From 1b1a61ad07f40197d3b9164821a096abd1710628 Mon Sep 17 00:00:00 2001
From: Daishan Peng
Date: Wed, 27 Jan 2021 02:48:41 -0700
Subject: Add insecureSkipTLS and cabundle (#228)
This PR add insecureSkipTLSVerify and cabundle to any remote http calls so that https repo with private CA signed can be used. This is the equivalent of https.sslVerify and GIT_SSL_CAINFO
---
 plumbing/transport/client/client.go | 37 ++++++++++++++++++++++++++++++++++++-
 plumbing/transport/common.go | 4 ++++
 2 files changed, 40 insertions(+), 1 deletion(-)
(limited to 'plumbing/transport')
diff --git a/plumbing/transport/client/client.go b/plumbing/transport/client/client.go
index 4f6d210..20c3d05 100644
--- a/plumbing/transport/client/client.go
+++ b/plumbing/transport/client/client.go
@@ -3,7 +3,10 @@ package client
 import (
+ "crypto/tls"
+ "crypto/x509"
 "fmt"
+ gohttp "net/http"
 "github.com/go-git/go-git/v5/plumbing/transport"
 "github.com/go-git/go-git/v5/plumbing/transport/file"
@@ -21,6 +24,14 @@ var Protocols = map[string]transport.Transport{
 "file": file.DefaultClient,
 }
+var insecureClient = http.NewClient(&gohttp.Client{
+ Transport: &gohttp.Transport{
+ TLSClientConfig: &tls.Config{
+ InsecureSkipVerify: true,
+ },
+ },
+})
+
 // InstallProtocol adds or modifies an existing protocol.
 func InstallProtocol(scheme string, c transport.Transport) {
 if c == nil {
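Review bot: `insecureClient` (and the CaBundle client built in `getTransport` in the next hunk) wraps a bare `&gohttp.Transport{...}` literal, which unlike `gohttp.DefaultTransport` carries no `Proxy`, dial or idle-connection settings, so `HTTPS_PROXY` and the usual keep-alive behaviour silently stop applying to exactly these endpoints. Building the transport as `t := gohttp.DefaultTransport.(*gohttp.Transport).Clone()` followed by `t.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}` keeps the defaults, assuming the module's minimum Go version provides `Transport.Clone` (1.13+). The package-level variable also deserves a doc comment, since it is a process-wide client with verification disabled, e.g. `// insecureClient serves https endpoints that set InsecureSkipTLS; it performs no server certificate verification and must not be used for any other endpoint.`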
@@ -35,6 +46,31 @@ func InstallProtocol(scheme string, c transport.Transport) {
 // http://, https://, ssh:// and file://.
 // See `InstallProtocol` to add or modify protocols.
 func NewClient(endpoint *transport.Endpoint) (transport.Transport, error) {
+ return getTransport(endpoint)
+}
+
+func getTransport(endpoint *transport.Endpoint) (transport.Transport, error) {
+ if endpoint.Protocol == "https" {
+ if endpoint.InsecureSkipTLS {
+ return insecureClient, nil
+ }
+
+ if len(endpoint.CaBundle) != 0 {
+ rootCAs, _ := x509.SystemCertPool()
+ if rootCAs == nil {
+ rootCAs = x509.NewCertPool()
+ }
+ rootCAs.AppendCertsFromPEM(endpoint.CaBundle)
+ return http.NewClient(&gohttp.Client{
+ Transport: &gohttp.Transport{
+ TLSClientConfig: &tls.Config{
+ RootCAs: rootCAs,
+ },
+ },
+ }), nil
+ }
+ }
+
 f, ok := Protocols[endpoint.Protocol]
 if !ok {
 return nil, fmt.Errorf("unsupported scheme %q", endpoint.Protocol)
@@ -43,6 +79,5 @@ func NewClient(endpoint *transport.Endpoint) (transport.Transport, error) {
 if f == nil {
 return nil, fmt.Errorf("malformed client for scheme %q, client is defined as nil", endpoint.Protocol)
 }
-
 return f, nil
 }
diff --git a/plumbing/transport/common.go b/plumbing/transport/common.go
index ead2155..b993c4e 100644
--- a/plumbing/transport/common.go
+++ b/plumbing/transport/common.go
@@ -107,6 +107,10 @@ type Endpoint struct {
 Port int
 // Path is the repository path.
 Path string
+ // InsecureSkipTLS skips ssl verify if protocal is https
+ InsecureSkipTLS bool
+ // CaBundle specify additional ca bundle with system cert pool
+ CaBundle []byte
 }
 var defaultPorts = map[string]int{
-- cgit
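Review bot: The CaBundle branch of `getTransport` discards both the error from `x509.SystemCertPool()` and the bool returned by `rootCAs.AppendCertsFromPEM(endpoint.CaBundle)`, so a bundle that contains no parseable PEM certificate silently yields a pool that is just the system pool (or an empty one) and the handshake later fails with a misleading unknown-authority error; check the result: `if !rootCAs.AppendCertsFromPEM(endpoint.CaBundle) { return nil, fmt.Errorf("no PEM certificates found in CaBundle") }`. Both early returns also happen before `Protocols[endpoint.Protocol]` is consulted, so a client registered with `InstallProtocol("https", …)` is bypassed whenever `InsecureSkipTLS` or `CaBundle` is set, and every CaBundle call builds a fresh `gohttp.Transport` with its own connection pool; this should at least be stated on the new function, e.g. `// getTransport returns a dedicated https client when the endpoint sets InsecureSkipTLS (checked first) or CaBundle, bypassing any client registered in Protocols; otherwise it looks the scheme up in Protocols.` The body of `getTransport` continues past this hunk.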
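Review bot: The two new field comments in `Endpoint` are imprecise ("ssl verify", "protocal") and omit that `InsecureSkipTLS` takes precedence: `getTransport` in client.go checks it before `CaBundle`, so a bundle is ignored when both are set. Suggest `// InsecureSkipTLS disables TLS server certificate verification when Protocol is "https"; when set, CaBundle is ignored.` and `// CaBundle holds PEM-encoded CA certificates that are appended to the system certificate pool when Protocol is "https".` The `Endpoint` struct begins outside the hunk.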