update to fallback to insecure on bootstrap

rlmcpherson · rlmcpherson · commit 139e9e4a7eed · 2026-04-02T13:12:30.000-06:00
1. loginViaCLI (the pen-test finding) — Implemented try-secure-then-fallback: attempts a TLS-verified connection first, and only falls back to insecure if a TLS verification error occurs (matching the existing pattern in
client.go:LoginWithAccessKey). This is the only function that sends credentials (admin password), so it gets the strongest treatment.
2. Readiness probes (port_forwarding.go, pingLoftRouter, IsLoftReachable bootstrap callers, docker.go) — Reverted to insecure: true with explicit comments documenting why: these are bootstrap-only health checks against just-installed
platforms with self-signed certs, and no credentials are transmitted.
diff --git a/pkg/cli/start/docker.go b/pkg/cli/start/docker.go
@@ -133,7 +133,8 @@ func (l *LoftStarter) successDocker(ctx context.Context, containerID string) err
 			return false, fmt.Errorf("container failed (status: %s):\n %s", containerDetails.State.Status, logs)
 		}
 
-		return clihelper.IsLoftReachable(ctx, host, l.LoadedConfig(l.Log).Platform.Insecure)
+		// Bootstrap reachability check: self-signed cert expected.
+		return clihelper.IsLoftReachable(ctx, host, true)
 	})
 	if err != nil {
 		return fmt.Errorf(product.Replace("error waiting for loft: %v%w"), err)
diff --git a/pkg/cli/start/login.go b/pkg/cli/start/login.go
@@ -3,6 +3,7 @@ package start
 import (
 	"bytes"
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -66,51 +67,87 @@ func (l *LoftStarter) loginViaCLI(url string) error {
 		return err
 	}
 
+	// Try a secure connection first. During bootstrap the platform typically
+	// serves a self-signed certificate, so fall back to insecure if the secure
+	// attempt fails with a TLS error.
+	accessKey, insecure, err := l.passwordLogin(url, loginRequestBytes, false)
+	if err != nil {
+		if !isTLSError(err) {
+			return err
+		}
+		l.Log.Infof("TLS verification failed, retrying without verification (self-signed certificate expected during bootstrap)")
+		accessKey, insecure, err = l.passwordLogin(url, loginRequestBytes, true)
+		if err != nil {
+			return err
+		}
+	}
+
+	// log into loft
 	config := l.LoadedConfig(l.Log)
+	loginClient := platform.NewLoginClientFromConfig(config)
+	url = strings.TrimSuffix(url, "/")
+	err = loginClient.LoginWithAccessKey(url, accessKey, insecure)
+	if err != nil {
+		return err
+	}
+
+	l.Log.WriteString(logrus.InfoLevel, "\n")
+	l.Log.Donef(product.Replace("Successfully logged in via CLI into Loft instance %s"), ansi.Color(url, "white+b"))
+
+	return nil
+}
+
+// passwordLogin posts the admin credentials to the platform's password login
+// endpoint and returns the access key. The insecure parameter controls whether
+// TLS certificate verification is skipped.
+func (l *LoftStarter) passwordLogin(url string, loginRequestBytes []byte, insecure bool) (string, bool, error) {
 	httpClient := &http.Client{Transport: &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: config.Platform.Insecure},
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure},
 	}}
 
-	// try a couple of times to login
 	accessKey := &types.AccessKey{}
 	for i := 0; i < 3; i++ {
 		resp, err := httpClient.Post(url+"/auth/password/login", "application/json", bytes.NewBuffer(loginRequestBytes))
 		if err != nil {
-			return err
+			return "", insecure, err
 		}
 
 		body, err := io.ReadAll(resp.Body)
 		if err != nil {
 			_ = resp.Body.Close()
-			return err
+			return "", insecure, err
 		}
 		_ = resp.Body.Close()
 
 		err = json.Unmarshal(body, accessKey)
 		if err != nil {
-			return err
+			return "", insecure, err
 		}
 		if accessKey.AccessKey == "" {
 			continue
 		}
 		break
 	}
 	if accessKey.AccessKey == "" {
-		return fmt.Errorf("couldn't retrieve access key from platform to login")
-	}
-
-	// log into loft
-	loginClient := platform.NewLoginClientFromConfig(config)
-	url = strings.TrimSuffix(url, "/")
-	err = loginClient.LoginWithAccessKey(url, accessKey.AccessKey, config.Platform.Insecure)
-	if err != nil {
-		return err
+		return "", insecure, fmt.Errorf("couldn't retrieve access key from platform to login")
 	}
 
-	l.Log.WriteString(logrus.InfoLevel, "\n")
-	l.Log.Donef(product.Replace("Successfully logged in via CLI into Loft instance %s"), ansi.Color(url, "white+b"))
+	return accessKey.AccessKey, insecure, nil
+}
 
