aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVladimir Kochnev <hashtable@yandex.ru>2022-07-25 16:00:23 +0300
committerMatthew Heon <matthew.heon@pm.me>2022-07-26 14:44:05 -0400
commite6ebfbd1e0106d8ddcf19a1ec3f97052592f49ad (patch)
tree18ee57abaae057fdd78a836ee61dd70a670fa8e8
parent64bc2ee97f2dbcada22cff4364416abb81a3272a (diff)
downloadpodman-e6ebfbd1e0106d8ddcf19a1ec3f97052592f49ad.tar.gz
podman-e6ebfbd1e0106d8ddcf19a1ec3f97052592f49ad.tar.bz2
podman-e6ebfbd1e0106d8ddcf19a1ec3f97052592f49ad.zip
Set TLSVerify=true by default for API endpoints
Option defaults in API must be the same as in CLI. ``` % podman image push --help % podman image pull --help % podman manifest push --help % podman image search --help ``` All of these CLI commands them have --tls-verify=true by default: ``` --tls-verify require HTTPS and verify certificates when accessing the registry (default true) ``` As for `podman image build`, it doesn't have any means to control `tlsVerify` parameter but it must be true by default. Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
-rw-r--r--pkg/api/handlers/compat/images_build.go1
-rw-r--r--pkg/api/handlers/compat/images_search.go1
-rw-r--r--pkg/api/handlers/libpod/images_push.go1
-rw-r--r--pkg/api/handlers/libpod/manifests.go1
-rw-r--r--pkg/api/server/register_images.go8
-rw-r--r--pkg/api/server/register_manifest.go10
-rw-r--r--test/apiv2/12-imagesMore.at5
-rw-r--r--test/apiv2/15-manifest.at2
8 files changed, 19 insertions, 10 deletions
diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go
index a9185c3d3..15cfc824e 100644
--- a/pkg/api/handlers/compat/images_build.go
+++ b/pkg/api/handlers/compat/images_build.go
@@ -140,6 +140,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
Registry: "docker.io",
Rm: true,
ShmSize: 64 * 1024 * 1024,
+ TLSVerify: true,
}
decoder := r.Context().Value(api.DecoderKey).(*schema.Decoder)
diff --git a/pkg/api/handlers/compat/images_search.go b/pkg/api/handlers/compat/images_search.go
index a6fd3a3a1..2fc95e84e 100644
--- a/pkg/api/handlers/compat/images_search.go
+++ b/pkg/api/handlers/compat/images_search.go
@@ -26,6 +26,7 @@ func SearchImages(w http.ResponseWriter, r *http.Request) {
ListTags bool `json:"listTags"`
}{
// This is where you can override the golang default value for one of fields
+ TLSVerify: true,
}
if err := decoder.Decode(&query, r.URL.Query()); err != nil {
diff --git a/pkg/api/handlers/libpod/images_push.go b/pkg/api/handlers/libpod/images_push.go
index f427dc01b..9ee651f5b 100644
--- a/pkg/api/handlers/libpod/images_push.go
+++ b/pkg/api/handlers/libpod/images_push.go
@@ -32,6 +32,7 @@ func PushImage(w http.ResponseWriter, r *http.Request) {
TLSVerify bool `schema:"tlsVerify"`
Quiet bool `schema:"quiet"`
}{
+ TLSVerify: true,
// #14971: older versions did not sent *any* data, so we need
// to be quiet by default to remain backwards compatible
Quiet: true,
diff --git a/pkg/api/handlers/libpod/manifests.go b/pkg/api/handlers/libpod/manifests.go
index 3235a2972..43c7139d3 100644
--- a/pkg/api/handlers/libpod/manifests.go
+++ b/pkg/api/handlers/libpod/manifests.go
@@ -310,6 +310,7 @@ func ManifestPush(w http.ResponseWriter, r *http.Request) {
TLSVerify bool `schema:"tlsVerify"`
}{
// Add defaults here once needed.
