Merge pull request #74 from StackVista/STAC-0-skipssl

STAC-20220: Allow to skip SSL validation

Author: hierynomus

cmd/context/context_validate_test.go

@@ -37,6 +37,7 @@ func TestValidationToJson(t *testing.T) {
 		"--api-token",
 		"blaat",
 		"-o", "json",
+		"--skip-ssl",
 	)
 	assert.Equal(t,
 		[]map[string]interface{}{{

internal/client/client.go

@@ -2,6 +2,7 @@ package client
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"strings"
@@ -27,13 +28,14 @@ func NewStackStateClient(ctx context.Context,
 	adminApiPath string,
 	apiToken string,
 	serviceToken string,
-	k8sServiceAccountToken string) (StackStateClient, context.Context) {
+	k8sServiceAccountToken string,
+	skipSSL bool) (StackStateClient, context.Context) {
 	userAgent := fmt.Sprintf("StackStateCLI/%s", version)
 	apiURL := combineURLandPath(url, apiPath)
-	client, clientAuth := NewApiClient(isVerbose, pr, userAgent, apiURL, apiToken, serviceToken, k8sServiceAccountToken)
+	client, clientAuth := NewApiClient(ctx, isVerbose, pr, userAgent, apiURL, apiToken, serviceToken, k8sServiceAccountToken, skipSSL)
 
 	adminApiURL := combineURLandPath(url, adminApiPath)
-	adminClient, adminAuth := NewAdminApiClient(isVerbose, pr, userAgent, adminApiURL, apiToken, serviceToken, k8sServiceAccountToken)
+	adminClient, adminAuth := NewAdminApiClient(ctx, isVerbose, pr, userAgent, adminApiURL, apiToken, serviceToken, k8sServiceAccountToken, skipSSL)
 
 	withClient := context.WithValue(
 		ctx,
@@ -57,15 +59,21 @@ func NewStackStateClient(ctx context.Context,
 
 //nolint:dupl
 func NewApiClient(
+	ctx context.Context,
 	isVerbose bool,
 	pr printer.Printer,
 	userAgent string,
 	apiURL string,
 	apiToken string,
 	serviceToken string,
 	k8sServiceAccountToken string,
+	skipSSL bool,
 ) (*stackstate_api.APIClient, map[string]stackstate_api.APIKey) {
 	configuration := stackstate_api.NewConfiguration()
+	if skipSSL {
+		configuration.HTTPClient = insecureHttpClient(ctx)
+	}
+
 	configuration.UserAgent = userAgent
 	configuration.Servers[0] = stackstate_api.ServerConfiguration{
 		URL:         apiURL,
@@ -108,15 +116,20 @@ func NewApiClient(
 
 //nolint:dupl
 func NewAdminApiClient(
+	ctx context.Context,
 	isVerbose bool,
 	pr printer.Printer,
 	userAgent string,
 	apiURL string,
 	apiToken string,
 	serviceToken string,
 	k8sServiceAccountToken string,
+	skipSSL bool,
 ) (*stackstate_admin_api.APIClient, map[string]stackstate_admin_api.APIKey) {
 	configuration := stackstate_admin_api.NewConfiguration()
+	if skipSSL {
+		configuration.HTTPClient = insecureHttpClient(ctx)
+	}
 	configuration.UserAgent = userAgent
 	configuration.Servers[0] = stackstate_admin_api.ServerConfiguration{
 		URL:         apiURL,
@@ -157,6 +170,15 @@ func NewAdminApiClient(
 	return client, auth
 }
 
+func insecureHttpClient(ctx context.Context) *http.Client {
+	log.Ctx(ctx).Warn().Msg("Using insecure HTTP client")
+	return &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec
+		},
+	}
+}
+
 type StdStackStateClient struct {
 	client      *stackstate_api.APIClient
 	adminClient *stackstate_admin_api.APIClient

internal/common/persistent_flags.go

@@ -29,6 +29,8 @@ const (
 	ConfigFlag            = "config"
 	ContextFlag           = "context"
 	ContextFlagShort      = "c"
+	SkipSSLFlag           = "skip-ssl"
+	SkipSSLFlagUse        = "Whether to skip SSL certificate verification when connecting to StackState"
 )
 
