Add allowinsecureconnections option (#5742)

src/NuGet.Clients/NuGet.CommandLine/Commands/SourcesCommand.cs

@@ -2,7 +2,6 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
-using System.Globalization;
 using System.Linq;
 using NuGet.Commands;
 
@@ -36,6 +35,9 @@ public class SourcesCommand : Command
         [Option(typeof(NuGetCommand), "SourcesCommandFormatDescription")]
         public SourcesListFormat Format { get; set; }
 
+        [Option(typeof(NuGetCommand), "SourcesCommandAllowInsecureConnectionsDescription")]
+        public bool AllowInsecureConnections { get; set; }
+
 
         public override void ExecuteCommand()
         {
@@ -61,11 +63,33 @@ public override void ExecuteCommand()
             switch (action)
             {
                 case SourcesAction.Add:
-                    var addArgs = new AddSourceArgs() { Name = Name, Source = Source, Username = Username, Password = Password, StorePasswordInClearText = StorePasswordInClearText, ValidAuthenticationTypes = ValidAuthenticationTypes, Configfile = ConfigFile, ProtocolVersion = ProtocolVersion };
+                    var addArgs = new AddSourceArgs()
+                    {
+                        Name = Name,
+                        Source = Source,
+                        Username = Username,
+                        Password = Password,
+                        StorePasswordInClearText = StorePasswordInClearText,
+                        ValidAuthenticationTypes = ValidAuthenticationTypes,
+                        Configfile = ConfigFile,
+                        ProtocolVersion = ProtocolVersion,
+                        AllowInsecureConnections = AllowInsecureConnections
+                    };
                     AddSourceRunner.Run(addArgs, () => Console);
                     break;
                 case SourcesAction.Update:
-                    var updateSourceArgs = new UpdateSourceArgs() { Name = Name, Source = Source, Username = Username, Password = Password, StorePasswordInClearText = StorePasswordInClearText, ValidAuthenticationTypes = ValidAuthenticationTypes, Configfile = ConfigFile, ProtocolVersion = ProtocolVersion };
+                    var updateSourceArgs = new UpdateSourceArgs()
+                    {
+                        Name = Name,
+                        Source = Source,
+                        Username = Username,
+                        Password = Password,
+                        StorePasswordInClearText = StorePasswordInClearText,
+                        ValidAuthenticationTypes = ValidAuthenticationTypes,
+                        Configfile = ConfigFile,
+                        ProtocolVersion = ProtocolVersion,
+                        AllowInsecureConnections = AllowInsecureConnections
+                    };
                     UpdateSourceRunner.Run(updateSourceArgs, () => Console);
                     break;
                 case SourcesAction.Remove:

src/NuGet.Clients/NuGet.CommandLine/NuGetCommand.resx

@@ -934,4 +934,7 @@ nuget client-certs List</value>
   <data name="EulaDescription" xml:space="preserve">
     <value>Display NuGet.exe's End User Liscence Agreement (EULA)</value>
   </data>
+  <data name="SourcesCommandAllowInsecureConnectionsDescription" xml:space="preserve">
+    <value>Allows HTTP connections for adding or updating packages. Note: This method is not secure. For secure options, see https://aka.ms/nuget-https-everywhere for more information.</value>
+  </data>
 </root>

src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/Verbs.cs

@@ -51,6 +51,10 @@ internal partial class AddVerbParser
                         "--configfile",
                         Strings.Option_ConfigFile,
                         CommandOptionType.SingleValue);
+                    CommandOption allowInsecureConnections = SourceCmd.Option(
+                        "--allowInsecureConnections",
+                        Strings.SourcesCommandAllowInsecureConnectionsDescription,
+                        CommandOptionType.NoValue);
                     SourceCmd.HelpOption("-h|--help");
                     SourceCmd.Description = Strings.AddSourceCommandDescription;
                     SourceCmd.OnExecute(() =>
@@ -65,6 +69,7 @@ internal partial class AddVerbParser
                             ValidAuthenticationTypes = validAuthenticationTypes.Value(),
                             ProtocolVersion = protocolVersion.Value(),
                             Configfile = configfile.Value(),
+                            AllowInsecureConnections = allowInsecureConnections.HasValue(),
                         };
 
