Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue 1880: Adds ability to disable certificate validation in pullrequest resource #1881

Merged
merged 1 commit into from
Jan 22, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions cmd/pullrequest-init/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,18 +19,18 @@ import (
"context"
"flag"
"fmt"
"os"

"github.com/tektoncd/pipeline/pkg/pullrequest"
"go.uber.org/zap"
"knative.dev/pkg/logging"
"os"
)

var (
prURL = flag.String("url", "", "The url of the pull request to initialize.")
path = flag.String("path", "", "Path of directory under which PR will be copied")
mode = flag.String("mode", "download", "Whether to operate in download or upload mode")
provider = flag.String("provider", "", "The SCM provider to use. Optional")
prURL = flag.String("url", "", "The url of the pull request to initialize.")
path = flag.String("path", "", "Path of directory under which PR will be copied")
mode = flag.String("mode", "download", "Whether to operate in download or upload mode")
provider = flag.String("provider", "", "The SCM provider to use. Optional")
skipTLSVerify = flag.Bool("insecure-skip-tls-verify", false, "Enable skipping TLS certificate verification in the git client. Defaults to false")
)

func main() {
Expand All @@ -45,7 +45,7 @@ func main() {
ctx := context.Background()

token := os.Getenv("AUTH_TOKEN")
client, err := pullrequest.NewSCMHandler(logger, *prURL, *provider, token)
client, err := pullrequest.NewSCMHandler(logger, *prURL, *provider, token, *skipTLSVerify)
if err != nil {
logger.Fatalf("error creating GitHub client: %v", err)
}
Expand Down
5 changes: 5 additions & 0 deletions docs/resources.md
Original file line number Diff line number Diff line change
Expand Up @@ -439,6 +439,9 @@ Params that can be added are the following:
1. `url`: represents the location of the pull request to fetch.
1. `provider`: represents the SCM provider to use. This will be "guessed" based
on the url if not set. Valid values are `github` or `gitlab` today.
1. `insecure-skip-tls-verify`: represents whether to skip verification of certificates
from the git server. Valid values are `"true"` or `"false"`, the default being
`"false"`.

#### Statuses

Expand All @@ -456,6 +459,8 @@ URLs should be of the form: https://github.com/tektoncd/pipeline/pull/1

