Merge pull request #768 from SquirrelCorporation/746-bug---selfhosted…

…-git-server-certificate-verification-failed [FEAT] Add support for custom Git environments and SSL error handling.
SquirrelCorporation · Feb 22, 2025 · 99e8b8a · 99e8b8a
2 parents f4f1ae8 + 1a5a8d9
commit 99e8b8a
Show file tree

Hide file tree

Showing 23 changed files with 279 additions and 90 deletions.
diff --git a/client/src/pages/Admin/Settings/components/subcomponents/forms/GitForm.tsx b/client/src/pages/Admin/Settings/components/subcomponents/forms/GitForm.tsx
@@ -1,6 +1,7 @@
 import { capitalizeFirstLetter } from '@/utils/strings';
 import {
   ProForm,
+  ProFormCheckbox,
   ProFormSelect,
   ProFormText,
 } from '@ant-design/pro-components';
@@ -55,20 +56,24 @@ const GitForm: React.FC<GitFormProps> = ({ selectedRecord, repositories }) => (
       name={'email'}
       label={'Git Email'}
       initialValue={selectedRecord?.email}
-      rules={[{ required: true }]}
+      rules={[{ required: true }, { type: 'email' }]}
     />
     <ProFormText
       width={'md'}
       name={'userName'}
       label={'Git Username'}
       initialValue={selectedRecord?.userName}
+      tooltip={'The username to use when connecting to the remote repository.'}
       rules={[{ required: true }]}
     />
     <ProFormText
       width={'md'}
       name={'remoteUrl'}
       label={'Remote Url'}
       initialValue={selectedRecord?.remoteUrl}
+      tooltip={
+        'The remote URL to clone from. E.g: https://github.com/user/repo.git'
+      }
       rules={[
         { required: true },
         { type: 'url' },
@@ -92,6 +97,7 @@ const GitForm: React.FC<GitFormProps> = ({ selectedRecord, repositories }) => (
       name={'branch'}
       label={'Branch'}
       initialValue={selectedRecord?.branch}
+      tooltip={'The branch to pull from. E.g: main, develop, master, etc.'}
       rules={[{ required: true }]}
     />
     <ProFormText.Password
@@ -100,6 +106,15 @@ const GitForm: React.FC<GitFormProps> = ({ selectedRecord, repositories }) => (
       label={'Access Token'}
       rules={[{ required: true }]}
     />
+    <ProFormCheckbox
+      width={'md'}
+      name={'ignoreSSLErrors'}
+      label={'Ignore SSL Errors'}
+      tooltip={
+        'Ignore SSL errors when connecting to the remote repository, for example, self-signed certificates.'
+      }
+      initialValue={selectedRecord?.ignoreSSLErrors}
+    />
   </ProForm.Group>
 );
 

diff --git a/server/package-lock.json b/server/package-lock.json
diff --git a/server/src/controllers/rest/containers-stacks-repository/git.ts b/server/src/controllers/rest/containers-stacks-repository/git.ts
@@ -17,6 +17,7 @@ export const addGitRepository = async (req, res) => {
     remoteUrl,
     matchesList,
     gitService,
+    ignoreSSLErrors,
   }: API.GitContainerStacksRepository = req.body;
   await GitRepositoryUseCases.addGitRepository(
     name,
@@ -27,6 +28,7 @@ export const addGitRepository = async (req, res) => {
     remoteUrl,
     gitService,
     matchesList,
+    ignoreSSLErrors,
   );
   new SuccessResponse('Added container stacks git repository').send(res);
 };
@@ -51,6 +53,7 @@ export const updateGitRepository = async (req, res) => {
     remoteUrl,
     matchesList,
     gitService,
+    ignoreSSLErrors,
   }: API.GitContainerStacksRepository = req.body;
   await GitRepositoryUseCases.updateGitRepository(
     uuid,
@@ -62,6 +65,7 @@ export const updateGitRepository = async (req, res) => {
     remoteUrl,
     gitService,
     matchesList,
+    ignoreSSLErrors,
   );
   new SuccessResponse('Updated container stacks git repository').send(res);
 };

