feat: add insecure mode (ignore unknown certificate authorities)

Mattlk13 · Jan 18, 2018 · 5ae3182 · 5ae3182
1 parent cdd907c
commit 5ae3182
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 1 deletion.
diff --git a/cli/args.js b/cli/args.js
@@ -132,6 +132,10 @@ function args(processargv) {
     }
   });
 
+  if (argv.insecure) {
+    global.ignoreUnknownCA = true;
+  }
+
   debug(command, argv);
 
   return {

diff --git a/help/help.txt b/help/help.txt
@@ -39,6 +39,7 @@ Options:
                        to true). Applicable to `snyk test`.
   --project-name=<string>
                        Specify a custom Snyk project name (`snyk monitor` only).
+  --insecure ......... Ignore unknown certificate authorities.
   --dry-run .......... Don't apply updates or patches during protect.
   -q, --quiet ........ Silence all output.
   -h, --help ......... This help information.

diff --git a/lib/request/request.js b/lib/request/request.js
@@ -76,6 +76,11 @@ function makeRequest(payload) {
       options.proxy = proxy;
     }
 
+    if (global.ignoreUnknownCA) {
+      debug('Using insecure mode (ignore unkown certificate authority)');
+      options.rejectUnauthorized = false;
+    }
+
     needle.request(method, url, bodyStream, options, function (err, res, body) {
       debug(err);
       debug('response (%s): ', (res || {}).statusCode, JSON.stringify(body));

diff --git a/test/acceptance/cli.acceptance.test.js b/test/acceptance/cli.acceptance.test.js
@@ -13,6 +13,7 @@ var server = require('./fake-server')(process.env.SNYK_API, apiKey);
 var subProcess = require('../../lib/sub-process');
 var plugins = require('../../lib/plugins');
 var nock = require('nock');
+var needle = require('needle');
 
 // ensure this is required *after* the demo server, since this will
 // configure our fake configuration too
@@ -1411,6 +1412,42 @@ test('proxy environment variables', function (t) {
   });
 });
 
+test('`test --insecure`', function (t) {
+  t.plan(2);
+  chdirWorkspaces('npm-package');
+
+  t.test('default (insecure false)', function (t) {
+    sinon.stub(needle, 'request', function () {
+      throw 'bail';
+    });
+    t.teardown(needle.request.restore);
+    return cli.test('npm-package')
+    .catch(function () {
+      t.notOk(needle.request.firstCall.args[3].rejectUnauthorized,
+        'rejectUnauthorized not present (same as true)');
+    });
+  });
+
+  t.test('insecure true', function (t) {
+    // Unfortunately, all acceptance tests run through cli/commands
+    // which bypasses `args`, and `ignoreUnknownCA` is a global set
+    // by `args`, so we simply set the global here.
+    // NOTE: due to this we add tests to `args.test.js`
+    global.ignoreUnknownCA = true;
+    sinon.stub(needle, 'request', function () {
+      throw 'bail';
+    });
+    t.teardown(function () {
+      delete global.ignoreUnknownCA;
+      needle.request.restore();
+    });
+    return cli.test('npm-package')
+    .catch(function () {
+      t.false(needle.request.firstCall.args[3].rejectUnauthorized,
+        'rejectUnauthorized false');
+    });
+  });
+});
 
 /**
  * We can't expect all test environments to have Maven installed

diff --git a/test/args.test.js b/test/args.test.js
@@ -37,4 +37,19 @@ test('test command line monitor --package-manager', function(t) {
   var result = args(cliArgs);
   t.equal(result.options.packageManager, 'pip');
   t.end();
-});
+});
+
+test('test --insecure', function(t) {
+  t.plan(1);
+  t.teardown(function () {
+    delete global.ignoreUnknownCA;
+  });
+  var cliArgs = [ '/Users/dror/.nvm/versions/node/v6.9.2/bin/node',
+    '/Users/dror/work/snyk/snyk-internal/cli',
+    'test',
+    '--insecure',
+  ];
+  var result = args(cliArgs);
+  t.equal(global.ignoreUnknownCA, true, 'ignoreUnknownCA true');
+  t.end();
+});