sslverify for specific host
parent
b419488b47
commit
3a59d8202d
17
lfs/certs.go
17
lfs/certs.go
@ -9,6 +9,23 @@ import (
|
||||
"github.com/github/git-lfs/vendor/_nuts/github.com/rubyist/tracerx"
|
||||
)
|
||||
|
||||
// isCertVerificationDisabledForHost returns whether SSL certificate verification
|
||||
// has been disabled for the given host, or globally
|
||||
func isCertVerificationDisabledForHost(host string) bool {
|
||||
hostSslVerify, _ := Config.GitConfig(fmt.Sprintf("http.https://%v/.sslverify", host))
|
||||
if hostSslVerify == "false" {
|
||||
return true
|
||||
}
|
||||
|
||||
globalSslVerify, _ := Config.GitConfig("http.sslverify")
|
||||
if globalSslVerify == "false" || Config.GetenvBool("GIT_SSL_NO_VERIFY", false) {
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
|
||||
}
|
||||
|
||||
// getRootCAsForHost returns a certificate pool for that specific host (which may
|
||||
// be "host:port" loaded from either the gitconfig or from a platform-specific
|
||||
// source which is not included by default in the golang certificate search)
|
||||
|
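Review bot: A host-specific `sslverify = true` has no effect in isCertVerificationDisabledForHost, because the host key is only compared with the literal "false" and the function then falls through to the global key. With `http.sslverify` false globally, a host the user explicitly re-enabled still gets true back, which fails open relative to git's most-specific-match handling of `http.<url>.*` settings. If the second return value of `Config.GitConfig` is a presence flag (not visible here), the host value should decide whenever it is present and before the global key is read, e.g. `if v, ok := Config.GitConfig(hostKey); ok { return v == "false" }`, with `hostKey` the formatted key. Since this function is the single switch for skipping verification, a `tracerx.Printf` line naming the host whenever it returns true would make the downgrade visible in traces.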
@ -154,3 +154,44 @@ func TestCertFromSSLCAPathEnv(t *testing.T) {
|
||||
assert.NotEqual(t, (*x509.CertPool)(nil), pool)
|
||||
|
||||
}
|
||||
|
||||
func TestCertVerifyDisabledGlobalEnv(t *testing.T) {
|
||||
|
||||
assert.Equal(t, false, isCertVerificationDisabledForHost("anyhost.com"))
|
||||
|
||||
oldEnv := Config.envVars
|
||||
defer func() {
|
||||
Config.envVars = oldEnv
|
||||
}()
|
||||
Config.envVars = map[string]string{"GIT_SSL_NO_VERIFY": "1"}
|
||||
|
||||
assert.Equal(t, true, isCertVerificationDisabledForHost("anyhost.com"))
|
||||
}
|
||||
|
||||
func TestCertVerifyDisabledGlobalConfig(t *testing.T) {
|
||||
|
||||
assert.Equal(t, false, isCertVerificationDisabledForHost("anyhost.com"))
|
||||
|
||||
oldGitConfig := Config.gitConfig
|
||||
defer func() {
|
||||
Config.gitConfig = oldGitConfig
|
||||
}()
|
||||
Config.gitConfig = map[string]string{"http.sslverify": "false"}
|
||||
|
||||
assert.Equal(t, true, isCertVerificationDisabledForHost("anyhost.com"))
|
||||
}
|
||||
|
||||
func TestCertVerifyDisabledHostConfig(t *testing.T) {
|
||||
|
||||
assert.Equal(t, false, isCertVerificationDisabledForHost("specifichost.com"))
|
||||
assert.Equal(t, false, isCertVerificationDisabledForHost("otherhost.com"))
|
||||
|
||||
oldGitConfig := Config.gitConfig
|
||||
defer func() {
|
||||
Config.gitConfig = oldGitConfig
|
||||
}()
|
||||
Config.gitConfig = map[string]string{"http.https://specifichost.com/.sslverify": "false"}
|
||||
|
||||
assert.Equal(t, true, isCertVerificationDisabledForHost("specifichost.com"))
|
||||
assert.Equal(t, false, isCertVerificationDisabledForHost("otherhost.com"))
|
||||
}
|
||||
|
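Review bot: None of the three tests pins the precedence between the host key and the global key: there is no case with `http.sslverify` set to false and `http.https://specifichost.com/.sslverify` set to true, which is the combination where a wrong answer silently turns verification off. A case passing a `host:port` argument would also help, since the getRootCAsForHost comment says the host may carry a port. The opening `assert.Equal(t, false, ...)` in each test runs before `Config.gitConfig` or `Config.envVars` is replaced, so it appears to depend on the ambient configuration of the machine running the tests; assigning empty maps to both first would make the tests hermetic.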
@ -124,9 +124,8 @@ func (c *Configuration) HttpClient(host string) *HttpClient {
|
||||
MaxIdleConnsPerHost: c.ConcurrentTransfers(),
|
||||
}
|
||||
|
||||
sslVerify, _ := c.GitConfig("http.sslverify")
|
||||
tr.TLSClientConfig = &tls.Config{}
|
||||
if sslVerify == "false" || Config.GetenvBool("GIT_SSL_NO_VERIFY", false) {
|
||||
if isCertVerificationDisabledForHost(host) {
|
||||
tr.TLSClientConfig.InsecureSkipVerify = true
|
||||
} else {
|
||||
tr.TLSClientConfig.RootCAs = getRootCAsForHost(host)
|
||||
|
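Review bot: `InsecureSkipVerify` is set on the transport's TLS config, so it covers every connection that transport makes, not only connections to `host`. If this client follows a redirect to another host, or is cached and later reused for one (caching and redirect handling are outside the hunk), that connection goes unverified as well. It is worth confirming that the client returned here is keyed by host, and adding a comment on the branch such as `// Skips chain and hostname checks for every connection on this transport, including redirect targets.` HttpClient starts before the hunk and continues after it.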