Skip tlsVerify insecure BUILD_REGISTRY_SOURCES

If the destination registry is listed as insecure in BUILD_REGISTRY_SOURCES, skip TLS verification for it so the build does not fail with certificate errors.
Return an error if insecureRegistries is set but the caller explicitly forced --tls-verify=true.

Signed-off-by: Qi Wang <qiwan@redhat.com>
This commit is contained in:
Qi Wang 2020-10-13 10:10:44 -04:00
parent 7389cc7acf
commit 2ddc22c2dd
17 changed files with 76 additions and 26 deletions


@ -95,7 +95,7 @@ func init() {
}
flags.BoolVar(&opts.squash, "squash", false, "produce an image with only one layer")
flags.BoolVar(&opts.tlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when accessing the registry")
flags.BoolVar(&opts.tlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when accessing the registry. TLS verification cannot be used when talking to an insecure registry.")
rootCmd.AddCommand(commitCommand)


@ -78,7 +78,7 @@ func init() {
if err := flags.MarkHidden("signature-policy"); err != nil {
panic(fmt.Sprintf("error marking signature-policy as hidden: %v", err))
}
flags.BoolVar(&opts.tlsVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry")
flags.BoolVar(&opts.tlsVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry. TLS verification cannot be used when talking to an insecure registry.")
// Add in the common flags
fromAndBudFlags, err := buildahcli.GetFromAndBudFlags(&fromAndBudResults, &userNSResults, &namespaceResults)


@ -37,7 +37,7 @@ func init() {
flags := loginCommand.Flags()
flags.SetInterspersed(false)
flags.BoolVar(&opts.tlsVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry")
flags.BoolVar(&opts.tlsVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry. TLS verification cannot be used when talking to an insecure registry.")
flags.BoolVar(&opts.getLogin, "get-login", true, "Return the current login user for the registry")
flags.AddFlagSet(auth.GetLoginFlags(&opts.loginOpts))
rootCmd.AddCommand(loginCommand)


@ -131,7 +131,7 @@ func init() {
flags.StringSliceVar(&manifestAddOpts.features, "features", nil, "override the `features` of the specified image")
flags.StringSliceVar(&manifestAddOpts.osFeatures, "os-features", nil, "override the OS `features` of the specified image")
flags.StringSliceVar(&manifestAddOpts.annotations, "annotation", nil, "set an `annotation` for the specified image")
flags.BoolVar(&manifestAddOpts.tlsVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry")
flags.BoolVar(&manifestAddOpts.tlsVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry. TLS verification cannot be used when talking to an insecure registry.")
flags.BoolVar(&manifestAddOpts.all, "all", false, "add all of the list's images if the image is a list")
manifestCommand.AddCommand(manifestAddCommand)
@ -207,7 +207,7 @@ func init() {
if err := flags.MarkHidden("signature-policy"); err != nil {
panic(fmt.Sprintf("error marking signature-policy as hidden: %v", err))
}
flags.BoolVar(&manifestPushOpts.tlsVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry")
flags.BoolVar(&manifestPushOpts.tlsVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry. TLS verification cannot be used when talking to an insecure registry.")
flags.BoolVarP(&manifestPushOpts.quiet, "quiet", "q", false, "don't output progress information when pushing lists")
manifestCommand.AddCommand(manifestPushCommand)
}


@ -72,7 +72,7 @@ func init() {
if err := flags.MarkHidden("override-arch"); err != nil {
panic(fmt.Sprintf("error marking override-arch as hidden: %v", err))
}
flags.BoolVar(&opts.tlsVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry")
flags.BoolVar(&opts.tlsVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry. TLS verification cannot be used when talking to an insecure registry.")
if err := flags.MarkHidden("blob-cache"); err != nil {
panic(fmt.Sprintf("error marking blob-cache as hidden: %v", err))
}


@ -85,7 +85,7 @@ func init() {
if err := flags.MarkHidden("signature-policy"); err != nil {
panic(fmt.Sprintf("error marking signature-policy as hidden: %v", err))
}
flags.BoolVar(&opts.tlsVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry")
flags.BoolVar(&opts.tlsVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry. TLS verification cannot be used when talking to an insecure registry.")
if err := flags.MarkHidden("blob-cache"); err != nil {
panic(fmt.Sprintf("error marking blob-cache as hidden: %v", err))
}


