[lxc-devel] [lxd/master] Added InsecureSkipVerify flag the ConnectionArgs struct

overthetop on Github lxc-bot at linuxcontainers.org
Wed Sep 20 13:34:54 UTC 2017


From 12528546cc4127b11fdf3fd2fa7234dd79f523d6 Mon Sep 17 00:00:00 2001
From: Ivan Georgiev <ivan.georgiev at komfo.com>
Date: Wed, 20 Sep 2017 16:17:57 +0300
Subject: [PATCH] Added insecureSkipVerify flag the ConnectionArgs struct

Signed-off-by: Ivan Georgiev <ivan.georgiev at komfo.com>
---
 client/connection.go | 8 ++++++--
 client/util.go       | 4 ++--
 shared/network.go    | 4 ++--
 3 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/client/connection.go b/client/connection.go
index a9474a18a..9156b6ef9 100644
--- a/client/connection.go
+++ b/client/connection.go
@@ -32,6 +32,10 @@ type ConnectionArgs struct {
 
 	// Custom HTTP Client (used as base for the connection)
 	HTTPClient *http.Client
+
+	// Controls whether a client verifies the
+	// server's certificate chain and host name.
+	InsecureSkipVerify bool
 }
 
 // ConnectLXD lets you connect to a remote LXD daemon over HTTPs.
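Review bot: The comment on the new `InsecureSkipVerify` field does not say which value is the unsafe one; "Controls whether a client verifies" can be read as if `true` enabled verification, when it disables it. I would reword it to start with the field name and state the effect: `// InsecureSkipVerify, when true, disables verification of the server's certificate chain and host name.` followed by `// Connections made with it set can be intercepted; leave it false outside of tests.` The comment should also say what happens when `TLSServerCert` is set as well, since both fields are passed to the same helper at the call sites further down. The struct definition starts outside this hunk, so the other fields' comments are not visible for comparison.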
@@ -123,7 +127,7 @@ func ConnectSimpleStreams(url string, args *ConnectionArgs) (ImageServer, error)
 	}
 
 	// Setup the HTTP client
-	httpClient, err := tlsHTTPClient(args.HTTPClient, args.TLSClientCert, args.TLSClientKey, args.TLSCA, args.TLSServerCert, args.Proxy)
+	httpClient, err := tlsHTTPClient(args.HTTPClient, args.TLSClientCert, args.TLSClientKey, args.TLSCA, args.TLSServerCert, args.InsecureSkipVerify, args.Proxy)
 	if err != nil {
 		return nil, err
 	}
@@ -152,7 +156,7 @@ func httpsLXD(url string, args *ConnectionArgs) (ContainerServer, error) {
 	}
 
 	// Setup the HTTP client
-	httpClient, err := tlsHTTPClient(args.HTTPClient, args.TLSClientCert, args.TLSClientKey, args.TLSCA, args.TLSServerCert, args.Proxy)
+	httpClient, err := tlsHTTPClient(args.HTTPClient, args.TLSClientCert, args.TLSClientKey, args.TLSCA, args.TLSServerCert, args.InsecureSkipVerify, args.Proxy)
 	if err != nil {
 		return nil, err
 	}
diff --git a/client/util.go b/client/util.go
index 3649a0a83..e041fd979 100644
--- a/client/util.go
+++ b/client/util.go
@@ -13,9 +13,9 @@ import (
 	"github.com/lxc/lxd/shared/ioprogress"
 )
 
-func tlsHTTPClient(client *http.Client, tlsClientCert string, tlsClientKey string, tlsCA string, tlsServerCert string, proxy func(req *http.Request) (*url.URL, error)) (*http.Client, error) {
+func tlsHTTPClient(client *http.Client, tlsClientCert string, tlsClientKey string, tlsCA string, tlsServerCert string, insecureSkipVerify bool, proxy func(req *http.Request) (*url.URL, error)) (*http.Client, error) {
 	// Get the TLS configuration
-	tlsConfig, err := shared.GetTLSConfigMem(tlsClientCert, tlsClientKey, tlsCA, tlsServerCert)
+	tlsConfig, err := shared.GetTLSConfigMem(tlsClientCert, tlsClientKey, tlsCA, tlsServerCert, insecureSkipVerify)
 	if err != nil {
 		return nil, err
 	}
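Review bot: `tlsHTTPClient` now takes a bare `bool` in the middle of a seven-argument positional list, so a future call site can read `..., tlsServerCert, true, proxy)` with nothing to show that the `true` turns certificate verification off. The function has no doc comment, so I would add one that names the parameter's effect, e.g. `// tlsHTTPClient builds an HTTP client from the given TLS material; insecureSkipVerify disables server certificate and host name verification.` Passing the `*ConnectionArgs` itself, or a small options struct, would keep the switch named wherever it is set. The function body continues outside this hunk.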
diff --git a/shared/network.go b/shared/network.go
index a2ee54740..61591d6ef 100644
--- a/shared/network.go
+++ b/shared/network.go
@@ -103,9 +103,9 @@ func GetTLSConfig(tlsClientCertFile string, tlsClientKeyFile string, tlsClientCA
 	return tlsConfig, nil
 }
 
-func GetTLSConfigMem(tlsClientCert string, tlsClientKey string, tlsClientCA string, tlsRemoteCertPEM string) (*tls.Config, error) {
+func GetTLSConfigMem(tlsClientCert string, tlsClientKey string, tlsClientCA string, tlsRemoteCertPEM string, insecureSkipVerify bool) (*tls.Config, error) {
 	tlsConfig := initTLSConfig()
-
+	tlsConfig.InsecureSkipVerify = insecureSkipVerify
 	// Client authentication
 	if tlsClientCert != "" && tlsClientKey != "" {
 		cert, err := tls.X509KeyPair([]byte(tlsClientCert), []byte(tlsClientKey))
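Review bot: `tlsConfig.InsecureSkipVerify = insecureSkipVerify` is applied unconditionally, so a caller that also passes `tlsRemoteCertPEM` gets a config in which crypto/tls accepts any server certificate and the pinned one no longer constrains the connection. The handling of `tlsRemoteCertPEM` is outside this hunk, so this should be confirmed against the rest of the function. I would reject the combination up front with `if insecureSkipVerify && tlsRemoteCertPEM != "" { return nil, errors.New("insecureSkipVerify cannot be combined with a pinned server certificate") }`, using whichever error constructor the file already imports. `GetTLSConfigMem` is exported and gains a required parameter while the diffstat lists only three files, so any other caller stops compiling. A doc comment on the function naming the new parameter's effect would help as well.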

