Merge branch 'gmh-adding-security-auto-mirroring' into 'main'
Adding security MRs to setup auto mirroring See merge request https://gitlab.com/gitlab-org/cli/-/merge_requests/1050 Merged-by: Gary Holtz <gholtz@gitlab.com> Co-authored-by: Brian Williams <bwilliams@gitlab.com>
5d27234aa2
@ -105,6 +105,26 @@ func (c *Client) SetProtocol(protocol string) {
|
|||
c.Protocol = protocol
|
||||
}
|
||||
|
||||
var secureCipherSuites = []uint16{
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
}
|
||||
|
||||
func tlsConfig(host string) *tls.Config {
|
||||
config := &tls.Config{
|
||||
MinVersion: tls.VersionTLS12,
|
||||
InsecureSkipVerify: apiClient.allowInsecure,
|
||||
}
|
||||
|
||||
if host == "gitlab.com" {
|
||||
config.CipherSuites = secureCipherSuites
|
||||
}
|
||||
|
||||
return config
|
||||
}
|
||||
|
||||
// NewClient initializes a api client for use throughout glab.
|
||||
func NewClient(host, token string, allowInsecure bool, isGraphQL bool) (*Client, error) {
|
||||
apiClient.host = host
|
||||
|
@ -125,9 +145,7 @@ func NewClient(host, token string, allowInsecure bool, isGraphQL bool) (*Client,
|
|||
IdleConnTimeout: 90 * time.Second,
|
||||
TLSHandshakeTimeout: 10 * time.Second,
|
||||
ExpectContinueTimeout: 1 * time.Second,
|
||||
TLSClientConfig: &tls.Config{
|
||||
InsecureSkipVerify: apiClient.allowInsecure,
|
||||
},
|
||||
TLSClientConfig: tlsConfig(host),
|
||||
},
|
||||
}
|
||||
}
|
||||
|
|
|
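Review bot: `tlsConfig` reads `apiClient.allowInsecure` from package-level state instead of taking it as an argument, so its result silently depends on whether `NewClient` has already stored the flag when the transport is built; the hunk shows `apiClient.host = host` at the top of `NewClient`, but the `allowInsecure` assignment and the transport construction are outside the visible lines, so the ordering cannot be confirmed here. Passing the flag explicitly, `func tlsConfig(host string, allowInsecure bool) *tls.Config`, removes the hidden dependency and makes the function testable without touching the global. The host check `if host == "gitlab.com"` is an exact, case-sensitive match, so a configured host such as `GitLab.com` would not get the restricted suite list; a `strings.EqualFold` comparison would be more robust if `strings` is already imported in this file. The new function also lacks a doc comment; a note such as `// tlsConfig returns the TLS settings for host. CipherSuites only constrains TLS 1.2 negotiation — crypto/tls does not allow TLS 1.3 suites to be configured — so the restriction is a TLS 1.2 hardening for gitlab.com only.` would stop a future reader from expecting it to govern TLS 1.3. The second hunk's removal of the duplicated `TLSClientConfig` literal in favor of `tlsConfig(host)` is fine as written.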
@ -0,0 +1,47 @@
|
|||
package api
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func Test_tlsConfig(t *testing.T) {
|
||||
type args struct {
|
||||
host string
|
||||
}
|
||||
var tests = []struct {
|
||||
name string
|
||||
args args
|
||||
want []uint16
|
||||
}{
|
||||
{
|
||||
name: "GitLab.com uses secure ciphers",
|
||||
args: args{
|
||||
host: "gitlab.com",
|
||||
},
|
||||
want: []uint16{
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Other hosts aren't limited to secure ciphers",
|
||||
args: args{
|
||||
host: "gitlab.selfhosted.com",
|
||||
},
|
||||
want: nil,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
|
||||
client := tlsConfig(tt.args.host)
|
||||
|
||||
assert.Equal(t, tt.want, client.CipherSuites)
|
||||
})
|
||||
}
|
||||
}
|
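Review bot: The new test only asserts `client.CipherSuites`, so the two other security-relevant settings `tlsConfig` sets — `MinVersion` and `InsecureSkipVerify` — are not pinned and a regression to a lower minimum version would pass. Adding `assert.Equal(t, uint16(tls.VersionTLS12), client.MinVersion)` inside the `t.Run` body covers the former; `InsecureSkipVerify` is harder to assert meaningfully because the function reads it from the package-level `apiClient`, which this test neither sets nor resets, so the expected value depends on whatever state earlier tests left behind. The local `client` is a `*tls.Config`, not a client, so `cfg := tlsConfig(tt.args.host)` reads more accurately, and `var tests = []struct{...}` is conventionally written `tests := []struct{...}` inside a function.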