The PullRequest resource works with self hosted or enterprise GitHub/GitLab
instances. Simply provide the pull request URL and set the `provider` parameter.
If you need to skip certificate validation set the `insecure-skip-tls-verify`
parameter to `"true"`.

```yaml
apiVersion: tekton.dev/v1alpha1
Expand Down
38 changes: 26 additions & 12 deletions pkg/apis/pipeline/v1alpha1/pull_request_resource.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ package v1alpha1

import (
"fmt"
"strconv"
"strings"

"github.com/tektoncd/pipeline/pkg/apis/pipeline"
Expand Down Expand Up @@ -46,25 +47,34 @@ type PullRequestResource struct {
// Secrets holds a struct to indicate a field name and corresponding secret name to populate it.
Secrets []SecretParam `json:"secrets"`

PRImage string `json:"-"`
PRImage string `json:"-"`
InsecureSkipTLSVerify bool `json:"insecure-skip-tls-verify"`
}

// NewPullRequestResource create a new git resource to pass to a Task
func NewPullRequestResource(prImage string, r *PipelineResource) (*PullRequestResource, error) {
if r.Spec.Type != PipelineResourceTypePullRequest {
return nil, fmt.Errorf("PipelineResource: Cannot create a PR resource from a %s Pipeline Resource", r.Spec.Type)
return nil, fmt.Errorf("cannot create a PR resource from a %s Pipeline Resource", r.Spec.Type)
}
prResource := PullRequestResource{
Name: r.Name,
Type: r.Spec.Type,
Secrets: r.Spec.SecretParams,
PRImage: prImage,
Name: r.Name,
Type: r.Spec.Type,
Secrets: r.Spec.SecretParams,
PRImage: prImage,
InsecureSkipTLSVerify: false,
}
for _, param := range r.Spec.Params {
if strings.EqualFold(param.Name, "URL") {
switch {
case strings.EqualFold(param.Name, "URL"):
prResource.URL = param.Value
} else if strings.EqualFold(param.Name, "Provider") {
case strings.EqualFold(param.Name, "Provider"):
prResource.Provider = param.Value
case strings.EqualFold(param.Name, "insecure-skip-tls-verify"):
verify, err := strconv.ParseBool(param.Value)
if err != nil {
return nil, fmt.Errorf("error occurred converting %q to boolean in Pipeline Resource %s", param.Value, r.Name)
}
prResource.InsecureSkipTLSVerify = verify
}
}

Expand All @@ -89,10 +99,11 @@ func (s *PullRequestResource) GetURL() string {
// Replacements is used for template replacement on a PullRequestResource inside of a Taskrun.
func (s *PullRequestResource) Replacements() map[string]string {
return map[string]string{
"name": s.Name,
"type": string(s.Type),
"url": s.URL,
"provider": s.Provider,
"name": s.Name,
"type": string(s.Type),
"url": s.URL,
"provider": s.Provider,
"insecure-skip-tls-verify": strconv.FormatBool(s.InsecureSkipTLSVerify),
}
}

Expand All @@ -115,6 +126,9 @@ func (s *PullRequestResource) getSteps(mode string, sourcePath string) []Step {
if s.Provider != "" {
args = append(args, []string{"-provider", s.Provider}...)
}
if s.InsecureSkipTLSVerify {
args = append(args, "-insecure-skip-tls-verify=true")
}

evs := []corev1.EnvVar{}
for _, sec := range s.Secrets {
Expand Down
40 changes: 29 additions & 11 deletions pkg/apis/pipeline/v1alpha1/pull_request_resource_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,12 +41,13 @@ func TestPullRequest_NewResource(t *testing.T) {
}

want := &v1alpha1.PullRequestResource{
Name: pr.Name,
Type: v1alpha1.PipelineResourceTypePullRequest,
URL: url,
Provider: "github",
Secrets: pr.Spec.SecretParams,
PRImage: "override-with-pr:latest",
Name: pr.Name,
Type: v1alpha1.PipelineResourceTypePullRequest,
URL: url,
Provider: "github",
Secrets: pr.Spec.SecretParams,
PRImage: "override-with-pr:latest",
InsecureSkipTLSVerify: false,
}
if diff := cmp.Diff(want, got); diff != "" {
t.Error(diff)
Expand All @@ -70,9 +71,10 @@ const workspace = "/workspace"
func containerTestCases(mode string) []testcase {
return []testcase{{
in: &v1alpha1.PullRequestResource{
Name: "nocreds",
URL: "https://example.com",
PRImage: "override-with-pr:latest",
Name: "nocreds",
URL: "https://example.com",
PRImage: "override-with-pr:latest",
InsecureSkipTLSVerify: false,
},
out: []v1alpha1.Step{{Container: corev1.Container{
Name: "pr-source-nocreds-9l9zj",
Expand All @@ -84,8 +86,9 @@ func containerTestCases(mode string) []testcase {
}}},
}, {