diff --git a/server/src/controllers/rest/playbooks-repository/git.ts b/server/src/controllers/rest/playbooks-repository/git.ts
@@ -19,6 +19,7 @@ export const addGitRepository = async (req, res) => {
     directoryExclusionList,
     gitService,
     vaults,
+    ignoreSSLErrors,
   }: API.GitPlaybooksRepository = req.body;
   await GitRepositoryUseCases.addGitRepository(
     name,
@@ -30,6 +31,7 @@ export const addGitRepository = async (req, res) => {
     gitService,
     directoryExclusionList,
     vaults,
+    ignoreSSLErrors,
   );
   new SuccessResponse('Added playbooks git repository').send(res);
 };
@@ -57,6 +59,7 @@ export const updateGitRepository = async (req, res) => {
     directoryExclusionList,
     gitService,
     vaults,
+    ignoreSSLErrors,
   }: API.GitPlaybooksRepository = req.body;
 
   await GitRepositoryUseCases.updateGitRepository(
@@ -70,6 +73,7 @@ export const updateGitRepository = async (req, res) => {
     gitService,
     directoryExclusionList,
     vaults,
+    ignoreSSLErrors,
   );
   new SuccessResponse('Updated playbooks git repository').send(res);
 };

diff --git a/server/src/data/database/model/ContainerCustomStackRepository.ts b/server/src/data/database/model/ContainerCustomStackRepository.ts
@@ -20,6 +20,7 @@ export default interface ContainerCustomStackRepository {
   onError?: boolean;
   onErrorMessage?: string;
   gitService: SsmGit.Services;
+  ignoreSSLErrors?: boolean;
 }
 
 const schema = new Schema<ContainerCustomStackRepository>(
@@ -73,6 +74,10 @@ const schema = new Schema<ContainerCustomStackRepository>(
       type: Schema.Types.String,
       required: true,
     },
+    ignoreSSLErrors: {
+      type: Schema.Types.Boolean,
+      default: false,
+    },
   },
   {
     timestamps: true,

diff --git a/server/src/data/database/model/PlaybooksRepository.ts b/server/src/data/database/model/PlaybooksRepository.ts
@@ -19,6 +19,7 @@ export default interface PlaybooksRepository {
   directory?: string;
   enabled: boolean;
   default?: boolean;
+  ignoreSSLErrors?: boolean;
   tree?: any;
   directoryExclusionList?: string[];
   onError?: boolean;
@@ -107,6 +108,10 @@ const schema = new Schema<PlaybooksRepository>(
       type: Schema.Types.String,
       required: false,
     },
+    ignoreSSLErrors: {
+      type: Schema.Types.Boolean,
+      default: false,
+    },
     vaults: [
       {
         type: Schema.Types.ObjectId,

diff --git a/server/src/helpers/git/clone.ts b/server/src/helpers/git/clone.ts
@@ -19,7 +19,7 @@ export async function clone(options: {
   userInfo?: IGitUserInfos;
 }): Promise<void> {
   const { dir, remoteUrl, userInfo, logger, defaultGitInfo = defaultDefaultGitInfo } = options;
-  const { gitUserName, branch, gitService } = userInfo ?? defaultGitInfo;
+  const { gitUserName, branch, gitService, env } = userInfo ?? defaultGitInfo;
   const { accessToken } = userInfo ?? {};
 
   if (accessToken === '' || accessToken === undefined) {
@@ -57,23 +57,24 @@ export async function clone(options: {
     GitStep.PrepareClone,
   );
   logDebug(`Running git init for clone in dir ${dir}`, GitStep.PrepareClone);
-  await initGitWithBranch(dir, branch, { initialCommit: false });
-  const remoteName = await getRemoteName(dir, branch);
+  await initGitWithBranch(dir, branch, { initialCommit: false, env: env });
+  const remoteName = await getRemoteName(dir, branch, env);
   logDebug(`Successfully Running git init for clone in dir ${dir}`, GitStep.PrepareClone);
   logProgress(GitStep.StartConfiguringGithubRemoteRepository);
-  await credentialOn(dir, remoteUrl, gitUserName, accessToken, remoteName, gitService);
+  await credentialOn(dir, remoteUrl, gitUserName, accessToken, remoteName, gitService, env);
   try {
     logProgress(GitStep.StartFetchingFromGithubRemote);
     const { stderr: pullStdError, exitCode } = await GitProcess.exec(
       ['pull', remoteName, `${branch}:${branch}`],
       dir,
+      { env },
     );
     if (exitCode === 0) {
       logProgress(GitStep.SynchronizationFinish);
     } else {
       throw new GitPullPushError(options, pullStdError);
     }
   } finally {
-    await credentialOff(dir, remoteName, remoteUrl);
+    await credentialOff(dir, remoteName, remoteUrl, undefined, env);
   }
 }
diff --git a/server/src/helpers/git/commitAndSync.ts b/server/src/helpers/git/commitAndSync.ts
@@ -52,10 +52,10 @@ export async function commitAndSync(options: ICommitAndSyncOptions): Promise<voi
     commitOnly,
   } = options;
   const { gitUserName, email, branch, gitService } = userInfo ?? defaultGitInfo;
-  const { accessToken } = userInfo ?? {};
+  const { accessToken, env } = userInfo ?? {};
 
