Do not warn http sources in push/delete scenarios when allowInsecureC…

…onnections is set to true. (#5381)
NuGet · Sep 8, 2023 · 9014d80 · 9014d80
1 parent c871727
commit 9014d80
Show file tree

Hide file tree

Showing 9 changed files with 179 additions and 38 deletions.
diff --git a/src/NuGet.Core/NuGet.Commands/CommandRunners/DeleteRunner.cs b/src/NuGet.Core/NuGet.Commands/CommandRunners/DeleteRunner.cs
@@ -29,7 +29,7 @@ public static async Task Run(
             source = CommandRunnerUtility.ResolveSource(sourceProvider, source);
             PackageSource packageSource = CommandRunnerUtility.GetOrCreatePackageSource(sourceProvider, source);
             // Only warn for V3 style sources because they have a service index which is different from the final push url.
-            if (packageSource.IsHttp && !packageSource.IsHttps &&
+            if (packageSource.IsHttp && !packageSource.IsHttps && !packageSource.AllowInsecureConnections &&
                 (packageSource.ProtocolVersion == 3 || packageSource.Source.EndsWith("json", StringComparison.OrdinalIgnoreCase)))
             {
                 logger.LogWarning(string.Format(CultureInfo.CurrentCulture, Strings.Warning_HttpServerUsage, "delete", packageSource.Source));
@@ -42,6 +42,7 @@ await packageUpdateResource.Delete(
                 endpoint => apiKey ?? CommandRunnerUtility.GetApiKey(settings, endpoint, source),
                 desc => nonInteractive || confirmFunc(desc),
                 noServiceEndpoint,
+                packageSource.AllowInsecureConnections,
                 logger);
         }
     }

diff --git a/src/NuGet.Core/NuGet.Commands/CommandRunners/PushRunner.cs b/src/NuGet.Core/NuGet.Commands/CommandRunners/PushRunner.cs
@@ -42,7 +42,7 @@ public static async Task Run(
             var packageUpdateResource = await CommandRunnerUtility.GetPackageUpdateResource(sourceProvider, packageSource);
 
             // Only warn for V3 style sources because they have a service index which is different from the final push url.
-            if (packageSource.IsHttp && !packageSource.IsHttps &&
+            if (packageSource.IsHttp && !packageSource.IsHttps && !packageSource.AllowInsecureConnections &&
                 (packageSource.ProtocolVersion == 3 || packageSource.Source.EndsWith("json", StringComparison.OrdinalIgnoreCase)))
             {
                 logger.LogWarning(string.Format(CultureInfo.CurrentCulture, Strings.Warning_HttpServerUsage, "push", packageSource.Source));
@@ -90,6 +90,7 @@ await packageUpdateResource.Push(
                 noServiceEndpoint,
                 skipDuplicate,
                 symbolPackageUpdateResource,
+                packageSource.AllowInsecureConnections,
                 logger);
         }
 

