validation

Signed-off-by: Piotr Janik <piotr.janik@sap.com>

Author: piotrjanik

api/oci/config/httpconfig.go

@@ -31,6 +31,9 @@ func (a *HTTPConfig) ApplyTo(_ cfgcpi.Context, target interface{}) error {
 	if !ok {
 		return cfgcpi.ErrNoContext(HTTPConfigType)
 	}
+	if err := a.HTTPSettings.Validate(); err != nil {
+		return err
+	}
 	s, err := t.GetHTTPSettings()
 	if err != nil {
 		return err

api/oci/config/httpconfig_test.go

@@ -109,12 +109,39 @@ configurations:
 			Expect(err.Error()).To(ContainSubstring("invalid duration: notaduration"))
 		})
 
-		It("rejects negative duration", func() {
+		DescribeTable("rejects negative duration for timeout fields",
+			func(field string, cfg *config.HTTPConfig) {
+				ctx := cpi.New()
+				Expect(cfg.ApplyTo(ctx.ConfigContext(), ctx)).To(MatchError(
+					ContainSubstring("invalid value for " + field),
+				))
+			},
+			Entry("timeout", "timeout",
+				&config.HTTPConfig{HTTPSettings: cpi.HTTPSettings{Timeout: dur("-5m")}}),
+			Entry("tcpDialTimeout", "tcpDialTimeout",
+				&config.HTTPConfig{HTTPSettings: cpi.HTTPSettings{TCPDialTimeout: dur("-5m")}}),
+			Entry("tlsHandshakeTimeout", "tlsHandshakeTimeout",
+				&config.HTTPConfig{HTTPSettings: cpi.HTTPSettings{TLSHandshakeTimeout: dur("-5m")}}),
+			Entry("responseHeaderTimeout", "responseHeaderTimeout",
+				&config.HTTPConfig{HTTPSettings: cpi.HTTPSettings{ResponseHeaderTimeout: dur("-5m")}}),
+			Entry("idleConnTimeout", "idleConnTimeout",
+				&config.HTTPConfig{HTTPSettings: cpi.HTTPSettings{IdleConnTimeout: dur("-5m")}}),
+		)
+
+		It("allows -1 tcpKeepAlive to disable keep-alive probes", func() {
 			ctx := cpi.New()
-			raw := []byte(`{"type":"http.config.ocm.software/v1alpha1","timeout":"-5m"}`)
-			_, err := ctx.ConfigContext().GetConfigForData(raw, nil)
-			Expect(err).To(HaveOccurred())
-			Expect(err.Error()).To(ContainSubstring("negative duration not allowed: -5m"))
+			cfg := &config.HTTPConfig{HTTPSettings: cpi.HTTPSettings{TCPKeepAlive: dur("-1s")}}
+			Expect(cfg.ApplyTo(ctx.ConfigContext(), ctx)).To(Succeed())
+			g := MustGetHTTPSettings(ctx)
+			Expect(g.TCPKeepAlive.TimeDuration()).To(HaveValue(Equal(-1 * time.Second)))
+		})
+
+		It("rejects tcpKeepAlive values more negative than -1", func() {
+			ctx := cpi.New()
+			cfg := &config.HTTPConfig{HTTPSettings: cpi.HTTPSettings{TCPKeepAlive: dur("-2s")}}
+			Expect(cfg.ApplyTo(ctx.ConfigContext(), ctx)).To(MatchError(
+				ContainSubstring("invalid value for tcpKeepAlive"),
+			))
 		})
 
 		It("default settings are nil", func() {

api/oci/extensions/repositories/ocireg/repository.go

@@ -205,6 +205,7 @@ func configureTransport(ctx cpi.Context, scheme string, creds credentials.Creden
 	}
 
 	if scheme == "https" {
+		//nolint:gosec // there are OCI servers (quay.io) not working with min version.
 		baseTransport.TLSClientConfig = &tls.Config{
 			RootCAs: func() *x509.CertPool {
 				rootCAs := rootcertsattr.Get(ctx).GetRootCertPool(true)

api/oci/internal/httpsettings.go

@@ -3,6 +3,7 @@ package internal
 import (
 	"encoding/json"
 	"fmt"
+	"strings"
 	"time"
 )
 
