mirror of https://github.com/project-zot/zot.git synced 2025-01-06 22:40:28 -05:00

Use InsecureSkipVerify only with https upstreams

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Petu Eusebiu 2022-01-27 14:45:46 +02:00 committed by Ramkumar Chinchani
parent e0a1a82890
commit b9250a783a
2 changed files with 24 additions and 2 deletions


@ -143,13 +143,17 @@ func TestSyncInternal(t *testing.T) {
var tlsVerify bool
updateDuration := time.Microsecond
port := GetFreePort()
baseURL := GetBaseURL(port)
baseSecureURL := GetSecureBaseURL(port)
syncRegistryConfig := RegistryConfig{
Content: []Content{
{
Prefix: testImage,
},
},
URL: BaseURL,
URL: baseURL,
PollInterval: updateDuration,
TLSVerify: &tlsVerify,
CertDir: badCertsDir,
@ -158,6 +162,17 @@ func TestSyncInternal(t *testing.T) {
_, err = getHTTPClient(&syncRegistryConfig, Credentials{}, log.NewLogger("debug", ""))
So(err, ShouldNotBeNil)
syncRegistryConfig.CertDir = "/path/to/invalid/cert"
_, err = getHTTPClient(&syncRegistryConfig, Credentials{}, log.NewLogger("debug", ""))
So(err, ShouldNotBeNil)
syncRegistryConfig.CertDir = ""
syncRegistryConfig.URL = baseSecureURL
_, err = getHTTPClient(&syncRegistryConfig, Credentials{}, log.NewLogger("debug", ""))
So(err, ShouldBeNil)
syncRegistryConfig.URL = BaseURL
_, err = getHTTPClient(&syncRegistryConfig, Credentials{}, log.NewLogger("debug", ""))
So(err, ShouldNotBeNil)
})
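Review bot: The new `So(err, ShouldBeNil)` / `So(err, ShouldNotBeNil)` checks at the end of this block only test whether `getHTTPClient` returned an error, so they do not pin the behaviour the commit is about. The plain-http case passes on any failure, whatever TLS configuration the client ended up with. A comment above each case naming the expected outcome would help, for example `// http upstream with TLSVerify=false: InsecureSkipVerify must not be applied`, and asserting on the specific error would be better if one is available. The last case also assigns the package-level `BaseURL`, while the config above appears to have moved to the per-test `baseURL` from `GetBaseURL(port)`; if that is not deliberate, `syncRegistryConfig.URL = baseURL` keeps the test on its own port. TestSyncInternal begins and ends outside the hunks shown.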


@ -104,6 +104,13 @@ func getFileCredentials(filepath string) (CredentialsFile, error) {
func getHTTPClient(regCfg *RegistryConfig, credentials Credentials, log log.Logger) (*resty.Client, error) {
client := resty.New()
registryURL, err := url.Parse(regCfg.URL)
if err != nil {
log.Error().Err(err).Str("url", regCfg.URL).Msg("couldn't parse url")
return nil, err
}
if regCfg.CertDir != "" {
log.Debug().Msgf("sync: using certs directory: %s", regCfg.CertDir)
clientCert := path.Join(regCfg.CertDir, "client.cert")
@ -133,7 +140,7 @@ func getHTTPClient(regCfg *RegistryConfig, credentials Credentials, log log.Logg
}
// nolint: gosec
if regCfg.TLSVerify != nil && !*regCfg.TLSVerify {
if regCfg.TLSVerify != nil && !*regCfg.TLSVerify && registryURL.Scheme == "https" {
client.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
}
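Review bot: `client.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})` installs a fresh TLS config, so when `CertDir` and `TLSVerify=false` are both set it probably discards the client certificate and CA that the `CertDir` branch configured. Most of that branch is outside the hunk, so this needs confirming; if it holds, set the flag on the existing config rather than replacing it. Verification is also turned off without any log line, and `// nolint: gosec` hides it from the linter. A warning such as `log.Warn().Str("url", regCfg.URL).Msg("sync: TLS certificate verification disabled for upstream")` would let operators see which upstreams are synced unverified. The body of getHTTPClient continues past the end of this hunk.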