Gerrit: Support certificate validation
Certificate should be validated by default. Only if it fails, and the user approves, we may skip validation. Change-Id: I7696cd7dda2d6d7ef1aa616557d5619b63372028 Reviewed-by: Leena Miettinen <riitta-leena.miettinen@qt.io>
committed by
Orgad Shaneh
parent
9443f7104b
commit
73f210dad6
@@ -275,7 +275,7 @@ QueryContext::QueryContext(const QString &query,
|
|||||||
const QString url = server.url(GerritServer::RestUrl) + "/changes/?q="
|
const QString url = server.url(GerritServer::RestUrl) + "/changes/?q="
|
||||||
+ QString::fromUtf8(QUrl::toPercentEncoding(query))
|
+ QString::fromUtf8(QUrl::toPercentEncoding(query))
|
||||||
+ "&o=CURRENT_REVISION&o=DETAILED_LABELS&o=DETAILED_ACCOUNTS";
|
+ "&o=CURRENT_REVISION&o=DETAILED_LABELS&o=DETAILED_ACCOUNTS";
|
||||||
m_arguments = GerritServer::curlArguments() << url;
|
m_arguments = server.curlArguments() << url;
|
||||||
}
|
}
|
||||||
connect(&m_process, &QProcess::readyReadStandardError, this, [this] {
|
connect(&m_process, &QProcess::readyReadStandardError, this, [this] {
|
||||||
const QString text = QString::fromLocal8Bit(m_process.readAllStandardError());
|
const QString text = QString::fromLocal8Bit(m_process.readAllStandardError());
|
||||||
|
|||||||
@@ -35,6 +35,7 @@
|
|||||||
|
|
||||||
#include <QFile>
|
#include <QFile>
|
||||||
#include <QJsonDocument>
|
#include <QJsonDocument>
|
||||||
|
#include <QMessageBox>
|
||||||
#include <QRegularExpression>
|
#include <QRegularExpression>
|
||||||
#include <QSettings>
|
#include <QSettings>
|
||||||
|
|
||||||
@@ -51,9 +52,11 @@ static const char rootPathKey[] = "RootPath";
|
|||||||
static const char userNameKey[] = "UserName";
|
static const char userNameKey[] = "UserName";
|
||||||
static const char fullNameKey[] = "FullName";
|
static const char fullNameKey[] = "FullName";
|
||||||
static const char isAuthenticatedKey[] = "IsAuthenticated";
|
static const char isAuthenticatedKey[] = "IsAuthenticated";
|
||||||
|
static const char validateCertKey[] = "ValidateCert";
|
||||||
|
|
||||||
enum ErrorCodes
|
enum ErrorCodes
|
||||||
{
|
{
|
||||||
|
CertificateError = 60,
|
||||||
Success = 200,
|
Success = 200,
|
||||||
UnknownError = 400,
|
UnknownError = 400,
|
||||||
AuthenticationFailure = 401,
|
AuthenticationFailure = 401,
|
||||||
@@ -182,6 +185,7 @@ GerritServer::StoredHostValidity GerritServer::loadSettings()
|
|||||||
user.userName = settings->value(userNameKey).toString();
|
user.userName = settings->value(userNameKey).toString();
|
||||||
user.fullName = settings->value(fullNameKey).toString();
|
user.fullName = settings->value(fullNameKey).toString();
|
||||||
authenticated = settings->value(isAuthenticatedKey).toBool();
|
authenticated = settings->value(isAuthenticatedKey).toBool();
|
||||||
|
validateCert = settings->value(validateCertKey, true).toBool();
|
||||||
validity = Valid;
|
validity = Valid;
|
||||||
}
|
}
|
||||||
settings->endGroup();
|
settings->endGroup();
|
||||||
@@ -201,6 +205,7 @@ void GerritServer::saveSettings(StoredHostValidity validity) const
|
|||||||
settings->setValue(userNameKey, user.userName);
|
settings->setValue(userNameKey, user.userName);
|
||||||
settings->setValue(fullNameKey, user.fullName);
|
settings->setValue(fullNameKey, user.fullName);
|
||||||
settings->setValue(isAuthenticatedKey, authenticated);
|
settings->setValue(isAuthenticatedKey, authenticated);
|
||||||
|
settings->setValue(validateCertKey, validateCert);
|
||||||
break;
|
break;
|
||||||
case Invalid:
|
case Invalid:
|
||||||
settings->clear();
|
settings->clear();
|
||||||
@@ -210,14 +215,16 @@ void GerritServer::saveSettings(StoredHostValidity validity) const
|
|||||||
settings->endGroup();
|
settings->endGroup();
|
||||||
}
|
}
|
||||||
|
|
||||||
QStringList GerritServer::curlArguments()
|
QStringList GerritServer::curlArguments() const
|
||||||
{
|
{
|
||||||
// -k - insecure - do not validate certificate
|
|
||||||
// -f - fail silently on server error
|
// -f - fail silently on server error
|
||||||
// -n - use credentials from ~/.netrc (or ~/_netrc on Windows)
|
// -n - use credentials from ~/.netrc (or ~/_netrc on Windows)
|
||||||
// -sS - silent, except server error (no progress)
|
// -sS - silent, except server error (no progress)
|
||||||
// --basic, --digest - try both authentication types
|
// --basic, --digest - try both authentication types
|
||||||
return {"-kfnsS", "--basic", "--digest"};
|
QStringList res = {"-fnsS", "--basic", "--digest"};
|
||||||
|
if (!validateCert)
|
||||||
|
res << "-k"; // -k - insecure - do not validate certificate
|
||||||
|
return res;
|
||||||
}
|
}
|
||||||
|
|
||||||
int GerritServer::testConnection()
|
int GerritServer::testConnection()
|
||||||
@@ -240,6 +247,8 @@ int GerritServer::testConnection()
|
|||||||
}
|
}
|
||||||
return Success;
|
return Success;
|
||||||
}
|
}
|
||||||
|
if (resp.exitCode == CertificateError)
|
||||||
|
return CertificateError;
|
||||||
const QRegularExpression errorRegexp("returned error: (\\d+)");
|
const QRegularExpression errorRegexp("returned error: (\\d+)");
|
||||||
QRegularExpressionMatch match = errorRegexp.match(resp.stdErr());
|
QRegularExpressionMatch match = errorRegexp.match(resp.stdErr());
|
||||||
if (match.hasMatch())
|
if (match.hasMatch())
|
||||||
@@ -274,6 +283,23 @@ bool GerritServer::resolveRoot()
|
|||||||
saveSettings(Valid);
|
saveSettings(Valid);
|
||||||
return true;
|
return true;
|
||||||
case AuthenticationFailure:
|
case AuthenticationFailure:
|
||||||
|
case CertificateError:
|
||||||
|
if (QMessageBox::question(
|
||||||
|
Core::ICore::mainWindow(),
|
||||||
|
QCoreApplication::translate(
|
||||||
|
"Gerrit::Internal::GerritDialog", "Certificate Error"),
|
||||||
|
QCoreApplication::translate(
|
||||||
|
"Gerrit::Internal::GerritDialog",
|
||||||
|
"Server certificate for %1 cannot be authenticated.\n"
|
||||||
|
"Do you want to disable SSL verification for this server?\n"
|
||||||
|
"Note: This can expose you to man-in-the-middle attack.")
|
||||||
|
.arg(host))
|
||||||
|
== QMessageBox::Yes) {
|
||||||
|
validateCert = false;
|
||||||
|
} else {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
break;
|
||||||
return setupAuthentication();
|
return setupAuthentication();
|
||||||
case PageNotFound:
|
case PageNotFound:
|
||||||
if (!ascendPath()) {
|
if (!ascendPath()) {
|
||||||
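Review bot: As the lines are ordered on this page, `case CertificateError:` sits directly under `case AuthenticationFailure:` in `resolveRoot()`, so an authentication failure would fall into the certificate prompt and the `return setupAuthentication();` after `break;` would never run; if the file really reads that way, `return setupAuthentication();` belongs immediately under `case AuthenticationFailure:` with the new case after it. The Yes answer is also permanent: `validateCert = false` is written under `ValidateCert` by `saveSettings()`, and from then on `curlArguments()` sends `-k` together with `-n`, so ~/.netrc credentials go to a peer whose certificate is never checked again, and nothing in the visible hunks lets the user turn validation back on. Consider keeping the override for the current session only, or exposing the stored value where it can be reverted. The prompt should also pass its buttons and default explicitly, `QMessageBox::Yes | QMessageBox::No, QMessageBox::No`, so that pressing Enter keeps validation on. `resolveRoot()` starts and ends outside this hunk.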
|
|||||||
@@ -78,7 +78,7 @@ public:
|
|||||||
StoredHostValidity loadSettings();
|
StoredHostValidity loadSettings();
|
||||||
void saveSettings(StoredHostValidity validity) const;
|
void saveSettings(StoredHostValidity validity) const;
|
||||||
int testConnection();
|
int testConnection();
|
||||||
static QStringList curlArguments();
|
QStringList curlArguments() const;
|
||||||
|
|
||||||
QString host;
|
QString host;
|
||||||
GerritUser user;
|
GerritUser user;
|
||||||
@@ -86,6 +86,7 @@ public:
|
|||||||
unsigned short port = 0;
|
unsigned short port = 0;
|
||||||
HostType type = Ssh;
|
HostType type = Ssh;
|
||||||
bool authenticated = true;
|
bool authenticated = true;
|
||||||
|
bool validateCert = true;
|
||||||
|
|
||||||
private:
|
private:
|
||||||
QString curlBinary;
|
QString curlBinary;
|
||||||
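Review bot: `bool validateCert = true;` is added as an undocumented public member although it decides whether curl verifies the server's TLS certificate. A comment such as `// false makes curlArguments() add -k; cleared only after the user accepts the certificate prompt, stored by saveSettings()` would tell other callers not to clear it on their own. The class body starts and ends outside these hunks.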
|
|||||||