Merge pull request #1084 from sdreger/bugfix/1083/gitea-tls-error

fix: pass 'certPool' to Gitea client on creation

Author: stefanprodan

internal/notifier/gitea.go

@@ -69,18 +69,16 @@ func NewGitea(commitStatus string, addr string, token string, certPool *x509.Cer
 		return nil, fmt.Errorf("invalid repository id %q", id)
 	}
 
-	client, err := gitea.NewClient(host, gitea.SetToken(token))
-	if err != nil {
-		return nil, fmt.Errorf("failed creating Gitea client: %w", err)
-	}
-
+	tr := &http.Transport{}
 	if certPool != nil {
-		tr := &http.Transport{
-			TLSClientConfig: &tls.Config{
-				RootCAs: certPool,
-			},
+		tr.TLSClientConfig = &tls.Config{
+			RootCAs: certPool,
 		}
-		client.SetHTTPClient(&http.Client{Transport: tr})
+	}
+
+	client, err := gitea.NewClient(host, gitea.SetToken(token), gitea.SetHTTPClient(&http.Client{Transport: tr}))
+	if err != nil {
+		return nil, fmt.Errorf("failed creating Gitea client: %w", err)
 	}
 
 	return &Gitea{

internal/notifier/gitea_test.go

@@ -18,6 +18,7 @@ package notifier
 
 import (
 	"context"
+	"crypto/x509"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@@ -31,30 +32,43 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-// newTestServer returns an HTTP server mimicking parts of Gitea's API so that tests don't
+// newTestHTTPServer returns an HTTP server mimicking parts of Gitea's API so that tests don't
 // need to rely on 3rd-party components to be available (like the try.gitea.io server).
-func newTestServer(t *testing.T) *httptest.Server {
+func newTestHTTPServer(t *testing.T) *httptest.Server {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch r.URL.Path {
-		case "/api/v1/version":
-			fmt.Fprintf(w, `{"version":"1.18.3"}`)
-		case "/api/v1/repos/foo/bar/commits/69b59063470310ebbd88a9156325322a124e55a3/statuses":
-			fmt.Fprintf(w, "[]")
-		case "/api/v1/repos/foo/bar/statuses/69b59063470310ebbd88a9156325322a124e55a3":
-			fmt.Fprintf(w, "{}")
-		case "/api/v1/repos/foo/bar/commits/8a9156325322a124e55a369b59063470310ebbd8/statuses":
-			fmt.Fprintf(w, "[]")
-		case "/api/v1/repos/foo/bar/statuses/8a9156325322a124e55a369b59063470310ebbd8":
-			fmt.Fprintf(w, "{}")
-		default:
-			t.Logf("unknown %s request at %s", r.Method, r.URL.Path)
-		}
+		handleTestRequest(t, w, r)
 	}))
 	return srv
 }
 
+// newTestHTTPSServer returns an HTTPS server mimicking parts of Gitea's API so that tests don't
+// need to rely on 3rd-party components to be available (like the try.gitea.io server).
+func newTestHTTPSServer(t *testing.T) *httptest.Server {
+	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		handleTestRequest(t, w, r)
+	}))
+	return srv
+}
+
+func handleTestRequest(t *testing.T, w http.ResponseWriter, r *http.Request) {
+	switch r.URL.Path {
+	case "/api/v1/version":
+		fmt.Fprintf(w, `{"version":"1.18.3"}`)
+	case "/api/v1/repos/foo/bar/commits/69b59063470310ebbd88a9156325322a124e55a3/statuses":
+		fmt.Fprintf(w, "[]")
+	case "/api/v1/repos/foo/bar/statuses/69b59063470310ebbd88a9156325322a124e55a3":
+		fmt.Fprintf(w, "{}")
+	case "/api/v1/repos/foo/bar/commits/8a9156325322a124e55a369b59063470310ebbd8/statuses":
+		fmt.Fprintf(w, "[]")
+	case "/api/v1/repos/foo/bar/statuses/8a9156325322a124e55a369b59063470310ebbd8":
+		fmt.Fprintf(w, "{}")
+	default:
+		t.Logf("unknown %s request at %s", r.Method, r.URL.Path)
+	}
+}
+
 func TestNewGiteaBasic(t *testing.T) {
-	srv := newTestServer(t)
+	srv := newTestHTTPServer(t)
 	defer srv.Close()
 
 	g, err := NewGitea("kustomization/gitops-system/0c9c2e41", srv.URL+"/foo/bar", "foobar", nil)
@@ -64,32 +78,57 @@ func TestNewGiteaBasic(t *testing.T) {
 	assert.Equal(t, g.BaseURL, srv.URL)
 }
 
+func TestNewGiteaWithCertPool(t *testing.T) {
+	srv := newTestHTTPSServer(t)
+	defer srv.Close()
+
+	certpool := x509.NewCertPool()
+	certpool.AddCert(srv.Certificate())
+
+	g, err := NewGitea("kustomization/gitops-system/0c9c2e41", srv.URL+"/foo/bar", "foobar", certpool)
+	assert.NoError(t, err)
+	assert.Equal(t, g.Owner, "foo")
+	assert.Equal(t, g.Repo, "bar")
+	assert.Equal(t, g.BaseURL, srv.URL)
+}
+
+func TestNewGiteaNoCertificate(t *testing.T) {
+	srv := newTestHTTPSServer(t)
+	defer srv.Close()
+
+	certpool := x509.NewCertPool()
+
+	_, err := NewGitea("kustomization/gitops-system/0c9c2e41", srv.URL+"/foo/bar", "foobar", certpool)
+	assert.Error(t, err)
+	assert.ErrorContains(t, err, "tls: failed to verify certificate: x509: certificate signed by unknown authority")
+}
+
 func TestNewGiteaInvalidUrl(t *testing.T) {
-	srv := newTestServer(t)
+	srv := newTestHTTPServer(t)
 	defer srv.Close()
 
 	_, err := NewGitea("kustomization/gitops-system/0c9c2e41", srv.URL+"/foo/bar/baz", "foobar", nil)
 	assert.ErrorContains(t, err, "invalid repository id")
 }
 
 func TestNewGiteaEmptyToken(t *testing.T) {
-	srv := newTestServer(t)
+	srv := newTestHTTPServer(t)
 	defer srv.Close()
 
 	_, err := NewGitea("kustomization/gitops-system/0c9c2e41", srv.URL+"/foo/bar", "", nil)
 	assert.ErrorContains(t, err, "gitea token cannot be empty")
 }
 
 func TestNewGiteaEmptyCommitStatus(t *testing.T) {
-	srv := newTestServer(t)
+	srv := newTestHTTPServer(t)
 	defer srv.Close()
 
 	_, err := NewGitea("", srv.URL+"/foo/bar", "foobar", nil)
 	assert.ErrorContains(t, err, "commit status cannot be empty")
 }
 
 func TestGitea_Post(t *testing.T) {
-	srv := newTestServer(t)
+	srv := newTestHTTPServer(t)
 	defer srv.Close()
 
 	g, err := NewGitea("kustomization/gitops-system/0c9c2e41", srv.URL+"/foo/bar", "foobar", nil)