From bc65c315cc3b0b8777ac83e82f9158afec1c5f39 Mon Sep 17 00:00:00 2001
From: Richard Cox
Date: Mon, 4 Jan 2021 16:48:15 +0000
Subject: [PATCH] Honour endpoint's ssl config when cloning private git repos (#4852)
* Fix helm chart note for ClusterIP
* CF Push: Ensure git credentials are not stored in env var - use a specific var for clone url instead of obj that becomes env var - tidy up logic
* Fix issue where path was unescaped, causing proxy fetch of gitlab projects containing %2f to 404
* Update clone failed text, repo does not now have to be public
* Apply nginx uri substituion fix to nginx.dev.conf as well - think this is only used by docker compose, which isn't supported anymore
* Honour endpoint's ssl config when cloning private git repos
---
 src/jetstream/plugins/cfapppush/deploy.go | 11 ++++++++++-
 src/jetstream/plugins/cfapppush/types.go | 1 +
 src/jetstream/plugins/cfapppush/vcs.go | 7 ++++---
 3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/src/jetstream/plugins/cfapppush/deploy.go b/src/jetstream/plugins/cfapppush/deploy.go
index 97617269a9..a0926de151 100644
--- a/src/jetstream/plugins/cfapppush/deploy.go
+++ b/src/jetstream/plugins/cfapppush/deploy.go
@@ -390,6 +390,7 @@ func (cfAppPush *CFAppPush) getGitSCMSource(clientWebSocket *websocket.Conn, tem
 loggerURL := info.URL
 cloneURL := info.URL
+ skipSLL := false
 // Apply credentials associated with the endpoint
 if len(info.EndpointGUID) != 0 {
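Review bot: The new local is spelled `skipSLL`, while the field and parameter this commit introduces elsewhere are `SkipSSL` and `skipSSL`; the transposed name makes the TLS opt-out harder to find when auditing where certificate verification is disabled. Rename it to `skipSSL := false` here and in the two later getGitSCMSource hunks that assign and read it (`skipSLL = cnsiRecord.SkipSSLValidation` and `SkipSSL: skipSLL,`). The `false` default keeps verification on for clones that have no endpoint, which deserves a short comment such as `// Certificate verification stays on unless the endpoint opts out`. getGitSCMSource begins and ends outside this hunk.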
@@ -398,6 +399,13 @@ func (cfAppPush *CFAppPush) getGitSCMSource(clientWebSocket *websocket.Conn, tem
 return StratosProject{}, tempDir, errors.New("Failed to parse SCM URL")
 }
+ cnsiRecord, err := cfAppPush.portalProxy.GetCNSIRecord(info.EndpointGUID)
+ if err != nil {
+ return StratosProject{}, tempDir, errors.New("Failed to find endpoint with guid " + info.EndpointGUID)
+ }
+
+ skipSLL = cnsiRecord.SkipSSLValidation
+
 tokenRecord, isTokenFound := cfAppPush.portalProxy.GetCNSITokenRecord(info.EndpointGUID, userGUID)
 if isTokenFound {
 authTokenDecodedBytes, err := base64.StdEncoding.DecodeString(tokenRecord.AuthToken)
@@ -443,6 +451,7 @@ func (cfAppPush *CFAppPush) getGitSCMSource(clientWebSocket *websocket.Conn, tem
 LoggerUrl: loggerURL,
 Branch: info.Branch,
 Commit: info.CommitHash,
+ SkipSSL: skipSLL,
 }
 info.CommitHash, err = cloneRepository(cloneDetails, clientWebSocket, tempDir)
 if err != nil {
@@ -601,7 +610,7 @@ func cloneRepository(cloneDetails CloneDetails, clientWebSocket *websocket.Conn,
 vcsGit := GetVCS()
- err := vcsGit.Create(tempDir, cloneDetails.Url, cloneDetails.Branch)
+ err := vcsGit.Create(cloneDetails.SkipSSL, tempDir, cloneDetails.Url, cloneDetails.Branch)
 if err != nil {
 log.Infof("Failed to clone repo %s due to %+v", cloneDetails.LoggerUrl, err)
 sendErrorMessage(clientWebSocket, err, CLOSE_FAILED_CLONE)
diff --git a/src/jetstream/plugins/cfapppush/types.go b/src/jetstream/plugins/cfapppush/types.go
index af56336660..95969d4765 100644
--- a/src/jetstream/plugins/cfapppush/types.go
+++ b/src/jetstream/plugins/cfapppush/types.go
@@ -121,4 +121,5 @@ type CloneDetails struct {
 LoggerUrl string
 Branch string
 Commit string
+ SkipSSL bool
 }
diff --git a/src/jetstream/plugins/cfapppush/vcs.go b/src/jetstream/plugins/cfapppush/vcs.go
index 190149fccd..5e85384688 100644
--- a/src/jetstream/plugins/cfapppush/vcs.go
+++ b/src/jetstream/plugins/cfapppush/vcs.go
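Review bot: In the getGitSCMSource hunk at -398, `skipSLL = cnsiRecord.SkipSSLValidation` is set immediately before the endpoint's token is decoded, so when the flag is true that credential appears to be sent on a clone whose server certificate is not checked. A comment at the assignment should say so, for example `// With SkipSSLValidation the clone, and any token applied to it, goes to a server whose identity is not verified`. The error path above it also discards `err` from `GetCNSIRecord`, so any lookup failure is reported as a missing endpoint; logging it before returning, `log.Warnf("Endpoint lookup for %s failed: %v", info.EndpointGUID, err)`, would keep the cause. The function starts and ends outside the hunk.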
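Review bot: In the cloneRepository hunk, the new call `vcsGit.Create(cloneDetails.SkipSSL, ...)` can run a clone with certificate verification off without leaving any trace in the logs. Adding `if cloneDetails.SkipSSL { log.Warnf("Cloning %s with TLS certificate verification disabled", cloneDetails.LoggerUrl) }` before the call records it. Use `LoggerUrl` as the existing failure log does; that field appears to exist to keep the credential-bearing clone URL out of the logs. cloneRepository continues outside the hunk.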
@@ -6,6 +6,7 @@ import (
 "bytes"
 "os"
 "os/exec"
+ "strconv"
 "strings"
 log "github.com/sirupsen/logrus"
@@ -14,7 +15,7 @@ import (
 var vcsGit = &vcsCmd{
 name: "Git",
 cmd: "git",
- createCmd: []string{"clone -b {branch} {repo} {dir}"},
+ createCmd: []string{"clone -c http.sslVerify={sslVerify} -b {branch} {repo} {dir} "},
 resetToCommitCmd: []string{"reset --hard {commit}"},
 checkoutCmd: []string{"checkout refs/remotes/origin/{branch}"},
 headCmd: []string{"rev-parse HEAD"},
@@ -35,9 +36,9 @@ type vcsCmd struct {
 resetToCommitCmd []string // reset branch to commit
 }
-func (vcs *vcsCmd) Create(dir string, repo string, branch string) error {
+func (vcs *vcsCmd) Create(skipSSL bool, dir string, repo string, branch string) error {
 for _, cmd := range vcs.createCmd {
- if err := vcs.run(".", cmd, "dir", dir, "repo", repo, "branch", branch); err != nil {
+ if err := vcs.run(".", cmd, "sslVerify", strconv.FormatBool(!skipSSL), "dir", dir, "repo", repo, "branch", branch); err != nil {
 return err
 }
 }
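Review bot: The rewritten `createCmd` template in `vcsGit` places `{repo}` and `{dir}` directly after the options, so a substituted value that begins with `-` would be read by git as an option rather than an operand. Since the line is being changed anyway, end option parsing explicitly: `createCmd: []string{"clone -c http.sslVerify={sslVerify} -b {branch} -- {repo} {dir}"},`. That version also drops the trailing space inside the string, which is harmless only if `run` (not visible here) splits on arbitrary whitespace. Note that `clone -c` writes the setting into the new repository's configuration, so verification stays off for later operations in that directory, not only for the initial fetch.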
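Review bot: `Create` now takes a leading bare `bool`, and a call such as `Create(true, dir, repo, branch)` does not show that `true` turns certificate verification off; the method has no doc comment to say so either. Add one above the signature, e.g. `// Create clones repo at branch into dir; skipSSL disables TLS certificate verification for the clone.` The sense is inverted only in `strconv.FormatBool(!skipSSL)`, so a short inline comment there (`// git expects sslVerify, the inverse of skipSSL`) would guard against a later flip. The function body ends outside the hunk.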