feat(api): TLS endpoint creation and init overhaul (#1173)

2025-07-24 15:59:41 +02:00 · 2017-09-14 08:08:37 +02:00 · 2017-09-14 08:08:37 +02:00 · 8d4807c9e7
commit 8d4807c9e7
parent 87825f7ebb
26 changed files with 828 additions and 481 deletions
--- a/api/http/handler/endpoint.go
+++ b/api/http/handler/endpoint.go
@ -57,10 +57,12 @@ func NewEndpointHandler(bouncer *security.RequestBouncer, authorizeEndpointManag

 type (
 	postEndpointsRequest struct {
-		Name      string `valid:"required"`
-		URL       string `valid:"required"`
-		PublicURL string `valid:"-"`
-		TLS       bool
+		Name                string `valid:"required"`
+		URL                 string `valid:"required"`
+		PublicURL           string `valid:"-"`
+		TLS                 bool
+		TLSSkipVerify       bool
+		TLSSkipClientVerify bool
 	}

 	postEndpointsResponse struct {
@ -73,10 +75,12 @@ type (
 	}

 	putEndpointsRequest struct {
-		Name      string `valid:"-"`
-		URL       string `valid:"-"`
-		PublicURL string `valid:"-"`
-		TLS       bool   `valid:"-"`
+		Name                string `valid:"-"`
+		URL                 string `valid:"-"`
+		PublicURL           string `valid:"-"`
+		TLS                 bool   `valid:"-"`
+		TLSSkipVerify       bool   `valid:"-"`
+		TLSSkipClientVerify bool   `valid:"-"`
 	}
 )

@ -123,10 +127,13 @@ func (handler *EndpointHandler) handlePostEndpoints(w http.ResponseWriter, r *ht
 	}

 	endpoint := &portainer.Endpoint{
-		Name:            req.Name,
-		URL:             req.URL,
-		PublicURL:       req.PublicURL,
-		TLS:             req.TLS,
+		Name:      req.Name,
+		URL:       req.URL,
+		PublicURL: req.PublicURL,
+		TLSConfig: portainer.TLSConfiguration{
+			TLS:           req.TLS,
+			TLSSkipVerify: req.TLSSkipVerify,
+		},
 		AuthorizedUsers: []portainer.UserID{},
 		AuthorizedTeams: []portainer.TeamID{},
 	}
@ -139,12 +146,19 @@ func (handler *EndpointHandler) handlePostEndpoints(w http.ResponseWriter, r *ht

 	if req.TLS {
 		folder := strconv.Itoa(int(endpoint.ID))
-		caCertPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCA)
-		endpoint.TLSCACertPath = caCertPath
-		certPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCert)
-		endpoint.TLSCertPath = certPath
-		keyPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileKey)
-		endpoint.TLSKeyPath = keyPath
+
+		if !req.TLSSkipVerify {
+			caCertPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCA)
+			endpoint.TLSConfig.TLSCACertPath = caCertPath
+		}
+
+		if !req.TLSSkipClientVerify {
+			certPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCert)
+			endpoint.TLSConfig.TLSCertPath = certPath
+			keyPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileKey)
+			endpoint.TLSConfig.TLSKeyPath = keyPath
+		}
+
 		err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
 		if err != nil {
 			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
@ -284,18 +298,33 @@ func (handler *EndpointHandler) handlePutEndpoint(w http.ResponseWriter, r *http

 	folder := strconv.Itoa(int(endpoint.ID))
 	if req.TLS {
-		endpoint.TLS = true
-		caCertPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCA)
-		endpoint.TLSCACertPath = caCertPath
-		certPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCert)
-		endpoint.TLSCertPath = certPath
-		keyPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileKey)
-		endpoint.TLSKeyPath = keyPath
+		endpoint.TLSConfig.TLS = true
+		endpoint.TLSConfig.TLSSkipVerify = req.TLSSkipVerify
+		if !req.TLSSkipVerify {
+			caCertPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCA)
+			endpoint.TLSConfig.TLSCACertPath = caCertPath
+		} else {
+			endpoint.TLSConfig.TLSCACertPath = ""
+			handler.FileService.DeleteTLSFile(folder, portainer.TLSFileCA)
+		}
+
+		if !req.TLSSkipClientVerify {
+			certPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCert)
+			endpoint.TLSConfig.TLSCertPath = certPath
+			keyPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileKey)
+			endpoint.TLSConfig.TLSKeyPath = keyPath
+		} else {
+			endpoint.TLSConfig.TLSCertPath = ""
+			handler.FileService.DeleteTLSFile(folder, portainer.TLSFileCert)
+			endpoint.TLSConfig.TLSKeyPath = ""
+			handler.FileService.DeleteTLSFile(folder, portainer.TLSFileKey)
+		}
 	} else {
-		endpoint.TLS = false
-		endpoint.TLSCACertPath = ""
-		endpoint.TLSCertPath = ""
-		endpoint.TLSKeyPath = ""
+		endpoint.TLSConfig.TLS = false
+		endpoint.TLSConfig.TLSSkipVerify = true
+		endpoint.TLSConfig.TLSCACertPath = ""
+		endpoint.TLSConfig.TLSCertPath = ""
+		endpoint.TLSConfig.TLSKeyPath = ""
 		err = handler.FileService.DeleteTLSFiles(folder)
 		if err != nil {
 			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
@ -350,7 +379,7 @@ func (handler *EndpointHandler) handleDeleteEndpoint(w http.ResponseWriter, r *h
 		return
 	}

-	if endpoint.TLS {
+	if endpoint.TLSConfig.TLS {
 		err = handler.FileService.DeleteTLSFiles(id)
 		if err != nil {
 			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)