catching and cleanly reporting SSL errors in Ci::Config::External::Processor

b26fd49e · drew cimino · 95bbcf08 · b26fd49e · b26fd49e · b26fd49e
Commit b26fd49e authored Apr 04, 2019 by drew cimino
3 changed files
--- a/changelogs/unreleased/ci-lint-ssl-error.yml
+++ b/changelogs/unreleased/ci-lint-ssl-error.yml
+---
+title: Catch and report OpenSSL exceptions while fetching external configuration files
+  in CI::Config
+merge_request: 26750
+author: Drew Cimino
+type: fixed
--- a/lib/gitlab/ci/config/external/processor.rb
+++ b/lib/gitlab/ci/config/external/processor.rb
@@ -11,7 +11,8 @@ module Gitlab
            @values = values
            @external_files = External::Mapper.new(values, project: project, sha: sha, user: user, expandset: expandset).process
            @content = {}
-          rescue External::Mapper::Error => e
+          rescue External::Mapper::Error,
+                 OpenSSL::SSL::SSLError => e
            raise IncludeError, e.message
          end


--- a/spec/lib/gitlab/ci/config/external/processor_spec.rb
+++ b/spec/lib/gitlab/ci/config/external/processor_spec.rb
@@ -270,5 +270,27 @@ describe Gitlab::Ci::Config::External::Processor do
        end
      end
    end
+
+    context 'when config includes an external configuration file via SSL web request' do
+      before do
+        stub_request(:get, 'https://sha256.badssl.com/fake.yml').to_return(body: 'image: ruby:2.6', status: 200)
+        stub_request(:get, 'https://self-signed.badssl.com/fake.yml')
+          .to_raise(OpenSSL::SSL::SSLError.new('SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)'))
+      end
+
+      context 'with an acceptable certificate' do
+        let(:values) { { include: 'https://sha256.badssl.com/fake.yml' } }
+
+        it { is_expected.to include(image: 'ruby:2.6') }
+      end
+
+      context 'with a self-signed certificate' do
+        let(:values) { { include: 'https://self-signed.badssl.com/fake.yml' } }
+
+        it 'returns a reportable configuration error' do
+          expect { subject }.to raise_error(described_class::IncludeError, /certificate verify failed/)
+        end
+      end
+    end
  end
 end