Set TLSVerify=true by default for API endpoints
Option defaults in API must be the same as in CLI. ``` % podman image push --help % podman image pull --help % podman manifest push --help % podman image search --help ``` All of these CLI commands have --tls-verify=true by default: ``` --tls-verify require HTTPS and verify certificates when accessing the registry (default true) ``` As for `podman image build`, it doesn't have any means to control the `tlsVerify` parameter but it must be true by default. Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
		
							parent
							
								
									b70e2a4788
								
							
						
					
					
						commit
						52a4642edd
					
				|  | @ -140,6 +140,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { | |||
| 		Registry:      "docker.io", | ||||
| 		Rm:            true, | ||||
| 		ShmSize:       64 * 1024 * 1024, | ||||
| 		TLSVerify:     true, | ||||
| 	} | ||||
| 
 | ||||
| 	decoder := r.Context().Value(api.DecoderKey).(*schema.Decoder) | ||||
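Review bot: The new `TLSVerify: true` default in BuildImage's query literal is security-relevant but has no comment and, as far as this page shows, no test: the added test lines cover only image push and manifest push, so the defaults in BuildImage and SearchImages are not exercised here. A one-line comment such as `// Verify registry TLS by default, matching the CLI's --tls-verify default.` would record why the zero value is overridden. The same applies to the literals in SearchImages, PushImage and ManifestPush; in ManifestPush the existing `// Add defaults here once needed.` now sits directly above a default and could be reworded. BuildImage's body starts and ends outside the hunk.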
|  |  | |||
|  | @ -26,6 +26,7 @@ func SearchImages(w http.ResponseWriter, r *http.Request) { | |||
| 		ListTags  bool                `json:"listTags"` | ||||
| 	}{ | ||||
| 		// This is where you can override the golang default value for one of fields
 | ||||
| 		TLSVerify: true, | ||||
| 	} | ||||
| 
 | ||||
| 	if err := decoder.Decode(&query, r.URL.Query()); err != nil { | ||||
|  |  | |||
|  | @ -32,6 +32,7 @@ func PushImage(w http.ResponseWriter, r *http.Request) { | |||
| 		TLSVerify        bool   `schema:"tlsVerify"` | ||||
| 		Quiet            bool   `schema:"quiet"` | ||||
| 	}{ | ||||
| 		TLSVerify: true, | ||||
| 		// #14971: older versions did not sent *any* data, so we need
 | ||||
| 		//         to be quiet by default to remain backwards compatible
 | ||||
| 		Quiet: true, | ||||
|  |  | |||
|  | @ -310,6 +310,7 @@ func ManifestPush(w http.ResponseWriter, r *http.Request) { | |||
| 		TLSVerify bool `schema:"tlsVerify"` | ||||
| 	}{ | ||||
| 		// Add defaults here once needed.
 | ||||
| 		TLSVerify: true, | ||||
| 	} | ||||
| 	if err := decoder.Decode(&query, r.URL.Query()); err != nil { | ||||
| 		utils.Error(w, http.StatusBadRequest, | ||||
|  |  | |||
|  | @ -192,8 +192,8 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error { | |||
| 	//  - in: query
 | ||||
| 	//    name: tlsVerify
 | ||||
| 	//    type: boolean
 | ||||
| 	//    default: false
 | ||||
| 	//    description: skip TLS verification for registries
 | ||||
| 	//    default: true
 | ||||
| 	//    description: Require HTTPS and verify signatures when contacting registries.
 | ||||
| 	//  - in: query
 | ||||
| 	//    name: listTags
 | ||||
| 	//    type: boolean
 | ||||
|  | @ -1120,8 +1120,8 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error { | |||
| 	//  - in: query
 | ||||
| 	//    name: tlsVerify
 | ||||
| 	//    type: boolean
 | ||||
| 	//    default: false
 | ||||
| 	//    description: skip TLS verification for registries
 | ||||
| 	//    default: true
 | ||||
| 	//    description: Require HTTPS and verify signatures when contacting registries.
 | ||||
| 	//  - in: query
 | ||||
| 	//    name: listTags
 | ||||
| 	//    type: boolean
 | ||||
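Review bot: The new description `Require HTTPS and verify signatures when contacting registries.` says "signatures", while the CLI help quoted in the commit message says "verify certificates". A reader of the API docs could take this to mean image signature verification, which is a separate control from TLS certificate validation. I would write `//    description: Require HTTPS and verify certificates when contacting registries.` in both hunks of this section and in the two registerManifestHandlers hunks that use the same sentence. The swagger comment blocks continue outside the hunks.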
|  |  | |||
|  | @ -69,12 +69,12 @@ func (s *APIServer) registerManifestHandlers(r *mux.Router) error { | |||
| 	//    name: all
 | ||||
| 	//    description: push all images
 | ||||
| 	//    type: boolean
 | ||||
| 	//    default: false
 | ||||
| 	//    default: true
 | ||||
| 	//  - in: query
 | ||||
| 	//    name: tlsVerify
 | ||||
| 	//    type: boolean
 | ||||
| 	//    default: false
 | ||||
| 	//    description: skip TLS verification for registries
 | ||||
| 	//    default: true
 | ||||
| 	//    description: Require HTTPS and verify signatures when contacting registries.
 | ||||
| 	// responses:
 | ||||
| 	//   200:
 | ||||
| 	//     schema:
 | ||||
|  | @ -195,8 +195,8 @@ func (s *APIServer) registerManifestHandlers(r *mux.Router) error { | |||
| 	//  - in: query
 | ||||
| 	//    name: tlsVerify
 | ||||
| 	//    type: boolean
 | ||||
| 	//    default: false
 | ||||
| 	//    description: skip TLS verification for registries
 | ||||
| 	//    default: true
 | ||||
| 	//    description: Require HTTPS and verify signatures when contacting registries.
 | ||||
| 	//  - in: body
 | ||||
| 	//    name: options
 | ||||
| 	//    description: options for mutating a manifest
 | ||||
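Review bot: The first hunk appears to flip the documented default of the `all` parameter to `default: true`, yet the only manifest-push defaults literal shown on this page (ManifestPush) sets just `TLSVerify: true`. Unless `All` is defaulted outside the visible lines, the docs and the handler disagree; either add `All: true,` to the handler's literal or keep `//    default: false` for `all`. Separately, the second hunk documents `default: true` for tlsVerify on the endpoint whose body is "options for mutating a manifest", and no handler change for that endpoint appears here, so it is worth confirming that its default already matches.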
|  |  | |||
|  | @ -28,7 +28,10 @@ t GET libpod/images/$IMAGE/json 200 \ | |||
|   .RepoTags[1]=localhost:$REGISTRY_PORT/myrepo:mytag | ||||
| 
 | ||||
| # Push to local registry... | ||||
| t POST "images/localhost:$REGISTRY_PORT/myrepo/push?tlsVerify=false&tag=mytag" 200 | ||||
| t POST "images/localhost:$REGISTRY_PORT/myrepo/push?tag=mytag" 200 \ | ||||
|   .error~".*x509: certificate signed by unknown authority" | ||||
| t POST "images/localhost:$REGISTRY_PORT/myrepo/push?tlsVerify=false&tag=mytag" 200 \ | ||||
|   .error~null | ||||
| 
 | ||||
| # ...and check output. We can't use our built-in checks because this output | ||||
| # is a sequence of JSON objects, i.e., individual ones, not in a JSON array. | ||||
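Review bot: The default-case push asserts HTTP `200` together with an `.error` match on `x509: certificate signed by unknown authority`, so the TLS failure is reported only in the response body, whereas the manifest push test in this commit expects `400` with `.cause`. A client that checks only the status code would read a rejected push as a success. A comment above the new line would make this explicit, for example `# status stays 200: the push error is delivered in the response body`. Whether the status itself should change cannot be judged from this hunk.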
|  |  | |||
|  | @ -31,6 +31,8 @@ t POST /v3.4.0/libpod/manifests/$id_abc/add images="[\"containers-storage:$id_ab | |||
| t PUT /v4.0.0/libpod/manifests/$id_xyz operation='update' images="[\"containers-storage:$id_xyz_image\"]" 200 | ||||
| 
 | ||||
| t POST "/v3.4.0/libpod/manifests/abc:latest/push?destination=localhost:$REGISTRY_PORT%2Fabc:latest&tlsVerify=false&all=true" 200 | ||||
| t POST "/v4.0.0/libpod/manifests/xyz:latest/registry/localhost:$REGISTRY_PORT%2Fxyz:latest?all=true" 400 \ | ||||
|   .cause='x509: certificate signed by unknown authority' | ||||
| t POST "/v4.0.0/libpod/manifests/xyz:latest/registry/localhost:$REGISTRY_PORT%2Fxyz:latest?tlsVerify=false&all=true" 200 | ||||
| 
 | ||||
| # /v3.x cannot delete a manifest list | ||||
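Review bot: Only the /v4.0.0 route gets a default-case assertion; the /v3.4.0 `.../push` call still passes `tlsVerify=false`, and nothing checks what that route does when the parameter is omitted. If it is served by a different handler, which this page does not show, a matching call without `tlsVerify=false` that expects the x509 failure would pin its default as well. The new check also matches one exact error string, `x509: certificate signed by unknown authority`, so it presumably depends on the test registry presenting a self-signed certificate; a short comment saying so would help whoever changes the registry setup.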
|  |  | |||