-  const defaultBranchName = (await getDefaultBranchName(dir)) ?? branch;
-  const remoteName = await getRemoteName(dir, defaultBranchName);
+  const defaultBranchName = (await getDefaultBranchName(dir, env)) ?? branch;
+  const remoteName = await getRemoteName(dir, defaultBranchName, env);
 
   const logProgress = (step: GitStep): unknown =>
     logger?.info?.(step, {
@@ -92,8 +92,10 @@ export async function commitAndSync(options: ICommitAndSyncOptions): Promise<voi
     userInfo,
   });
 
-  await GitProcess.exec(['config', 'user.email', `"${email ?? defaultGitInfo.email}"`], dir);
-  await GitProcess.exec(['config', `user.name`, `"${gitUserName}"`], dir);
+  await GitProcess.exec(['config', 'user.email', `"${email ?? defaultGitInfo.email}"`], dir, {
+    env,
+  });
+  await GitProcess.exec(['config', `user.name`, `"${gitUserName}"`], dir, { env });
 
   if (await haveLocalChanges(dir)) {
     logProgress(GitStep.HaveThingsToCommit);
@@ -104,6 +106,8 @@ export async function commitAndSync(options: ICommitAndSyncOptions): Promise<voi
       email ?? defaultGitInfo.email,
       commitMessage,
       filesToIgnore,
+      undefined,
+      env,
     );
     if (commitExitCode !== 0) {
       logWarn(`commit failed ${commitStdError}`, GitStep.CommitComplete);
@@ -120,13 +124,19 @@ export async function commitAndSync(options: ICommitAndSyncOptions): Promise<voi
   if (remoteUrl === '' || remoteUrl === undefined) {
     throw new SyncParameterMissingError('remoteUrl');
   }
-  await credentialOn(dir, remoteUrl, gitUserName, accessToken, remoteName, gitService);
+  await credentialOn(dir, remoteUrl, gitUserName, accessToken, remoteName, gitService, env);
   logProgress(GitStep.FetchingData);
   try {
-    await fetchRemote(dir, remoteName, defaultBranchName);
+    await fetchRemote(dir, remoteName, defaultBranchName, env);
     let exitCode = 0;
     let stderr: string | undefined;
-    const syncStateAfterCommit = await getSyncState(dir, defaultBranchName, remoteName, logger);
+    const syncStateAfterCommit = await getSyncState(
+      dir,
+      defaultBranchName,
+      remoteName,
+      logger,
+      env,
+    );
     switch (syncStateAfterCommit) {
       case 'equal': {
         logProgress(GitStep.NoNeedToSync);
@@ -161,6 +171,7 @@ export async function commitAndSync(options: ICommitAndSyncOptions): Promise<voi
         ({ exitCode, stderr } = await GitProcess.exec(
           ['rebase', `${remoteName}/${defaultBranchName}`],
           dir,
+          { env },
         ));
         logProgress(GitStep.RebaseResultChecking);
         if (exitCode !== 0) {
@@ -171,12 +182,19 @@ export async function commitAndSync(options: ICommitAndSyncOptions): Promise<voi
         }
         if (
           exitCode === 0 &&
-          (await getGitRepositoryState(dir, logger)).length === 0 &&
-          (await getSyncState(dir, defaultBranchName, remoteName, logger)) === 'ahead'
+          (await getGitRepositoryState(dir, logger, env)).length === 0 &&
+          (await getSyncState(dir, defaultBranchName, remoteName, logger, env)) === 'ahead'
         ) {
           logProgress(GitStep.RebaseSucceed);
         } else {
-          await continueRebase(dir, gitUserName, email ?? defaultGitInfo.email, logger);
+          await continueRebase(
+            dir,
+            gitUserName,
+            email ?? defaultGitInfo.email,
+            logger,
+            undefined,
+            env,
+          );
           logProgress(GitStep.RebaseConflictNeedsResolve);
         }
         await pushUpstream(dir, defaultBranchName, remoteName, userInfo, logger);
@@ -189,7 +207,7 @@ export async function commitAndSync(options: ICommitAndSyncOptions): Promise<voi
 