+ TLSVerify: true,
}
if err := decoder.Decode(&query, r.URL.Query()); err != nil {
utils.Error(w, http.StatusBadRequest,
diff --git a/pkg/api/server/register_images.go b/pkg/api/server/register_images.go
index 11ab8cae0..1bfedd77e 100644
--- a/pkg/api/server/register_images.go
+++ b/pkg/api/server/register_images.go
@@ -192,8 +192,8 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error {
// - in: query
// name: tlsVerify
// type: boolean
- // default: false
- // description: skip TLS verification for registries
+ // default: true
+ // description: Require HTTPS and verify signatures when contacting registries.
// - in: query
// name: listTags
// type: boolean
@@ -1120,8 +1120,8 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error {
// - in: query
// name: tlsVerify
// type: boolean
- // default: false
- // description: skip TLS verification for registries
+ // default: true
+ // description: Require HTTPS and verify signatures when contacting registries.
// - in: query
// name: listTags
// type: boolean
diff --git a/pkg/api/server/register_manifest.go b/pkg/api/server/register_manifest.go
index 4fadb92fd..19b507047 100644
--- a/pkg/api/server/register_manifest.go
+++ b/pkg/api/server/register_manifest.go
@@ -69,12 +69,12 @@ func (s *APIServer) registerManifestHandlers(r *mux.Router) error {
// name: all
// description: push all images
// type: boolean
- // default: false
+ // default: true
// - in: query
// name: tlsVerify
// type: boolean
- // default: false
- // description: skip TLS verification for registries
+ // default: true
+ // description: Require HTTPS and verify signatures when contacting registries.
// responses:
// 200:
// schema:
@@ -195,8 +195,8 @@ func (s *APIServer) registerManifestHandlers(r *mux.Router) error {
// - in: query
// name: tlsVerify
// type: boolean
- // default: false
- // description: skip TLS verification for registries
+ // default: true
+ // description: Require HTTPS and verify signatures when contacting registries.
// - in: body
// name: options
// description: options for mutating a manifest
diff --git a/test/apiv2/12-imagesMore.at b/test/apiv2/12-imagesMore.at
index d4b09174f..498d67569 100644
--- a/test/apiv2/12-imagesMore.at
+++ b/test/apiv2/12-imagesMore.at
@@ -28,7 +28,10 @@ t GET libpod/images/$IMAGE/json 200 \
.RepoTags[1]=localhost:$REGISTRY_PORT/myrepo:mytag
# Push to local registry...
-t POST "images/localhost:$REGISTRY_PORT/myrepo/push?tlsVerify=false&tag=mytag" 200
+t POST "images/localhost:$REGISTRY_PORT/myrepo/push?tag=mytag" 200 \
+ .error~".*x509: certificate signed by unknown authority"
+t POST "images/localhost:$REGISTRY_PORT/myrepo/push?tlsVerify=false&tag=mytag" 200 \
+ .error~null
# ...and check output. We can't use our built-in checks because this output
# is a sequence of JSON objects, i.e., individual ones, not in a JSON array.
diff --git a/test/apiv2/15-manifest.at b/test/apiv2/15-manifest.at
index 970bed5a8..6584ea8e4 100644
--- a/test/apiv2/15-manifest.at
+++ b/test/apiv2/15-manifest.at
@@ -31,6 +31,8 @@ t POST /v3.4.0/libpod/manifests/$id_abc/add images="[\"containers-storage:$id_ab
t PUT /v4.0.0/libpod/manifests/$id_xyz operation='update' images="[\"containers-storage:$id_xyz_image\"]" 200
t POST "/v3.4.0/libpod/manifests/abc:latest/push?destination=localhost:$REGISTRY_PORT%2Fabc:latest&tlsVerify=false&all=true" 200
+t POST "/v4.0.0/libpod/manifests/xyz:latest/registry/localhost:$REGISTRY_PORT%2Fxyz:latest?all=true" 400 \
+ .cause='x509: certificate signed by unknown authority'
t POST "/v4.0.0/libpod/manifests/xyz:latest/registry/localhost:$REGISTRY_PORT%2Fxyz:latest?tlsVerify=false&all=true" 200
# /v3.x cannot delete a manifest list