-	return nil
+// isTLSError returns true if the error is caused by a TLS certificate
+// verification failure.
+func isTLSError(err error) bool {
+	var urlErr *netUrl.Error
+	if !errors.As(err, &urlErr) {
+		return false
+	}
+	var certErr *tls.CertificateVerificationError
+	if errors.As(urlErr.Err, &certErr) {
+		return true
+	}
+	var unknownAuthErr x509.UnknownAuthorityError
+	return errors.As(urlErr.Err, &unknownAuthErr)
 }
 
 func (l *LoftStarter) loginUI(url string) error {
diff --git a/pkg/cli/start/login_test.go b/pkg/cli/start/login_test.go
@@ -0,0 +1,143 @@
+package start
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	netUrl "net/url"
+	"strings"
+	"testing"
+
+	types "github.com/loft-sh/api/v4/pkg/auth"
+	"gotest.tools/v3/assert"
+)
+
+func TestIsTLSError(t *testing.T) {
+	tests := []struct {
+		name     string
+		err      error
+		expected bool
+	}{
+		{
+			name:     "nil error",
+			err:      nil,
+			expected: false,
+		},
+		{
+			name: "URL error with certificate verification error",
+			err: &netUrl.Error{
+				Op:  "Get",
+				URL: "https://localhost:9898",
+				Err: &tls.CertificateVerificationError{
+					UnverifiedCertificates: []*x509.Certificate{},
+					Err:                    x509.UnknownAuthorityError{},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "URL error with unknown authority",
+			err: &netUrl.Error{
+				Op:  "Get",
+				URL: "https://localhost:9898",
+				Err: x509.UnknownAuthorityError{},
+			},
+			expected: true,
+		},
+		{
+			name: "URL error with non-TLS error",
+			err: &netUrl.Error{
+				Op:  "Get",
+				URL: "https://localhost:9898",
+				Err: &netUrl.Error{Op: "dial", URL: "localhost", Err: nil},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.err == nil {
+				assert.Assert(t, !isTLSError(nil))
+				return
+			}
+			assert.Equal(t, isTLSError(tt.err), tt.expected)
+		})
+	}
+}
+
+func TestPasswordLogin_SecureSuccess(t *testing.T) {
+	expectedKey := "test-access-key-123"
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/auth/password/login" {
+			resp := types.AccessKey{AccessKey: expectedKey}
+			w.Header().Set("Content-Type", "application/json")
+			_ = json.NewEncoder(w).Encode(resp)
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer server.Close()
+
+	// passwordLogin with insecure=true should succeed against self-signed cert.
+	l := &LoftStarter{}
+	key, insecure, err := l.passwordLogin(server.URL, []byte(`{}`), true)
+	assert.NilError(t, err)
+	assert.Equal(t, key, expectedKey)
+	assert.Assert(t, insecure)
+}
+
+func TestPasswordLogin_InsecureFalseFailsAgainstSelfSigned(t *testing.T) {
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		resp := types.AccessKey{AccessKey: "key"}
+		_ = json.NewEncoder(w).Encode(resp)
+	}))
+	defer server.Close()
+
+	// passwordLogin with insecure=false should fail against self-signed cert.
+	l := &LoftStarter{}
+	_, _, err := l.passwordLogin(server.URL, []byte(`{}`), false)
+	assert.Assert(t, err != nil, "expected TLS error")
+	assert.Assert(t, isTLSError(err), "error should be a TLS error, got: %v", err)
+}
+
+func TestPasswordLogin_FallbackBehavior(t *testing.T) {
+	expectedKey := "fallback-key"
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/auth/password/login" {
+			resp := types.AccessKey{AccessKey: expectedKey}
+			w.Header().Set("Content-Type", "application/json")
+			_ = json.NewEncoder(w).Encode(resp)
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer server.Close()
+
+	l := &LoftStarter{}
+
+	// Simulate the try-secure-then-fallback pattern from loginViaCLI.
+	key, insecure, err := l.passwordLogin(server.URL, []byte(`{}`), false)
+	if err != nil && isTLSError(err) {
+		// Fall back to insecure — this is the expected path for self-signed certs.
+		key, insecure, err = l.passwordLogin(server.URL, []byte(`{}`), true)
+	}
+	assert.NilError(t, err)
+	assert.Equal(t, key, expectedKey)
+	assert.Assert(t, insecure, "should have fallen back to insecure")
+}
+
+func TestPasswordLogin_EmptyAccessKey(t *testing.T) {
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		resp := types.AccessKey{AccessKey: ""}
+		_ = json.NewEncoder(w).Encode(resp)
+	}))
+	defer server.Close()
+
+	l := &LoftStarter{}
+	_, _, err := l.passwordLogin(server.URL, []byte(`{}`), true)
+	assert.Assert(t, err != nil, "expected error for empty access key")
+	assert.Assert(t, strings.Contains(err.Error(), "couldn't retrieve access key"))
+}
diff --git a/pkg/cli/start/port_forwarding.go b/pkg/cli/start/port_forwarding.go
@@ -19,9 +19,11 @@ func (l *LoftStarter) startPortForwarding(ctx context.Context, loftPod *corev1.P
 	}
 	go l.restartPortForwarding(ctx, stopChan)
 
