Gerrit: Support certificate validation

Certificate should be validated by default. Only if it fails, and the user approves, we may skip validation. Change-Id: I7696cd7dda2d6d7ef1aa616557d5619b63372028 Reviewed-by: Leena Miettinen <riitta-leena.miettinen@qt.io>

Gerrit: Support certificate validation
Certificate should be validated by default. Only if it fails, and the user approves, we may skip validation. Change-Id: I7696cd7dda2d6d7ef1aa616557d5619b63372028 Reviewed-by: Leena Miettinen <riitta-leena.miettinen@qt.io>
73f210da · Orgad Shaneh · Orgad Shaneh · 9443f710 · 73f210da · 73f210da
Commit 73f210da authored Apr 14, 2017 by Orgad Shaneh Committed by Orgad Shaneh Apr 25, 2017
3 changed files
--- a/src/plugins/git/gerrit/gerritmodel.cpp
+++ b/src/plugins/git/gerrit/gerritmodel.cpp
@@ -275,7 +275,7 @@ QueryContext::QueryContext(const QString &query,
        const QString url = server.url(GerritServer::RestUrl) + "/changes/?q="
                + QString::fromUtf8(QUrl::toPercentEncoding(query))
                + "&o=CURRENT_REVISION&o=DETAILED_LABELS&o=DETAILED_ACCOUNTS";
-        m_arguments = GerritServer::curlArguments() << url;
+        m_arguments = server.curlArguments() << url;
    }
    connect(&m_process, &QProcess::readyReadStandardError, this, [this] {
        const QString text = QString::fromLocal8Bit(m_process.readAllStandardError());

--- a/src/plugins/git/gerrit/gerritserver.cpp
+++ b/src/plugins/git/gerrit/gerritserver.cpp
@@ -35,6 +35,7 @@

 #include <QFile>
 #include <QJsonDocument>
+#include <QMessageBox>
 #include <QRegularExpression>
 #include <QSettings>

@@ -51,9 +52,11 @@ static const char rootPathKey[] = "RootPath";
 static const char userNameKey[] = "UserName";
 static const char fullNameKey[] = "FullName";
 static const char isAuthenticatedKey[] = "IsAuthenticated";
+static const char validateCertKey[] = "ValidateCert";

 enum ErrorCodes
 {
+    CertificateError = 60,
    Success = 200,
    UnknownError = 400,
    AuthenticationFailure = 401,
@@ -182,6 +185,7 @@ GerritServer::StoredHostValidity GerritServer::loadSettings()
        user.userName = settings->value(userNameKey).toString();
        user.fullName = settings->value(fullNameKey).toString();
        authenticated = settings->value(isAuthenticatedKey).toBool();
+        validateCert = settings->value(validateCertKey, true).toBool();
        validity = Valid;
    }
    settings->endGroup();
@@ -201,6 +205,7 @@ void GerritServer::saveSettings(StoredHostValidity validity) const
        settings->setValue(userNameKey, user.userName);
        settings->setValue(fullNameKey, user.fullName);
        settings->setValue(isAuthenticatedKey, authenticated);
+        settings->setValue(validateCertKey, validateCert);
        break;
    case Invalid:
        settings->clear();
@@ -210,14 +215,16 @@ void GerritServer::saveSettings(StoredHostValidity validity) const
    settings->endGroup();
 }

-QStringList GerritServer::curlArguments()
+QStringList GerritServer::curlArguments() const
 {
-    // -k - insecure - do not validate certificate
    // -f - fail silently on server error
    // -n - use credentials from ~/.netrc (or ~/_netrc on Windows)
    // -sS - silent, except server error (no progress)
    // --basic, --digest - try both authentication types
-    return {"-kfnsS", "--basic", "--digest"};
+    QStringList res = {"-fnsS", "--basic", "--digest"};
+    if (!validateCert)
+        res << "-k"; // -k - insecure - do not validate certificate
+    return res;
 }

 int GerritServer::testConnection()
@@ -240,6 +247,8 @@ int GerritServer::testConnection()
        }
        return Success;
    }
+    if (resp.exitCode == CertificateError)
+        return CertificateError;
    const QRegularExpression errorRegexp("returned error: (\\d+)");
    QRegularExpressionMatch match = errorRegexp.match(resp.stdErr());
    if (match.hasMatch())
@@ -274,6 +283,23 @@ bool GerritServer::resolveRoot()
            saveSettings(Valid);
            return true;
        case AuthenticationFailure:
+        case CertificateError:
+            if (QMessageBox::question(
+                        Core::ICore::mainWindow(),
+                        QCoreApplication::translate(
+                            "Gerrit::Internal::GerritDialog", "Certificate Error"),
+                        QCoreApplication::translate(
+                            "Gerrit::Internal::GerritDialog",
+                            "Server certificate for %1 cannot be authenticated.\n"
+                            "Do you want to disable SSL verification for this server?\n"
+                            "Note: This can expose you to man-in-the-middle attack.")
+                        .arg(host))
+                    == QMessageBox::Yes) {
+                validateCert = false;
+            } else {
+                return false;
+            }
+            break;
            return setupAuthentication();
        case PageNotFound:
            if (!ascendPath()) {

--- a/src/plugins/git/gerrit/gerritserver.h
+++ b/src/plugins/git/gerrit/gerritserver.h
@@ -78,7 +78,7 @@ public:
    StoredHostValidity loadSettings();
    void saveSettings(StoredHostValidity validity) const;
    int testConnection();
-    static QStringList curlArguments();
+    QStringList curlArguments() const;

    QString host;
    GerritUser user;
@@ -86,6 +86,7 @@ public:
    unsigned short port = 0;
    HostType type = Ssh;
    bool authenticated = true;
+    bool validateCert = true;

 private:
    QString curlBinary;