apollographql · EverlastingBugstopper · Sep 23, 2021 · Sep 21, 2021 · Sep 22, 2021 · Sep 22, 2021
@@ -53,6 +53,7 @@ git-url-parse = "0.3"
 git2 = { version = "0.13", default-features = false, features = ["vendored-openssl"] }
 harmonizer = { version = "0.27.0", optional = true }
 heck = "0.3"
+lazycell = "1"
 opener = "0.5"
 os_info = "3.0"
 prettytable-rs = "0.8"

@@ -265,6 +265,14 @@ If you use a version control system besides Git, you can use the environment var
 
 Currently, only Git is fully supported by Apollo Studio.
 
+## Bypass SSL/TLS Validation
+
+Sometimes, you may want to perform HTTPS requests from Rover, but skip validation checks. This is generally not recommended and insecure, but there are two flags you can use to configure how Rover validates HTTPS requests.
+
+The `--insecure-accept-invalid-hostnames` flag will disable hostname validation. If hostname verification is not used, any valid certificate for any site will be trusted for use from any other. This introduces a significant vulnerability to man-in-the-middle attacks.
+
+The `--insecure-accept-invalid-certs` flag will disable certificate validation. If invalid certificates are trusted, any certificate for any site will be trusted for use. This includes expired certificates. This introduces significant vulnerabilities, and should only be used as a last resort.
+
 ## Supported environment variables
 
 You can configure Rover's behavior by setting the environment variables listed below.

@@ -1,12 +1,13 @@
 use camino::Utf8PathBuf;
+use lazycell::AtomicLazyCell;
 use reqwest::blocking::Client;
 use serde::Serialize;
 use structopt::{clap::AppSettings, StructOpt};
 
 use crate::command::output::JsonOutput;
 use crate::command::{self, RoverOutput};
 use crate::utils::{
-    client::StudioClientConfig,
+    client::{get_configured_client, StudioClientConfig},
     env::{RoverEnv, RoverEnvKey},
     stringify::option_from_display,
     version,
@@ -66,13 +67,40 @@ pub struct Rover {
     #[structopt(long = "output", default_value = "plain", possible_values = &["json", "plain"], case_insensitive = true, global = true)]
     output_type: OutputType,
 
+    /// Accept invalid certificates when performing HTTPS requests.
+    ///
+    /// You should think very carefully before using this flag.
+    ///
+    /// If invalid certificates are trusted, any certificate for any site will be trusted for use.
+    /// This includes expired certificates.
+    /// This introduces significant vulnerabilities, and should only be used as a last resort.
+    #[structopt(
+        long = "insecure-accept-invalid-certs",
+        case_insensitive = true,
+        global = true
+    )]
+    accept_invalid_certs: bool,
+
+    /// Accept invalid hostnames when performing HTTPS requests.
+    ///
+    /// You should think very carefully before using this flag.
+    ///
+    /// If hostname verification is not used, any valid certificate for any site will be trusted for use from any other.
+    /// This introduces a significant vulnerability to man-in-the-middle attacks.
+    #[structopt(
+        long = "insecure-accept-invalid-hostnames",
+        case_insensitive = true,
+        global = true
+    )]
+    accept_invalid_hostnames: bool,
+
     #[structopt(skip)]
     #[serde(skip_serializing)]
     pub(crate) env_store: RoverEnv,
 
     #[structopt(skip)]
     #[serde(skip_serializing)]
-    client: Client,
+    client: AtomicLazyCell<Client>,
 }
 
 impl Rover {
@@ -214,8 +242,20 @@ impl Rover {
     }
 
     pub(crate) fn get_reqwest_client(&self) -> Client {
-        // we can use clone here freely since `reqwest` uses an `Arc` under the hood
-        self.client.clone()
+        // return a clone of the underlying client if it's already been populated
+        if let Some(client) = self.client.borrow() {
+            // we can use clone here freely since `reqwest` uses an `Arc` under the hood
+            client.clone()
+        } else {
+            // if a request hasn't been made yet, this cell won't be populated yet
+            self.client
+                .fill(
+                    get_configured_client(self.accept_invalid_certs, self.accept_invalid_hostnames)
+                        .expect("Could not configure the request client"),
+                )
+                .expect("Could not overwrite the existing request client");
+            self.get_reqwest_client()
+        }
     }
 }
 

@@ -8,6 +8,19 @@ use rover_client::blocking::StudioClient;
 /// the Apollo graph registry's production API endpoint
 const STUDIO_PROD_API_ENDPOINT: &str = "https://graphql.api.apollographql.com/api/graphql";
 
+pub(crate) fn get_configured_client(
+    accept_invalid_certs: bool,
+    accept_invalid_hostnames: bool,
+) -> Result<Client> {
+    let client = Client::builder()
+        .gzip(true)
+        .brotli(true)
+        .danger_accept_invalid_certs(accept_invalid_certs)
+        .danger_accept_invalid_hostnames(accept_invalid_hostnames)
+        .build()?;
+    Ok(client)
+}
+
 pub struct StudioClientConfig {
     pub(crate) config: config::Config,
     client: Client,