diff --git a/src/NuGet.Core/NuGet.Protocol/PublicAPI/net472/PublicAPI.Unshipped.txt b/src/NuGet.Core/NuGet.Protocol/PublicAPI/net472/PublicAPI.Unshipped.txt
@@ -8,3 +8,5 @@ NuGet.Protocol.PackageVulnerabilitySeverity.Low = 0 -> NuGet.Protocol.PackageVul
 NuGet.Protocol.PackageVulnerabilitySeverity.Moderate = 1 -> NuGet.Protocol.PackageVulnerabilitySeverity
 NuGet.Protocol.PackageVulnerabilitySeverity.Unknown = -1 -> NuGet.Protocol.PackageVulnerabilitySeverity
 ~const NuGet.Protocol.JsonProperties.Url = "url" -> string
+~NuGet.Protocol.Core.Types.PackageUpdateResource.Delete(string packageId, string packageVersion, System.Func<string, string> getApiKey, System.Func<string, bool> confirm, bool noServiceEndpoint, bool allowInsecureConnections, NuGet.Common.ILogger log) -> System.Threading.Tasks.Task
+~NuGet.Protocol.Core.Types.PackageUpdateResource.Push(System.Collections.Generic.IList<string> packagePaths, string symbolSource, int timeoutInSecond, bool disableBuffering, System.Func<string, string> getApiKey, System.Func<string, string> getSymbolApiKey, bool noServiceEndpoint, bool skipDuplicate, NuGet.Protocol.Core.Types.SymbolPackageUpdateResourceV3 symbolPackageUpdateResource, bool allowInsecureConnections, NuGet.Common.ILogger log) -> System.Threading.Tasks.Task
diff --git a/src/NuGet.Core/NuGet.Protocol/PublicAPI/netcoreapp5.0/PublicAPI.Unshipped.txt b/src/NuGet.Core/NuGet.Protocol/PublicAPI/netcoreapp5.0/PublicAPI.Unshipped.txt
@@ -8,3 +8,5 @@ NuGet.Protocol.PackageVulnerabilitySeverity.Low = 0 -> NuGet.Protocol.PackageVul
 NuGet.Protocol.PackageVulnerabilitySeverity.Moderate = 1 -> NuGet.Protocol.PackageVulnerabilitySeverity
 NuGet.Protocol.PackageVulnerabilitySeverity.Unknown = -1 -> NuGet.Protocol.PackageVulnerabilitySeverity
 ~const NuGet.Protocol.JsonProperties.Url = "url" -> string
+~NuGet.Protocol.Core.Types.PackageUpdateResource.Delete(string packageId, string packageVersion, System.Func<string, string> getApiKey, System.Func<string, bool> confirm, bool noServiceEndpoint, bool allowInsecureConnections, NuGet.Common.ILogger log) -> System.Threading.Tasks.Task
+~NuGet.Protocol.Core.Types.PackageUpdateResource.Push(System.Collections.Generic.IList<string> packagePaths, string symbolSource, int timeoutInSecond, bool disableBuffering, System.Func<string, string> getApiKey, System.Func<string, string> getSymbolApiKey, bool noServiceEndpoint, bool skipDuplicate, NuGet.Protocol.Core.Types.SymbolPackageUpdateResourceV3 symbolPackageUpdateResource, bool allowInsecureConnections, NuGet.Common.ILogger log) -> System.Threading.Tasks.Task
diff --git a/src/NuGet.Core/NuGet.Protocol/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt b/src/NuGet.Core/NuGet.Protocol/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt
@@ -8,3 +8,5 @@ NuGet.Protocol.PackageVulnerabilitySeverity.Low = 0 -> NuGet.Protocol.PackageVul
 NuGet.Protocol.PackageVulnerabilitySeverity.Moderate = 1 -> NuGet.Protocol.PackageVulnerabilitySeverity
 NuGet.Protocol.PackageVulnerabilitySeverity.Unknown = -1 -> NuGet.Protocol.PackageVulnerabilitySeverity
 ~const NuGet.Protocol.JsonProperties.Url = "url" -> string
+~NuGet.Protocol.Core.Types.PackageUpdateResource.Delete(string packageId, string packageVersion, System.Func<string, string> getApiKey, System.Func<string, bool> confirm, bool noServiceEndpoint, bool allowInsecureConnections, NuGet.Common.ILogger log) -> System.Threading.Tasks.Task
+~NuGet.Protocol.Core.Types.PackageUpdateResource.Push(System.Collections.Generic.IList<string> packagePaths, string symbolSource, int timeoutInSecond, bool disableBuffering, System.Func<string, string> getApiKey, System.Func<string, string> getSymbolApiKey, bool noServiceEndpoint, bool skipDuplicate, NuGet.Protocol.Core.Types.SymbolPackageUpdateResourceV3 symbolPackageUpdateResource, bool allowInsecureConnections, NuGet.Common.ILogger log) -> System.Threading.Tasks.Task
diff --git a/src/NuGet.Core/NuGet.Protocol/Resources/PackageUpdateResource.cs b/src/NuGet.Core/NuGet.Protocol/Resources/PackageUpdateResource.cs
@@ -52,6 +52,21 @@ public Uri SourceUri
             get { return UriUtility.CreateSourceUri(_source); }
         }
 
