Skip to content

Commit 8bebca4

Browse files
matheuscscpgithub-actions[bot]
authored andcommitted
oci: fix insecure not skipping tls verification
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> (cherry picked from commit 49c22f0)
1 parent 17a05ff commit 8bebca4

2 files changed

Lines changed: 98 additions & 2 deletions

File tree

oci/retry_transport.go

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@ package oci
1919

2020
import (
2121
"context"
22+
"crypto/tls"
2223
"errors"
2324
"io"
2425
"net/http"
@@ -42,8 +43,14 @@ func WithRetryTransport(ctx context.Context,
4243
backoff remote.Backoff,
4344
scopes []string,
4445
insecure bool) (crane.Option, error) {
45-
var retryTransport http.RoundTripper
46-
retryTransport = remote.DefaultTransport.(*http.Transport).Clone()
46+
httpTransport := remote.DefaultTransport.(*http.Transport).Clone()
47+
if insecure {
48+
if httpTransport.TLSClientConfig == nil {
49+
httpTransport.TLSClientConfig = &tls.Config{}
50+
}
51+
httpTransport.TLSClientConfig.InsecureSkipVerify = true //nolint:gosec
52+
}
53+
var retryTransport http.RoundTripper = httpTransport
4754
if logs.Enabled(logs.Debug) {
4855
retryTransport = transport.NewLogger(retryTransport)
4956
}

oci/retry_transport_test.go

Lines changed: 89 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,89 @@
1+
/*
2+
Copyright 2026 The Flux authors
3+
4+
Licensed under the Apache License, Version 2.0 (the "License");
5+
you may not use this file except in compliance with the License.
6+
You may obtain a copy of the License at
7+
8+
http://www.apache.org/licenses/LICENSE-2.0
9+
10+
Unless required by applicable law or agreed to in writing, software
11+
distributed under the License is distributed on an "AS IS" BASIS,
12+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
See the License for the specific language governing permissions and
14+
limitations under the License.
15+
*/
16+
17+
package oci
18+
19+
import (
20+
"context"
21+
"io"
22+
"log"
23+
"net/http"
24+
"net/http/httptest"
25+
"strings"
26+
"testing"
27+
"time"
28+
29+
"github.com/google/go-containerregistry/pkg/authn"
30+
"github.com/google/go-containerregistry/pkg/name"
31+
"github.com/google/go-containerregistry/pkg/v1/remote"
32+
"github.com/google/go-containerregistry/pkg/v1/remote/transport"
33+
)
34+
35+
func TestWithRetryTransportInsecureTLS(t *testing.T) {
36+
registry := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
37+
if r.URL.Path != "/v2/" {
38+
http.NotFound(w, r)
39+
return
40+
}
41+
w.WriteHeader(http.StatusOK)
42+
}))
43+
registry.Config.ErrorLog = log.New(io.Discard, "", 0)
44+
registry.StartTLS()
45+
t.Cleanup(registry.Close)
46+
47+
registryHost := strings.TrimPrefix(registry.URL, "https://")
48+
ref, err := name.ParseReference(registryHost + "/test:latest")
49+
if err != nil {
50+
t.Fatalf("failed to parse registry reference: %v", err)
51+
}
52+
53+
backoff := remote.Backoff{
54+
Duration: time.Millisecond,
55+
Factor: 1,
56+
Steps: 1,
57+
}
58+
scopes := []string{ref.Context().Scope(transport.PushScope)}
59+
60+
tests := []struct {
61+
name string
62+
insecure bool
63+
wantError bool
64+
}{
65+
{
66+
name: "certificate verification enabled",
67+
wantError: true,
68+
},
69+
{
70+
name: "certificate verification disabled",
71+
insecure: true,
72+
},
73+
}
74+
75+
for _, tt := range tests {
76+
t.Run(tt.name, func(t *testing.T) {
77+
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
78+
defer cancel()
79+
80+
_, err := WithRetryTransport(ctx, ref, authn.Anonymous, backoff, scopes, tt.insecure)
81+
if tt.wantError && err == nil {
82+
t.Fatal("expected TLS certificate verification to fail")
83+
}
84+
if !tt.wantError && err != nil {
85+
t.Fatalf("expected insecure TLS connection to succeed: %v", err)
86+
}
87+
})
88+
}
89+
}

0 commit comments

Comments
 (0)