                         AddSourceRunner.Run(args, getLogger);
@@ -390,6 +395,10 @@ internal partial class UpdateVerbParser
                         "--configfile",
                         Strings.Option_ConfigFile,
                         CommandOptionType.SingleValue);
+                    CommandOption allowInsecureConnections = SourceCmd.Option(
+                        "--allowInsecureConnections",
+                        Strings.SourcesCommandAllowInsecureConnectionsDescription,
+                        CommandOptionType.NoValue);
                     SourceCmd.HelpOption("-h|--help");
                     SourceCmd.Description = Strings.UpdateSourceCommandDescription;
                     SourceCmd.OnExecute(() =>
@@ -404,6 +413,7 @@ internal partial class UpdateVerbParser
                             ValidAuthenticationTypes = validAuthenticationTypes.Value(),
                             ProtocolVersion = protocolVersion.Value(),
                             Configfile = configfile.Value(),
+                            AllowInsecureConnections = allowInsecureConnections.HasValue(),
                         };
 
                         UpdateSourceRunner.Run(args, getLogger);

src/NuGet.Core/NuGet.CommandLine.XPlat/Strings.resx

@@ -966,4 +966,7 @@ Non-HTTPS access will be removed in a future version. Consider migrating to 'HTT
   <data name="WhyCommand_Message_NoDependencyGraphsFoundForFramework" xml:space="preserve">
     <value>No dependency graph(s) found for this target framework.</value>
   </data>
+  <data name="SourcesCommandAllowInsecureConnectionsDescription" xml:space="preserve">
+    <value>Allows HTTP connections for adding or updating packages. Note: This method is not secure. For secure options, see https://aka.ms/nuget-https-everywhere for more information.</value>
+  </data>
 </root>

src/NuGet.Core/NuGet.Commands/CommandArgs/VerbArgs.cs

@@ -5,10 +5,6 @@
 // instead modify the neighboring .tt file (text template) and/or NuGet.CommandLine.Xplat\Commands\Commands.xml (data file),
 // then re-execute the text template via "run custom tool" on VS context menu for .tt file, or via dotnet-t4 global tool.
 
-using System;
-using System.Threading.Tasks;
-using NuGet.Common;
-
 namespace NuGet.Commands
 {
     public partial class AddSourceArgs
@@ -21,6 +17,7 @@ public partial class AddSourceArgs
         public string ValidAuthenticationTypes { get; set; }
         public string ProtocolVersion { get; set; }
         public string Configfile { get; set; }
+        public bool AllowInsecureConnections { get; set; }
     }
 
     public partial class AddClientCertArgs
@@ -82,6 +79,7 @@ public partial class UpdateSourceArgs
         public string ValidAuthenticationTypes { get; set; }
         public string ProtocolVersion { get; set; }
         public string Configfile { get; set; }
+        public bool AllowInsecureConnections { get; set; }
     }
 
     public partial class UpdateClientCertArgs

src/NuGet.Core/NuGet.Commands/PublicAPI/net472/PublicAPI.Unshipped.txt

@@ -1,2 +1,6 @@
 #nullable enable
 ~static NuGet.Commands.MSBuildRestoreUtility.GetRestoreAuditProperties(NuGet.Commands.IMSBuildItem specItem, System.Collections.Generic.HashSet<string> suppressionItems) -> NuGet.ProjectModel.RestoreAuditProperties
+NuGet.Commands.UpdateSourceArgs.AllowInsecureConnections.set -> void
+NuGet.Commands.UpdateSourceArgs.AllowInsecureConnections.get -> bool
+NuGet.Commands.AddSourceArgs.AllowInsecureConnections.set -> void
+NuGet.Commands.AddSourceArgs.AllowInsecureConnections.get -> bool

src/NuGet.Core/NuGet.Commands/PublicAPI/netcoreapp5.0/PublicAPI.Unshipped.txt

@@ -1,2 +1,6 @@
 #nullable enable
 ~static NuGet.Commands.MSBuildRestoreUtility.GetRestoreAuditProperties(NuGet.Commands.IMSBuildItem specItem, System.Collections.Generic.HashSet<string> suppressionItems) -> NuGet.ProjectModel.RestoreAuditProperties
+NuGet.Commands.UpdateSourceArgs.AllowInsecureConnections.set -> void
+NuGet.Commands.UpdateSourceArgs.AllowInsecureConnections.get -> bool
+NuGet.Commands.AddSourceArgs.AllowInsecureConnections.set -> void
+NuGet.Commands.AddSourceArgs.AllowInsecureConnections.get -> bool

src/NuGet.Core/NuGet.Commands/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt

