github.com/git-lfs/git-lfs@v2.5.2+incompatible/lfsapi/certs_test.go (about)

     1  package lfsapi
     2  
     3  import (
     4  	"fmt"
     5  	"io/ioutil"
     6  	"net/http"
     7  	"os"
     8  	"path/filepath"
     9  	"testing"
    10  
    11  	"github.com/stretchr/testify/assert"
    12  )
    13  
// testCert is a PEM-encoded X.509 certificate that the tests in this file
// write to a temporary file or directory and then hand to the client as a CA
// bundle. Only the public certificate is embedded; no private key is present.
//
// NOTE(review): the encoded fields appear to describe a self-signed CA for
// CN "git-lfs.local", signed with sha1WithRSAEncryption and valid from
// 2016-03-09 to 2026-03-07 — confirm with a certificate parser. The tests
// below only check that a pool is built from the file, never that a chain
// verifies against it, so expiry and the SHA-1 signature do not affect them;
// regenerate the fixture before adding any test that performs verification.
var testCert = `-----BEGIN CERTIFICATE-----
MIIDyjCCArKgAwIBAgIJAMi9TouXnW+ZMA0GCSqGSIb3DQEBBQUAMEwxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRAwDgYDVQQKEwdnaXQtbGZzMRYw
FAYDVQQDEw1naXQtbGZzLmxvY2FsMB4XDTE2MDMwOTEwNTk1NFoXDTI2MDMwNzEw
NTk1NFowTDELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxEDAOBgNV
BAoTB2dpdC1sZnMxFjAUBgNVBAMTDWdpdC1sZnMubG9jYWwwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCXmsI2w44nOsP7n3kL1Lz04U5FMZRErBSXLOE+
dpd4tMpgrjOncJPD9NapHabsVIOnuVvMDuBbWYwU9PwbN4tjQzch8DRxBju6fCp/
Pm+QF6p2Ga+NuSHWoVfNFuF2776aF9gSLC0rFnBekD3HCz+h6I5HFgHBvRjeVyAs
PRw471Y28Je609SoYugxaQNzRvahP0Qf43tE74/WN3FTGXy1+iU+uXpfp8KxnsuB
gfj+Wi6mPt8Q2utcA1j82dJ0K8ZbHSbllzmI+N/UuRLsbTUEdeFWYdZ0AlZNd/Vc
PlOSeoExwvOHIuUasT/cLIrEkdXNud2QLg2GpsB6fJi3NEUhAgMBAAGjga4wgasw
HQYDVR0OBBYEFC8oVPRQbekTwfkntgdL7PADXNDbMHwGA1UdIwR1MHOAFC8oVPRQ
bekTwfkntgdL7PADXNDboVCkTjBMMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29t
ZS1TdGF0ZTEQMA4GA1UEChMHZ2l0LWxmczEWMBQGA1UEAxMNZ2l0LWxmcy5sb2Nh
bIIJAMi9TouXnW+ZMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBACIl
/CBLIhC3drrYme4cGArhWyXIyRpMoy9Z+9Dru8rSuOr/RXR6sbYhlE1iMGg4GsP8
4Cj7aIct6Vb9NFv5bGNyFJAmDesm3SZlEcWxU3YBzNPiJXGiUpQHCkp0BH+gvsXc
tb58XoiDZPVqrl0jNfX/nHpHR9c3DaI3Tjx0F/No0ZM6mLQ1cNMikFyEWQ4U0zmW
LvV+vvKuOixRqbcVnB5iTxqMwFG0X3tUql0cftGBgoCoR1+FSBOs0EXLODCck6ql
aW6vZwkA+ccj/pDTx8LBe2lnpatrFeIt6znAUJW3G8r6SFHKVBWHwmESZS4kxhjx
NpW5Hh0w4/5iIetCkJ0=
-----END CERTIFICATE-----`
    37  
// sslCAInfoConfigHostNames are the host spellings substituted into the
// host-scoped config key http.https://<host>.sslcainfo: the same host with and
// without a trailing slash. Both spellings are expected to behave identically.
var sslCAInfoConfigHostNames = []string{
	"git-lfs.local",
	"git-lfs.local/",
}
// sslCAInfoMatchedHostTests pairs a request host with whether a CA bundle
// configured for "git-lfs.local" should be returned for it. The negative rows
// pin the scoping rule: the same host on an explicit port and an unrelated
// host must not receive the host-scoped bundle.
var sslCAInfoMatchedHostTests = []struct {
	hostName    string // host passed to getRootCAsForHost
	shouldMatch bool   // true when a non-nil pool is expected for the host-scoped key
}{
	{"git-lfs.local", true},
	{"git-lfs.local:8443", false},
	{"wronghost.com", false},
}
    50  
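// TestCertFromSSLCAInfoConfig checks how a CA bundle set through git config is
// scoped to hosts.
//
// With the host-scoped key http.https://<host>.sslcainfo, getRootCAsForHost
// must return a pool only for the rows of sslCAInfoMatchedHostTests marked
// shouldMatch; the other rows ("git-lfs.local:8443", "wronghost.com") must get
// nil, so a CA trusted for one host is not applied to another. With the global
// key http.sslcainfo, every host in the table must get a pool.
func TestCertFromSSLCAInfoConfig(t *testing.T) {
	tempfile, err := ioutil.TempFile("", "testcert")
	if err != nil {
		// tempfile is nil on failure; carrying on would panic in Name().
		t.Fatalf("Error creating temp cert file: %v", err)
	}
	defer os.Remove(tempfile.Name())

	// Close before checking the write so the handle is released either way.
	_, writeErr := tempfile.WriteString(testCert)
	closeErr := tempfile.Close()
	if writeErr != nil {
		t.Fatalf("Error writing temp cert file: %v", writeErr)
	}
	if closeErr != nil {
		t.Fatalf("Error closing temp cert file: %v", closeErr)
	}

	// Test http.<url>.sslcainfo
	for _, hostName := range sslCAInfoConfigHostNames {
		hostKey := fmt.Sprintf("http.https://%v.sslcainfo", hostName)
		c, err := NewClient(NewContext(nil, nil, map[string]string{
			hostKey: tempfile.Name(),
		}))
		if err != nil {
			t.Fatalf("NewClient with %q: %v", hostKey, err)
		}

		for _, tc := range sslCAInfoMatchedHostTests {
			pool := getRootCAsForHost(c, tc.hostName)

			shouldOrShouldnt := "should not"
			if tc.shouldMatch {
				shouldOrShouldnt = "should"
			}

			assert.Equal(t, tc.shouldMatch, pool != nil,
				"Cert lookup for \"%v\" %v have succeeded with \"%v\"",
				tc.hostName, shouldOrShouldnt, hostKey)
		}
	}

	// Test http.sslcainfo
	c, err := NewClient(NewContext(nil, nil, map[string]string{
		"http.sslcainfo": tempfile.Name(),
	}))
	if err != nil {
		t.Fatalf("NewClient with http.sslcainfo: %v", err)
	}

	// Should match any host at all
	for _, tc := range sslCAInfoMatchedHostTests {
		pool := getRootCAsForHost(c, tc.hostName)
		assert.NotNil(t, pool, "expected a CA pool for host %q", tc.hostName)
	}
}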
    96  
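// TestCertFromSSLCAInfoEnv checks that a CA bundle named by the GIT_SSL_CAINFO
// environment variable yields a root CA pool for every host in
// sslCAInfoMatchedHostTests, whatever that table's shouldMatch column says.
func TestCertFromSSLCAInfoEnv(t *testing.T) {
	tempfile, err := ioutil.TempFile("", "testcert")
	if err != nil {
		// tempfile is nil on failure; carrying on would panic in Name().
		t.Fatalf("Error creating temp cert file: %v", err)
	}
	defer os.Remove(tempfile.Name())

	// Close before checking the write so the handle is released either way.
	_, writeErr := tempfile.WriteString(testCert)
	closeErr := tempfile.Close()
	if writeErr != nil {
		t.Fatalf("Error writing temp cert file: %v", writeErr)
	}
	if closeErr != nil {
		t.Fatalf("Error closing temp cert file: %v", closeErr)
	}

	c, err := NewClient(NewContext(nil, map[string]string{
		"GIT_SSL_CAINFO": tempfile.Name(),
	}, nil))
	if err != nil {
		t.Fatalf("NewClient with GIT_SSL_CAINFO: %v", err)
	}

	// Should match any host at all
	for _, tc := range sslCAInfoMatchedHostTests {
		pool := getRootCAsForHost(c, tc.hostName)
		assert.NotNil(t, pool, "expected a CA pool for host %q", tc.hostName)
	}
}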
   117  
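// TestCertFromSSLCAPathConfig checks that a directory of certificates named by
// the http.sslcapath config key yields a root CA pool for every host in
// sslCAInfoMatchedHostTests.
func TestCertFromSSLCAPathConfig(t *testing.T) {
	tempdir, err := ioutil.TempDir("", "testcertdir")
	if err != nil {
		// Without the directory the rest of the test has nothing to load.
		t.Fatalf("Error creating temp cert dir: %v", err)
	}
	defer os.RemoveAll(tempdir)

	certPath := filepath.Join(tempdir, "cert1.pem")
	if err := ioutil.WriteFile(certPath, []byte(testCert), 0644); err != nil {
		t.Fatalf("Error creating cert file: %v", err)
	}

	c, err := NewClient(NewContext(nil, nil, map[string]string{
		"http.sslcapath": tempdir,
	}))
	if err != nil {
		t.Fatalf("NewClient with http.sslcapath: %v", err)
	}

	// Should match any host at all
	for _, tc := range sslCAInfoMatchedHostTests {
		pool := getRootCAsForHost(c, tc.hostName)
		assert.NotNil(t, pool, "expected a CA pool for host %q", tc.hostName)
	}
}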
   138  
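// TestCertFromSSLCAPathEnv checks that a directory of certificates named by
// the GIT_SSL_CAPATH environment variable yields a root CA pool for every host
// in sslCAInfoMatchedHostTests.
func TestCertFromSSLCAPathEnv(t *testing.T) {
	tempdir, err := ioutil.TempDir("", "testcertdir")
	if err != nil {
		// Without the directory the rest of the test has nothing to load.
		t.Fatalf("Error creating temp cert dir: %v", err)
	}
	defer os.RemoveAll(tempdir)

	certPath := filepath.Join(tempdir, "cert1.pem")
	if err := ioutil.WriteFile(certPath, []byte(testCert), 0644); err != nil {
		t.Fatalf("Error creating cert file: %v", err)
	}

	c, err := NewClient(NewContext(nil, map[string]string{
		"GIT_SSL_CAPATH": tempdir,
	}, nil))
	if err != nil {
		t.Fatalf("NewClient with GIT_SSL_CAPATH: %v", err)
	}

	// Should match any host at all
	for _, tc := range sslCAInfoMatchedHostTests {
		pool := getRootCAsForHost(c, tc.hostName)
		assert.NotNil(t, pool, "expected a CA pool for host %q", tc.hostName)
	}
}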
   158  
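// TestCertVerifyDisabledGlobalEnv checks that GIT_SSL_NO_VERIFY=1 in the
// environment sets InsecureSkipVerify on the transport's TLS config, and that
// a client built with no configuration leaves it false.
//
// InsecureSkipVerify makes crypto/tls accept any server certificate chain and
// host name, so the default-off assertion is the security-relevant half of
// this test: verification must stay on unless it is explicitly disabled.
func TestCertVerifyDisabledGlobalEnv(t *testing.T) {
	empty, err := NewClient(nil)
	if err != nil {
		// The baseline client is unusable; report it instead of panicking below.
		t.Fatalf("NewClient(nil): %v", err)
	}

	httpClient := empty.httpClient("anyhost.com")
	tr, ok := httpClient.Transport.(*http.Transport)
	if assert.True(t, ok) {
		assert.False(t, tr.TLSClientConfig.InsecureSkipVerify)
	}

	c, err := NewClient(NewContext(nil, map[string]string{
		"GIT_SSL_NO_VERIFY": "1",
	}, nil))
	if err != nil {
		t.Fatalf("NewClient with GIT_SSL_NO_VERIFY: %v", err)
	}

	httpClient = c.httpClient("anyhost.com")
	tr, ok = httpClient.Transport.(*http.Transport)
	if assert.True(t, ok) {
		assert.True(t, tr.TLSClientConfig.InsecureSkipVerify)
	}
}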
   179  
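// TestCertVerifyDisabledGlobalConfig checks that the git config entry
// http.sslverify=false sets InsecureSkipVerify on the transport's TLS config,
// and that a client built with no configuration leaves it false.
//
// InsecureSkipVerify makes crypto/tls accept any server certificate chain and
// host name, so the first assertion pins the safe default.
func TestCertVerifyDisabledGlobalConfig(t *testing.T) {
	def, err := NewClient(nil)
	if err != nil {
		// The baseline client is unusable; report it instead of panicking below.
		t.Fatalf("NewClient(nil): %v", err)
	}

	httpClient := def.httpClient("anyhost.com")
	tr, ok := httpClient.Transport.(*http.Transport)
	if assert.True(t, ok) {
		assert.False(t, tr.TLSClientConfig.InsecureSkipVerify)
	}

	c, err := NewClient(NewContext(nil, nil, map[string]string{
		"http.sslverify": "false",
	}))
	if err != nil {
		t.Fatalf("NewClient with http.sslverify: %v", err)
	}

	httpClient = c.httpClient("anyhost.com")
	tr, ok = httpClient.Transport.(*http.Transport)
	if assert.True(t, ok) {
		assert.True(t, tr.TLSClientConfig.InsecureSkipVerify)
	}
}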
   199  
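// TestCertVerifyDisabledHostConfig checks that a host-scoped
// http.https://<host>/.sslverify=false entry disables certificate verification
// for that host only.
//
// An unconfigured client must keep InsecureSkipVerify false for both hosts.
// With the entry for specifichost.com, the flag must be true for
// specifichost.com and still false for otherhost.com, so opting one host out
// of verification does not weaken TLS for any other host.
func TestCertVerifyDisabledHostConfig(t *testing.T) {
	def, err := NewClient(nil)
	if err != nil {
		// The baseline client is unusable; report it instead of panicking below.
		t.Fatalf("NewClient(nil): %v", err)
	}

	// Baseline: verification is on for both hosts.
	httpClient := def.httpClient("specifichost.com")
	tr, ok := httpClient.Transport.(*http.Transport)
	if assert.True(t, ok) {
		assert.False(t, tr.TLSClientConfig.InsecureSkipVerify)
	}

	httpClient = def.httpClient("otherhost.com")
	tr, ok = httpClient.Transport.(*http.Transport)
	if assert.True(t, ok) {
		assert.False(t, tr.TLSClientConfig.InsecureSkipVerify)
	}

	c, err := NewClient(NewContext(nil, nil, map[string]string{
		"http.https://specifichost.com/.sslverify": "false",
	}))
	if err != nil {
		t.Fatalf("NewClient with host-scoped sslverify: %v", err)
	}

	// The configured host has verification disabled...
	httpClient = c.httpClient("specifichost.com")
	tr, ok = httpClient.Transport.(*http.Transport)
	if assert.True(t, ok) {
		assert.True(t, tr.TLSClientConfig.InsecureSkipVerify)
	}

	// ...and every other host keeps it enabled.
	httpClient = c.httpClient("otherhost.com")
	tr, ok = httpClient.Transport.(*http.Transport)
	if assert.True(t, ok) {
		assert.False(t, tr.TLSClientConfig.InsecureSkipVerify)
	}
}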