 var AllowedOutputs = []string{JSONOutput.String(), TextOutput.String()}
@@ -43,6 +45,7 @@ func AddPersistentFlags(cmd *cobra.Command) {
 	cmd.PersistentFlags().Bool(NoColorFlag, false, "Disable color when printing to the terminal")
 	cmd.PersistentFlags().String(ConfigFlag, "", "Override the path to the config file")
 	cmd.PersistentFlags().StringP(ContextFlag, ContextFlagShort, "", "Override the context to use")
+	cmd.PersistentFlags().Bool(SkipSSLFlag, false, SkipSSLFlagUse)
 	pflags.EnumP(cmd.PersistentFlags(), OutputFlag, OutputFlagShort, "text", AllowedOutputs, fmt.Sprintf("Specify the output format (must be { %s })", strings.Join(AllowedOutputs, " | ")))
 
 	// NOTE Add as a dummy `--version` flag and hides it, so that we omit the auto-generated Cobra flag on each versioned command.

internal/config/config.go

@@ -27,6 +27,7 @@ type StsContext struct {
 	K8sSATokenPath string `yaml:"-" json:"-"` // This should only be passed from command line or env variables
 	APIPath        string `yaml:"api-path" default:"/api" json:"api-path"`
 	AdminAPIPath   string `yaml:"admin-api-path" default:"/admin" json:"admin-api-path"`
+	SkipSSL        bool   `yaml:"skip-ssl" default:"false" json:"skip-ssl"`
 }
 
 func EmptyConfig() *Config {
@@ -97,6 +98,7 @@ func (c *StsContext) Merge(fallback *StsContext) *StsContext {
 		APIPath:        util.DefaultIfEmpty(util.DefaultIfEmpty(c.APIPath, fallback.APIPath), "/api"),
 		AdminAPIPath:   util.DefaultIfEmpty(util.DefaultIfEmpty(c.AdminAPIPath, fallback.AdminAPIPath), "/admin"),
 		K8sSATokenPath: util.DefaultIfEmpty(c.K8sSATokenPath, fallback.K8sSATokenPath),
+		SkipSSL:        c.SkipSSL || fallback.SkipSSL,
 	}
 
 	if !c.HasAuthenticationTokenSet() {

internal/config/viper.go

@@ -20,6 +20,7 @@ func Bind(cmd *cobra.Command, vp *viper.Viper) *ViperConfig {
 	vp.BindEnv("k8s-sa-token-path", "STS_CLI_K8S_SA_TOKEN_PATH")
 	vp.BindEnv("api-path", "STS_CLI_API_PATH")
 	vp.BindEnv("context", "STS_CLI_CONTEXT")
+	vp.BindEnv("skip-ssl", "STS_SKIP_SSL")
 
 	// bind flags
 	vp.BindPFlag("url", cmd.Flags().Lookup("url"))
@@ -29,6 +30,7 @@ func Bind(cmd *cobra.Command, vp *viper.Viper) *ViperConfig {
 	vp.BindPFlag("k8s-sa-token-path", cmd.Flags().Lookup("k8s-sa-token-path"))
 	vp.BindPFlag("api-path", cmd.Flags().Lookup("api-path"))
 	vp.BindPFlag("context", cmd.Flags().Lookup("context"))
+	vp.BindPFlag("skip-ssl", cmd.Flags().Lookup("skip-ssl"))
 
 	// bind YAML
 	return &ViperConfig{
@@ -40,6 +42,7 @@ func Bind(cmd *cobra.Command, vp *viper.Viper) *ViperConfig {
 			K8sSAToken:     vp.GetString("k8s-sa-token"),
 			K8sSATokenPath: vp.GetString("k8s-sa-token-path"),
 			APIPath:        vp.GetString("api-path"),
+			SkipSSL:        vp.GetBool("skip-ssl"),
 		},
 	}
 }

internal/di/deps.go

@@ -111,6 +111,7 @@ func (cli *Deps) LoadClient(cmd *cobra.Command, context *config.StsContext) comm
 		context.APIToken,
 		context.ServiceToken,
 		context.K8sSAToken,
+		context.SkipSSL,
 	)
 	return nil
 }