feat: add and implement various new http options for the curl backend.

Byron · Byron · commit d59d362f12bf · 2022-12-24T14:36:31.000+01:00
- `schannel_check_revoke` as `curl`-backend specific configuration.
- `ssl_version`
- `ssl_ca_info`
- `http_version`
diff --git a/git-transport/src/client/blocking_io/http/curl/mod.rs b/git-transport/src/client/blocking_io/http/curl/mod.rs
@@ -10,7 +10,20 @@ use crate::client::http::traits::PostBodyDataKind;
 
 mod remote;
 
+/// Options to configure the `curl` HTTP handler.
+#[derive(Default)]
+pub struct Options {
+    /// If `true` and runtime configuration is possible for `curl` backends, certificates revocation will be checked.
+    ///
+    /// This only works on windows apparently. Ignored if `None`.
+    pub schannel_check_revoke: Option<bool>,
+}
+
+/// The error returned by the 'remote' helper, a purely internal construct to perform http requests.
+///
+/// It can be used for downcasting errors, which are boxed to hide the actual implementation.
 #[derive(Debug, thiserror::Error)]
+#[allow(missing_docs)]
 pub enum Error {
     #[error(transparent)]
     Curl(#[from] curl::Error),
@@ -31,7 +44,7 @@ impl crate::IsSpuriousError for Error {
     }
 }
 
-pub fn curl_is_spurious(err: &curl::Error) -> bool {
+pub(crate) fn curl_is_spurious(err: &curl::Error) -> bool {
     err.is_couldnt_connect()
         || err.is_couldnt_resolve_proxy()
         || err.is_couldnt_resolve_host()
@@ -44,6 +57,7 @@ pub fn curl_is_spurious(err: &curl::Error) -> bool {
         || err.is_partial_file()
 }
 
+/// A utility to abstract interactions with curl handles.
 pub struct Curl {
     req: SyncSender<remote::Request>,
     res: Receiver<remote::Response>,
diff --git a/git-transport/src/client/blocking_io/http/curl/remote.rs b/git-transport/src/client/blocking_io/http/curl/remote.rs
@@ -10,6 +10,7 @@ use curl::easy::{Auth, Easy2};
 use git_features::io::pipe;
 
 use crate::client::http::curl::curl_is_spurious;
+use crate::client::http::options::{HttpVersion, SslVersion};
 use crate::client::http::traits::PostBodyDataKind;
 use crate::client::{
     blocking_io::http::{self, curl::Error, redirect},
@@ -153,7 +154,10 @@ pub fn new() -> (
                     user_agent,
                     proxy_authenticate,
                     verbose,
-                    backend: _,
+                    ssl_ca_info,
+                    ssl_version,
+                    http_version,
+                    backend,
                 },
         } in req_recv
         {
@@ -168,6 +172,35 @@ pub fn new() -> (
             headers.append("Expect:")?;
             handle.verbose(verbose)?;
 
+            if let Some(ca_info) = ssl_ca_info {
+                handle.cainfo(ca_info)?;
+            }
+
+            if let Some(ref mut curl_options) = backend.as_ref().and_then(|backend| backend.lock().ok()) {
+                if let Some(opts) = curl_options.downcast_mut::<super::Options>() {
+                    if let Some(enabled) = opts.schannel_check_revoke {
+                        handle.ssl_options(curl::easy::SslOpt::new().no_revoke(!enabled))?;
+                    }
+                }
+            }
+
+            if let Some(ssl_version) = ssl_version {
+                let (min, max) = ssl_version.min_max();
+                if min == max {
+                    handle.ssl_version(to_curl_ssl_version(min))?;
+                } else {
+                    handle.ssl_min_max_version(to_curl_ssl_version(min), to_curl_ssl_version(max))?;
+                }
+            }
+
+            if let Some(http_version) = http_version {
+                let version = match http_version {
+                    HttpVersion::V1_1 => curl::easy::HttpVersion::V11,
+                    HttpVersion::V2 => curl::easy::HttpVersion::V2,
+                };
+                handle.http_version(version)?;
+            }
+
             let mut proxy_auth_action = None;
             if let Some(proxy) = proxy {
                 handle.proxy(&proxy)?;
@@ -321,6 +354,20 @@ pub fn new() -> (
     (handle, req_send, res_recv)
 }
 
