Support gitconfig sslverify for specific host

2016-03-17 16:33:48 +00:00 · 2016-03-17 16:33:48 +00:00 · 3a59d8202d
commit 3a59d8202d
parent b419488b47
3 changed files with 59 additions and 2 deletions
--- a/lfs/certs.go
+++ b/lfs/certs.go
@ -9,6 +9,23 @@ import (
 	"github.com/github/git-lfs/vendor/_nuts/github.com/rubyist/tracerx"
 )

+// isCertVerificationDisabledForHost returns whether SSL certificate verification
+// has been disabled for the given host, or globally
+func isCertVerificationDisabledForHost(host string) bool {
+	hostSslVerify, _ := Config.GitConfig(fmt.Sprintf("http.https://%v/.sslverify", host))
+	if hostSslVerify == "false" {
+		return true
+	}
+
+	globalSslVerify, _ := Config.GitConfig("http.sslverify")
+	if globalSslVerify == "false" || Config.GetenvBool("GIT_SSL_NO_VERIFY", false) {
+		return true
+	}
+
+	return false
+
+}
+
 // getRootCAsForHost returns a certificate pool for that specific host (which may
 // be "host:port" loaded from either the gitconfig or from a platform-specific
 // source which is not included by default in the golang certificate search)
--- a/lfs/certs_test.go
+++ b/lfs/certs_test.go
@ -154,3 +154,44 @@ func TestCertFromSSLCAPathEnv(t *testing.T) {
 	assert.NotEqual(t, (*x509.CertPool)(nil), pool)

 }
+
+func TestCertVerifyDisabledGlobalEnv(t *testing.T) {
+
+	assert.Equal(t, false, isCertVerificationDisabledForHost("anyhost.com"))
+
+	oldEnv := Config.envVars
+	defer func() {
+		Config.envVars = oldEnv
+	}()
+	Config.envVars = map[string]string{"GIT_SSL_NO_VERIFY": "1"}
+
+	assert.Equal(t, true, isCertVerificationDisabledForHost("anyhost.com"))
+}
+
+func TestCertVerifyDisabledGlobalConfig(t *testing.T) {
+
+	assert.Equal(t, false, isCertVerificationDisabledForHost("anyhost.com"))
+
+	oldGitConfig := Config.gitConfig
+	defer func() {
+		Config.gitConfig = oldGitConfig
+	}()
+	Config.gitConfig = map[string]string{"http.sslverify": "false"}
+
+	assert.Equal(t, true, isCertVerificationDisabledForHost("anyhost.com"))
+}
+
+func TestCertVerifyDisabledHostConfig(t *testing.T) {
+
+	assert.Equal(t, false, isCertVerificationDisabledForHost("specifichost.com"))
+	assert.Equal(t, false, isCertVerificationDisabledForHost("otherhost.com"))
+
+	oldGitConfig := Config.gitConfig
+	defer func() {
+		Config.gitConfig = oldGitConfig
+	}()
+	Config.gitConfig = map[string]string{"http.https://specifichost.com/.sslverify": "false"}
+
+	assert.Equal(t, true, isCertVerificationDisabledForHost("specifichost.com"))
+	assert.Equal(t, false, isCertVerificationDisabledForHost("otherhost.com"))
+}
--- a/lfs/http.go
+++ b/lfs/http.go
@ -124,9 +124,8 @@ func (c *Configuration) HttpClient(host string) *HttpClient {
 		MaxIdleConnsPerHost: c.ConcurrentTransfers(),
 	}

-	sslVerify, _ := c.GitConfig("http.sslverify")
 	tr.TLSClientConfig = &tls.Config{}
-	if sslVerify == "false" || Config.GetenvBool("GIT_SSL_NO_VERIFY", false) {
+	if isCertVerificationDisabledForHost(host) {
 		tr.TLSClientConfig.InsecureSkipVerify = true
 	} else {
 		tr.TLSClientConfig.RootCAs = getRootCAsForHost(host)