Merge pull request #132 from fluxcd/custom-ca-option

stefanprodan · web-flow · commit eb559262c8b8 · 2021-11-22T16:55:15.000+02:00
Add support for self-signed certificates
diff --git a/gitprovider/client_options.go b/gitprovider/client_options.go
@@ -17,6 +17,8 @@ limitations under the License.
 package gitprovider
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
 
@@ -59,6 +61,9 @@ type CommonClientOptions struct {
 
 	// Logger allows the caller to pass a logger for use by the provider
 	Logger *logr.Logger
+
+	// CABundle is a []byte containing the CA bundle to use for the client.
+	CABundle []byte
 }
 
 // ApplyToCommonClientOptions applies the currently set fields in opts to target. If both opts and
@@ -106,6 +111,14 @@ func (opts *CommonClientOptions) ApplyToCommonClientOptions(target *CommonClient
 		}
 		target.Logger = opts.Logger
 	}
+
+	if opts.CABundle != nil {
+		if target.CABundle != nil {
+			return fmt.Errorf("option CABundle already configured: %w", ErrInvalidClientOptions)
+		}
+		target.CABundle = opts.CABundle
+	}
+
 	return nil
 }
 
@@ -292,3 +305,32 @@ func MakeClientOptions(opts ...ClientOption) (*ClientOptions, error) {
 	}
 	return o, nil
 }
+
+// WithCustomCAPostChainTransportHook registers a ChainableRoundTripperFunc "after" the cache and authentication
+// transports in the chain.
+func WithCustomCAPostChainTransportHook(caBundle []byte) ClientOption {
+	// Don't allow an empty value
+	if len(caBundle) == 0 {
+		return optionError(fmt.Errorf("caBundle cannot be empty: %w", ErrInvalidClientOptions))
+	}
+
+	return buildCommonOption(CommonClientOptions{CABundle: caBundle, PostChainTransportHook: caCustomTransport(caBundle)})
+}
+
+func caCustomTransport(caBundle []byte) ChainableRoundTripperFunc {
+	return func(_ http.RoundTripper) http.RoundTripper {
+		// discard error, as we're only using it to check if rootCA is empty
+		rootCAs, _ := x509.SystemCertPool()
+		if rootCAs == nil {
+			rootCAs = x509.NewCertPool()
+		}
+
+		rootCAs.AppendCertsFromPEM(caBundle)
+
+		return &http.Transport{
+			TLSClientConfig: &tls.Config{
+				RootCAs: rootCAs,
+			},
+		}
+	}
+}
diff --git a/gitprovider/client_options_test.go b/gitprovider/client_options_test.go
@@ -18,6 +18,7 @@ package gitprovider
 
 import (
 	"net/http"
+	"os"
 	"reflect"
 	"testing"
 
@@ -212,6 +213,10 @@ func Test_clientOptions_getTransportChain(t *testing.T) {
 }
 
 func Test_makeCientOptions(t *testing.T) {
+	ca, err := os.ReadFile("./testdata/ca.pem")
+	if err != nil {
+		t.Fatal(err)
+	}
 	tests := []struct {
 		name         string
 		opts         []ClientOption
@@ -257,6 +262,16 @@ func Test_makeCientOptions(t *testing.T) {
 			opts:         []ClientOption{WithPostChainTransportHook(nil)},
 			expectedErrs: []error{ErrInvalidClientOptions},
 		},
+		{
+			name: "WithCustomCAPostChainTransportHook",
+			opts: []ClientOption{WithCustomCAPostChainTransportHook(ca)},
+			want: buildCommonOption(CommonClientOptions{CABundle: ca, PostChainTransportHook: caCustomTransport(ca)}),
+		},
+		{
+			name:         "WithCustomCAPostChainTransportHook, nil",
+			opts:         []ClientOption{WithCustomCAPostChainTransportHook(nil)},
+			expectedErrs: []error{ErrInvalidClientOptions},
+		},
 		{
 			name: "WithOAuth2Token",
 			opts: []ClientOption{WithOAuth2Token("foo")},
diff --git a/gitprovider/testdata/ca.pem b/gitprovider/testdata/ca.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBhzCCAS2gAwIBAgIUdsAtiX3gN0uk7ddxASWYE/tdv0wwCgYIKoZIzj0EAwIw
+GTEXMBUGA1UEAxMOZXhhbXBsZS5jb20gQ0EwHhcNMjAwNDE3MDgxODAwWhcNMjUw
+NDE2MDgxODAwWjAZMRcwFQYDVQQDEw5leGFtcGxlLmNvbSBDQTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABK7h/5D8bV93MmEdhu02JsS6ugB8s6PzRl3PV4xs3Sbr
+RNkkM59+x3b0iWx/i76qPYpNLoiVUVXQmA9Y+4DbMxijUzBRMA4GA1UdDwEB/wQE
+AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQGyUiU1QEZiMAqjsnIYTwZ
+4yp5wzAPBgNVHREECDAGhwR/AAABMAoGCCqGSM49BAMCA0gAMEUCIQDzdtvKdE8O
+1+WRTZ9MuSiFYcrEz7Zne7VXouDEKqKEigIgM4WlbDeuNCKbqhqj+xZV0pa3rweb
+OD8EjjCMY69RMO0=
+-----END CERTIFICATE-----
diff --git a/stash/auth.go b/stash/auth.go
@@ -58,7 +58,13 @@ func NewStashClient(username, token string, optFns ...gitprovider.ClientOption)
 		return nil, err
 	}
 
