Git custom tls

docs/dependency-specification.md

@@ -125,6 +125,15 @@ poetry config http-basic.git-org-project username token
 poetry add git+https://github.com/org/project.git
 ```
 
+To use custom CA/client certificates or disable TLS verifications altogether, you can configure certificates similar to
+how [repository certificates]({{< relref "repositories#Certificates" >}}) are configured.
+For example, for the repository "https://myprivaterepo.com/org/project.git"
+
+```bash
+poetry config certificates.myprivaterepo.cert /path/to/ca.pem
+poetry config certificates.myprivaterepo.client-cert /path/to/client.pem
+```
+
 {{% note %}}
 With Poetry 1.2 releases, the default git client used is [Dulwich](https://www.dulwich.io/).
 
@@ -195,6 +204,8 @@ These activate extra defined for the dependency, to configure an optional depend
 for extras in your project refer to [`extras`]({{< relref "pyproject#extras" >}}).
 {{% /note %}}
 
+### Certificates
+
 ## `source` dependencies
 
 To depend on a package from an [alternate repository]({{< relref "repositories/#install-dependencies-from-a-private-repository" >}}),

src/poetry/vcs/git/backend.py

@@ -11,6 +11,7 @@
 from dulwich import porcelain
 from dulwich.client import HTTPUnauthorized
 from dulwich.client import get_transport_and_path
+from dulwich.config import ConfigDict
 from dulwich.config import ConfigFile
 from dulwich.config import parse_submodules
 from dulwich.errors import NotGitRepository
@@ -187,14 +188,24 @@ def _fetch_remote_refs(cls, url: str, local: Repo) -> FetchPackResult:
         path: str
 
         kwargs: dict[str, str] = {}
-        credentials = get_default_authenticator().get_credentials_for_git_url(url=url)
+        authenticator = get_default_authenticator()
+        credentials = authenticator.get_credentials_for_git_url(url)
+        certs = authenticator.get_certs_for_url(url)
 
         if credentials.password and credentials.username:
             # we do this conditionally as otherwise, dulwich might complain if these
             # parameters are passed in for an ssh url
             kwargs["username"] = credentials.username
             kwargs["password"] = credentials.password
 
+        config: ConfigDict = ConfigDict()  # type: ignore[no-untyped-call]
+
+        config.set("http", "sslCAInfo", certs.cert)  # type: ignore[no-untyped-call]
+        kwargs["cert_file"] = str(certs.client_cert)
+
+        if not certs.verify:
+            config.set("http", "sslVerify", False)  # type: ignore[no-untyped-call]
+
         client, path = get_transport_and_path(url, **kwargs)
 
         with local:

tests/integration/test_utils_vcs_git.py

@@ -7,11 +7,13 @@
 from hashlib import sha1
 from pathlib import Path
 from typing import TYPE_CHECKING
+from urllib.parse import urlparse
 
 import pytest
 
 from dulwich.client import HTTPUnauthorized
 from dulwich.client import get_transport_and_path
+from dulwich.config import ConfigDict
 from dulwich.repo import Repo
 from poetry.core.pyproject.toml import PyProjectTOML
 
@@ -298,6 +300,77 @@ def test_configured_repository_http_auth(
     spy_get_transport_and_path.assert_called_once()
 
 
+def test_configured_repository_certificates(
+    mocker: MockerFixture, source_url: str, config: Config
+) -> None:
+    from poetry.vcs.git import backend
+
+    spy_clone_legacy = mocker.spy(Git, "_clone_legacy")
+    spy_get_transport_and_path = mocker.spy(backend, "get_transport_and_path")
+
+    configured_cert = "/path/to/cert"
+    configured_client_cert = "/path/to/client-cert"
+    netloc = urlparse(source_url).netloc
+    config.merge(
+        {
+            "repositories": {"git-repo": {"url": source_url}},
+            "certificates": {
+                netloc: {"cert": configured_cert, "client-cert": configured_client_cert}
+            },
+        }
+    )
+
+    mocker.patch(
+        "poetry.vcs.git.backend.get_default_authenticator",
+        return_value=Authenticator(config=config),
+    )
+
+    with Git.clone(url=source_url, branch="0.1") as repo:
+        assert_version(repo, BRANCH_TO_REVISION_MAP["0.1"])
+
+    spy_clone_legacy.assert_not_called()
+    git_config = ConfigDict()
+    git_config.set("http", "sslCAInfo", configured_cert)
+
+    spy_get_transport_and_path.assert_called_with(
+        location=source_url, config=git_config, cert_file=configured_client_cert
+    )
+    spy_get_transport_and_path.assert_called_once()
+
+
+def test_configured_repository_tls_disabled(
+    mocker: MockerFixture, source_url: str, config: Config
+) -> None:
+    from poetry.vcs.git import backend
+
+    spy_clone_legacy = mocker.spy(Git, "_clone_legacy")
+    spy_get_transport_and_path = mocker.spy(backend, "get_transport_and_path")
+    netloc = urlparse(source_url).netloc
+    config.merge(
+        {
+            "repositories": {"git-repo": {"url": source_url}},
+            "certificates": {netloc: {"cert": False}},
+        }
+    )
+
+    mocker.patch(
+        "poetry.vcs.git.backend.get_default_authenticator",
+        return_value=Authenticator(config=config),
+    )
+
+    with Git.clone(url=source_url, branch="0.1") as repo:
+        assert_version(repo, BRANCH_TO_REVISION_MAP["0.1"])
+
+    spy_clone_legacy.assert_not_called()
+    git_config = ConfigDict()
+    git_config.set("http", "sslVerify", False)
+
+    spy_get_transport_and_path.assert_called_with(
+        location=source_url, config=git_config
+    )
+    spy_get_transport_and_path.assert_called_once()
+
+
 def test_username_password_parameter_is_not_passed_to_dulwich(
     mocker: MockerFixture, source_url: str, config: Config
 ) -> None: