Support ca_file for http client in curl mode

With curl simulation mode the parameters from curl needs to be passed The parameters from uaac target xxx are not used here. Therefore, ca cert was missing. -b for --skip-ssl-validation is available For uaac target --ca-cert there is was no setting. Added -C or --cacert because these are the parameters from curl
cloudfoundry · Nov 18, 2023 · 5b82609 · 5b82609
1 parent f7a7eb5
commit 5b82609
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/lib/uaa/cli/curl.rb b/lib/uaa/cli/curl.rb
@@ -27,9 +27,10 @@ class CurlCli < CommonCli
     define_option :data, "-d", "--data <data>", "data included in request body"
     define_option :header, "-H", "--header <header>", "header to be included in the request"
     define_option :insecure, "-k", "--insecure", "makes request without verifying SSL certificates"
+    define_option :cacert, "-C", "--cacert <ca_file>", "CA certificate to verify peer against"
     define_option :bodyonly, "-b", "--bodyonly", "show body only in response"
 
-    desc "curl [path]", "CURL to a UAA endpoint", :request, :data, :header, :insecure , :bodyonly do |path|
+    desc "curl [path]", "CURL to a UAA endpoint", :request, :data, :header, :insecure , :bodyonly, :cacert do |path|
       return say_command_help(["curl"]) unless path
 
       uri = parse_uri(path)
@@ -65,6 +66,9 @@ def make_request(uri, options)
         http.use_ssl = true
         if options[:insecure]
           http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        elsif options[:cacert]
+          http.ca_file = File.expand_path(options[:cacert])
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
         end
       end
       request_class = Net::HTTP.const_get("#{options[:request][0]}#{options[:request][1..-1].downcase}")

diff --git a/spec/curl_spec.rb b/spec/curl_spec.rb
@@ -37,6 +37,7 @@ module CF::UAA
       Cli.output.string.should include "-d | --data <data>"
       Cli.output.string.should include "-k | --insecure"
       Cli.output.string.should include "-b | --bodyonly"
+      Cli.output.string.should include "-C | --cacert"
     end
 
     it "hits the URL on the UAA target" do
@@ -108,5 +109,19 @@ module CF::UAA
       Cli.output.string.should_not include "ECONNRESET"
       Cli.output.string.should include "200 OK"
     end
+
+    it "makes insecure requests without the -k flag" do
+      Cli.run("curl https://example.com/")
+
+      Cli.output.string.should_not include "ECONNRESET"
+      Cli.output.string.should include "200 OK"
+    end
+
+    it "makes requests using invalid custom ca cert file with the -C flag" do
+      Cli.run("curl https://example.com/ -C ca.pem")
+
+      Cli.output.string.should_not include "200 OK"
+      Cli.output.string.should include "SSLError"
+    end
   end
 end