+        public async Task Push(
+           IList<string> packagePaths,
+           string symbolSource, // empty to not push symbols
+           int timeoutInSecond,
+           bool disableBuffering,
+           Func<string, string> getApiKey,
+           Func<string, string> getSymbolApiKey,
+           bool noServiceEndpoint,
+           bool skipDuplicate,
+           SymbolPackageUpdateResourceV3 symbolPackageUpdateResource,
+           ILogger log)
+        {
+            await Push(packagePaths, symbolSource, timeoutInSecond, disableBuffering, getApiKey, getSymbolApiKey, noServiceEndpoint, skipDuplicate, symbolPackageUpdateResource, allowInsecureConnections: false, log);
+        }
+
         public async Task Push(
             IList<string> packagePaths,
             string symbolSource, // empty to not push symbols
@@ -62,6 +77,7 @@ public async Task Push(
             bool noServiceEndpoint,
             bool skipDuplicate,
             SymbolPackageUpdateResourceV3 symbolPackageUpdateResource,
+            bool allowInsecureConnections,
             ILogger log)
         {
             // TODO: Figure out how to hook this up with the HTTP request
@@ -78,7 +94,7 @@ public async Task Push(
                 {
                     // Push nupkgs and possibly the corresponding snupkgs.
                     await PushPackagePath(packagePath, _source, symbolSource, apiKey, getSymbolApiKey, noServiceEndpoint, skipDuplicate,
-                        symbolPackageUpdateResource, requestTimeout, log, tokenSource.Token);
+                        symbolPackageUpdateResource, allowInsecureConnections, requestTimeout, log, tokenSource.Token);
                 }
                 else // Explicit snupkg push
                 {
@@ -90,7 +106,7 @@ await PushPackagePath(packagePath, _source, symbolSource, apiKey, getSymbolApiKe
                         string symbolApiKey = getSymbolApiKey(symbolSource);
 
