fix(linter): add linter rules to reduce the chance for invalid FIPS settings BE-11979 (#975)

2025-08-06 14:25:31 +02:00 · 2025-08-05 09:23:07 -03:00 · 2025-08-05 09:23:07 -03:00 · d00d71ecbf
commit d00d71ecbf
parent dc273b2d63
13 changed files with 140 additions and 46 deletions
--- a/api/http/handler/websocket/proxy.go
+++ b/api/http/handler/websocket/proxy.go
@ -73,10 +73,7 @@ func (handler *Handler) doProxyWebsocketRequest(
 	proxy.Dialer = &proxyDialer

 	if enableTLS {
-		tlsConfig := crypto.CreateTLSConfiguration()
-		tlsConfig.InsecureSkipVerify = params.endpoint.TLSConfig.TLSSkipVerify
-
-		proxyDialer.TLSClientConfig = tlsConfig
+		proxyDialer.TLSClientConfig = crypto.CreateTLSConfiguration(params.endpoint.TLSConfig.TLSSkipVerify)
 	}

 	signature, err := handler.SignatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
--- a/api/http/proxy/factory/kubernetes/local_transport_test.go
+++ b/api/http/proxy/factory/kubernetes/local_transport_test.go
@ -9,5 +9,5 @@ import (
 func TestNewLocalTransport(t *testing.T) {
 	transport, err := NewLocalTransport(nil, nil, nil, nil, nil)
 	require.NoError(t, err)
-	require.True(t, transport.baseTransport.httpTransport.TLSClientConfig.InsecureSkipVerify)
+	require.True(t, transport.baseTransport.httpTransport.TLSClientConfig.InsecureSkipVerify) //nolint:forbidigo
 }
--- a/api/http/server.go
+++ b/api/http/server.go
@ -372,7 +372,7 @@ func (server *Server) Start() error {
 		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // Disable HTTP/2
 	}

-	httpsServer.TLSConfig = crypto.CreateTLSConfiguration()
+	httpsServer.TLSConfig = crypto.CreateTLSConfiguration(false)
 	httpsServer.TLSConfig.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
 		return server.SSLService.GetRawCertificate(), nil
 	}