Merge 0f153fe35c into 6d9b57671f

Signed-off-by: Tanner Jones <tanner@testifysec.com>

cmd/registry/auth/basic/basic.go

@@ -26,6 +26,7 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"golang.org/x/term"
+	"oras.land/oras-go/v2/registry/remote/auth"
 	"oras.land/oras-go/v2/registry/remote/credentials"
 
 	"github.com/falcosecurity/falcoctl/internal/config"
@@ -41,6 +42,7 @@ type loginOptions struct {
 	username          string
 	password          string
 	passwordFromStdin bool
+	insecure          bool
 }
 
 // NewBasicCmd returns the basic command.
@@ -66,16 +68,21 @@ Example - Login with username and password from stdin:
 
 Example - Login with username and password in an interactive prompt:
 	falcoctl registry auth basic localhost:5000
+
+Example - Login to an insecure registry:
+	falcoctl registry auth basic --insecure localhost:5000
 `,
 		Args: cobra.ExactArgs(1),
 		PreRunE: func(cmd *cobra.Command, args []string) error {
 			_ = viper.BindPFlag("registry.auth.basic.username", cmd.Flags().Lookup("username"))
 			_ = viper.BindPFlag("registry.auth.basic.password", cmd.Flags().Lookup("password"))
 			_ = viper.BindPFlag("registry.auth.basic.password_stdin", cmd.Flags().Lookup("password-stdin"))
+			_ = viper.BindPFlag("registry.auth.basic.insecure", cmd.Flags().Lookup("insecure"))
 
 			o.username = viper.GetString("registry.auth.basic.username")
 			o.password = viper.GetString("registry.auth.basic.password")
 			o.passwordFromStdin = viper.GetBool("registry.auth.basic.password_stdin")
+			o.insecure = viper.GetBool("registry.auth.basic.insecure")
 
 			return nil
 		},
@@ -87,6 +94,7 @@ Example - Login with username and password in an interactive prompt:
 	cmd.Flags().StringVarP(&o.username, "username", "u", "", "registry username")
 	cmd.Flags().StringVarP(&o.password, "password", "p", "", "registry password")
 	cmd.Flags().BoolVar(&o.passwordFromStdin, "password-stdin", false, "read password from stdin")
+	cmd.Flags().BoolVar(&o.insecure, "insecure", false, "enables plain HTTP and skips TLS verification")
 
 	return cmd
 }
@@ -96,18 +104,26 @@ func (o *loginOptions) RunBasic(ctx context.Context, args []string) error {
 	var reg string
 	logger := o.Printer.Logger
 
+	// Remove scheme if present
+	registryArg := strings.TrimPrefix(strings.TrimPrefix(args[0], "http://"), "https://")
+
 	// Allow to have the registry expressed as a ref, but actually extract it.
-	reg, err := utils.GetRegistryFromRef(args[0])
+	reg, err := utils.GetRegistryFromRef(registryArg)
 	if err != nil {
-		reg = args[0]
+		reg = registryArg
 	}
 
 	if err := getCredentials(o.Printer, o); err != nil {
 		return err
 	}
 
-	// create empty client
-	client := authn.NewClient()
+	// create empty client with insecure option if specified
+	var client *auth.Client
+	if o.insecure {
+		client = authn.NewClient(authn.WithInsecure())
+	} else {
+		client = authn.NewClient()
+	}
 
 	// create credential store
 	credentialStore, err := credentials.NewStore(config.RegistryCredentialConfPath(), credentials.StoreOptions{

cmd/registry/auth/basic/basic_test.go

@@ -73,11 +73,15 @@ Example - Login with username and password from stdin:
 Example - Login with username and password in an interactive prompt:
 	falcoctl registry auth basic localhost:5000
 
+Example - Login to an insecure registry:
+	falcoctl registry auth basic --insecure localhost:5000
+
 Usage:
   falcoctl registry auth basic [hostname]
 
 Flags:
   -h, --help              help for basic
+      --insecure          allow connections to SSL registry without certs
   -p, --password string   registry password
       --password-stdin    read password from stdin
   -u, --username string   registry username
@@ -127,8 +131,54 @@ var registryAuthBasicTests = Describe("auth", func() {
 			Expect(output).Should(gbytes.Say(regexp.QuoteMeta(registryAuthBasicHelp)))
 		})
 	})
-	Context("failure", func() {
 
+	Context("insecure flag", func() {
+		When("using HTTP with --insecure", func() {
+			BeforeEach(func() {
+				args = []string{registryCmd, authCmd, basicCmd, "--insecure", "-u", "username", "-p", "password", "--config", configFile, registry}
+			})
+
+			It("should succeed with plain HTTP", func() {
+				Expect(err).ShouldNot(HaveOccurred())
+				Expect(output).Should(gbytes.Say("Login succeeded"))
+			})
+		})
+
+		When("using HTTPS with self-signed cert and --insecure", func() {
+			BeforeEach(func() {
+				// The registry is already configured for HTTPS in the test suite
+				args = []string{registryCmd, authCmd, basicCmd, "--insecure", "-u", "username", "-p", "password", "--config", configFile, registryBasic}
+			})
+
+			It("should succeed with insecure HTTPS", func() {
+				Expect(err).ShouldNot(HaveOccurred())
+				Expect(output).Should(gbytes.Say("Login succeeded"))
+			})
+		})
+
+		When("using HTTPS without --insecure", func() {
+			BeforeEach(func() {
+				args = []string{registryCmd, authCmd, basicCmd, "-u", "username", "-p", "password", "--config", configFile, registryBasic}
+			})
+
+			It("should fail with certificate verification error", func() {
+				Expect(err).Should(HaveOccurred())
+				Expect(output).Should(gbytes.Say("certificate"))
+			})
+		})
+
+		When("using HTTP without --insecure", func() {
+			BeforeEach(func() {
+				args = []string{registryCmd, authCmd, basicCmd, "-u", "username", "-p", "password", "--config", configFile, "http://" + registry}
+			})
+
+			It("should fail when trying plain HTTP without insecure flag", func() {
+				Expect(err).Should(HaveOccurred())
+			})
+		})
+	})
+
+	Context("failure", func() {
 		When("without hostname", func() {
 			BeforeEach(func() {
 				args = []string{registryCmd, authCmd, basicCmd}
@@ -137,5 +187,4 @@ var registryAuthBasicTests = Describe("auth", func() {
 				"ERROR accepts 1 arg(s), received 0")
 		})
 	})
-
 })

