Commit 73f210da authored by Orgad Shaneh's avatar Orgad Shaneh Committed by Orgad Shaneh

Gerrit: Support certificate validation

Certificate should be validated by default. Only if it fails, and the
user approves, we may skip validation.

Change-Id: I7696cd7dda2d6d7ef1aa616557d5619b63372028
Reviewed-by: Riitta-Leena Miettinen's avatarLeena Miettinen <riitta-leena.miettinen@qt.io>
parent 9443f710
......@@ -275,7 +275,7 @@ QueryContext::QueryContext(const QString &query,
const QString url = server.url(GerritServer::RestUrl) + "/changes/?q="
+ QString::fromUtf8(QUrl::toPercentEncoding(query))
+ "&o=CURRENT_REVISION&o=DETAILED_LABELS&o=DETAILED_ACCOUNTS";
m_arguments = GerritServer::curlArguments() << url;
m_arguments = server.curlArguments() << url;
}
connect(&m_process, &QProcess::readyReadStandardError, this, [this] {
const QString text = QString::fromLocal8Bit(m_process.readAllStandardError());
......
......@@ -35,6 +35,7 @@
#include <QFile>
#include <QJsonDocument>
#include <QMessageBox>
#include <QRegularExpression>
#include <QSettings>
......@@ -51,9 +52,11 @@ static const char rootPathKey[] = "RootPath";
static const char userNameKey[] = "UserName";
static const char fullNameKey[] = "FullName";
static const char isAuthenticatedKey[] = "IsAuthenticated";
static const char validateCertKey[] = "ValidateCert";
enum ErrorCodes
{
CertificateError = 60,
Success = 200,
UnknownError = 400,
AuthenticationFailure = 401,
......@@ -182,6 +185,7 @@ GerritServer::StoredHostValidity GerritServer::loadSettings()
user.userName = settings->value(userNameKey).toString();
user.fullName = settings->value(fullNameKey).toString();
authenticated = settings->value(isAuthenticatedKey).toBool();
validateCert = settings->value(validateCertKey, true).toBool();
validity = Valid;
}
settings->endGroup();
......@@ -201,6 +205,7 @@ void GerritServer::saveSettings(StoredHostValidity validity) const
settings->setValue(userNameKey, user.userName);
settings->setValue(fullNameKey, user.fullName);
settings->setValue(isAuthenticatedKey, authenticated);
settings->setValue(validateCertKey, validateCert);
break;
case Invalid:
settings->clear();
......@@ -210,14 +215,16 @@ void GerritServer::saveSettings(StoredHostValidity validity) const
settings->endGroup();
}
QStringList GerritServer::curlArguments()
QStringList GerritServer::curlArguments() const
{
// -k - insecure - do not validate certificate
// -f - fail silently on server error
// -n - use credentials from ~/.netrc (or ~/_netrc on Windows)
// -sS - silent, except server error (no progress)
// --basic, --digest - try both authentication types
return {"-kfnsS", "--basic", "--digest"};
QStringList res = {"-fnsS", "--basic", "--digest"};
if (!validateCert)
res << "-k"; // -k - insecure - do not validate certificate
return res;
}
int GerritServer::testConnection()
......@@ -240,6 +247,8 @@ int GerritServer::testConnection()
}
return Success;
}
if (resp.exitCode == CertificateError)
return CertificateError;
const QRegularExpression errorRegexp("returned error: (\\d+)");
QRegularExpressionMatch match = errorRegexp.match(resp.stdErr());
if (match.hasMatch())
......@@ -274,6 +283,23 @@ bool GerritServer::resolveRoot()
saveSettings(Valid);
return true;
case AuthenticationFailure:
case CertificateError:
if (QMessageBox::question(
Core::ICore::mainWindow(),
QCoreApplication::translate(
"Gerrit::Internal::GerritDialog", "Certificate Error"),
QCoreApplication::translate(
"Gerrit::Internal::GerritDialog",
"Server certificate for %1 cannot be authenticated.\n"
"Do you want to disable SSL verification for this server?\n"
"Note: This can expose you to man-in-the-middle attack.")
.arg(host))
== QMessageBox::Yes) {
validateCert = false;
} else {
return false;
}
break;
return setupAuthentication();
case PageNotFound:
if (!ascendPath()) {
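Review bot: In the order shown here, `case CertificateError:` and its dialog sit between `case AuthenticationFailure:` and `return setupAuthentication();` in resolveRoot(). An authentication failure would therefore fall through into the prompt that offers to disable certificate validation, and the `return setupAuthentication();` after `break;` would be unreachable. If that matches the file and is not an artifact of how this page renders the hunk, keep `return setupAuthentication();` directly under `case AuthenticationFailure:` and start `case CertificateError:` after it. Separately, accepting the prompt sets `validateCert = false`, which saveSettings() writes under `ValidateCert`, so the opt-out appears to persist for that server, and the dialog text does not say so. The switch and its enclosing function continue outside the hunk.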
......
......@@ -78,7 +78,7 @@ public:
StoredHostValidity loadSettings();
void saveSettings(StoredHostValidity validity) const;
int testConnection();
static QStringList curlArguments();
QStringList curlArguments() const;
QString host;
GerritUser user;
......@@ -86,6 +86,7 @@ public:
unsigned short port = 0;
HostType type = Ssh;
bool authenticated = true;
bool validateCert = true;
private:
QString curlBinary;
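Review bot: `validateCert` is a public, security-relevant member declared without a comment. Something like `// false only after the user accepted an unverifiable certificate for this host; makes curlArguments() pass -k` would tell readers when it may legitimately be false. Now that `curlArguments()` is a const member and no longer static, a one-line comment on its declaration saying the result depends on this server's `validateCert` would help callers that used the static form. The class body starts and ends outside the hunk.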
......