From c17a1a7ce0893d57a18e8876623adb0353b242ba Mon Sep 17 00:00:00 2001 From: witchard Date: Wed, 22 Apr 2020 07:20:31 +0100 Subject: [PATCH 1/3] cmd/go/internal/get: add GOINSECURE support Adds support for the GOINSECURE environment variable to GOPATH mode. --- src/cmd/go/alldocs.go | 5 +++- src/cmd/go/internal/get/get.go | 16 +++++----- .../go/testdata/script/get_insecure_env.txt | 29 +++++++++++++++++++ 3 files changed, 42 insertions(+), 8 deletions(-) create mode 100644 src/cmd/go/testdata/script/get_insecure_env.txt diff --git a/src/cmd/go/alldocs.go b/src/cmd/go/alldocs.go index 98861c8a0d204e..8ad4f66d09ac37 100644 --- a/src/cmd/go/alldocs.go +++ b/src/cmd/go/alldocs.go @@ -2172,7 +2172,10 @@ // before resolving dependencies or building the code. // // The -insecure flag permits fetching from repositories and resolving -// custom domains using insecure schemes such as HTTP. Use with caution. +// custom domains using insecure schemes such as HTTP. Use with caution. The +// GOINSECURE environment variable is usually a better alternative, since it +// provides control over which modules may be retrieved using an insecure scheme. +// See 'go help environment' for details. // // The -t flag instructs get to also download the packages required to build // the tests for the specified packages. diff --git a/src/cmd/go/internal/get/get.go b/src/cmd/go/internal/get/get.go index e5bacadaa324c4..b214f172cb8c6e 100644 --- a/src/cmd/go/internal/get/get.go +++ b/src/cmd/go/internal/get/get.go 
@@ -41,7 +41,10 @@ The -fix flag instructs get to run the fix tool on the downloaded packages before resolving dependencies or building the code. The -insecure flag permits fetching from repositories and resolving -custom domains using insecure schemes such as HTTP. Use with caution. +custom domains using insecure schemes such as HTTP. Use with caution. The +GOINSECURE environment variable is usually a better alternative, since it +provides control over which modules may be retrieved using an insecure scheme. +See 'go help environment' for details. The -t flag instructs get to also download the packages required to build the tests for the specified packages. @@ -409,11 +412,6 @@ func downloadPackage(p *load.Package) error { blindRepo bool // set if the repo has unusual configuration ) - security := web.SecureOnly - if Insecure { - security = web.Insecure - } - // p can be either a real package, or a pseudo-package whose “import path” is // actually a wildcard pattern. // Trim the path at the element containing the first wildcard, @@ -430,6 +428,10 @@ func downloadPackage(p *load.Package) error { if err := CheckImportPath(importPrefix); err != nil { return fmt.Errorf("%s: invalid import path: %v", p.ImportPath, err) } + security := web.SecureOnly + if Insecure || str.GlobsMatchPath(cfg.GOINSECURE, importPrefix) { + security = web.Insecure + } if p.Internal.Build.SrcRoot != "" { // Directory exists. Look for checkout along path to src. @@ -473,7 +475,7 @@ func downloadPackage(p *load.Package) error { } vcs, repo, rootPath = rr.vcs, rr.Repo, rr.Root } - if !blindRepo && !vcs.isSecure(repo) && !Insecure { + if !blindRepo && !vcs.isSecure(repo) && security == web.SecureOnly { return fmt.Errorf("cannot download, %v uses insecure protocol", repo) } diff --git a/src/cmd/go/testdata/script/get_insecure_env.txt b/src/cmd/go/testdata/script/get_insecure_env.txt new file mode 100644 index 00000000000000..9864f128ce2903 --- /dev/null 
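Review bot: In the hunk at get.go -430, the GOINSECURE match is made against `importPrefix`, but the resulting `security` value later gates `vcs.isSecure(repo)` for whatever repository that path resolves to (`rr.Repo` in the -473 hunk), so a pattern written for an import path also permits an insecure fetch from a different host returned by custom-domain resolution. That looks intended, but nothing in the code says so; a comment above the assignment would help, e.g. `// A GOINSECURE match covers both import-path discovery and the VCS fetch of the repo it resolves to.` No integrity check on the downloaded code is visible in these hunks, so the comment could also say that a match means the fetched source is unauthenticated. The same condition is kept in PATCH 3/3, which only swaps the matcher; downloadPackage starts and ends outside these hunks.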
+++ b/src/cmd/go/testdata/script/get_insecure_env.txt
@@ -0,0 +1,29 @@
+[!net] skip
+[!exec:git] skip
+
+# GOPATH: Set up
+env GO111MODULE=off
+
+# GOPATH: Try go get -d of HTTP-only repo (should fail).
+! go get -d insecure.go-get-issue-15410.appspot.com/pkg/p
+
+# GOPATH: Try again with invalid GOINSECURE (should fail).
+env GOINSECURE=insecure.go-get-issue-15410.appspot.com/pkg/q
+! go get -d insecure.go-get-issue-15410.appspot.com/pkg/p
+
+# GOPATH: Try with correct GOINSECURE (should succeed).
+env GOINSECURE=insecure.go-get-issue-15410.appspot.com/pkg/p
+go get -d insecure.go-get-issue-15410.appspot.com/pkg/p
+
+# GOPATH: Try updating without GOINSECURE (should fail).
+env GOINSECURE=
+! go get -d -u -f insecure.go-get-issue-15410.appspot.com/pkg/p
+
+# GOPATH: Try updating with GOINSECURE glob (should succeed).
+env GOINSECURE=insecure.go-get-*
+go get -d -u -f insecure.go-get-issue-15410.appspot.com/pkg/p
+
+# GOPATH: Try updating with GOINSECURE base URL (should succeed).
+env GOINSECURE=insecure.go-get-issue-15410.appspot.com
+go get -d -u -f insecure.go-get-issue-15410.appspot.com/pkg/p
+
From 08657ede9873312515aff72cba842dcff33fce8e Mon Sep 17 00:00:00 2001
From: witchard
Date: Fri, 24 Apr 2020 06:59:19 +0100
Subject: [PATCH 2/3] Make logic in security check more robust, make tests more realistic.
---
src/cmd/go/internal/get/get.go | 2 +-
src/cmd/go/testdata/script/get_insecure_env.txt | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/cmd/go/internal/get/get.go b/src/cmd/go/internal/get/get.go
index b214f172cb8c6e..102c585291f9c8 100644
--- a/src/cmd/go/internal/get/get.go
+++ b/src/cmd/go/internal/get/get.go
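Review bot: The negative cases in get_insecure_env.txt assert only `! go get`, so they pass on any failure, including the test host being unreachable, and would not notice if the insecure-protocol rejection stopped being the reason. For the update case after `env GOINSECURE=`, adding `stderr 'uses insecure protocol'` should pin the failure to the check in downloadPackage (the message `cannot download, %v uses insecure protocol` in get.go). The first two cases probably fail earlier, during import-path resolution, so their expected text needs confirming before asserting on it. There is also no case where a wildcard pattern is set but must not match, which is the direction that matters for keeping the exemption narrow.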
@@ -475,7 +475,7 @@ func downloadPackage(p *load.Package) error { } vcs, repo, rootPath = rr.vcs, rr.Repo, rr.Root } - if !blindRepo && !vcs.isSecure(repo) && security == web.SecureOnly { + if !blindRepo && !vcs.isSecure(repo) && security != web.Insecure { return fmt.Errorf("cannot download, %v uses insecure protocol", repo) } diff --git a/src/cmd/go/testdata/script/get_insecure_env.txt b/src/cmd/go/testdata/script/get_insecure_env.txt index 9864f128ce2903..8d88427c319d22 100644 --- a/src/cmd/go/testdata/script/get_insecure_env.txt +++ b/src/cmd/go/testdata/script/get_insecure_env.txt @@ -20,7 +20,7 @@ env GOINSECURE= ! go get -d -u -f insecure.go-get-issue-15410.appspot.com/pkg/p # GOPATH: Try updating with GOINSECURE glob (should succeed). -env GOINSECURE=insecure.go-get-* +env GOINSECURE=*.go-get-*.appspot.com go get -d -u -f insecure.go-get-issue-15410.appspot.com/pkg/p # GOPATH: Try updating with GOINSECURE base URL (should succeed). From e298c0009eb5eba537bb00185a8778d2aab696ba Mon Sep 17 00:00:00 2001 From: witchard Date: Sun, 30 Aug 2020 19:13:50 +0100 Subject: [PATCH 3/3] Modified to use extracted MatchPrefixPatterns function. --- src/cmd/go/internal/get/get.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/cmd/go/internal/get/get.go b/src/cmd/go/internal/get/get.go index 102c585291f9c8..0f314fd4aac9b7 100644 --- a/src/cmd/go/internal/get/get.go +++ b/src/cmd/go/internal/get/get.go @@ -20,6 +20,8 @@ import ( "cmd/go/internal/str" "cmd/go/internal/web" "cmd/go/internal/work" + + "golang.org/x/mod/module" ) var CmdGet = &base.Command{ @@ -429,7 +431,7 @@ func downloadPackage(p *load.Package) error { return fmt.Errorf("%s: invalid import path: %v", p.ImportPath, err) } security := web.SecureOnly - if Insecure || str.GlobsMatchPath(cfg.GOINSECURE, importPrefix) { + if Insecure || module.MatchPrefixPatterns(cfg.GOINSECURE, importPrefix) { security = web.Insecure }
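Review bot: The PATCH 2/3 change to `security != web.Insecure` (get.go -475) makes the repo check fail closed for every mode other than an explicit opt-in, but nothing on the line says so. A comment above the `if`, such as `// Fail closed: only -insecure or a GOINSECURE match may use an insecure repo URL.`, would keep a later edit from reverting it to an equality test. Note also that `!blindRepo` short-circuits the whole condition, so for a repo flagged as blind the scheme is not checked regardless of GOINSECURE. Where blindRepo is set is outside these hunks, so whether that path can reach an insecure remote needs checking in the full function.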