feat: add secure flag to gitlab config (#1129)

* feat: add secure flag to gitlab config * refactor: use lodash pickBy instead of merge * test: add ca options tests * docs: fix typo * test: refactor gitlab test --------- Co-authored-by: Alexandre von Brasche Figueiredo <alexandre.vonbraschefigueiredo@aconso.com>
release-it · Jul 10, 2024 · 7a3ce98 · 7a3ce98
1 parent 0ac44ba
commit 7a3ce98
Show file tree

Hide file tree

Showing 6 changed files with 83 additions and 4 deletions.
diff --git a/config/release-it.json b/config/release-it.json
@@ -63,6 +63,7 @@
     "tokenRef": "GITLAB_TOKEN",
     "tokenHeader": "Private-Token",
     "certificateAuthorityFile": null,
+    "secure": null,
     "assets": null,
     "origin": null,
     "skipChecks": false

diff --git a/docs/gitlab-releases.md b/docs/gitlab-releases.md
@@ -109,6 +109,23 @@ specify the root CA certificate with `certificateAuthorityFile`, for example:
 }
 ```
 
+Alternatively, if you want to disable the server certificate verification against the list of supplied CAs, you can set
+the `secure` flag to false:
+
+```json
+{
+  "gitlab": {
+    "release": true,
+    "tokenHeader": "PRIVATE-TOKEN",
+    "secure": false
+  }
+}
+```
+
+The `secure` option is passed down to [got](https://github.com/sindresorhus/got), which in turn also forwards it to node's
+[`https.request`](https://nodejs.org/api/https.html#httpsrequestoptions-callback) method as the `rejectUnauthorized` option.
+The default value of `rejectUnauthorized` is `true`.
+
 ## Update the latest release
 
 The latest GitLab release can be updated, e.g. to update the releases notes or add release assets.

diff --git a/lib/plugin/gitlab/GitLab.js b/lib/plugin/gitlab/GitLab.js
@@ -17,10 +17,17 @@ class GitLab extends Release {
     super(...args);
     this.registerPrompts(prompts);
     this.assets = [];
-    const { certificateAuthorityFile } = this.options;
-    this.certificateAuthorityOption = certificateAuthorityFile
-      ? { https: { certificateAuthority: fs.readFileSync(certificateAuthorityFile) } }
-      : {};
+    const { certificateAuthorityFile, secure } = this.options;
+
+    const httpsOptions = {
+      certificateAuthority: certificateAuthorityFile ? fs.readFileSync(certificateAuthorityFile) : undefined,
+      rejectUnauthorized: typeof secure === 'boolean' ? secure : undefined
+    };
+
+    // Remove keys with undefined values
+    const https = _.pickBy(httpsOptions, value => value !== undefined);
+
+    this.certificateAuthorityOption = _.isEmpty(https) ? {} : { https };
   }
 
   get client() {

diff --git a/schema/gitlab.json b/schema/gitlab.json
@@ -46,6 +46,9 @@
     "certificateAuthorityFile": {
       "default": null
     },
+    "secure": {
+      "default": null
+    },
     "assets": {
       "default": null
     },

diff --git a/test/gitlab.js b/test/gitlab.js
@@ -1,3 +1,4 @@
+import fs from 'node:fs';
 import test from 'ava';
 import sinon from 'sinon';
 import nock from 'nock';
@@ -250,3 +251,50 @@ test('should skip checks', async t => {
 
   t.is(gitlab.log.exec.args.filter(entry => /checkReleaseMilestones/.test(entry[0])).length, 0);
 });
+
+test('should handle certificate authority options', t => {
+  const sandbox = sinon.createSandbox();
+  sandbox.stub(fs, 'readFileSync').returns('test certificate');
+
+  {
+    const options = { gitlab: {} };
+    const gitlab = factory(GitLab, { options });
+    t.deepEqual(gitlab.certificateAuthorityOption, {});
+  }
+
+  {
+    const options = { gitlab: { certificateAuthorityFile: 'cert.crt' } };
+    const gitlab = factory(GitLab, { options });
+    t.deepEqual(gitlab.certificateAuthorityOption, { https: { certificateAuthority: 'test certificate' } });
+  }
+
+  {
+    const options = { gitlab: { secure: false } };
+    const gitlab = factory(GitLab, { options });
+    t.deepEqual(gitlab.certificateAuthorityOption, { https: { rejectUnauthorized: false } });
+  }
+
+  {
+    const options = { gitlab: { secure: true } };
+    const gitlab = factory(GitLab, { options });
+    t.deepEqual(gitlab.certificateAuthorityOption, { https: { rejectUnauthorized: true } });
+  }
+
+  {
+    const options = { gitlab: { certificateAuthorityFile: 'cert.crt', secure: true } };
+    const gitlab = factory(GitLab, { options });
+    t.deepEqual(gitlab.certificateAuthorityOption, {
+      https: { certificateAuthority: 'test certificate', rejectUnauthorized: true }
+    });
+  }
+
+  {
+    const options = { gitlab: { certificateAuthorityFile: 'cert.crt', secure: false } };
+    const gitlab = factory(GitLab, { options });
+    t.deepEqual(gitlab.certificateAuthorityOption, {
+      https: { certificateAuthority: 'test certificate', rejectUnauthorized: false }
+    });
+  }
+
+  sandbox.restore();
+});
diff --git a/types/config.d.ts b/types/config.d.ts
@@ -170,6 +170,9 @@ export interface Config {
 
     /** @default null */
     certificateAuthorityFile?: any;
+
+    /** @default null */
+    secure?: boolean;
 
     /** @default null */
     assets?: any;