                         await PushSymbolsPath(packagePath, symbolSource, symbolApiKey,
-                            noServiceEndpoint, skipDuplicate, symbolPackageUpdateResource,
+                            noServiceEndpoint, skipDuplicate, symbolPackageUpdateResource, allowInsecureConnections,
                             requestTimeout, log, tokenSource.Token);
                     }
                 }
@@ -144,6 +160,17 @@ public async Task Delete(string packageId,
             Func<string, bool> confirm,
             bool noServiceEndpoint,
             ILogger log)
+        {
+            await Delete(packageId, packageVersion, getApiKey, confirm, noServiceEndpoint, allowInsecureConnections: false, log);
+        }
+
+        public async Task Delete(string packageId,
+            string packageVersion,
+            Func<string, string> getApiKey,
+            Func<string, bool> confirm,
+            bool noServiceEndpoint,
+            bool allowInsecureConnections,
+            ILogger log)
         {
             var sourceDisplayName = GetSourceDisplayName(_source);
             var apiKey = getApiKey(_source);
@@ -163,7 +190,7 @@ public async Task Delete(string packageId,
                     packageVersion,
                     sourceDisplayName
                     ));
-                await DeletePackage(_source, apiKey, packageId, packageVersion, noServiceEndpoint, log, CancellationToken.None);
+                await DeletePackage(_source, apiKey, packageId, packageVersion, noServiceEndpoint, allowInsecureConnections, log, CancellationToken.None);
                 log.LogInformation(string.Format(CultureInfo.CurrentCulture,
                     Strings.DeleteCommandDeletedPackage,
                     packageId,
@@ -181,6 +208,7 @@ private async Task PushSymbolsPath(string packagePath,
             bool noServiceEndpoint,
             bool skipDuplicate,
             SymbolPackageUpdateResourceV3 symbolPackageUpdateResource,
+            bool allowInsecureConnections,
             TimeSpan requestTimeout,
             ILogger log,
             CancellationToken token)
@@ -214,7 +242,7 @@ private async Task PushSymbolsPath(string packagePath,
                 bool warnForHttpSources = true;
                 foreach (string packageToPush in symbolsToPush)
                 {
-                    await PushPackageCore(symbolSource, apiKey, packageToPush, noServiceEndpoint, skipDuplicate, requestTimeout, warnForHttpSources, log, token);
+                    await PushPackageCore(symbolSource, apiKey, packageToPush, noServiceEndpoint, skipDuplicate, requestTimeout, warnForHttpSources, allowInsecureConnections, log, token);
                     warnForHttpSources = false;
                 }
             }
@@ -232,6 +260,7 @@ private async Task PushPackagePath(string packagePath,
             bool noServiceEndpoint,
             bool skipDuplicate,
             SymbolPackageUpdateResourceV3 symbolPackageUpdateResource,
+            bool allowInsecureConnections,
             TimeSpan requestTimeout,
             ILogger log,
             CancellationToken token)
@@ -257,7 +286,7 @@ private async Task PushPackagePath(string packagePath,
             bool warnForHttpSources = true;
             foreach (string nupkgToPush in nupkgsToPush)
             {
-                bool packageWasPushed = await PushPackageCore(source, apiKey, nupkgToPush, noServiceEndpoint, skipDuplicate, requestTimeout, warnForHttpSources, log, token);
+                bool packageWasPushed = await PushPackageCore(source, apiKey, nupkgToPush, noServiceEndpoint, skipDuplicate, requestTimeout, warnForHttpSources, allowInsecureConnections, log, token);
                 // Push corresponding symbols, if successful.
                 if (packageWasPushed && !string.IsNullOrEmpty(symbolSource))
                 {
@@ -287,7 +316,7 @@ private async Task PushPackagePath(string packagePath,
                     }
 
                     string symbolApiKey = getSymbolApiKey(symbolSource);
-                    await PushPackageCore(symbolSource, symbolApiKey, symbolPackagePath, noServiceEndpoint, skipDuplicate, requestTimeout, warnForHttpSources, log, token);
+                    await PushPackageCore(symbolSource, symbolApiKey, symbolPackagePath, noServiceEndpoint, skipDuplicate, requestTimeout, warnForHttpSources, allowInsecureConnections, log, token);
                 }
                 warnForHttpSources = false;
             }
@@ -300,6 +329,7 @@ private async Task<bool> PushPackageCore(string source,
             bool skipDuplicate,
             TimeSpan requestTimeout,
             bool warnForHttpSources,
+            bool allowInsecureConnections,
             ILogger log,
             CancellationToken token)
         {
@@ -320,7 +350,7 @@ private async Task<bool> PushPackageCore(string source,
             else
             {
                 wasPackagePushed = await PushPackageToServer(source, apiKey, packageToPush, noServiceEndpoint, skipDuplicate,
-                    requestTimeout, warnForHttpSources, log, token);
+                    requestTimeout, warnForHttpSources, allowInsecureConnections, log, token);
             }
 
