[Code] Add a security flag for git certificate check (#35445)

Author: mw-ding

x-pack/plugins/code/index.ts

@@ -64,6 +64,7 @@ export const code = (kibana: any) =>
           gitProtocolWhitelist: Joi.array()
             .items(Joi.string())
             .default(['https', 'git', 'ssh']),
+          enableGitCertCheck: Joi.boolean().default(true),
         }).default(),
         maxWorkspace: Joi.number().default(5), // max workspace folder for each language server
         disableIndexScheduler: Joi.boolean().default(true), // Temp option to disable index scheduler.

x-pack/plugins/code/server/__tests__/repository_service.ts

@@ -29,7 +29,7 @@ describe('repository service test', () => {
   after(() => {
     return rimraf.sync(baseDir);
   });
-  const service = new RepositoryService(repoDir, credsDir, log);
+  const service = new RepositoryService(repoDir, credsDir, log, false /* enableGitCertCheck */);
 
   it('can not clone a repo by ssh without a key', async () => {
     const repo = RepositoryUtils.buildRepository(

x-pack/plugins/code/server/queue/clone_worker.ts

@@ -58,7 +58,8 @@ export class CloneWorker extends AbstractGitWorker {
     const repoService = this.repoServiceFactory.newInstance(
       this.serverOptions.repoPath,
       this.serverOptions.credsPath,
-      this.log
+      this.log,
+      this.serverOptions.security.enableGitCertCheck
     );
     const repo = RepositoryUtils.buildRepository(url);
     return await repoService.clone(repo, (progress: number, cloneProgress?: CloneProgress) => {

x-pack/plugins/code/server/queue/delete_worker.test.ts

@@ -66,7 +66,11 @@ test('Execute delete job.', async () => {
     esQueue as Esqueue,
     log,
     esClient as EsClient,
-    {} as ServerOptions,
+    {
+      security: {
+        enableGitCertCheck: false,
+      },
+    } as ServerOptions,
     (cancellationService as any) as CancellationSerivce,
     (lspService as any) as LspService,
     (repoServiceFactory as any) as RepositoryServiceFactory

x-pack/plugins/code/server/queue/delete_worker.ts

@@ -47,7 +47,8 @@ export class DeleteWorker extends AbstractWorker {
     const repoService = this.repoServiceFactory.newInstance(
       this.serverOptions.repoPath,
       this.serverOptions.credsPath,
-      this.log
+      this.log,
+      this.serverOptions.security.enableGitCertCheck
     );
     const deleteRepoPromise = this.deletePromiseWrapper(repoService.remove(uri), 'git data', uri);
 

x-pack/plugins/code/server/queue/update_worker.test.ts

@@ -41,7 +41,11 @@ test('Execute update job', async () => {
     esQueue as Esqueue,
     log,
     esClient as EsClient,
-    {} as ServerOptions,
+    {
+      security: {
+        enableGitCertCheck: false,
+      },
+    } as ServerOptions,
     (repoServiceFactory as any) as RepositoryServiceFactory
   );
 

x-pack/plugins/code/server/queue/update_worker.ts

@@ -31,7 +31,8 @@ export class UpdateWorker extends AbstractGitWorker {
     const repoService = this.repoServiceFactory.newInstance(
       this.serverOptions.repoPath,
       this.serverOptions.credsPath,
-      this.log
+      this.log,
+      this.serverOptions.security.enableGitCertCheck
     );
     return await repoService.update(repo);
   }

x-pack/plugins/code/server/repository_service.ts

@@ -28,11 +28,10 @@ export class RepositoryService {
   constructor(
     private readonly repoVolPath: string,
     private readonly credsPath: string,
-    private log: Logger
+    private readonly log: Logger,
+    private readonly enableGitCertCheck: boolean
   ) {}
 
-  private isProd = process.env.NODE_ENV === 'production';
-
   public async clone(repo: Repository, handler?: CloneProgressHandler): Promise<CloneWorkerResult> {
     if (!repo) {
       throw new Error(`Invalid repository.`);
@@ -108,7 +107,7 @@ export class RepositoryService {
         credentials: this.credentialFunc(key),
       };
       // Ignore cert check on testing environment.
-      if (!this.isProd) {
+      if (!this.enableGitCertCheck) {
         cbs.certificateCheck = () => {
           // Ignore cert check failures.
           return 0;
@@ -205,7 +204,7 @@ export class RepositoryService {
         credentials: this.credentialFunc(keyFile),
       };
       // Ignore cert check on testing environment.
-      if (!this.isProd) {
+      if (!this.enableGitCertCheck) {
         cbs.certificateCheck = () => {
           // Ignore cert check failures.
           return 0;

x-pack/plugins/code/server/repository_service_factory.ts

@@ -8,7 +8,12 @@ import { Logger } from './log';
 import { RepositoryService } from './repository_service';
 
 export class RepositoryServiceFactory {
-  public newInstance(repoPath: string, credsPath: string, log: Logger): RepositoryService {
-    return new RepositoryService(repoPath, credsPath, log);
+  public newInstance(
+    repoPath: string,
+    credsPath: string,
+    log: Logger,
+    enableGitCertCheck: boolean
+  ): RepositoryService {
+    return new RepositoryService(repoPath, credsPath, log, enableGitCertCheck);
   }
 }

x-pack/plugins/code/server/server_options.ts

@@ -19,6 +19,7 @@ export interface SecurityOptions {
   installNodeDependency: boolean;
   gitHostWhitelist: string[];
   gitProtocolWhitelist: string[];
+  enableGitCertCheck: boolean;
 }
 
 export class ServerOptions {