@@ -11,20 +12,14 @@ import (
 type Duration string
 
 // UnmarshalJSON implements the json.Unmarshaller interface.
-// Negative durations are rejected because timeout values must be
-// zero (disabled) or positive.
 func (d *Duration) UnmarshalJSON(b []byte) error {
 	var str string
 	if err := json.Unmarshal(b, &str); err != nil {
 		return err
 	}
-	pd, err := time.ParseDuration(str)
-	if err != nil {
+	if _, err := time.ParseDuration(str); err != nil {
 		return fmt.Errorf("invalid duration: %s", str)
 	}
-	if pd < 0 {
-		return fmt.Errorf("negative duration not allowed: %s", str)
-	}
 	*d = Duration(str)
 	return nil
 }
@@ -44,6 +39,30 @@ func (d *Duration) TimeDuration() (*time.Duration, error) {
 	return &pd, nil
 }
 
+// nonNegative requires the duration to be zero or positive.
+func nonNegative(d Duration) bool {
+	return !strings.HasPrefix(string(d), "-")
+}
+
+// nonNegativeOrMinusOne requires the duration to be zero, positive,
+// or -1 (to disable keep-alive probes).
+func nonNegativeOrMinusOne(d Duration) bool {
+	return !strings.HasPrefix(string(d), "-") || strings.HasPrefix(string(d), "-1")
+}
+
+func validateDuration(name string, d *Duration, valid func(Duration) bool) error {
+	if d == nil {
+		return nil
+	}
+	if _, err := d.TimeDuration(); err != nil {
+		return err
+	}
+	if !valid(*d) {
+		return fmt.Errorf("invalid value for %s: %s", name, string(*d))
+	}
+	return nil
+}
+
 // HTTPSettings contains the timeout settings for HTTP clients.
 // All timeout values use Duration (Go duration strings in config).
 // If not set (nil), the http.DefaultTransport value from the Go
@@ -63,6 +82,7 @@ type HTTPSettings struct {
 	TCPDialTimeout *Duration `json:"tcpDialTimeout,omitempty"`
 
 	// TCPKeepAlive is the interval between TCP keep-alive probes.
+	// Use -1 to disable keep-alive probes.
 	TCPKeepAlive *Duration `json:"tcpKeepAlive,omitempty"`
 
 	// TLSHandshakeTimeout is the maximum time to wait for a TLS handshake.
@@ -74,3 +94,26 @@ type HTTPSettings struct {
 	// IdleConnTimeout is the maximum time an idle connection remains open.
 	IdleConnTimeout *Duration `json:"idleConnTimeout,omitempty"`
 }
+
+// Validate checks that timeout values are non-negative.
+// TCPKeepAlive additionally allows -1 to disable keep-alive probes
+// (consistent with Go's net.Dialer.KeepAlive).
+func (s *HTTPSettings) Validate() error {
+	for _, check := range []struct {
+		name  string
+		val   *Duration
+		valid func(Duration) bool
+	}{
+		{"timeout", s.Timeout, nonNegative},
+		{"tcpDialTimeout", s.TCPDialTimeout, nonNegative},
+		{"tcpKeepAlive", s.TCPKeepAlive, nonNegativeOrMinusOne},
+		{"tlsHandshakeTimeout", s.TLSHandshakeTimeout, nonNegative},
+		{"responseHeaderTimeout", s.ResponseHeaderTimeout, nonNegative},
+		{"idleConnTimeout", s.IdleConnTimeout, nonNegative},
+	} {
+		if err := validateDuration(check.name, check.val, check.valid); err != nil {
+			return err
+		}
+	}
+	return nil
+}