Set TLSVerify=true by default for API endpoints

Option defaults in API must be the same as in CLI.

```
% podman image push --help
% podman image pull --help
% podman manifest push --help
% podman image search --help
```

All of these CLI commands have --tls-verify=true by default:
```
--tls-verify  require HTTPS and verify certificates when accessing the registry (default true)
```

As for `podman image build`, it doesn't have any means to control
`tlsVerify` parameter but it must be true by default.

Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
Vladimir Kochnev
2022-07-25 16:00:23 +03:00
committed by Matthew Heon
parent 64bc2ee97f
commit e6ebfbd1e0
8 changed files with 19 additions and 10 deletions


@ -140,6 +140,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
Registry: "docker.io", Registry: "docker.io",
Rm: true, Rm: true,
ShmSize: 64 * 1024 * 1024, ShmSize: 64 * 1024 * 1024,
TLSVerify: true,
} }
decoder := r.Context().Value(api.DecoderKey).(*schema.Decoder) decoder := r.Context().Value(api.DecoderKey).(*schema.Decoder)
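Review bot: The new `TLSVerify: true` in BuildImage's defaults has no comment, and the commit message states this endpoint gives callers no way to override it, so the line reads like an ordinary query default that a later maintainer might "fix" by exposing or flipping. A one-line comment above it records the intent: `// TLSVerify is not client-controllable here; always verify registry TLS, matching the CLI.` Please confirm against the struct definition, which is outside the hunk, that the field really has no schema tag. BuildImage's body continues past the hunk.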


@ -26,6 +26,7 @@ func SearchImages(w http.ResponseWriter, r *http.Request) {
ListTags bool `json:"listTags"` ListTags bool `json:"listTags"`
}{ }{
// This is where you can override the golang default value for one of fields // This is where you can override the golang default value for one of fields
TLSVerify: true,
} }
if err := decoder.Decode(&query, r.URL.Query()); err != nil { if err := decoder.Decode(&query, r.URL.Query()); err != nil {


@ -32,6 +32,7 @@ func PushImage(w http.ResponseWriter, r *http.Request) {
TLSVerify bool `schema:"tlsVerify"` TLSVerify bool `schema:"tlsVerify"`
Quiet bool `schema:"quiet"` Quiet bool `schema:"quiet"`
}{ }{
TLSVerify: true,
// #14971: older versions did not sent *any* data, so we need // #14971: older versions did not sent *any* data, so we need
// to be quiet by default to remain backwards compatible // to be quiet by default to remain backwards compatible
Quiet: true, Quiet: true,
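Review bot: Flipping the default to `TLSVerify: true` changes behaviour for existing clients that omitted tlsVerify and pushed to a plain-HTTP or self-signed registry, yet the hunk says nothing about it while the #14971 comment directly below justifies `Quiet: true` on exactly that backward-compatibility ground. Verify-by-default is the right fail-closed choice, so the code need not change, but the reasoning deserves the same treatment next to the new line: `// TLSVerify defaults to true to match the CLI; clients that relied on the old false default must pass tlsVerify=false explicitly.` The same note applies to the SearchImages and ManifestPush hunks on this page. PushImage's struct and body continue outside the hunk.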


@ -310,6 +310,7 @@ func ManifestPush(w http.ResponseWriter, r *http.Request) {
TLSVerify bool `schema:"tlsVerify"` TLSVerify bool `schema:"tlsVerify"`
}{ }{
// Add defaults here once needed. // Add defaults here once needed.
TLSVerify: true,
} }
if err := decoder.Decode(&query, r.URL.Query()); err != nil { if err := decoder.Decode(&query, r.URL.Query()); err != nil {
utils.Error(w, http.StatusBadRequest, utils.Error(w, http.StatusBadRequest,
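Review bot: The comment `// Add defaults here once needed.` immediately above the new `TLSVerify: true` is now stale, since a default has just been added beneath it. Replace it with one that explains the value rather than its absence, e.g. `// Mirror the CLI: verify registry TLS unless the client passes tlsVerify=false.` ManifestPush's struct and body continue outside the hunk.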


@ -192,8 +192,8 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error {
// - in: query // - in: query
// name: tlsVerify // name: tlsVerify
// type: boolean // type: boolean
// default: false // default: true
// description: skip TLS verification for registries // description: Require HTTPS and verify signatures when contacting registries.
// - in: query // - in: query
// name: listTags // name: listTags
// type: boolean // type: boolean
@ -1120,8 +1120,8 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error {
// - in: query // - in: query
// name: tlsVerify // name: tlsVerify
// type: boolean // type: boolean
// default: false // default: true
// description: skip TLS verification for registries // description: Require HTTPS and verify signatures when contacting registries.
// - in: query // - in: query
// name: listTags // name: listTags
// type: boolean // type: boolean
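Review bot: The new description on the tlsVerify parameter, `Require HTTPS and verify signatures when contacting registries.`, says "signatures", but tlsVerify governs certificate verification of the registry's TLS connection, not image signature verification; the CLI help quoted in the commit message says "verify certificates". Suggest `//   description: Require HTTPS and verify certificates when contacting registries.` for both hunks in this file and for the two matching hunks in the manifest registration file below.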


@ -69,12 +69,12 @@ func (s *APIServer) registerManifestHandlers(r *mux.Router) error {
// name: all // name: all
// description: push all images // description: push all images
// type: boolean // type: boolean
// default: false // default: true
// - in: query // - in: query
// name: tlsVerify // name: tlsVerify
// type: boolean // type: boolean
// default: false // default: true
// description: skip TLS verification for registries // description: Require HTTPS and verify signatures when contacting registries.
// responses: // responses:
// 200: // 200:
// schema: // schema:
@ -195,8 +195,8 @@ func (s *APIServer) registerManifestHandlers(r *mux.Router) error {
// - in: query // - in: query
// name: tlsVerify // name: tlsVerify
// type: boolean // type: boolean
// default: false // default: true
// description: skip TLS verification for registries // description: Require HTTPS and verify signatures when contacting registries.
// - in: body // - in: body
// name: options // name: options
// description: options for mutating a manifest // description: options for mutating a manifest
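Review bot: In the first hunk the `default:` line under `name: all` also flips from false to true, although the commit message and the ManifestPush defaults hunk earlier on this page (which adds only `TLSVerify: true`) concern tlsVerify alone. If the handler behind this route still leaves `All` at its zero value, the swagger now documents a default the code does not have; either revert that one line or add `All: true` to the handler's defaults so docs and behaviour agree. I cannot see the handler for this route from the hunk, so please confirm which is intended.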


@ -28,7 +28,10 @@ t GET libpod/images/$IMAGE/json 200 \
.RepoTags[1]=localhost:$REGISTRY_PORT/myrepo:mytag .RepoTags[1]=localhost:$REGISTRY_PORT/myrepo:mytag
# Push to local registry... # Push to local registry...
t POST "images/localhost:$REGISTRY_PORT/myrepo/push?tlsVerify=false&tag=mytag" 200 t POST "images/localhost:$REGISTRY_PORT/myrepo/push?tag=mytag" 200 \
.error~".*x509: certificate signed by unknown authority"
t POST "images/localhost:$REGISTRY_PORT/myrepo/push?tlsVerify=false&tag=mytag" 200 \
.error~null
# ...and check output. We can't use our built-in checks because this output # ...and check output. We can't use our built-in checks because this output
# is a sequence of JSON objects, i.e., individual ones, not in a JSON array. # is a sequence of JSON objects, i.e., individual ones, not in a JSON array.


@ -31,6 +31,8 @@ t POST /v3.4.0/libpod/manifests/$id_abc/add images="[\"containers-storage:$id_ab
t PUT /v4.0.0/libpod/manifests/$id_xyz operation='update' images="[\"containers-storage:$id_xyz_image\"]" 200 t PUT /v4.0.0/libpod/manifests/$id_xyz operation='update' images="[\"containers-storage:$id_xyz_image\"]" 200
t POST "/v3.4.0/libpod/manifests/abc:latest/push?destination=localhost:$REGISTRY_PORT%2Fabc:latest&tlsVerify=false&all=true" 200 t POST "/v3.4.0/libpod/manifests/abc:latest/push?destination=localhost:$REGISTRY_PORT%2Fabc:latest&tlsVerify=false&all=true" 200
t POST "/v4.0.0/libpod/manifests/xyz:latest/registry/localhost:$REGISTRY_PORT%2Fxyz:latest?all=true" 400 \
.cause='x509: certificate signed by unknown authority'
t POST "/v4.0.0/libpod/manifests/xyz:latest/registry/localhost:$REGISTRY_PORT%2Fxyz:latest?tlsVerify=false&all=true" 200 t POST "/v4.0.0/libpod/manifests/xyz:latest/registry/localhost:$REGISTRY_PORT%2Fxyz:latest?tlsVerify=false&all=true" 200
# /v3.x cannot delete a manifest list # /v3.x cannot delete a manifest list
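Review bot: The new negative case only exercises the /v4.0.0 registry route; the /v3.4.0 push on the line above still passes `tlsVerify=false` explicitly, so the flipped default is not verified for that route. If the v3 handler received the same default, a sibling request that omits `tlsVerify` and asserts the x509 failure (in whatever status and field shape that route uses) would close the gap. The v4 case asserts on the exact Go x509 message text, which is stable but worth keeping in mind should that wording ever change.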