From 5ae3182e16929b0d6ac87a976194c599b22835e3 Mon Sep 17 00:00:00 2001
From: Shaun Smith
Date: Wed, 17 Jan 2018 12:44:03 +0200
Subject: [PATCH] feat: add insecure mode (ignore unknown certificate authorities)

---
 cli/args.js | 4 +++
 help/help.txt | 1 +
 lib/request/request.js | 5 ++++
 test/acceptance/cli.acceptance.test.js | 37 ++++++++++++++++++++++++++
 test/args.test.js | 17 +++++++++++-
 5 files changed, 63 insertions(+), 1 deletion(-)

diff --git a/cli/args.js b/cli/args.js
index f8dd938093..9daf1ad3ee 100644
--- a/cli/args.js
+++ b/cli/args.js
@@ -132,6 +132,10 @@ function args(processargv) {
 }
 });
 
+ if (argv.insecure) {
+ global.ignoreUnknownCA = true;
+ }
+
 debug(command, argv);
 
 return {
diff --git a/help/help.txt b/help/help.txt
index 8678a1bfaa..b9f62c134f 100644
--- a/help/help.txt
+++ b/help/help.txt
@@ -39,6 +39,7 @@ Options:
 to true). Applicable to `snyk test`.
 --project-name= Specify a custom Snyk project name
 (`snyk monitor` only).
+ --insecure ......... Ignore unknown certificate authorities.
 --dry-run .......... Don't apply updates or patches during protect.
 -q, --quiet ........ Silence all output.
 -h, --help ......... This help information.
diff --git a/lib/request/request.js b/lib/request/request.js
index ef8172f4d4..14dea40567 100644
--- a/lib/request/request.js
+++ b/lib/request/request.js
@@ -76,6 +76,11 @@ function makeRequest(payload) {
 options.proxy = proxy;
 }
 
+ if (global.ignoreUnknownCA) {
+ debug('Using insecure mode (ignore unkown certificate authority)');
+ options.rejectUnauthorized = false;
+ }
+
 needle.request(method, url, bodyStream, options, function (err, res, body) {
 debug(err);
 debug('response (%s): ', (res || {}).statusCode, JSON.stringify(body));
diff --git a/test/acceptance/cli.acceptance.test.js b/test/acceptance/cli.acceptance.test.js
index c23ced8e31..10fcddf971 100644
--- a/test/acceptance/cli.acceptance.test.js
+++ b/test/acceptance/cli.acceptance.test.js
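Review bot: The `--insecure` flag reaches the request layer through process-wide mutable state (`global.ignoreUnknownCA = true`) instead of the value `args` already returns (`return {` is right there in the hunk), so any code in the process can switch TLS verification off and nothing ever switches it back on; the acceptance test in this same patch has to set the global by hand for exactly that reason. Prefer returning it with the other parsed options and letting `makeRequest` read it from there. If the global has to stay, record the contract where it is set: `// process-wide flag read by lib/request/request.js; disables TLS certificate verification for every request in this run`. `args` continues outside the hunk.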
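Review bot: `options.rejectUnauthorized = false` turns off the whole TLS verification — expired certificates and hostname mismatches are accepted too, not only unknown CAs — so the debug message (which also misspells `unkown`) and the help text understate what the mode does, and it applies to every request `makeRequest` builds, presumably including the ones carrying the API credentials. Print a user-visible warning once when the mode is active rather than only `debug(...)`, and point users who have a private CA at `NODE_EXTRA_CA_CERTS`, which adds trust without disabling verification. At minimum make the message accurate: `debug('Using insecure mode (TLS certificate verification disabled)');`. `makeRequest` continues outside the hunk.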
@@ -13,6 +13,7 @@ var server = require('./fake-server')(process.env.SNYK_API, apiKey);
 var subProcess = require('../../lib/sub-process');
 var plugins = require('../../lib/plugins');
 var nock = require('nock');
+var needle = require('needle');
 
 // ensure this is required *after* the demo server, since this will
 // configure our fake configuration too
@@ -1411,6 +1412,42 @@ test('proxy environment variables', function (t) {
 });
 });
 
+test('`test --insecure`', function (t) {
+ t.plan(2);
+ chdirWorkspaces('npm-package');
+
+ t.test('default (insecure false)', function (t) {
+ sinon.stub(needle, 'request', function () {
+ throw 'bail';
+ });
+ t.teardown(needle.request.restore);
+ return cli.test('npm-package')
+ .catch(function () {
+ t.notOk(needle.request.firstCall.args[3].rejectUnauthorized,
+ 'rejectUnauthorized not present (same as true)');
+ });
+ });
+
+ t.test('insecure true', function (t) {
+ // Unfortunately, all acceptance tests run through cli/commands
+ // which bypasses `args`, and `ignoreUnknownCA` is a global set
+ // by `args`, so we simply set the global here.
+ // NOTE: due to this we add tests to `args.test.js`
+ global.ignoreUnknownCA = true;
+ sinon.stub(needle, 'request', function () {
+ throw 'bail';
+ });
+ t.teardown(function () {
+ delete global.ignoreUnknownCA;
+ needle.request.restore();
+ });
+ return cli.test('npm-package')
+ .catch(function () {
+ t.false(needle.request.firstCall.args[3].rejectUnauthorized,
+ 'rejectUnauthorized false');
+ });
+ });
+});
 
 /**
 * We can't expect all test environments to have Maven installed
diff --git a/test/args.test.js b/test/args.test.js
index dc6614c548..b32a98000d 100644
--- a/test/args.test.js
+++ b/test/args.test.js
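Review bot: The `default (insecure false)` subtest cannot catch the regression it exists for: `t.notOk(...rejectUnauthorized, ...)` passes for `undefined` and for `false` alike, so it would still pass if the option were wrongly set to `false` — the very insecure state the second subtest checks for. Assert absence explicitly, `t.equal(needle.request.firstCall.args[3].rejectUnauthorized, undefined, 'rejectUnauthorized not present (same as true)');`, and guard both subtests with `t.ok(needle.request.called, 'needle.request was called');` before indexing `firstCall`, otherwise a `cli.test` failure before the request is built surfaces as a TypeError inside the catch handler instead of a readable assertion. `throw 'bail'` throws a string rather than an `Error`; `throw new Error('bail')` keeps a stack trace if the bail ever escapes the catch.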
@@ -37,4 +37,19 @@ test('test command line monitor --package-manager', function(t) {
 var result = args(cliArgs);
 t.equal(result.options.packageManager, 'pip');
 t.end();
-});
\ No newline at end of file
+});
+
+test('test --insecure', function(t) {
+ t.plan(1);
+ t.teardown(function () {
+ delete global.ignoreUnknownCA;
+ });
+ var cliArgs = [ '/Users/dror/.nvm/versions/node/v6.9.2/bin/node',
+ '/Users/dror/work/snyk/snyk-internal/cli',
+ 'test',
+ '--insecure',
+ ];
+ var result = args(cliArgs);
+ t.equal(global.ignoreUnknownCA, true, 'ignoreUnknownCA true');
+ t.end();
+});
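Review bot: The new test covers only the positive path; nothing asserts that `global.ignoreUnknownCA` stays unset when `--insecure` is absent, which is the regression that would actually matter for a flag that disables TLS verification — the preceding `monitor --package-manager` test already parses a flag-free command line and could take `t.equal(global.ignoreUnknownCA, undefined, 'ignoreUnknownCA unset without --insecure');`. The test also calls both `t.plan(1)` and `t.end()`; depending on the tap version one of the two is redundant and may be flagged, so keep only one. Since `args` is being tested for a side effect rather than a return value here, the teardown that deletes the global deserves a one-line comment: `// args() sets process-wide state; reset so later tests start from a clean global`.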