replace --insecure with --git-server-crt

Signed-off-by: Noam Gal <[email protected]>

cmd/commands/app.go

@@ -181,7 +181,7 @@ func RunAppCreate(ctx context.Context, opts *AppCreateOptions) error {
 		if opts.AppsCloneOpts.Auth.Password == "" {
 			opts.AppsCloneOpts.Auth.Username = opts.CloneOpts.Auth.Username
 			opts.AppsCloneOpts.Auth.Password = opts.CloneOpts.Auth.Password
-			opts.AppsCloneOpts.Auth.Insecure = opts.CloneOpts.Auth.Insecure
+			opts.AppsCloneOpts.Auth.CertFile = opts.CloneOpts.Auth.CertFile
 			opts.AppsCloneOpts.Provider = opts.CloneOpts.Provider
 		}
 

pkg/git/provider.go

@@ -3,8 +3,10 @@ package git
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
+	"os"
 	"sort"
 )
 
@@ -28,7 +30,7 @@ type (
 	Auth struct {
 		Username string
 		Password string
-		Insecure bool
+		CertFile string
 	}
 
 	// ProviderOptions for a new git provider
@@ -89,8 +91,48 @@ func Providers() []string {
 	return res
 }
 
-func DefaultTransportWithInsecure() *http.Transport {
+func DefaultTransportWithCa(certFile string) (*http.Transport, error) {
+	rootCAs, err := getRootCas(certFile)
+	if err != nil {
+		return nil, err
+	}
+
 	transport := http.DefaultTransport.(*http.Transport).Clone()
-	transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	return transport
+	transport.TLSClientConfig = &tls.Config{RootCAs: rootCAs}
+	return transport, nil
+}
+
+func getRootCas(certFile string) (*x509.CertPool, error) {
+	rootCAs, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, fmt.Errorf("failed getting system certificates: %w", err)
+	}
+
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+
+	if certFile == "" {
+		return rootCAs, nil
+	}
+
+	certs, err := os.ReadFile(certFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed reading certificate from %s: %w", certFile, err)
+	}
+
+	// Append our cert to the system pool
+	if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
+		return nil, fmt.Errorf("failed adding certificate to rootCAs")
+	}
+
+	return rootCAs, nil
+}
+
+func (a *Auth) getCertificate() ([]byte, error) {
+	if a.CertFile == "" {
+		return nil, nil
+	}
+
+	return os.ReadFile(a.CertFile)
 }

pkg/git/provider_ado.go

@@ -2,7 +2,6 @@ package git
 
 import (
 	"context"
-	"crypto/tls"
 	"fmt"
 	"net/url"
 	"strings"
@@ -48,10 +47,12 @@ func newAdo(opts *ProviderOptions) (Provider, error) {
 	}
 
 	connection := azuredevops.NewPatConnection(adoUrl.loginUrl, opts.Auth.Password)
-	if opts.Auth.Insecure {
-		connection.TlsConfig = &tls.Config{InsecureSkipVerify: true}
+	rootCAs, err := getRootCas(opts.Auth.CertFile)
+	if err != nil {
+		return nil, err
 	}
 
+	connection.TlsConfig.RootCAs = rootCAs
 	ctx, cancel := context.WithTimeout(context.Background(), timeoutTime)
 	defer cancel()
 	// FYI: ado also has a "core" client that can be used to update project, teams, and other ADO constructs

pkg/git/provider_bitbucket-server.go

@@ -85,8 +85,9 @@ func newBitbucketServer(opts *ProviderOptions) (Provider, error) {
 	}
 
 	httpClient := &http.Client{}
-	if opts.Auth.Insecure {
-		httpClient.Transport = DefaultTransportWithInsecure()
+	httpClient.Transport, err = DefaultTransportWithCa(opts.Auth.CertFile)
+	if err != nil {
+		return nil, err
 	}
 
 	g := &bitbucketServer{

pkg/git/provider_bitbucket.go

@@ -29,13 +29,15 @@ type (
 )
 
 func newBitbucket(opts *ProviderOptions) (Provider, error) {
+	var err error
 	c := bb.NewBasicAuth(opts.Auth.Username, opts.Auth.Password)
 	if c == nil {
 		return nil, errors.New("Authentication info is invalid")
 	}
 
-	if opts.Auth.Insecure {
-		c.HttpClient.Transport = DefaultTransportWithInsecure()
+	c.HttpClient.Transport, err = DefaultTransportWithCa(opts.Auth.CertFile)
+	if err != nil {
+		return nil, err
 	}
 
 	g := &bitbucket{

pkg/git/provider_gitea.go

@@ -29,12 +29,15 @@ func newGitea(opts *ProviderOptions) (Provider, error) {
 		return nil, err
 	}
 
-	if opts.Auth.Insecure {
-		c.SetHTTPClient(&http.Client{
-			Transport: DefaultTransportWithInsecure(),
-		})
+	transport, err := DefaultTransportWithCa(opts.Auth.CertFile)
+	if err != nil {
+		return nil, err
 	}
 
