Merge branch 'gmh-adding-security-auto-mirroring' into 'main'

Adding security MRs to set up auto mirroring

See merge request https://gitlab.com/gitlab-org/cli/-/merge_requests/1050

Merged-by: Gary Holtz <gholtz@gitlab.com>
Co-authored-by: Brian Williams <bwilliams@gitlab.com>
This commit is contained in:
Gary Holtz 2022-10-13 05:01:52 +00:00
commit 5d27234aa2
2 changed files with 68 additions and 3 deletions


@ -105,6 +105,26 @@ func (c *Client) SetProtocol(protocol string) {
c.Protocol = protocol
}
var secureCipherSuites = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}
func tlsConfig(host string) *tls.Config {
config := &tls.Config{
MinVersion: tls.VersionTLS12,
InsecureSkipVerify: apiClient.allowInsecure,
}
if host == "gitlab.com" {
config.CipherSuites = secureCipherSuites
}
return config
}
// NewClient initializes a api client for use throughout glab.
func NewClient(host, token string, allowInsecure bool, isGraphQL bool) (*Client, error) {
apiClient.host = host
@ -125,9 +145,7 @@ func NewClient(host, token string, allowInsecure bool, isGraphQL bool) (*Client,
IdleConnTimeout: 90 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
TLSClientConfig: &tls.Config{
InsecureSkipVerify: apiClient.allowInsecure,
},
TLSClientConfig: tlsConfig(host),
},
}
}
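Review bot: The guard `if host == "gitlab.com"` in tlsConfig is a case-sensitive exact comparison, so a host configured as `GitLab.com`, or (presumably) with an explicit port appended, would silently fall back to Go's default suite list instead of the restricted one; normalizing first, e.g. `if strings.EqualFold(host, "gitlab.com")` (adding `strings` to the imports if the file does not already have it), makes the check match the way the host is actually supplied. A comment above `config.CipherSuites = secureCipherSuites` should also state that `tls.Config.CipherSuites` only governs TLS 1.2 handshakes — TLS 1.3 suites are not configurable in crypto/tls — so this list narrows nothing on a TLS 1.3 connection and `MinVersion` is the setting doing most of the work. tlsConfig reads `InsecureSkipVerify` from the package-level `apiClient.allowInsecure` while NewClient receives `allowInsecure` as a parameter; if that field is not assigned before the `TLSClientConfig: tlsConfig(host)` call (the assignment is not visible in these hunks) the config picks up stale package state, so passing it explicitly as `tlsConfig(host, allowInsecure)` would remove that ordering dependency. NewClient's body continues outside the hunk.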

47
api/client_test.go Normal file

@ -0,0 +1,47 @@
package api
import (
"crypto/tls"
"testing"
"github.com/stretchr/testify/assert"
)
func Test_tlsConfig(t *testing.T) {
type args struct {
host string
}
var tests = []struct {
name string
args args
want []uint16
}{
{
name: "GitLab.com uses secure ciphers",
args: args{
host: "gitlab.com",
},
want: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
},
},
{
name: "Other hosts aren't limited to secure ciphers",
args: args{
host: "gitlab.selfhosted.com",
},
want: nil,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
client := tlsConfig(tt.args.host)
assert.Equal(t, tt.want, client.CipherSuites)
})
}
}
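Review bot: Test_tlsConfig asserts only `CipherSuites`, so the two other security-relevant fields tlsConfig sets — `MinVersion: tls.VersionTLS12` and `InsecureSkipVerify` — have no coverage and could regress without failing a test; adding `assert.Equal(t, uint16(tls.VersionTLS12), client.MinVersion)` beside the existing assertion pins the version floor for every host, and a case that sets `apiClient.allowInsecure = true` (reset via `t.Cleanup`) would confirm verification is disabled only when asked. The subtest local `client` holds a `*tls.Config`, not a client, so `cfg := tlsConfig(tt.args.host)` reads more accurately. The second case's `want: nil` is deliberately an unset list rather than an empty one, which is what leaves suite selection to crypto/tls defaults for self-hosted hosts; a one-line comment on that case, `// nil leaves cipher selection to the Go defaults`, would make the intent explicit.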