skip tls verification if default transport is used with insecure option

Signed-off-by: Jose R. Gonzalez <jose@flutes.dev>
google · Feb 7, 2023 · 223f982 · 223f982
1 parent 62f183e
commit 223f982
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 650 deletions.
diff --git a/go.sum b/go.sum
diff --git a/pkg/crane/options.go b/pkg/crane/options.go
@@ -16,6 +16,7 @@ package crane
 
 import (
 	"context"
+	"crypto/tls"
 	"net/http"
 
 	"github.com/google/go-containerregistry/pkg/authn"
@@ -30,6 +31,10 @@ type Options struct {
 	Remote   []remote.Option
 	Platform *v1.Platform
 	Keychain authn.Keychain
+
+	transport    *http.Transport
+	insecure     bool
+	transportSet bool
 }
 
 // GetOptions exposes the underlying []remote.Option, []name.Option, and
@@ -47,26 +52,44 @@ func makeOptions(opts ...Option) Options {
 		},
 		Keychain: authn.DefaultKeychain,
 	}
+
 	for _, o := range opts {
 		o(&opt)
 	}
+
+	// Allow for untrusted certificates if the user passed Insecure but no custom
+	// transport.
+	if opt.insecure && !opt.transportSet {
+		opt.transport = remote.DefaultTransport.(*http.Transport).Clone()
+		opt.transport.TLSClientConfig = &tls.Config{
+			InsecureSkipVerify: true, //nolint: gosec
+		}
+
+		WithTransport(opt.transport)(&opt)
+	}
+
 	return opt
 }
 
 // Option is a functional option for crane.
 type Option func(*Options)
 
 // WithTransport is a functional option for overriding the default transport
-// for remote operations.
+// for remote operations. Setting a transport will override the Insecure option's
+// configuration allowing for image registries to use untrusted certificates.
 func WithTransport(t http.RoundTripper) Option {
 	return func(o *Options) {
 		o.Remote = append(o.Remote, remote.WithTransport(t))
+		o.transportSet = true
 	}
 }
 
 // Insecure is an Option that allows image references to be fetched without TLS.
+// This will also allow for untrusted (e.g. self-signed) certificates in cases where
+// the default transport is used (i.e. when WithTransport is not used).
 func Insecure(o *Options) {
 	o.Name = append(o.Name, name.Insecure)
+	o.insecure = true
 }
 
 // WithPlatform is an Option to specify the platform.

diff --git a/pkg/crane/options_test.go b/pkg/crane/options_test.go
@@ -0,0 +1,39 @@
+package crane
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+)
+
+func TestInsecureOptionTracking(t *testing.T) {
+	want := true
+	opts := GetOptions(Insecure)
+
+	if got := opts.insecure; got != want {
+		t.Errorf("got %t\nwant: %t", got, want)
+	}
+}
+
+func TestTransportOptionTracking(t *testing.T) {
+	want := true
+	opts := GetOptions(WithTransport(remote.DefaultTransport))
+
+	if got := opts.transportSet; got != want {
+		t.Errorf("got %t\nwant: %t", got, want)
+	}
+}
+
+func TestInsecureTransport(t *testing.T) {
+	want := true
+	opts := GetOptions(Insecure)
+	if opts.transport.TLSClientConfig == nil {
+		t.Fatal(errors.New("TLSClientConfig was nil and should be set"))
+
+	}
+
+	if got := opts.transport.TLSClientConfig.InsecureSkipVerify; got != want {
+		t.Errorf("got: %t\nwant: %t", got, want)
+	}
+}
diff --git a/pkg/v1/fake/image.go b/pkg/v1/fake/image.go
diff --git a/pkg/v1/fake/index.go b/pkg/v1/fake/index.go
diff --git a/pkg/v1/zz_deepcopy_generated.go b/pkg/v1/zz_deepcopy_generated.go