-	// wait until loft is reachable at the given url
+	// Bootstrap readiness probe over localhost port-forward: the just-installed
+	// platform always serves a self-signed certificate, so TLS verification is
+	// skipped. No credentials are sent in this request.
 	httpClient := &http.Client{
-		Transport: utilhttp.Transport(l.LoadedConfig(l.Log).Platform.Insecure),
+		Transport: utilhttp.InsecureTransport(),
 	}
 	l.Log.Infof(product.Replace("Waiting until loft is reachable at https://localhost:%s"), l.LocalPort)
 	err = wait.PollUntilContextTimeout(ctx, time.Second, clihelper.Timeout(), true, func(ctx context.Context) (bool, error) {
diff --git a/pkg/cli/start/success.go b/pkg/cli/start/success.go
@@ -67,9 +67,9 @@ func (l *LoftStarter) success(ctx context.Context) error {
 		return err
 	}
 
-	// check if loft is reachable
-	insecure := l.LoadedConfig(l.Log).Platform.Insecure
-	reachable, err := clihelper.IsLoftReachable(ctx, host, insecure)
+	// Bootstrap reachability check: the just-installed platform typically serves
+	// a self-signed certificate, so TLS verification is skipped.
+	reachable, err := clihelper.IsLoftReachable(ctx, host, true)
 	if !reachable || err != nil {
 		const (
 			YesOption = "Yes"
@@ -123,12 +123,13 @@ func (l *LoftStarter) pingLoftRouter(ctx context.Context, loftPod *corev1.Pod) (
 	// get the domain from secret
 	loftRouterDomain := string(loftRouterSecret.Data["domain"])
 
-	// wait until loft is reachable at the given url
-	insecure := l.LoadedConfig(l.Log).Platform.Insecure
+	// Bootstrap readiness probe: the just-installed platform always serves a
+	// self-signed certificate, so TLS verification is skipped. No credentials
+	// are sent in this request.
 	httpClient := &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: insecure,
+				InsecureSkipVerify: true,
 			},
 		},
 	}
@@ -192,8 +193,9 @@ func (l *LoftStarter) isLoggedIn(url string) bool {
 }
 
 func (l *LoftStarter) successRemote(ctx context.Context, host string) error {
-	insecure := l.LoadedConfig(l.Log).Platform.Insecure
-	ready, err := clihelper.IsLoftReachable(ctx, host, insecure)
+	// Bootstrap reachability check: the just-installed platform typically serves
+	// a self-signed certificate, so TLS verification is skipped.
+	ready, err := clihelper.IsLoftReachable(ctx, host, true)
 	if err != nil {
 		return err
 	} else if ready {
@@ -206,7 +208,7 @@ func (l *LoftStarter) successRemote(ctx context.Context, host string) error {
 
 	l.Log.Info("Waiting for you to configure DNS, so loft can be reached on https://" + host)
 	err = wait.PollUntilContextTimeout(ctx, 5*time.Second, clihelper.Timeout(), true, func(ctx context.Context) (done bool, err error) {
-		return clihelper.IsLoftReachable(ctx, host, insecure)
+		return clihelper.IsLoftReachable(ctx, host, true)
 	})
 	if err != nil {
 		return err

Original file line number	Diff line number	Diff line change
`@@ -133,7 +133,8 @@ func (l *LoftStarter) successDocker(ctx context.Context, containerID string) err`
`133`	`133`	`return false, fmt.Errorf("container failed (status: %s):\n %s", containerDetails.State.Status, logs)`
`134`	`134`	`}`
`135`	`135`
`136`		`- return clihelper.IsLoftReachable(ctx, host, l.LoadedConfig(l.Log).Platform.Insecure)`
	`136`	`+ // Bootstrap reachability check: self-signed cert expected.`
	`137`	`+ return clihelper.IsLoftReachable(ctx, host, true)`
`137`	`138`	`})`
`138`	`139`	`if err != nil {`
`139`	`140`	`return fmt.Errorf(product.Replace("error waiting for loft: %v%w"), err)`
Original file line number	Diff line number	Diff line change
`@@ -19,9 +19,11 @@ func (l LoftStarter) startPortForwarding(ctx context.Context, loftPod corev1.P`
`19`	`19`	`}`
`20`	`20`	`go l.restartPortForwarding(ctx, stopChan)`
`21`	`21`
`22`		`- // wait until loft is reachable at the given url`
	`22`	`+ // Bootstrap readiness probe over localhost port-forward: the just-installed`
	`23`	`+ // platform always serves a self-signed certificate, so TLS verification is`
	`24`	`+ // skipped. No credentials are sent in this request.`
`23`	`25`	`httpClient := &http.Client{`
`24`		`- Transport: utilhttp.Transport(l.LoadedConfig(l.Log).Platform.Insecure),`
	`26`	`+ Transport: utilhttp.InsecureTransport(),`
`25`	`27`	`}`
`26`	`28`	`l.Log.Infof(product.Replace("Waiting until loft is reachable at https://localhost:%s"), l.LocalPort)`
`27`	`29`	`err = wait.PollUntilContextTimeout(ctx, time.Second, clihelper.Timeout(), true, func(ctx context.Context) (bool, error) {`