From 24d674e2b7f73598a64676fb4b40af58b38de7dc Mon Sep 17 00:00:00 2001
From: Matt Rogers
Date: Thu, 15 Aug 2024 10:33:35 +0100
Subject: [PATCH] fix: correctly set tlsRejectUnauthorized
---
 charts/snyk-broker/templates/_helpers.tpl | 16 ++++
 .../templates/broker_deployment.yaml | 3 +-
 .../templates/code_agent_deployment.yaml | 9 +--
 .../snyk-broker/templates/cra_deployment.yaml | 3 +-
 ...roker_cra_deployment_disable_tls_test.yaml | 78 +++++++++++++++++++
 5 files changed, 102 insertions(+), 7 deletions(-)
 create mode 100644 charts/snyk-broker/tests/broker_cra_deployment_disable_tls_test.yaml
diff --git a/charts/snyk-broker/templates/_helpers.tpl b/charts/snyk-broker/templates/_helpers.tpl
index 7a7f077..35a850e 100644
--- a/charts/snyk-broker/templates/_helpers.tpl
+++ b/charts/snyk-broker/templates/_helpers.tpl
@@ -135,3 +135,19 @@ include "snyk-broker.genericSecretName" (dict "Context" $ "secretName" "secret-n
 {{- define "snyk-broker.caCertSecretName" -}}
 {{- include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "cacert-secret" ) -}}
 {{- end }}
+
+{{/*
+Handle tlsRejectUnauthorized.
+If this is set to `false` (bool) we _want_ to disable trust. We don't allow `true`.
+If this is set to "" we want to enable trust - any other allowed string value disables.
+Checking for definition is insufficient
+*/}}
+{{- define "snyk-broker.setTlsRejectUnauthorized" -}}
+{{- $tlsRejectUnauthorized := .Values.tlsRejectUnauthorized -}}
+{{- if eq (kindOf $tlsRejectUnauthorized ) "bool" -}}
+true
+{{- end }}
+{{- if ( and ( eq (kindOf $tlsRejectUnauthorized ) "string") ( not ( eq $tlsRejectUnauthorized "" ) ) ) -}}
+true
+{{- end }}
+{{- end }}
diff --git a/charts/snyk-broker/templates/broker_deployment.yaml b/charts/snyk-broker/templates/broker_deployment.yaml
index e38ad34..daf7d2b 100644
--- a/charts/snyk-broker/templates/broker_deployment.yaml
+++ b/charts/snyk-broker/templates/broker_deployment.yaml
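Review bot: The bool branch of `snyk-broker.setTlsRejectUnauthorized` emits `true` for any boolean, so a value of `true` would disable certificate verification — the opposite of what the key name says — and only the chart schema (not part of this diff; the last test case expects its error) prevents that. Checking the value as well as its kind keeps the helper safe on its own: `{{- if and (eq (kindOf $tlsRejectUnauthorized) "bool") (not $tlsRejectUnauthorized) -}}`. The header comment should also state the contract the deployments rely on — that the helper renders the literal string `true` when NODE_TLS_REJECT_UNAUTHORIZED=0 should be emitted and an empty string otherwise — since `include` always returns a string and the callers test it with `if`/`and`, where only `""` is falsy.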
@@ -1,3 +1,4 @@ +{{ $setTlsRejectUnauthorized := include "snyk-broker.setTlsRejectUnauthorized" . }} apiVersion: apps/v1 kind: Deployment metadata: @@ -428,7 +429,7 @@ spec: - name: HTTPS_KEY value: /home/node/tls-cert/tls.key {{- end }} - {{- if or ( and .Values.tlsRejectUnauthorized (not .Values.caCert ) (not .Values.caCertFile) ) ( and (or .Values.caCert .Values.caCertFile ) .Values.disableCaCertTrust ) }} + {{- if or ( and $setTlsRejectUnauthorized (not .Values.caCert ) (not .Values.caCertFile) ) ( and (or .Values.caCert .Values.caCertFile ) .Values.disableCaCertTrust ) }} # Troubleshooting - Set to 0 for SSL inspection testing - name: NODE_TLS_REJECT_UNAUTHORIZED value: "0" diff --git a/charts/snyk-broker/templates/code_agent_deployment.yaml b/charts/snyk-broker/templates/code_agent_deployment.yaml index dbd291a..0071a7a 100644 --- a/charts/snyk-broker/templates/code_agent_deployment.yaml +++ b/charts/snyk-broker/templates/code_agent_deployment.yaml @@ -1,3 +1,4 @@ +{{ $setTlsRejectUnauthorized := include "snyk-broker.setTlsRejectUnauthorized" . }} {{- if .Values.enableCodeAgent }} apiVersion: apps/v1 kind: Deployment @@ -60,7 +61,7 @@ spec: secretKeyRef: name: snyk-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} key: snyk-token-key - {{- if .Values.tlsRejectUnauthorized }} + {{- if $setTlsRejectUnauthorized }} # Troubleshooting - Set to 0 for SSL inspection testing - name: NODE_TLS_REJECT_UNAUTHORIZED value: "0" @@ -78,10 +79,9 @@ spec: {{- range .Values.env }} # custom env var in override.yaml - name: {{ .name }} - value: {{ .value | squote }} + value: {{ .value | squote }} {{- end}} - ---- +--- apiVersion: v1 kind: Service metadata: @@ -97,5 +97,4 @@ spec: selector: app.kubernetes.io/name: {{ .Release.Name }}-ca app.kubernetes.io/instance: {{ .Release.Name }} - {{- end }} diff --git a/charts/snyk-broker/templates/cra_deployment.yaml b/charts/snyk-broker/templates/cra_deployment.yaml index fb83432..6620369 100644 
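Review bot: The new first line `{{ $setTlsRejectUnauthorized := include "snyk-broker.setTlsRejectUnauthorized" . }}` has no whitespace-trim markers, so every rendered manifest now begins with an empty line; the same line is added to code_agent_deployment.yaml and cra_deployment.yaml. Kubernetes accepts it, but it adds noise to `helm template` output and to manifest diffs: `{{- $setTlsRejectUnauthorized := include "snyk-broker.setTlsRejectUnauthorized" . -}}`. In the second hunk the guard now depends on the helper returning `""` for the "keep verifying" case, which is not visible at the call site; a template comment above the condition such as `{{- /* $setTlsRejectUnauthorized is "true" only when upstream certificate verification should be switched off */}}` would make that explicit without reaching the rendered YAML. The container spec this hunk edits begins well before the hunk.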
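Review bot: In code_agent_deployment.yaml the NODE_TLS_REJECT_UNAUTHORIZED env var is gated on `{{- if $setTlsRejectUnauthorized }}` alone, whereas broker_deployment.yaml in this same commit additionally requires that no `caCert`/`caCertFile` is configured and honours `disableCaCertTrust`; the cra_deployment.yaml hunk has the same single-condition gate. If the code agent and CRA containers deliberately do not use the custom-CA settings, a template comment saying so (`{{- /* caCert / disableCaCertTrust are not applied to this container */}}`) would stop the next reader from treating the difference as a bug; if they do use them, the broker's condition should presumably be reused here so that supplying a CA bundle does not leave verification disabled in these pods. The surrounding `env:` list starts before the hunk.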
--- a/charts/snyk-broker/templates/cra_deployment.yaml +++ b/charts/snyk-broker/templates/cra_deployment.yaml @@ -1,3 +1,4 @@ +{{ $setTlsRejectUnauthorized := include "snyk-broker.setTlsRejectUnauthorized" . }} {{- if eq .Values.scmType "container-registry-agent" }} apiVersion: apps/v1 kind: Deployment @@ -52,7 +53,7 @@ spec: env: - name: SNYK_PORT value: {{ .Values.deployment.container.crSnykPort | squote }} - {{- if .Values.tlsRejectUnauthorized }} + {{- if $setTlsRejectUnauthorized }} # Troubleshooting - Set to 0 for SSL inspection testing - name: NODE_TLS_REJECT_UNAUTHORIZED value: "0" diff --git a/charts/snyk-broker/tests/broker_cra_deployment_disable_tls_test.yaml b/charts/snyk-broker/tests/broker_cra_deployment_disable_tls_test.yaml new file mode 100644 index 0000000..1bee671 --- /dev/null +++ b/charts/snyk-broker/tests/broker_cra_deployment_disable_tls_test.yaml 
@@ -0,0 +1,78 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: test broker deployment with CA
+chart:
+ version: 0.0.0
+templates:
+ - broker_deployment.yaml
+ - cra_deployment.yaml
+values:
+ - ./fixtures/default_values.yaml
+ - ./fixtures/default_values_cra.yaml
+
+tests:
+ - it: disables tls trust with "disable" (string)
+ set:
+ tlsRejectUnauthorized: "disable"
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: NODE_TLS_REJECT_UNAUTHORIZED
+ value: "0"
+ documentSelector:
+ path: kind
+ value: Deployment
+ - it: disables tls trust with "0" (string)
+ set:
+ tlsRejectUnauthorized: "0"
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: NODE_TLS_REJECT_UNAUTHORIZED
+ value: "0"
+ documentSelector:
+ path: kind
+ value: Deployment
+ - it: disables tls trust with "false" (string)
+ set:
+ tlsRejectUnauthorized: "false"
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: NODE_TLS_REJECT_UNAUTHORIZED
+ value: "0"
+ documentSelector:
+ path: kind
+ value: Deployment
+ - it: disables tls trust with false (boolean)
+ set:
+ tlsRejectUnauthorized: false
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: NODE_TLS_REJECT_UNAUTHORIZED
+ value: "0"
+ documentSelector:
+ path: kind
+ value: Deployment
+ - it: enables tls trust by default "" (string)
+ set:
+ tlsRejectUnauthorized: ""
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: NODE_TLS_REJECT_UNAUTHORIZED
+ value: "0"
+ documentSelector:
+ path: kind
+ value: Deployment
+ - it: does not allow true (bool)
+ set:
+ tlsRejectUnauthorized: true
+ asserts:
+ - failedTemplate:
+ errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\nsnyk-broker:\n- tlsRejectUnauthorized: tlsRejectUnauthorized must be one of 
the following: \"\", \"0\", \"false\", false, \"disable\"\n"
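Review bot: The suite is named `test broker deployment with CA`, yet no case sets `caCert`, `caCertFile` or `disableCaCertTrust`, so the interaction that broker_deployment.yaml's condition encodes — a configured CA bundle overriding `tlsRejectUnauthorized` — is left untested; a name like `test tlsRejectUnauthorized handling` would match what is covered, and a case that combines `caCert` with `tlsRejectUnauthorized: "disable"` and asserts `notContains` would pin the override (scoped with `template: broker_deployment.yaml`, since the CRA deployment in the same suite gates on `$setTlsRejectUnauthorized` alone). A case with the key left unset would also pin the helper's `kindOf` handling for a nil value. The last case compares the full schema error text verbatim, including the `\n` separators and the list of allowed values, so any rewording of the schema message fails it; helm-unittest's `errorPattern` with a short regex on `tlsRejectUnauthorized must be one of` would be more robust.

```yaml
  # … unchanged: existing cases …
  - it: keeps tls trust when a CA bundle is configured
    set:
      tlsRejectUnauthorized: "disable"
      caCert: "<placeholder: same value shape the fixtures use for caCert>"
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].env
          content:
            name: NODE_TLS_REJECT_UNAUTHORIZED
            value: "0"
        template: broker_deployment.yaml
        documentSelector:
          path: kind
          value: Deployment
```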