From 73d4a2995b48193cd015272fc3266c8adfbf5084 Mon Sep 17 00:00:00 2001
From: Maciej Barelkowski <maciej.barelkowski@camunda.com>
Date: Mon, 17 Oct 2022 18:38:08 +0200
Subject: [PATCH] fix: set explicitly `useTLS=false` for http endpoints

Closes #3152
---
 app/lib/zeebe-api/zeebe-api.js  | 12 +++----
 app/test/spec/zeebe-api-spec.js | 64 +++++++++++++++++++++++++++++++--
 2 files changed, 67 insertions(+), 9 deletions(-)

diff --git a/app/lib/zeebe-api/zeebe-api.js b/app/lib/zeebe-api/zeebe-api.js
index 0e9564c11e..6f847b6d93 100644
--- a/app/lib/zeebe-api/zeebe-api.js
+++ b/app/lib/zeebe-api/zeebe-api.js
@@ -283,8 +283,7 @@ class ZeebeAPI {
           clientId: endpoint.clientId,
           clientSecret: endpoint.clientSecret,
           cacheOnDisk: false
-        },
-        useTLS: true
+        }
       };
     } else if (type === endpointTypes.CAMUNDA_CLOUD) {
       options = {
@@ -308,11 +307,10 @@ class ZeebeAPI {
   async _withTLSConfig(url, options) {
     const rootCerts = [];
 
-    // (0) force TLS only for https endpoints; don't parse the URL to avoid errors at this step
-    const tlsOptions = {};
-    if (/^https:\/\//.test(url)) {
-      tlsOptions.useTLS = true;
-    }
+    // (0) set `useTLS` according to the protocol
+    const tlsOptions = {
+      useTLS: options.useTLS || /^https:\/\//.test(url)
+    };
 
     // (1) use certificate from flag
     const customCertificatePath = this._flags.get('zeebe-ssl-certificate');
diff --git a/app/test/spec/zeebe-api-spec.js b/app/test/spec/zeebe-api-spec.js
index 9d60943054..33f8c77915 100644
--- a/app/test/spec/zeebe-api-spec.js
+++ b/app/test/spec/zeebe-api-spec.js
@@ -1469,7 +1469,7 @@ describe('ZeebeAPI', function() {
     });
 
 
-    it('should NOT set `useTLS` for http endpoint', async () => {
+    it('should set `useTLS=false` for http endpoint (no auth)', async () => {
 
       // given
       let usedConfig;
@@ -1495,7 +1495,67 @@ describe('ZeebeAPI', function() {
       await zeebeAPI.deploy(parameters);
 
       // then
-      expect(usedConfig[1]).not.to.have.property('useTLS');
+      expect(usedConfig[1]).to.have.property('useTLS', false);
+    });
+
+
+    it('should set `useTLS=false` for http endpoint (oauth)', async () => {
+
+      // given
+      let usedConfig;
+
+      const zeebeAPI = mockZeebeNode({
+        ZBClient: function(...args) {
+          usedConfig = args;
+
+          return {
+            deployProcess: noop
+          };
+        }
+      });
+
+      const parameters = {
+        endpoint: {
+          type: 'oauth',
+          url: 'http://camunda.com'
+        }
+      };
+
+      // when
+      await zeebeAPI.deploy(parameters);
+
+      // then
+      expect(usedConfig[1]).to.have.property('useTLS', false);
+    });
+
+
+    it('should set NOT `useTLS=false` for no protocol endpoint (cloud)', async () => {
+
+      // given
+      let usedConfig;
+
+      const zeebeAPI = mockZeebeNode({
+        ZBClient: function(...args) {
+          usedConfig = args;
+
+          return {
+            deployProcess: noop
+          };
+        }
+      });
+
+      const parameters = {
+        endpoint: {
+          type: 'camundaCloud',
+          url: 'camunda.com'
+        }
+      };
+
+      // when
+      await zeebeAPI.deploy(parameters);
+
+      // then
+      expect(usedConfig[1]).to.have.property('useTLS', true);
     });
   });