From d8f2cb862290895a25383485bebbca1b08f79c95 Mon Sep 17 00:00:00 2001 From: haircommander Date: Fri, 15 Jun 2018 19:41:00 -0400 Subject: TLS verify is skipped per registry. Signed-off-by: haircommander Closes: #952 Approved by: rhatdan --- cmd/podman/search.go | 65 ++++++++++++++++++++++++++-------------------------- 1 file changed, 33 insertions(+), 32 deletions(-) (limited to 'cmd') diff --git a/cmd/podman/search.go b/cmd/podman/search.go index a5eb580cd..96a17fb64 100644 --- a/cmd/podman/search.go +++ b/cmd/podman/search.go @@ -2,19 +2,16 @@ package main import ( "context" - "fmt" "reflect" "strconv" "strings" "github.com/containers/image/docker" - "github.com/containers/image/types" "github.com/pkg/errors" "github.com/projectatomic/libpod/cmd/podman/formats" "github.com/projectatomic/libpod/cmd/podman/libpodruntime" "github.com/projectatomic/libpod/libpod/common" sysreg "github.com/projectatomic/libpod/pkg/registries" - "github.com/projectatomic/libpod/pkg/util" "github.com/sirupsen/logrus" "github.com/urfave/cli" ) @@ -113,7 +110,7 @@ func searchCmd(c *cli.Context) error { limit: c.Int("limit"), filter: c.StringSlice("filter"), } - registries, sc, err := getSystemContextAndRegistries(c) + regAndSkipTLS, err := getRegistriesAndSkipTLS(c) if err != nil { return err } @@ -123,7 +120,7 @@ func searchCmd(c *cli.Context) error { return err } - return generateSearchOutput(term, registries, opts, *filter, sc) + return generateSearchOutput(term, regAndSkipTLS, opts, *filter) } func genSearchFormat(format string) string { @@ -154,11 +151,8 @@ func (s *searchParams) headerMap() map[string]string { return values } -// A wrapper for GetSystemContext and GetInsecureRegistries -// Sets up system context and active list of registries to search with -func getSystemContextAndRegistries(c *cli.Context) ([]string, *types.SystemContext, error) { - sc := common.GetSystemContext("", "", false) - +// A function for finding which registries can skip TLS +func getRegistriesAndSkipTLS(c *cli.Context) (map[string]bool, error) { // Variables for setting up Registry and TLSVerify tlsVerify := c.BoolT("tls-verify") forceSecure := false @@ -174,42 +168,49 @@ func getSystemContextAndRegistries(c *cli.Context) ([]string, *types.SystemConte var err error registries, err = sysreg.GetRegistries() if err != nil { - return nil, nil, errors.Wrapf(err, "error getting registries to search") + return nil, errors.Wrapf(err, "error getting registries to search") } } - - // If user flagged to skip verify for HTTP connections, set System Context as such + regAndSkipTLS := make(map[string]bool) + // If tls-verify is set to false, allow insecure always. if !tlsVerify { - // If tls-verify is set to false, allow insecure always. - sc.DockerInsecureSkipTLSVerify = true - } else if !forceSecure { - // if the user didn't allow nor disallow insecure registries, check to see if the registry is insecure - insecureRegistries, err := sysreg.GetInsecureRegistries() - if err != nil { - return nil, nil, errors.Wrapf(err, "error getting insecure registries to search") + for _, reg := range registries { + regAndSkipTLS[reg] = true } - - for _, reg := range insecureRegistries { - // if there are any insecure registries in registries, allow for HTTP - if util.StringInSlice(reg, registries) { - sc.DockerInsecureSkipTLSVerify = true - logrus.Info(fmt.Sprintf("%s is an insecure registry; searching with tls-verify=false", reg)) - break + } else { + // initially set all registries to verify with TLS + for _, reg := range registries { + regAndSkipTLS[reg] = false + } + // if the user didn't allow nor disallow insecure registries, check to see if the registry is insecure + if !forceSecure { + insecureRegistries, err := sysreg.GetInsecureRegistries() + if err != nil { + return nil, errors.Wrapf(err, "error getting insecure registries to search") + } + for _, reg := range insecureRegistries { + // if there are any insecure registries in registries, allow for HTTP + if _, ok := regAndSkipTLS[reg]; ok { + regAndSkipTLS[reg] = true + } } } } - return registries, sc, nil + return regAndSkipTLS, nil } -func getSearchOutput(term string, registries []string, opts searchOpts, filter searchFilterParams, sc *types.SystemContext) ([]searchParams, error) { +func getSearchOutput(term string, regAndSkipTLS map[string]bool, opts searchOpts, filter searchFilterParams) ([]searchParams, error) { // Max number of queries by default is 25 limit := maxQueries if opts.limit != 0 { limit = opts.limit } + sc := common.GetSystemContext("", "", false) var paramsArr []searchParams - for _, reg := range registries { + for reg, skipTLS := range regAndSkipTLS { + // set the SkipTLSVerify bool depending on the registry being searched through + sc.DockerInsecureSkipTLSVerify = skipTLS results, err := docker.SearchRegistry(context.TODO(), sc, reg, term, limit) if err != nil { logrus.Errorf("error searching registry %q: %v", reg, err) @@ -269,8 +270,8 @@ func getSearchOutput(term string, registries []string, opts searchOpts, filter s return paramsArr, nil } -func generateSearchOutput(term string, registries []string, opts searchOpts, filter searchFilterParams, sc *types.SystemContext) error { - searchOutput, err := getSearchOutput(term, registries, opts, filter, sc) +func generateSearchOutput(term string, regAndSkipTLS map[string]bool, opts searchOpts, filter searchFilterParams) error { + searchOutput, err := getSearchOutput(term, regAndSkipTLS, opts, filter) if err != nil { return err } -- cgit v1.2.3-54-g00ecf