     if (exitCode === 0) {
       logProgress(GitStep.PerformLastCheckBeforeSynchronizationFinish);
-      await assumeSync(dir, defaultBranchName, remoteName, logger);
+      await assumeSync(dir, defaultBranchName, remoteName, logger, env);
       logProgress(GitStep.SynchronizationFinish);
     } else {
       switch (exitCode) {
@@ -205,7 +223,7 @@ export async function commitAndSync(options: ICommitAndSyncOptions): Promise<voi
     }
   } finally {
     // always restore original remoteUrl without token
-    await credentialOff(dir, remoteName, remoteUrl);
+    await credentialOff(dir, remoteName, remoteUrl, undefined, env);
   }
 }
 
@@ -231,9 +249,9 @@ export async function syncPreflightCheck(configs: {
     defaultGitInfo = defaultDefaultGitInfo,
     userInfo,
   } = configs;
-  const { gitUserName, email } = userInfo ?? defaultGitInfo;
+  const { gitUserName, email, env } = userInfo ?? defaultGitInfo;
 
-  const repoStartingState = await getGitRepositoryState(dir, logger);
+  const repoStartingState = await getGitRepositoryState(dir, logger, env);
   if (repoStartingState.length === 0 || repoStartingState === '|DIRTY') {
     logProgress?.(GitStep.PrepareSync);
     logDebug?.(
@@ -250,6 +268,7 @@ export async function syncPreflightCheck(configs: {
       email ?? defaultGitInfo.email,
       logger,
       repoStartingState,
+      env,
     );
   }
 }
diff --git a/server/src/helpers/git/credential.ts b/server/src/helpers/git/credential.ts
@@ -71,6 +71,7 @@ const getUrlWithOutCredential = (urlWithCredential: string): string =>
  * @param remoteName
  * @param serviceType
  * @param domain
+ * @param env
  */
 export async function credentialOn(
   directory: string,
@@ -79,6 +80,7 @@ export async function credentialOn(
   accessToken: string,
   remoteName: string,
   serviceType: SsmGit.Services,
+  env?: Record<string, string>,
 ): Promise<void> {
   let gitUrlWithCredential;
   switch (serviceType) {
@@ -106,21 +108,25 @@ export async function credentialOn(
       throw new Error(`Unknown service type ${serviceType}`);
     }
   }
-  await GitProcess.exec(['remote', 'add', remoteName, gitUrlWithCredential], directory);
-  await GitProcess.exec(['remote', 'set-url', remoteName, gitUrlWithCredential], directory);
+  await GitProcess.exec(['remote', 'add', remoteName, gitUrlWithCredential], directory, { env });
+  await GitProcess.exec(['remote', 'set-url', remoteName, gitUrlWithCredential], directory, {
+    env,
+  });
 }
 /**
  *  Add remote without credential
  * @param {string} directory
  * @param remoteName
  * @param remoteUrl
  * @param serviceType
+ * @param env
  */
 export async function credentialOff(
   directory: string,
   remoteName: string,
   remoteUrl?: string,
   serviceType = SsmGit.Services.Github,
+  env?: Record<string, string>,
 ): Promise<void> {
   const gitRepoUrl = remoteUrl ?? (await getRemoteUrl(directory, remoteName));
   let gitUrlWithOutCredential: string;
@@ -137,5 +143,5 @@ export async function credentialOff(
       throw new Error(`Unknown service type ${serviceType}`);
     }
   }
-  await GitProcess.exec(['remote', 'set-url', remoteName, gitUrlWithOutCredential], directory);
+  await GitProcess.exec(['remote', 'set-url', remoteName, gitUrlWithOutCredential], directory, env);
 }
diff --git a/server/src/helpers/git/defaultGitInfo.ts b/server/src/helpers/git/defaultGitInfo.ts
@@ -6,4 +6,7 @@ export const defaultGitInfo = {
   branch: 'main',
   remote: 'origin',
   gitService: SsmGit.Services.Github,
+  env: {
+    GIT_SSL_NO_VERIFY: 'false',
+  },
 };