Validate that bearer token is not used over http

Signed-off-by: Christian Ihle <[email protected]>

git/gogit/client.go

@@ -254,9 +254,12 @@ func (g *Client) validateUrl(u string) error {
 		return errors.New("URL cannot contain credentials when using HTTP")
 	}
 
-	if httpOrEmpty && g.authOpts != nil &&
-		(g.authOpts.Username != "" || g.authOpts.Password != "") {
-		return errors.New("basic auth cannot be sent over HTTP")
+	if httpOrEmpty && g.authOpts != nil {
+		if g.authOpts.Username != "" || g.authOpts.Password != "" {
+			return errors.New("basic auth cannot be sent over HTTP")
+		} else if g.authOpts.BearerToken != "" {
+			return errors.New("bearer token cannot be sent over HTTP")
+		}
 	}
 
 	return nil

git/gogit/client_test.go

@@ -660,6 +660,7 @@ func TestValidateUrl(t *testing.T) {
 		transport           git.TransportType
 		username            string
 		password            string
+		bearerToken         string
 		url                 string
 		credentialsOverHttp bool
 		expectedError       string
@@ -687,6 +688,26 @@ func TestValidateUrl(t *testing.T) {
 			password:  "pass",
 			url:       "https://url",
 		},
+		{
+			name:          "blocked: bearer token over http",
+			transport:     git.HTTP,
+			bearerToken:   "token",
+			url:           "http://url",
+			expectedError: "bearer token cannot be sent over HTTP",
+		},
+		{
+			name:                "allowed: bearer token over http with insecure enabled",
+			transport:           git.HTTP,
+			bearerToken:         "token",
+			url:                 "http://url",
+			credentialsOverHttp: true,
+		},
+		{
+			name:        "allowed: bearer token over https",
+			transport:   git.HTTPS,
+			bearerToken: "token",
+			url:         "https://url",
+		},
 	}
 
 	for _, tt := range tests {
@@ -699,9 +720,10 @@ func TestValidateUrl(t *testing.T) {
 			}
 
 			ggc, err := NewClient(t.TempDir(), &git.AuthOptions{
-				Transport: tt.transport,
-				Username:  tt.username,
-				Password:  tt.password,
+				Transport:   tt.transport,
+				Username:    tt.username,
+				Password:    tt.password,
+				BearerToken: tt.bearerToken,
 			}, opts...)
 			g.Expect(err).ToNot(HaveOccurred())
 

git/gogit/clone_test.go

@@ -988,6 +988,7 @@ func TestClone_CredentialsOverHttp(t *testing.T) {
 		name                     string
 		username                 string
 		password                 string
+		bearerToken              string
 		allowCredentialsOverHttp bool
 		transformURL             func(string) string
 		expectCloneErr           string
@@ -1009,6 +1010,11 @@ func TestClone_CredentialsOverHttp(t *testing.T) {
 			password:       "pass",
 			expectCloneErr: "basic auth cannot be sent over HTTP",
 		},
+		{
+			name:           "blocked: bearer token over HTTP",
+			bearerToken:    "token",
+			expectCloneErr: "bearer token cannot be sent over HTTP",
+		},
 		{
 			name: "blocked: URL based credential over HTTP (name)",
 			transformURL: func(s string) string {
@@ -1069,6 +1075,13 @@ func TestClone_CredentialsOverHttp(t *testing.T) {
 			allowCredentialsOverHttp: true,
 			expectRequest:            true,
 		},
+		{
+			name:                     "allowed: bearer token over HTTP",
+			bearerToken:              "token",
+			expectCloneErr:           "unable to clone",
+			allowCredentialsOverHttp: true,
+			expectRequest:            true,
+		},
 		{
 			name: "allowed: URL based credential over HTTP (name)",
 			transformURL: func(s string) string {
@@ -1129,9 +1142,10 @@ func TestClone_CredentialsOverHttp(t *testing.T) {
 			}
 
 			ggc, err := NewClient(tmpDir, &git.AuthOptions{
-				Transport: git.HTTP,
-				Username:  tt.username,
-				Password:  tt.password,
+				Transport:   git.HTTP,
+				Username:    tt.username,
+				Password:    tt.password,
+				BearerToken: tt.bearerToken,
 			}, opts...)
 
 			g.Expect(err).ToNot(HaveOccurred())