fix(api): refactor TLS support (#1909)

* refactor(api): refactor TLS support * feat(api): migrate endpoint data * refactor(api): remove unused code and rename functions * refactor(app): remove console.log statement
2025-07-26 00:39:41 +02:00 · 2018-05-19 16:25:11 +02:00 · 2018-05-19 16:25:11 +02:00 · 63d338c4da
commit 63d338c4da
parent 5d3f438288
15 changed files with 163 additions and 108 deletions
--- a/api/http/client/client.go
+++ b/api/http/client/client.go
@ -7,39 +7,8 @@ import (
 	"time"

 	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/crypto"
 )

-// ExecutePingOperationFromEndpoint will send a SystemPing operation HTTP request to a Docker environment
-// using the specified endpoint configuration. It is used exclusively when
-// specifying an endpoint from the CLI via the -H flag.
-func ExecutePingOperationFromEndpoint(endpoint *portainer.Endpoint) (bool, error) {
-	if strings.HasPrefix(endpoint.URL, "unix://") {
-		return false, nil
-	}
-
-	transport := &http.Transport{}
-
-	scheme := "http"
-
-	if endpoint.TLSConfig.TLS || endpoint.TLSConfig.TLSSkipVerify {
-		tlsConfig, err := crypto.CreateTLSConfiguration(&endpoint.TLSConfig)
-		if err != nil {
-			return false, err
-		}
-		scheme = "https"
-		transport.TLSClientConfig = tlsConfig
-	}
-
-	client := &http.Client{
-		Timeout:   time.Second * 3,
-		Transport: transport,
-	}
-
-	target := strings.Replace(endpoint.URL, "tcp://", scheme+"://", 1)
-	return pingOperation(client, target)
-}
-
 // ExecutePingOperation will send a SystemPing operation HTTP request to a Docker environment
 // using the specified host and optional TLS configuration.
 func ExecutePingOperation(host string, tlsConfig *tls.Config) (bool, error) {
--- a/api/http/handler/endpoint.go
+++ b/api/http/handler/endpoint.go
@ -121,7 +121,7 @@ func (handler *EndpointHandler) handleGetEndpoints(w http.ResponseWriter, r *htt
 }

 func (handler *EndpointHandler) createTLSSecuredEndpoint(payload *postEndpointPayload) (*portainer.Endpoint, error) {
-	tlsConfig, err := crypto.CreateTLSConfig(payload.caCert, payload.cert, payload.key, payload.skipTLSClientVerification, payload.skipTLSServerVerification)
+	tlsConfig, err := crypto.CreateTLSConfigurationFromBytes(payload.caCert, payload.cert, payload.key, payload.skipTLSClientVerification, payload.skipTLSServerVerification)
 	if err != nil {
 		return nil, err
 	}
--- a/api/http/handler/websocket.go
+++ b/api/http/handler/websocket.go
@ -188,7 +188,7 @@ func createDial(endpoint *portainer.Endpoint) (net.Conn, error) {
 	}

 	if endpoint.TLSConfig.TLS {
-		tlsConfig, err := crypto.CreateTLSConfiguration(&endpoint.TLSConfig)
+		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
 		if err != nil {
 			return nil, err
 		}
--- a/api/http/proxy/factory.go
+++ b/api/http/proxy/factory.go
@ -29,7 +29,7 @@ func (factory *proxyFactory) newDockerHTTPSProxy(u *url.URL, tlsConfig *portaine
 	u.Scheme = "https"

 	proxy := factory.createDockerReverseProxy(u, enableSignature)
-	config, err := crypto.CreateTLSConfiguration(tlsConfig)
+	config, err := crypto.CreateTLSConfigurationFromDisk(tlsConfig.TLSCACertPath, tlsConfig.TLSCertPath, tlsConfig.TLSKeyPath, tlsConfig.TLSSkipVerify)
 	if err != nil {
 		return nil, err
 	}
--- a/api/http/proxy/manager.go
+++ b/api/http/proxy/manager.go
@ -60,7 +60,7 @@ func (manager *Manager) CreateAndRegisterProxy(endpoint *portainer.Endpoint) (ht
 	}

 	if endpointURL.Scheme == "tcp" {
-		if endpoint.TLSConfig.TLS || endpoint.TLSConfig.TLSSkipVerify {
+		if endpoint.TLSConfig.TLS {
 			proxy, err = manager.proxyFactory.newDockerHTTPSProxy(endpointURL, &endpoint.TLSConfig, enableSignature)
 			if err != nil {
 				return nil, err