mirror of
https://github.com/portainer/portainer.git
synced 2025-08-05 05:45:22 +02:00
fix(tls): centralize the TLS configuration to ensure FIPS compliance BE-11979 (#960)
This commit is contained in:
andres-portainer
GitHub
parent
3eab294908
commit
163aa57e5c
25 changed files with 454 additions and 112 deletions
|
|
@ -1,7 +1,6 @@
|
|||
package client
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
|
|
@ -11,6 +10,7 @@ import (
|
|||
"time"
|
||||
|
||||
portainer "github.com/portainer/portainer/api"
|
||||
"github.com/portainer/portainer/api/crypto"
|
||||
|
||||
"github.com/rs/zerolog/log"
|
||||
"github.com/segmentio/encoding/json"
|
||||
|
|
@ -105,21 +105,28 @@ func Get(url string, timeout int) ([]byte, error) {
|
|||
// ExecutePingOperation will send a SystemPing operation HTTP request to a Docker environment(endpoint)
|
||||
// using the specified host and optional TLS configuration.
|
||||
// It uses a new Http.Client for each operation.
|
||||
func ExecutePingOperation(host string, tlsConfig *tls.Config) (bool, error) {
|
||||
func ExecutePingOperation(host string, tlsConfiguration portainer.TLSConfiguration) (bool, error) {
|
||||
transport := &http.Transport{}
|
||||
|
||||
scheme := "http"
|
||||
if tlsConfig != nil {
|
||||
|
||||
if tlsConfiguration.TLS {
|
||||
tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(tlsConfiguration)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
transport.TLSClientConfig = tlsConfig
|
||||
scheme = "https"
|
||||
}
|
||||
|
||||
client := &http.Client{
|
||||
Timeout: time.Second * 3,
|
||||
Timeout: 3 * time.Second,
|
||||
Transport: transport,
|
||||
}
|
||||
|
||||
target := strings.Replace(host, "tcp://", scheme+"://", 1)
|
||||
|
||||
return pingOperation(client, target)
|
||||
}
|
||||
|
||||
|
|
|
|||
31
api/http/client/client_test.go
Normal file
31
api/http/client/client_test.go
Normal file
|
|
@ -0,0 +1,31 @@
|
|||
package client
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
portainer "github.com/portainer/portainer/api"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestExecutePingOperationFailure(t *testing.T) {
|
||||
host := "http://localhost:1"
|
||||
config := portainer.TLSConfiguration{
|
||||
TLS: true,
|
||||
TLSSkipVerify: true,
|
||||
}
|
||||
|
||||
// Invalid host
|
||||
ok, err := ExecutePingOperation(host, config)
|
||||
require.False(t, ok)
|
||||
require.Error(t, err)
|
||||
|
||||
// Invalid TLS configuration
|
||||
config.TLSCertPath = "/invalid/path/to/cert"
|
||||
config.TLSKeyPath = "/invalid/path/to/key"
|
||||
|
||||
ok, err = ExecutePingOperation(host, config)
|
||||
require.False(t, ok)
|
||||
require.Error(t, err)
|
||||
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue