Introduce GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY=1 to skip SSL cert verification for the runner. (#1616)

TingluoHuang · web-flow · commit ac31fd10b26b · 2022-01-19T10:31:17.000-05:00
diff --git a/src/Runner.Common/HostContext.cs b/src/Runner.Common/HostContext.cs
@@ -193,6 +193,11 @@ public HostContext(string hostType, string logFile = null)
                 _trace.Info($"No proxy settings were found based on environmental variables (http_proxy/https_proxy/HTTP_PROXY/HTTPS_PROXY)");
             }
 
+            if (StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY")))
+            {
+                _trace.Warning($"Runner is running under insecure mode: HTTPS server certifcate validation has been turned off by GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY environment variable.");
+            }
+
             var credFile = GetConfigFile(WellKnownConfigFile.Credentials);
             if (File.Exists(credFile))
             {
@@ -350,7 +355,7 @@ public string GetConfigFile(WellKnownConfigFile configFile)
                         GetDirectory(WellKnownDirectory.Root),
                         ".setup_info");
                     break;
-                
+
                 case WellKnownConfigFile.Telemetry:
                     path = Path.Combine(
                         GetDirectory(WellKnownDirectory.Diag),
diff --git a/src/Runner.Common/HttpClientHandlerFactory.cs b/src/Runner.Common/HttpClientHandlerFactory.cs
@@ -1,3 +1,4 @@
+using System;
 using System.Net.Http;
 using GitHub.Runner.Sdk;
 
@@ -13,7 +14,14 @@ public class HttpClientHandlerFactory : RunnerService, IHttpClientHandlerFactory
     {
         public HttpClientHandler CreateClientHandler(RunnerWebProxy webProxy)
         {
-            return new HttpClientHandler() { Proxy = webProxy };
+            var client = new HttpClientHandler() { Proxy = webProxy };
+
+            if (StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY")))
+            {
+                client.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
+            }
+
+            return client;
         }
     }
 }
diff --git a/src/Runner.Sdk/Util/VssUtil.cs b/src/Runner.Sdk/Util/VssUtil.cs
@@ -27,6 +27,11 @@ public static void InitializeVssClientSettings(List<ProductInfoHeaderValue> addi
 
             VssClientHttpRequestSettings.Default.UserAgent = headerValues;
             VssHttpMessageHandler.DefaultWebProxy = proxy;
+
+            if (StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY")))
+            {
+                VssClientHttpRequestSettings.Default.ServerCertificateValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
+            }
         }
 
         public static VssConnection CreateConnection(Uri serverUri, VssCredentials credentials, IEnumerable<DelegatingHandler> additionalDelegatingHandler = null, TimeSpan? timeout = null)

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+using System;`
`1`	`2`	`using System.Net.Http;`
`2`	`3`	`using GitHub.Runner.Sdk;`
`3`	`4`
`@@ -13,7 +14,14 @@ public class HttpClientHandlerFactory : RunnerService, IHttpClientHandlerFactory`
`13`	`14`	`{`
`14`	`15`	`public HttpClientHandler CreateClientHandler(RunnerWebProxy webProxy)`
`15`	`16`	`{`
`16`		`- return new HttpClientHandler() { Proxy = webProxy };`
	`17`	`+ var client = new HttpClientHandler() { Proxy = webProxy };`
	`18`	`+`
	`19`	`+ if (StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY")))`
	`20`	`+ {`
	`21`	`+ client.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;`
	`22`	`+ }`
	`23`	`+`
	`24`	`+ return client;`
`17`	`25`	`}`
`18`	`26`	`}`
`19`	`27`	`}`