+	c.SetHTTPClient(&http.Client{
+		Transport: transport,
+	})
+
 	g := &gitea{
 		client: c,
 	}

pkg/git/provider_github.go

@@ -29,15 +29,17 @@ func newGithub(opts *ProviderOptions) (Provider, error) {
 
 	hc := &http.Client{}
 	if opts.Auth != nil {
+		underlyingTransport, err := DefaultTransportWithCa(opts.Auth.CertFile)
+		if err != nil {
+			return nil, err
+		}
+
 		transport := &gh.BasicAuthTransport{
 			Username: opts.Auth.Username,
 			Password: opts.Auth.Password,
+			Transport: underlyingTransport,
 		}
-
-		if opts.Auth.Insecure {
-			transport.Transport = DefaultTransportWithInsecure()
-		}
-
+
 		hc.Transport = transport
 	}
 

pkg/git/provider_gitlab.go

@@ -33,16 +33,18 @@ type (
 
 func newGitlab(opts *ProviderOptions) (Provider, error) {
 	host, _, _, _, _, _, _ := util.ParseGitUrl(opts.RepoURL)
-	clientOptions := []gl.ClientOptionFunc{
-		gl.WithBaseURL(host),
-	}
-	if opts.Auth.Insecure {
-		clientOptions = append(clientOptions, gl.WithHTTPClient(&http.Client{
-			Transport: DefaultTransportWithInsecure(),
-		}))
+	transport, err := DefaultTransportWithCa(opts.Auth.CertFile)
+	if err != nil {
+		return nil, err
 	}
 
-	c, err := gl.NewClient(opts.Auth.Password, clientOptions...)
+	c, err := gl.NewClient(
+		opts.Auth.Password,
+		gl.WithBaseURL(host),
+		gl.WithHTTPClient(&http.Client{
+			Transport: transport,
+		}),
+	)
 	if err != nil {
 		return nil, err
 	}

pkg/git/repository.go

@@ -156,13 +156,13 @@ func AddFlags(cmd *cobra.Command, opts *AddFlagsOptions) *CloneOptions {
 	envPrefix := strings.ReplaceAll(strings.ToUpper(opts.Prefix), "-", "_")
 	cmd.PersistentFlags().StringVar(&co.Auth.Password, opts.Prefix+"git-token", "", fmt.Sprintf("Your git provider api token [%sGIT_TOKEN]", envPrefix))
 	cmd.PersistentFlags().StringVar(&co.Auth.Username, opts.Prefix+"git-user", "", fmt.Sprintf("Your git provider user name [%sGIT_USER] (not required in GitHub)", envPrefix))
-	cmd.PersistentFlags().BoolVar(&co.Auth.Insecure, opts.Prefix+"insecure-git-server", false, fmt.Sprint("Disable repository server certificate validation", envPrefix))
+	cmd.PersistentFlags().StringVar(&co.Auth.CertFile, opts.Prefix+"git-server-crt", "", fmt.Sprint("Git Server certificate file", envPrefix))
 	cmd.PersistentFlags().StringVar(&co.Repo, opts.Prefix+"repo", "", fmt.Sprintf("Repository URL [%sGIT_REPO]", envPrefix))
 
 	util.Die(viper.BindEnv(opts.Prefix+"git-token", envPrefix+"GIT_TOKEN"))
 	util.Die(viper.BindEnv(opts.Prefix+"git-user", envPrefix+"GIT_USER"))
 	util.Die(viper.BindEnv(opts.Prefix+"repo", envPrefix+"GIT_REPO"))
-	util.Die(cmd.PersistentFlags().MarkHidden(opts.Prefix + "insecure-git-server"))
+	util.Die(cmd.PersistentFlags().MarkHidden(opts.Prefix + "git-server-crt"))
 
 	if opts.Prefix == "" {
 		cmd.Flag("git-token").Shorthand = "t"
@@ -275,16 +275,21 @@ func (r *repo) Persist(ctx context.Context, opts *PushOptions) (string, error) {
 		progress = r.progress
 	}
 
+	cert, err := r.auth.getCertificate()
+	if err != nil {
+		return "", fmt.Errorf("failed reading git certificate file: %w", err)
+	}
+
 	h, err := r.commit(ctx, opts)
 	if err != nil {
 		return "", err
 	}
 
 	for try := 0; try < pushRetries; try++ {
 		err = r.PushContext(ctx, &gg.PushOptions{
-			Auth:            getAuth(r.auth),
-			Progress:        progress,
-			InsecureSkipTLS: r.auth.Insecure,
+			Auth:     getAuth(r.auth),
+			Progress: progress,
+			CABundle: cert,
 		})
 		if err == nil || !errors.Is(err, transport.ErrRepositoryNotFound) {
 			break
@@ -406,12 +411,17 @@ var clone = func(ctx context.Context, opts *CloneOptions) (*repo, error) {
 		progress = os.Stderr
 	}
 
+	cert, err := opts.Auth.getCertificate()
+	if err != nil {
+		return nil, fmt.Errorf("failed reading git certificate file: %w", err)
+	}
+
 	cloneOpts := &gg.CloneOptions{
-		URL:             opts.url,
-		Auth:            getAuth(opts.Auth),
-		Depth:           1,
-		Progress:        progress,
-		InsecureSkipTLS: opts.Auth.Insecure,
+		URL:      opts.url,
+		Auth:     getAuth(opts.Auth),
+		Depth:    1,
+		Progress: progress,
+		CABundle: cert,
 	}
 
 	log.G(ctx).WithField("url", opts.url).Debug("cloning git repo")