@@ -1,2 +1,6 @@
 #nullable enable
 ~static NuGet.Commands.MSBuildRestoreUtility.GetRestoreAuditProperties(NuGet.Commands.IMSBuildItem specItem, System.Collections.Generic.HashSet<string> suppressionItems) -> NuGet.ProjectModel.RestoreAuditProperties
+NuGet.Commands.UpdateSourceArgs.AllowInsecureConnections.set -> void
+NuGet.Commands.UpdateSourceArgs.AllowInsecureConnections.get -> bool
+NuGet.Commands.AddSourceArgs.AllowInsecureConnections.set -> void
+NuGet.Commands.AddSourceArgs.AllowInsecureConnections.get -> bool

src/NuGet.Core/NuGet.Commands/SourcesCommands/SourceRunners.cs

@@ -62,6 +62,7 @@ public static void Run(AddSourceArgs args, Func<ILogger> getLogger)
             }
 
             var newPackageSource = new Configuration.PackageSource(args.Source, args.Name);
+            newPackageSource.AllowInsecureConnections = args.AllowInsecureConnections;
 
             if (newPackageSource.IsHttp && !newPackageSource.IsHttps && !newPackageSource.AllowInsecureConnections)
             {
@@ -262,6 +263,7 @@ public static void Run(UpdateSourceArgs args, Func<ILogger> getLogger)
             var sourceProvider = RunnerHelper.GetSourceProvider(settings);
 
             var existingSource = sourceProvider.GetPackageSourceByName(args.Name);
+            existingSource.AllowInsecureConnections = args.AllowInsecureConnections;
             if (existingSource == null)
             {
                 throw new CommandException(Strings.SourcesCommandNoMatchingSourcesFound, args.Name);
@@ -282,6 +284,7 @@ public static void Run(UpdateSourceArgs args, Func<ILogger> getLogger)
                 }
 
                 existingSource = new Configuration.PackageSource(args.Source, existingSource.Name);
+                existingSource.AllowInsecureConnections = args.AllowInsecureConnections;
 
                 // If the existing source is not http, warn the user
                 if (existingSource.IsHttp && !existingSource.IsHttps && !existingSource.AllowInsecureConnections)

test/NuGet.Clients.Tests/NuGet.CommandLine.Test/NuGetSourcesCommandTest.cs

@@ -50,6 +50,44 @@ public void SourcesCommandTest_AddSource(string source, bool shouldWarn)
             }
         }
 
+        [Theory]
+        [InlineData("http://test_source")]
+        [InlineData("https://test_source")]
+        public void SourcesCommandTest_AddSource_AllowInsecureConnections(string source)
+        {
+            using (var pathContext = new SimpleTestPathContext())
+            {
+                TestDirectory workingPath = pathContext.WorkingDirectory;
+                SimpleTestSettingsContext settings = pathContext.Settings;
+
+                // Arrange
+                var nugetexe = Util.GetNuGetExePath();
+                var args = new string[] {
+                    "sources",
+                    "Add",
+                    "-Name",
+                    "test_source",
+                    "-Source",
+                    source,
+                    "-ConfigFile",
+                    settings.ConfigPath,
+                    "-AllowInsecureConnections"
+                };
+
+                // Act
+                CommandRunnerResult result = CommandRunner.Run(nugetexe, workingPath, string.Join(" ", args));
+
+                // Assert
+                Assert.Equal(0, result.ExitCode);
+                ISettings loadedSettings = Configuration.Settings.LoadDefaultSettings(workingPath, null, null);
+                SettingSection packageSourcesSection = loadedSettings.GetSection("packageSources");
+                SourceItem sourceItem = packageSourcesSection?.GetFirstItemWithAttribute<SourceItem>("key", "test_source");
+                Assert.Equal(source, sourceItem.GetValueAsPath());
+                Assert.Equal("True", sourceItem.AllowInsecureConnections);
+                Assert.False(result.Output.Contains("WARNING: You are running the 'add source' operation with an 'HTTP' source"));
+            }
+        }
+
         [Theory]
         [InlineData("http://source.test", true)]
         [InlineData("https://source.test", false)]
@@ -98,6 +136,105 @@ public void SourcesCommandTest_UpdateSource(string source, bool shouldWarn)
             }
         }
 