             if (wasPackagePushed)
@@ -370,14 +400,15 @@ private async Task<bool> PushPackageToServer(string source,
             bool skipDuplicate,
             TimeSpan requestTimeout,
             bool warnForHttpSources,
+            bool allowInsecureConnections,
             ILogger logger,
             CancellationToken token)
         {
             Uri serviceEndpointUrl = GetServiceEndpointUrl(source, string.Empty, noServiceEndpoint);
             bool useTempApiKey = IsSourceNuGetSymbolServer(source);
             HttpStatusCode? codeNotToThrow = ConvertSkipDuplicateParamToHttpStatusCode(skipDuplicate);
             bool showPushCommandPackagePushed = true;
-            if (warnForHttpSources && serviceEndpointUrl.Scheme == Uri.UriSchemeHttp)
+            if (warnForHttpSources && serviceEndpointUrl.Scheme == Uri.UriSchemeHttp && !allowInsecureConnections)
             {
                 logger.LogWarning(string.Format(CultureInfo.CurrentCulture, Strings.Warning_HttpServerUsage, "push", serviceEndpointUrl));
             }
@@ -668,6 +699,7 @@ private async Task DeletePackage(string source,
             string packageId,
             string packageVersion,
             bool noServiceEndpoint,
+            bool allowInsecureConnections,
             ILogger logger,
             CancellationToken token)
         {
@@ -678,7 +710,7 @@ private async Task DeletePackage(string source,
             }
             else
             {
-                if (sourceUri.Scheme == Uri.UriSchemeHttp)
+                if (sourceUri.Scheme == Uri.UriSchemeHttp && !allowInsecureConnections)
                 {
                     logger.LogWarning(string.Format(CultureInfo.CurrentCulture, Strings.Warning_HttpServerUsage, "delete", sourceUri));
                 }

diff --git a/test/NuGet.Clients.Tests/NuGet.CommandLine.Test/NuGetDeleteCommandTest.cs b/test/NuGet.Clients.Tests/NuGet.CommandLine.Test/NuGetDeleteCommandTest.cs
@@ -414,8 +414,10 @@ public void DeleteCommand_Failure_InvalidArguments(string args)
             Util.TestCommandInvalidArguments(args);
         }
 
-        [Fact]
-        public void DeleteCommand_WhenDeleteWithHttpSource_Warns()
+        [Theory]
+        [InlineData("true", false)]
+        [InlineData("false", true)]
+        public void DeleteCommand_WhenDeleteWithHttpSourceAndAllowInsecureConnections_WarnsCorrectly(string allowInsecureConnections, bool isHttpWarningExpected)
         {
             var nugetexe = Util.GetNuGetExePath();
 
@@ -431,10 +433,23 @@ public void DeleteCommand_WhenDeleteWithHttpSource_Warns()
                     return HttpStatusCode.OK;
                 });
 
+                using SimpleTestPathContext config = new SimpleTestPathContext();
+
+                // Arrange the NuGet.Config file
+                string nugetConfigContent =
+    $@"<configuration>
+    <packageSources>
+        <clear />
+        <add key='http-feed' value='{server.Uri}nuget' protocalVersion=""3"" allowInsecureConnections=""{allowInsecureConnections}"" />
+    </packageSources>
+</configuration>";
+                File.WriteAllText(config.NuGetConfig, nugetConfigContent);
+
                 // Act
                 string[] args = new string[] {
                     "delete", "testPackage1", "1.1.0",
-                    "-Source", server.Uri + "nuget", "-NonInteractive" };
+                    "-Source", server.Uri + "nuget",
+                    "-ConfigFile", config.NuGetConfig, "-NonInteractive" };
 
                 var r = CommandRunner.Run(
                     nugetexe,
@@ -444,7 +459,16 @@ public void DeleteCommand_WhenDeleteWithHttpSource_Warns()
                 // Assert
                 Assert.Equal(0, r.ExitCode);
                 Assert.True(deleteRequestIsCalled);
-                Assert.Contains("WARNING: You are running the 'delete' operation with an 'HTTP' source", r.AllOutput);
+
+                string expectedWarning = "WARNING: You are running the 'delete' operation with an 'HTTP' source";
+                if (isHttpWarningExpected)
+                {
+                    Assert.Contains(expectedWarning, r.AllOutput);
+                }
+                else
+                {
+                    Assert.DoesNotContain(expectedWarning, r.AllOutput);
+                }
             }
         }