
gitlab.com/gitlab-org/gitaly.git - Unnamed repository; edit this file 'description' to name the repository.
authorZeger-Jan van de Weg <git@zjvandeweg.nl>2018-12-05 18:54:23 +0300
committerZeger-Jan van de Weg <git@zjvandeweg.nl>2018-12-05 18:54:23 +0300
commit643d110bccd5cc2e5123e03f9262388c75fd2c39 (patch)
treeded0a3f7c3e3ec26f86c47bd43da3fd57417aeb5
parentd09529276173e55eec782033fb7441d46d050d4c (diff)
parentf62959c5da83f0ca84f1e9f78e39a3273034d81f (diff)
Merge branch 'try-fix-macos-auth-test' into 'master'
Fix TLS client code on macOS See merge request gitlab-org/gitaly!994
-rw-r--r--changelogs/unreleased/try-fix-macos-auth-test.yml5
-rw-r--r--client/dial.go4
-rw-r--r--client/pool-darwin.go58
-rw-r--r--client/pool.go8
-rw-r--r--cmd/gitaly-ssh/auth_test.go4
5 files changed, 74 insertions, 5 deletions
diff --git a/changelogs/unreleased/try-fix-macos-auth-test.yml b/changelogs/unreleased/try-fix-macos-auth-test.yml
new file mode 100644
index 000000000..f58357cd8
--- /dev/null
+++ b/changelogs/unreleased/try-fix-macos-auth-test.yml
@@ -0,0 +1,5 @@
+---
+title: Fix TLS client code on macOS
+merge_request: 994
+author:
+type: fixed
diff --git a/client/dial.go b/client/dial.go
index e8a3a5f44..d0a51c0c1 100644
--- a/client/dial.go
+++ b/client/dial.go
@@ -1,8 +1,6 @@
package client
import (
- "crypto/x509"
-
"google.golang.org/grpc/credentials"
"net/url"
@@ -21,7 +19,7 @@ func Dial(rawAddress string, connOpts []grpc.DialOption) (*grpc.ClientConn, erro
}
if isTLS(rawAddress) {
- certPool, err := x509.SystemCertPool()
+ certPool, err := systemCertPool()
if err != nil {
return nil, err
}
diff --git a/client/pool-darwin.go b/client/pool-darwin.go
new file mode 100644
index 000000000..e392a4d70
--- /dev/null
+++ b/client/pool-darwin.go
@@ -0,0 +1,58 @@
+// +build darwin
+
+package client
+
+import (
+ "crypto/x509"
+ "io/ioutil"
+ "os"
+ "path"
+)
+
+// systemCertPool circumvents the fact that Go on macOS does not support
+// SSL_CERT_{DIR,FILE}.
+func systemCertPool() (*x509.CertPool, error) {
+ var certPem []byte
+ count := 0
+
+ if f := os.Getenv("SSL_CERT_FILE"); len(f) > 0 {
+ pem, err := ioutil.ReadFile(f)
+ if err != nil {
+ return nil, err
+ }
+
+ pem = append(pem, '\n')
+ certPem = append(certPem, pem...)
+ count++
+ }
+
+ if d := os.Getenv("SSL_CERT_DIR"); len(d) > 0 {
+ entries, err := ioutil.ReadDir(d)
+ if err != nil {
+ return nil, err
+ }
+
+ for _, entry := range entries {
+ if entry.IsDir() {
+ continue
+ }
+
+ pem, err := ioutil.ReadFile(path.Join(d, entry.Name()))
+ if err != nil {
+ return nil, err
+ }
+
+ pem = append(pem, '\n')
+ certPem = append(certPem, pem...)
+ count++
+ }
+ }
+
+ pool, err := x509.SystemCertPool()
+ if err != nil {
+ return nil, err
+ }
+
+ pool.AppendCertsFromPEM(certPem)
+ return pool, nil
+}
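Review bot: The result of `pool.AppendCertsFromPEM(certPem)` at the end of systemCertPool is discarded and `count` is incremented but never read, so an SSL_CERT_FILE or SSL_CERT_DIR that yields no parseable certificate is accepted silently and the misconfiguration only surfaces later as an unknown-authority handshake error. Consider `if count > 0 && !pool.AppendCertsFromPEM(certPem) { return nil, errors.New("no certificates parsed from SSL_CERT_FILE/SSL_CERT_DIR") }` (this needs the `errors` import), or drop `count` if the silent behaviour is intended. The doc comment should also state the trust semantics, because here the variables add roots on top of the system pool, whereas Go's root loading on other Unix platforms uses them in place of the default locations; something like `// Certificates from SSL_CERT_FILE and SSL_CERT_DIR are added to the system roots; they do not replace them.` would make it clear that setting them does not narrow trust on macOS. Separately, every non-directory entry of SSL_CERT_DIR is read and any read error aborts the function, so a dangling symlink or an unreadable file in that directory makes every TLS Dial fail.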
diff --git a/client/pool.go b/client/pool.go
new file mode 100644
index 000000000..e4d216427
--- /dev/null
+++ b/client/pool.go
@@ -0,0 +1,8 @@
+// +build !darwin
+
+package client
+
+import "crypto/x509"
+
+// systemCertPool has an override on macOS.
+func systemCertPool() (*x509.CertPool, error) { return x509.SystemCertPool() }
diff --git a/cmd/gitaly-ssh/auth_test.go b/cmd/gitaly-ssh/auth_test.go
index 83a6bc9ac..432c8f207 100644
--- a/cmd/gitaly-ssh/auth_test.go
+++ b/cmd/gitaly-ssh/auth_test.go
@@ -75,7 +75,7 @@ func TestConnectivity(t *testing.T) {
require.NoError(t, err)
for _, testcase := range testCases {
cmd := exec.Command("git", "ls-remote", "git@localhost:test/test.git", "refs/heads/master")
-
+ cmd.Stderr = os.Stderr
cmd.Env = []string{
fmt.Sprintf("GITALY_PAYLOAD=%s", payload),
fmt.Sprintf("GITALY_ADDRESS=%s", testcase.addr),
@@ -86,7 +86,7 @@ func TestConnectivity(t *testing.T) {
output, err := cmd.Output()
- require.NoError(t, err)
+ require.NoError(t, err, "git ls-remote exit status")
require.True(t, strings.HasSuffix(strings.TrimSpace(string(output)), "refs/heads/master"))
}
}