+        [Theory]
+        [InlineData("http://source.test", true)]
+        [InlineData("https://source.test", false)]
+        public void SourcesCommandTest_UpdateSource_RemoveAllowInsecureConnections(string source, bool shouldWarn)
+        {
+            using (TestDirectory configFileDirectory = TestDirectory.Create())
+            {
+                var nugetexe = Util.GetNuGetExePath();
+                var configFileName = "nuget.config";
+                var configFilePath = Path.Combine(configFileDirectory, configFileName);
+
+                var nugetConfig = string.Format(
+                    @"<?xml version=""1.0"" encoding=""utf-8""?>
+<configuration>
+  <packageSources>
+    <add key=""test_source"" value=""http://source.test.initial"" AllowInsecureConnections=""True""/>
+  </packageSources>
+</configuration>", source);
+                Util.CreateFile(configFileDirectory, configFileName, nugetConfig);
+
+                // Arrange
+                var args = new string[] {
+                    "sources",
+                    "Update",
+                    "-Name",
+                    "test_source",
+                    "-Source",
+                    source,
+                    "-ConfigFile",
+                    configFilePath
+                };
+
+                // Act
+                CommandRunnerResult result = CommandRunner.Run(
+                    nugetexe,
+                    configFileDirectory,
+                    string.Join(" ", args));
+
+                // Assert
+                Assert.Equal(0, result.ExitCode);
+                ISettings loadedSettings = Configuration.Settings.LoadDefaultSettings(configFileDirectory, configFileName, null);
+                SettingSection packageSourcesSection = loadedSettings.GetSection("packageSources");
+                SourceItem sourceItem = packageSourcesSection?.GetFirstItemWithAttribute<SourceItem>("key", "test_source");
+                Assert.Equal(source, sourceItem.GetValueAsPath());
+                Assert.Null(sourceItem.AllowInsecureConnections);
+                Assert.Equal(shouldWarn, result.Output.Contains("WARNING: You are running the 'update source' operation with an 'HTTP' source"));
+            }
+        }
+
+        [Theory]
+        [InlineData("http://source.test")]
+        [InlineData("https://source.test")]
+        public void SourcesCommandTest_UpdateSource_AddAllowInsecureConnections(string source)
+        {
+            using (TestDirectory configFileDirectory = TestDirectory.Create())
+            {
+                var nugetexe = Util.GetNuGetExePath();
+                var configFileName = "nuget.config";
+                var configFilePath = Path.Combine(configFileDirectory, configFileName);
+
+                var nugetConfig = string.Format(
+                    @"<?xml version=""1.0"" encoding=""utf-8""?>
+<configuration>
+  <packageSources>
+    <add key=""test_source"" value=""http://source.test.initial"" />
+  </packageSources>
+</configuration>", source);
+                Util.CreateFile(configFileDirectory, configFileName, nugetConfig);
+
+                // Arrange
+                var args = new string[] {
+                    "sources",
+                    "Update",
+                    "-Name",
+                    "test_source",
+                    "-Source",
+                    source,
+                    "-ConfigFile",
+                    configFilePath,
+                    "-AllowInsecureConnections"
+                };
+
+                // Act
+                CommandRunnerResult result = CommandRunner.Run(
+                    nugetexe,
+                    configFileDirectory,
+                    string.Join(" ", args));
+
+                // Assert
+                Assert.Equal(0, result.ExitCode);
+                ISettings loadedSettings = Configuration.Settings.LoadDefaultSettings(configFileDirectory, configFileName, null);
+                SettingSection packageSourcesSection = loadedSettings.GetSection("packageSources");
+                SourceItem sourceItem = packageSourcesSection?.GetFirstItemWithAttribute<SourceItem>("key", "test_source");
+                Assert.Equal(source, sourceItem.GetValueAsPath());
+                Assert.Equal("True", sourceItem.AllowInsecureConnections);
+                Assert.False(result.Output.Contains("WARNING: You are running the 'update source' operation with an 'HTTP' source"));
+            }
+        }
+
         [Fact]
         public void SourcesCommandTest_EnableSource_WarnWhenUsingHttp()
         {