internal/login/basic/basic.go

@@ -18,6 +18,8 @@ package basic
 import (
 	"context"
 	"fmt"
+	"net/http"
+	"strings"
 
 	"oras.land/oras-go/v2/registry/remote/auth"
 	"oras.land/oras-go/v2/registry/remote/credentials"
@@ -34,9 +36,42 @@ func Login(ctx context.Context, client *auth.Client, credStore credentials.Store
 
 	client.Credential = auth.StaticCredential(reg, cred)
 
-	r, err := registry.NewRegistry(reg, registry.WithClient(client))
+	// Check if client is configured for insecure connections
+	transport, ok := client.Client.Transport.(*http.Transport)
+	insecure := ok && transport.TLSClientConfig != nil && transport.TLSClientConfig.InsecureSkipVerify
+
+	// If the registry URL starts with https://, force HTTPS
+	forceHTTPS := strings.HasPrefix(reg, "https://")
+	// If the registry URL starts with http://, force HTTP
+	forceHTTP := strings.HasPrefix(reg, "http://")
+	// Strip scheme if present
+	reg = strings.TrimPrefix(strings.TrimPrefix(reg, "http://"), "https://")
+
+	// Create registry client with appropriate settings
+	var r *registry.Registry
+	var err error
+
+	switch {
+	case forceHTTPS:
+		// For explicit HTTPS URLs, use HTTPS with insecure setting from client
+		r, err = registry.NewRegistry(reg, registry.WithClient(client), registry.WithPlainHTTP(false))
+	case forceHTTP:
+		// For explicit HTTP URLs, use HTTP if insecure is enabled
+		if !insecure {
+			return fmt.Errorf("cannot use plain HTTP for %q without --insecure flag", reg)
+		}
+		r, err = registry.NewRegistry(reg, registry.WithClient(client), registry.WithPlainHTTP(true))
+	default:
+		// For URLs without scheme, try HTTPS first, then fall back to HTTP if insecure is enabled
+		r, err = registry.NewRegistry(reg, registry.WithClient(client), registry.WithPlainHTTP(false))
+		if err != nil && insecure {
+			// If HTTPS failed and insecure is enabled, try HTTP
+			r, err = registry.NewRegistry(reg, registry.WithClient(client), registry.WithPlainHTTP(true))
+		}
+	}
+
 	if err != nil {
-		return err
+		return fmt.Errorf("unable to connect to registry %q: %w", reg, err)
 	}
 
 	if err := r.CheckConnection(ctx); err != nil {

internal/utils/validate.go

@@ -22,6 +22,9 @@ import (
 
 // GetRegistryFromRef extracts the registry from a ref string.
 func GetRegistryFromRef(ref string) (string, error) {
+	// Remove scheme if present
+	ref = strings.TrimPrefix(strings.TrimPrefix(ref, "http://"), "https://")
+
 	index := strings.Index(ref, "/")
 	if index <= 0 {
 		return "", fmt.Errorf("cannot extract registry name from ref %q", ref)

pkg/oci/authn/client.go

@@ -17,6 +17,7 @@ package authn
 
 import (
 	"context"
+	"crypto/tls"
 	"net"
 	"net/http"
 	"time"
@@ -36,6 +37,7 @@ type Options struct {
 	CredentialsFuncs      []func(context.Context, string) (auth.Credential, error)
 	AutoLoginHandler      *AutoLoginHandler
 	ClientTokenCache      auth.Cache
+	Insecure              bool
 }
 
 // NewClient creates a new authenticated client to interact with a remote registry.
@@ -48,9 +50,7 @@ func NewClient(options ...func(*Options)) *auth.Client {
 		o(opt)
 	}
 
-	authClient := auth.Client{
-		Client: &http.Client{
-			Transport: &http.Transport{
+	transport := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		DialContext: (&net.Dialer{
 			Timeout:   30 * time.Second,
@@ -61,8 +61,18 @@ func NewClient(options ...func(*Options)) *auth.Client {
 		IdleConnTimeout:       90 * time.Second,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
-				// TODO(loresuso, alacuku): tls config.
-			},
+	}
+
+	if opt.Insecure {
+		//nolint:gosec // InsecureSkipVerify is intentionally set to true when --insecure flag is used
+		transport.TLSClientConfig = &tls.Config{
+			InsecureSkipVerify: true,
+		}
+	}
+
+	authClient := auth.Client{
+		Client: &http.Client{
+			Transport: transport,
 		},
 		Cache: opt.ClientTokenCache,
 		Credential: func(ctx context.Context, reg string) (auth.Credential, error) {
@@ -151,3 +161,10 @@ func WithClientTokenCache(cache auth.Cache) func(c *Options) {
 		c.ClientTokenCache = cache
 	}
 }
+
+// WithInsecure configures the client to skip TLS verification.
+func WithInsecure() func(c *Options) {
+	return func(c *Options) {
+		c.Insecure = true
+	}
+}