skip ssl certificate validation to TFS if needed. (#290)

microsoft · Nov 3, 2017 · 929bc80 · 929bc80
1 parent 5ba1a56
commit 929bc80
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 9 deletions.
diff --git a/node/internal.ts b/node/internal.ts
@@ -961,6 +961,11 @@ export function _exposeCertSettings(): void {
         _debug('expose agent certificate configuration.')
         global['_vsts_task_lib_cert'] = true;
     }
+
+    let skipCertValidation: string = _getVariable('Agent.SkipCertValidation') || 'false';
+    if (skipCertValidation) {
+        global['_vsts_task_lib_skip_cert_validation'] = skipCertValidation.toUpperCase() === 'TRUE';
+    }
 }
 
 // We store the encryption key on disk and hold the encrypted content and key file in memory

diff --git a/powershell/CompiledHelpers/VstsTaskSdk.cs b/powershell/CompiledHelpers/VstsTaskSdk.cs
@@ -1,7 +1,9 @@
 using System;
 using System.Collections.Generic;
 using System.Net;
+using System.Net.Security;
 using System.Runtime.InteropServices;
+using System.Security.Cryptography.X509Certificates;
 using System.Text.RegularExpressions;
 
 namespace VstsTaskSdk
@@ -89,6 +91,17 @@ private bool IsMatchInBypassList(Uri input)
             return false;
         }
     }
+
+    public sealed class VstsHttpHandlerSettings
+    {
+        public static RemoteCertificateValidationCallback UnsafeSkipServerCertificateValidation
+        {
+            get
+            {
+                return ((object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) => { return true; });
+            }
+        }
+    }
 }
 
 namespace VstsTaskSdk.FS

diff --git a/powershell/VstsTaskSdk/ServerOMFunctions.ps1 b/powershell/VstsTaskSdk/ServerOMFunctions.ps1
@@ -330,6 +330,9 @@ If not specified, defaults to the directory of the entry script for the task.
 # .PARAMETER ClientCert
 # ClientCert to use when initializing the HTTP client. If not specified, the default uses the client certificate agent current has.
 
+# .PARAMETER IgnoreSslError
+# Skip SSL server certificate validation on all requests made by this HTTP client. If not specified, the default is to validate SSL server certificate.
+
 .EXAMPLE
 $projectHttpClient = Get-VstsVssHttpClient -TypeName Microsoft.TeamFoundation.Core.WebApi.ProjectHttpClient
 $projectHttpClient.GetProjects().Result
@@ -348,7 +351,9 @@ function Get-VssHttpClient {
 
         $WebProxy = (Get-WebProxy),
 
-        $ClientCert = (Get-ClientCertificate))
+        $ClientCert = (Get-ClientCertificate),
+
+        [switch]$IgnoreSslError)
 
     Trace-EnteringInvocation -InvocationInfo $MyInvocation
     $originalErrorActionPreference = $ErrorActionPreference
@@ -379,13 +384,26 @@ function Get-VssHttpClient {
         $null = Get-OMType -TypeName 'Microsoft.VisualStudio.Services.WebApi.VssClientHttpRequestSettings' -OMKind 'WebApi' -OMDirectory $OMDirectory -Require
         [Microsoft.VisualStudio.Services.Common.VssHttpRequestSettings]$Settings = [Microsoft.VisualStudio.Services.WebApi.VssClientHttpRequestSettings]::Default.Clone()
 
-        if($ClientCert){
+        if ($ClientCert) {
             $null = Get-OMType -TypeName 'Microsoft.VisualStudio.Services.WebApi.VssClientCertificateManager' -OMKind 'WebApi' -OMDirectory $OMDirectory -Require
             $null = [Microsoft.VisualStudio.Services.WebApi.VssClientCertificateManager]::Instance.ClientCertificates.Add($ClientCert)
 
             $Settings.ClientCertificateManager = [Microsoft.VisualStudio.Services.WebApi.VssClientCertificateManager]::Instance
         }        
 
+        # Skip SSL server certificate validation
+        [bool]$SkipCertValidation = (Get-TaskVariable -Name Agent.SkipCertValidation -AsBool) -or $IgnoreSslError
+        if ($SkipCertValidation) {
+            if ($Settings.GetType().GetProperty('ServerCertificateValidationCallback')) {
+                Write-Verbose "Ignore any SSL server certificate validation errors.";
+                $Settings.ServerCertificateValidationCallback = [VstsTaskSdk.VstsHttpHandlerSettings]::UnsafeSkipServerCertificateValidation
+            }
+            else {
+                # OMDirectory has older version of Microsoft.VisualStudio.Services.Common.dll
+                Write-Verbose "The version of 'Microsoft.VisualStudio.Services.Common.dll' does not support skip SSL server certificate validation."
+            }
+        }
+
         # Try to construct the HTTP client.
         Write-Verbose "Constructing HTTP client."
         try {
@@ -416,7 +434,7 @@ function Get-VssHttpClient {
             # dependency on the 6.0.0.0 Newtonsoft.Json DLL, while other parts reference
             # the 8.0.0.0 Newtonsoft.Json DLL.
             Write-Verbose "Adding assembly resolver."
-            $onAssemblyResolve = [System.ResolveEventHandler]{
+            $onAssemblyResolve = [System.ResolveEventHandler] {
                 param($sender, $e)
 
                 if ($e.Name -like 'Newtonsoft.Json, *') {
@@ -464,8 +482,7 @@ function Get-WebProxy {
     param()
 
     Trace-EnteringInvocation -InvocationInfo $MyInvocation
-    try
-    {
+    try {
         # Min agent version that supports proxy
         Assert-Agent -Minimum '2.105.7'
 
@@ -498,15 +515,14 @@ function Get-ClientCertificate {
     param()
 
     Trace-EnteringInvocation -InvocationInfo $MyInvocation
-    try
-    {
+    try {
         # Min agent version that supports client certificate
         Assert-Agent -Minimum '2.122.0'
 
         [string]$clientCert = Get-TaskVariable -Name Agent.ClientCertArchive
         [string]$clientCertPassword = Get-TaskVariable -Name Agent.ClientCertPassword
 
-        if((Test-Path -LiteralPath $clientCert -PathType Leaf)) {
+        if ($clientCert -and (Test-Path -LiteralPath $clientCert -PathType Leaf)) {
             return New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($clientCert, $clientCertPassword)
         }        
     }

diff --git a/powershell/make.js b/powershell/make.js
@@ -28,7 +28,7 @@ target.build = function() {
     var minimatchPackage = util.downloadArchive('https://www.nuget.org/api/v2/package/minimatch/1.1.0');
     util.cp(path.join(minimatchPackage, 'lib', 'portable-net40%2Bsl50%2Bwin%2Bwp80', 'Minimatch.dll'), path.join(buildPath, 'VstsTaskSdk'));
 
-    var compiledHelperPackage = util.downloadArchive('https://vstsagenttools.blob.core.windows.net/tools/VstsTaskSdkCompiledHelpers/2/VstsTaskSdk.zip');
+    var compiledHelperPackage = util.downloadArchive('https://vstsagenttools.blob.core.windows.net/tools/VstsTaskSdkCompiledHelpers/3/VstsTaskSdk.zip');
     util.cp(path.join(compiledHelperPackage, 'VstsTaskSdk.dll'), path.join(buildPath, 'VstsTaskSdk'));
 
     // stamp the version number from the package.json onto the PowerShell module definition