-	st, err := NewClient(client, host, nil, logger, WithAuth(username, token))
+	var stashClient *Client
+	if len(opts.CABundle) != 0 {
+		stashClient, err = NewClient(client, host, nil, logger, WithAuth(username, token), WithCABundle(opts.CABundle))
+	} else {
+		stashClient, err = NewClient(client, host, nil, logger, WithAuth(username, token))
+	}
+
 	if err != nil {
 		return nil, err
 	}
@@ -69,5 +75,5 @@ func NewStashClient(username, token string, optFns ...gitprovider.ClientOption)
 		destructiveActions = *opts.EnableDestructiveAPICalls
 	}
 
-	return newClient(st, host, token, destructiveActions, logger), nil
+	return newClient(stashClient, host, token, destructiveActions, logger), nil
 }
diff --git a/stash/client.go b/stash/client.go
@@ -100,6 +100,8 @@ type Client struct {
 	username string
 	// Token used to make authenticated API calls.
 	token string
+	// caBundle is the CA bundle used to authenticate the server.
+	caBundle []byte
 
 	// Services are used to communicate with the different stash endpoints.
 	Users        Users
@@ -119,6 +121,18 @@ type RateLimiter interface {
 	Wait(context.Context) error
 }
 
+// WithCABundle is used to setup the client authentication.
+func WithCABundle(caBundle []byte) ClientOptionsFunc {
+	return func(c *Client) error {
+		if len(caBundle) == 0 {
+			return errors.New("caBundle cannot be empty")
+		}
+
+		c.caBundle = caBundle
+		return nil
+	}
+}
+
 // WithAuth is used to setup the client authentication.
 func WithAuth(username string, token string) ClientOptionsFunc {
 	return func(c *Client) error {
diff --git a/stash/git.go b/stash/git.go
@@ -317,8 +317,9 @@ func (s *GitService) CloneRepository(ctx context.Context, URL string) (r *git.Re
 	}
 
 	r, err = git.PlainCloneContext(ctx, dir, false, &git.CloneOptions{
-		URL:  URL,
-		Auth: &githttp.BasicAuth{Username: s.Client.username, Password: s.Client.token},
+		URL:      URL,
+		Auth:     &githttp.BasicAuth{Username: s.Client.username, Password: s.Client.token},
+		CABundle: s.Client.caBundle,
 	})
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to clone repository: %v", err)
@@ -327,6 +328,7 @@ func (s *GitService) CloneRepository(ctx context.Context, URL string) (r *git.Re
 	err = r.Fetch(&git.FetchOptions{
 		RefSpecs: []config.RefSpec{"refs/*:refs/*", "HEAD:refs/heads/HEAD"},
 		Auth:     &githttp.BasicAuth{Username: s.Client.username, Password: s.Client.token},
+		CABundle: s.Client.caBundle,
 	})
 
 	if err != nil {
@@ -538,6 +540,7 @@ func (s *GitService) Push(ctx context.Context, r *git.Repository) error {
 	options := &git.PushOptions{
 		RemoteName: "origin",
 		Auth:       &githttp.BasicAuth{Username: s.Client.username, Password: s.Client.token},
+		CABundle:   s.Client.caBundle,
 	}
 
 	err := r.PushContext(ctx, options)

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,13 @@ func NewStashClient(username, token string, optFns ...gitprovider.ClientOption)`
`58`	`58`	`return nil, err`
`59`	`59`	`}`
`60`	`60`
`61`		`- st, err := NewClient(client, host, nil, logger, WithAuth(username, token))`
	`61`	`+ var stashClient *Client`
	`62`	`+ if len(opts.CABundle) != 0 {`
	`63`	`+ stashClient, err = NewClient(client, host, nil, logger, WithAuth(username, token), WithCABundle(opts.CABundle))`
	`64`	`+ } else {`
	`65`	`+ stashClient, err = NewClient(client, host, nil, logger, WithAuth(username, token))`
	`66`	`+ }`
	`67`	`+`
`62`	`68`	`if err != nil {`
`63`	`69`	`return nil, err`
`64`	`70`	`}`
`@@ -69,5 +75,5 @@ func NewStashClient(username, token string, optFns ...gitprovider.ClientOption)`
`69`	`75`	`destructiveActions = *opts.EnableDestructiveAPICalls`
`70`	`76`	`}`
`71`	`77`
`72`		`- return newClient(st, host, token, destructiveActions, logger), nil`
	`78`	`+ return newClient(stashClient, host, token, destructiveActions, logger), nil`
`73`	`79`	`}`