author | Zeger-Jan van de Weg <git@zjvandeweg.nl> | 2018-12-05 18:54:23 +0300 |
---|---|---|
committer | Zeger-Jan van de Weg <git@zjvandeweg.nl> | 2018-12-05 18:54:23 +0300 |
commit | 643d110bccd5cc2e5123e03f9262388c75fd2c39 (patch) | |
tree | ded0a3f7c3e3ec26f86c47bd43da3fd57417aeb5 | |
parent | d09529276173e55eec782033fb7441d46d050d4c (diff) | |
parent | f62959c5da83f0ca84f1e9f78e39a3273034d81f (diff) |
Merge branch 'try-fix-macos-auth-test' into 'master'
Fix TLS client code on macOS
See merge request gitlab-org/gitaly!994
-rw-r--r-- | changelogs/unreleased/try-fix-macos-auth-test.yml | 5 | ||||
-rw-r--r-- | client/dial.go | 4 | ||||
-rw-r--r-- | client/pool-darwin.go | 58 | ||||
-rw-r--r-- | client/pool.go | 8 | ||||
-rw-r--r-- | cmd/gitaly-ssh/auth_test.go | 4 |
5 files changed, 74 insertions, 5 deletions
diff --git a/changelogs/unreleased/try-fix-macos-auth-test.yml b/changelogs/unreleased/try-fix-macos-auth-test.yml
new file mode 100644
index 000000000..f58357cd8
--- /dev/null
+++ b/changelogs/unreleased/try-fix-macos-auth-test.yml
@@ -0,0 +1,5 @@
+---
+title: Fix TLS client code on macOS
+merge_request: 994
+author:
+type: fixed
diff --git a/client/dial.go b/client/dial.go
index e8a3a5f44..d0a51c0c1 100644
--- a/client/dial.go
+++ b/client/dial.go
@@ -1,8 +1,6 @@
 package client
 import (
- "crypto/x509"
-
 "google.golang.org/grpc/credentials"
 "net/url"
@@ -21,7 +19,7 @@ func Dial(rawAddress string, connOpts []grpc.DialOption) (*grpc.ClientConn, erro
 }
 if isTLS(rawAddress) {
- certPool, err := x509.SystemCertPool()
+ certPool, err := systemCertPool()
 if err != nil {
 return nil, err
 }
diff --git a/client/pool-darwin.go b/client/pool-darwin.go
new file mode 100644
index 000000000..e392a4d70
--- /dev/null
+++ b/client/pool-darwin.go
@@ -0,0 +1,58 @@
+// +build darwin
+
+package client
+
+import (
+ "crypto/x509"
+ "io/ioutil"
+ "os"
+ "path"
+)
+
+// systemCertPool circumvents the fact that Go on macOS does not support
+// SSL_CERT_{DIR,FILE}.
+func systemCertPool() (*x509.CertPool, error) {
+ var certPem []byte
+ count := 0
+
+ if f := os.Getenv("SSL_CERT_FILE"); len(f) > 0 {
+ pem, err := ioutil.ReadFile(f)
+ if err != nil {
+ return nil, err
+ }
+
+ pem = append(pem, '\n')
+ certPem = append(certPem, pem...)
+ count++
+ }
+
+ if d := os.Getenv("SSL_CERT_DIR"); len(d) > 0 {
+ entries, err := ioutil.ReadDir(d)
+ if err != nil {
+ return nil, err
+ }
+
+ for _, entry := range entries {
+ if entry.IsDir() {
+ continue
+ }
+
+ pem, err := ioutil.ReadFile(path.Join(d, entry.Name()))
+ if err != nil {
+ return nil, err
+ }
+
+ pem = append(pem, '\n')
+ certPem = append(certPem, pem...)
+ count++
+ }
+ }
+
+ pool, err := x509.SystemCertPool()
+ if err != nil {
+ return nil, err
+ }
+
+ pool.AppendCertsFromPEM(certPem)
+ return pool, nil
+}
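Review bot: The result of `pool.AppendCertsFromPEM(certPem)` at the end of systemCertPool in client/pool-darwin.go is discarded, so when SSL_CERT_FILE or SSL_CERT_DIR is set but yields no parseable certificate the caller silently gets only the system roots and the TLS failure shows up later with no hint about the cause. I would check it, e.g. `if len(certPem) > 0 && !pool.AppendCertsFromPEM(certPem) { return nil, errors.New("no certificates found in SSL_CERT_FILE/SSL_CERT_DIR") }`, which needs `errors` added to the import block. `count` is incremented in both branches but never read and can be dropped. The doc comment should also state that the variables add to the system pool here, whereas on other Unix systems Go uses them to override the default locations, so on macOS they cannot narrow trust to a private CA.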
diff --git a/client/pool.go b/client/pool.go
new file mode 100644
index 000000000..e4d216427
--- /dev/null
+++ b/client/pool.go
@@ -0,0 +1,8 @@
+// +build !darwin
+
+package client
+
+import "crypto/x509"
+
+// systemCertPool has an override on macOS.
+func systemCertPool() (*x509.CertPool, error) { return x509.SystemCertPool() }
diff --git a/cmd/gitaly-ssh/auth_test.go b/cmd/gitaly-ssh/auth_test.go
index 83a6bc9ac..432c8f207 100644
--- a/cmd/gitaly-ssh/auth_test.go
+++ b/cmd/gitaly-ssh/auth_test.go
@@ -75,7 +75,7 @@ func TestConnectivity(t *testing.T) {
 require.NoError(t, err)
 for _, testcase := range testCases {
 cmd := exec.Command("git", "ls-remote", "git@localhost:test/test.git", "refs/heads/master")
-
+ cmd.Stderr = os.Stderr
 cmd.Env = []string{
 fmt.Sprintf("GITALY_PAYLOAD=%s", payload),
 fmt.Sprintf("GITALY_ADDRESS=%s", testcase.addr),
@@ -86,7 +86,7 @@ func TestConnectivity(t *testing.T) {
 output, err := cmd.Output()
- require.NoError(t, err)
+ require.NoError(t, err, "git ls-remote exit status")
 require.True(t, strings.HasSuffix(strings.TrimSpace(string(output)), "refs/heads/master"))
 }
 }
|
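Review bot: `cmd.Stderr = os.Stderr` in the first hunk of cmd/gitaly-ssh/auth_test.go sends git's stderr to the test binary's stderr, where it is detached from the failing test case and can interleave with other output. Capturing it and putting it in the assertion message keeps the diagnostic with the failure: `var stderr bytes.Buffer` and `cmd.Stderr = &stderr` here, then `require.NoError(t, err, "git ls-remote exit status: %s", stderr.String())` in the second hunk. This assumes `bytes` is imported or can be added; the import block and the rest of TestConnectivity lie outside the hunks.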