+fn to_curl_ssl_version(vers: SslVersion) -> curl::easy::SslVersion {
+    use curl::easy::SslVersion::*;
+    match vers {
+        SslVersion::Default => Default,
+        SslVersion::TlsV1 => Tlsv1,
+        SslVersion::SslV2 => Sslv2,
+        SslVersion::SslV3 => Sslv3,
+        SslVersion::TlsV1_0 => Tlsv10,
+        SslVersion::TlsV1_1 => Tlsv11,
+        SslVersion::TlsV1_2 => Tlsv12,
+        SslVersion::TlsV1_3 => Tlsv13,
+    }
+}
+
 impl From<Error> for http::Error {
     fn from(err: Error) -> Self {
         http::Error::Detail {
diff --git a/git-transport/src/client/blocking_io/http/mod.rs b/git-transport/src/client/blocking_io/http/mod.rs
@@ -1,3 +1,4 @@
+use std::path::PathBuf;
 use std::{
     any::Any,
     borrow::Cow,
@@ -10,6 +11,7 @@ use git_packetline::PacketLineRef;
 pub use traits::{Error, GetResponse, Http, PostResponse};
 
 use crate::client::blocking_io::bufread_ext::ReadlineBufRead;
+use crate::client::http::options::{HttpVersion, SslVersionRangeInclusive};
 use crate::{
     client::{self, capabilities, Capabilities, ExtendedBufRead, HandleProgress, MessageKind, RequestWriter},
     Protocol, Service,
@@ -19,7 +21,8 @@ use crate::{
 compile_error!("Cannot set both 'http-client-reqwest' and 'http-client-curl' features as they are mutually exclusive");
 
 #[cfg(feature = "http-client-curl")]
-mod curl;
+///
+pub mod curl;
 
 /// The experimental `reqwest` backend.
 ///
@@ -73,6 +76,51 @@ pub mod options {
             ProxyAuthMethod::AnyAuth
         }
     }
+
+    /// Available SSL version numbers.
+    #[derive(Debug, Copy, Clone, PartialEq, Eq, Ord, PartialOrd)]
+    #[allow(missing_docs)]
+    pub enum SslVersion {
+        /// The implementation default, which is unknown to this layer of abstraction.
+        Default,
+        TlsV1,
+        SslV2,
+        SslV3,
+        TlsV1_0,
+        TlsV1_1,
+        TlsV1_2,
+        TlsV1_3,
+    }
+
+    /// Available HTTP version numbers.
+    #[derive(Debug, Copy, Clone, PartialEq, Eq, Ord, PartialOrd)]
+    #[allow(missing_docs)]
+    pub enum HttpVersion {
+        /// Equivalent to HTTP/1.1
+        V1_1,
+        /// Equivalent to HTTP/2
+        V2,
+    }
+
+    /// The desired range of acceptable SSL versions, or the single version to allow if both are set to the same value.
+    #[derive(Debug, Copy, Clone, PartialEq, Eq)]
+    pub struct SslVersionRangeInclusive {
+        /// The smallest allowed ssl version to use.
+        pub min: SslVersion,
+        /// The highest allowed ssl version to use.
+        pub max: SslVersion,
+    }
+
+    impl SslVersionRangeInclusive {
+        /// Return `min` and `max` fields in the right order so `min` is smaller or equal to `max`.
+        pub fn min_max(&self) -> (SslVersion, SslVersion) {
+            if self.min > self.max {
+                (self.max, self.min)
+            } else {
+                (self.min, self.max)
+            }
+        }
+    }
 }
 
 /// Options to configure http requests.
@@ -131,6 +179,12 @@ pub struct Options {
     pub connect_timeout: Option<std::time::Duration>,
     /// If enabled, emit additional information about connections and possibly the data received or written.
     pub verbose: bool,
+    /// If set, use this path to point to a file with CA certificates to verify peers.
+    pub ssl_ca_info: Option<PathBuf>,
+    /// The SSL version or version range to use, or `None` to let the TLS backend determine which versions are acceptable.
+    pub ssl_version: Option<SslVersionRangeInclusive>,
+    /// The HTTP version to enforce. If unset, it is implementation defined.
+    pub http_version: Option<HttpVersion>,
     /// Backend specific options, if available.
     pub backend: Option<Arc<Mutex<dyn Any + Send + Sync + 'static>>>,
 }
