fix(tls): centralize the TLS configuration to ensure FIPS compliance BE-11979 (#960)

2025-08-05 22:05:23 +02:00 · 2025-08-01 22:23:59 -03:00 · 2025-08-01 22:23:59 -03:00 · 163aa57e5c
commit 163aa57e5c
parent 3eab294908
25 changed files with 454 additions and 112 deletions
--- a/api/internal/endpointutils/endpoint_setup.go
+++ b/api/internal/endpointutils/endpoint_setup.go
@ -5,7 +5,6 @@ import (
 	"strings"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/client"

@ -108,12 +107,7 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore dataservices.
 	}

 	if strings.HasPrefix(endpoint.URL, "tcp://") {
-		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(tlsConfiguration.TLSCACertPath, tlsConfiguration.TLSCertPath, tlsConfiguration.TLSKeyPath, tlsConfiguration.TLSSkipVerify)
-		if err != nil {
-			return err
-		}
-
-		agentOnDockerEnvironment, err := client.ExecutePingOperation(endpoint.URL, tlsConfig)
+		agentOnDockerEnvironment, err := client.ExecutePingOperation(endpoint.URL, tlsConfiguration)
 		if err != nil {
 			return err
 		}
@ -136,7 +130,7 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore dataservices.

 func createUnsecuredEndpoint(endpointURL string, dataStore dataservices.DataStore, snapshotService portainer.SnapshotService) error {
 	if strings.HasPrefix(endpointURL, "tcp://") {
-		if _, err := client.ExecutePingOperation(endpointURL, nil); err != nil {
+		if _, err := client.ExecutePingOperation(endpointURL, portainer.TLSConfiguration{}); err != nil {
 			return err
 		}
 	}
--- a/api/internal/endpointutils/endpoint_setup_test.go
+++ b/api/internal/endpointutils/endpoint_setup_test.go
@ -0,0 +1,12 @@
+package endpointutils
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCreateOfflineUnsecuredEndpoint(t *testing.T) {
+	err := createUnsecuredEndpoint("tcp://localhost:1", nil, nil)
+	require.Error(t, err)
+}
--- a/api/internal/snapshot/snapshot.go
+++ b/api/internal/snapshot/snapshot.go
@ -2,7 +2,6 @@ package snapshot

 import (
 	"context"
-	"crypto/tls"
 	"errors"
 	"time"

@ -138,14 +137,9 @@ func SupportDirectSnapshot(endpoint *portainer.Endpoint) bool {
 // If the snapshot is a success, it will be associated to the environment(endpoint).
 func (service *Service) SnapshotEndpoint(endpoint *portainer.Endpoint) error {
 	if endpoint.Type == portainer.AgentOnDockerEnvironment || endpoint.Type == portainer.AgentOnKubernetesEnvironment {
-		var err error
-		var tlsConfig *tls.Config
-
-		if endpoint.TLSConfig.TLS {
-			tlsConfig, err = crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
-			if err != nil {
-				return err
-			}
+		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
+		if err != nil {
+			return err
 		}

 		_, version, err := agent.GetAgentVersionAndPlatform(endpoint.URL, tlsConfig)