in: &v1alpha1.PullRequestResource{
Name: "creds",
URL: "https://example.com",
Name: "creds",
URL: "https://example.com",
InsecureSkipTLSVerify: false,
Secrets: []v1alpha1.SecretParam{{
FieldName: "authToken",
SecretName: "github-creds",
Expand All @@ -112,6 +115,21 @@ func containerTestCases(mode string) []testcase {
},
}},
}}},
}, {
in: &v1alpha1.PullRequestResource{
Name: "nocreds",
URL: "https://example.com",
PRImage: "override-with-pr:latest",
InsecureSkipTLSVerify: true,
},
out: []v1alpha1.Step{{Container: corev1.Container{
Name: "pr-source-nocreds-mssqb",
Image: "override-with-pr:latest",
WorkingDir: pipeline.WorkspaceDir,
Command: []string{"/ko-app/pullrequest-init"},
Args: []string{"-url", "https://example.com", "-path", workspace, "-mode", mode, "-insecure-skip-tls-verify=true"},
Env: []corev1.EnvVar{},
}}},
}}
}

Expand Down
50 changes: 40 additions & 10 deletions pkg/pullrequest/scm.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ limitations under the License.
package pullrequest

import (
"context"
"fmt"
"net/http"
"net/url"
Expand All @@ -26,12 +25,14 @@ import (

"golang.org/x/oauth2"

"crypto/tls"

"github.com/jenkins-x/go-scm/scm/driver/github"
"github.com/jenkins-x/go-scm/scm/driver/gitlab"
"go.uber.org/zap"
)

func NewSCMHandler(logger *zap.SugaredLogger, raw, provider, token string) (*Handler, error) {
func NewSCMHandler(logger *zap.SugaredLogger, raw, provider, token string, skipTLSVerify bool) (*Handler, error) {
u, err := url.Parse(raw)
if err != nil {
return nil, err
Expand All @@ -49,16 +50,16 @@ func NewSCMHandler(logger *zap.SugaredLogger, raw, provider, token string) (*Han
var handler *Handler
switch provider {
case "github":
handler, err = githubHandlerFromURL(u, token, logger)
handler, err = githubHandlerFromURL(u, token, skipTLSVerify, logger)
case "gitlab":
handler, err = gitlabHandlerFromURL(u, token, logger)
handler, err = gitlabHandlerFromURL(u, token, skipTLSVerify, logger)
default:
return nil, fmt.Errorf("unsupported pr url: %s", raw)
}
return handler, err
}

func githubHandlerFromURL(u *url.URL, token string, logger *zap.SugaredLogger) (*Handler, error) {
func githubHandlerFromURL(u *url.URL, token string, skipTLSVerify bool, logger *zap.SugaredLogger) (*Handler, error) {
split := strings.Split(u.Path, "/")
if len(split) < 5 {
return nil, fmt.Errorf("could not determine PR from URL: %v", u)
Expand All @@ -83,17 +84,34 @@ func githubHandlerFromURL(u *url.URL, token string, logger *zap.SugaredLogger) (
}
}
ownerRepo := fmt.Sprintf("%s/%s", owner, repo)
h := NewHandler(logger, client, ownerRepo, prNumber)

if token != "" {
ts := oauth2.StaticTokenSource(
&oauth2.Token{AccessToken: token},
)
h.client.Client = oauth2.NewClient(context.Background(), ts)
client.Client = &http.Client{
Transport: &oauth2.Transport{
Source: ts,
Base: &http.Transport{
/* #nosec G402 */
TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSVerify},
},
},
}
} else {
client.Client = &http.Client{
Transport: &http.Transport{
/* #nosec G402 */
TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSVerify},
},
}
}

h := NewHandler(logger, client, ownerRepo, prNumber)
return h, nil
}

func gitlabHandlerFromURL(u *url.URL, token string, logger *zap.SugaredLogger) (*Handler, error) {
func gitlabHandlerFromURL(u *url.URL, token string, skipTLSVerify bool, logger *zap.SugaredLogger) (*Handler, error) {
// The project name can be multiple /'s deep, so split on / and work from right to left.
split := strings.Split(u.Path, "/")

Expand Down Expand Up @@ -124,14 +142,26 @@ func gitlabHandlerFromURL(u *url.URL, token string, logger *zap.SugaredLogger) (
return nil, fmt.Errorf("error creating client: %w", err)
}
}

if token != "" {
client.Client = &http.Client{
Transport: &gitlabClient{
token: token,
transport: http.DefaultTransport,
token: token,
transport: &http.Transport{
/* #nosec G402 */
TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSVerify},
},
},
}
} else {
client.Client = &http.Client{
Transport: &http.Transport{
/* #nosec G402 */
TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSVerify},
},
}
}

return NewHandler(logger, client, project, prInt), nil
}

Expand Down
Loading