@ -167,17 +167,17 @@ var (
// variable, if it's set. The contents are expected to be a JSON-encoded
// github.com/openshift/api/config/v1.Image, set by an OpenShift build
// controller that arranged for us to be run in a container.
func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) error {
func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) (insecure bool, err error) {
transport := dest.Transport()
if transport == nil {
return nil
return false, nil
}
if transport.Name() != docker.Transport.Name() {
return nil
return false, nil
}
dref := dest.DockerReference()
if dref == nil || reference.Domain(dref) == "" {
return nil
return false, nil
}
if registrySources, ok := os.LookupEnv("BUILD_REGISTRY_SOURCES"); ok && len(registrySources) > 0 {
@ -188,7 +188,7 @@ func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) error
AllowedRegistries []string `json:"allowedRegistries,omitempty"`
}
if err := json.Unmarshal([]byte(registrySources), &sources); err != nil {
return errors.Wrapf(err, "error parsing $BUILD_REGISTRY_SOURCES (%q) as JSON", registrySources)
return false, errors.Wrapf(err, "error parsing $BUILD_REGISTRY_SOURCES (%q) as JSON", registrySources)
}
blocked := false
if len(sources.BlockedRegistries) > 0 {
@ -199,7 +199,7 @@ func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) error
}
}
if blocked {
return errors.Errorf("%s registry at %q denied by policy: it is in the blocked registries list", forWhat, reference.Domain(dref))
return false, errors.Errorf("%s registry at %q denied by policy: it is in the blocked registries list", forWhat, reference.Domain(dref))
}
allowed := true
if len(sources.AllowedRegistries) > 0 {
@ -211,10 +211,13 @@ func checkRegistrySourcesAllows(forWhat string, dest types.ImageReference) error
}
}
if !allowed {
return errors.Errorf("%s registry at %q denied by policy: not in allowed registries list", forWhat, reference.Domain(dref))
return false, errors.Errorf("%s registry at %q denied by policy: not in allowed registries list", forWhat, reference.Domain(dref))
}
if len(sources.InsecureRegistries) > 0 {
return true, nil
}
}
return nil
return false, nil
}
// Commit writes the contents of the container, along with its updated
@ -278,9 +281,18 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
}()
// Check if the commit is blocked by $BUILDER_REGISTRY_SOURCES.
if err := checkRegistrySourcesAllows("commit to", dest); err != nil {
insecure, err := checkRegistrySourcesAllows("commit to", dest)
if err != nil {
return imgID, nil, "", err
}
if insecure {
if systemContext.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
return imgID, nil, "", errors.Errorf("can't require tls verification on an insecured registry")
}
systemContext.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
systemContext.OCIInsecureSkipTLSVerify = true
systemContext.DockerDaemonInsecureSkipTLSVerify = true
}
if len(options.AdditionalTags) > 0 {
names, err := util.ExpandNames(options.AdditionalTags, "", systemContext, b.store)
if err != nil {
@ -291,9 +303,18 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
if err != nil {
return imgID, nil, "", errors.Wrapf(err, "error parsing image name %q as an image reference", name)
}
if err := checkRegistrySourcesAllows("commit to", additionalDest); err != nil {
insecure, err := checkRegistrySourcesAllows("commit to", additionalDest)
if err != nil {
return imgID, nil, "", err
}
if insecure {
if systemContext.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
return imgID, nil, "", errors.Errorf("can't require tls verification on an insecured registry")
}
systemContext.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
systemContext.OCIInsecureSkipTLSVerify = true
systemContext.DockerDaemonInsecureSkipTLSVerify = true
}
}
}
logrus.Debugf("committing image with reference %q is allowed by policy", transports.ImageName(dest))
@ -471,9 +492,18 @@ func Push(ctx context.Context, image string, dest types.ImageReference, options
}
// Check if the push is blocked by $BUILDER_REGISTRY_SOURCES.
if err := checkRegistrySourcesAllows("push to", dest); err != nil {
insecure, err := checkRegistrySourcesAllows("push to", dest)
if err != nil {
return nil, "", err
}
if insecure {
if systemContext.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
return nil, "", errors.Errorf("can't require tls verification on an insecured registry")
}
systemContext.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
systemContext.OCIInsecureSkipTLSVerify = true
systemContext.DockerDaemonInsecureSkipTLSVerify = true
}
logrus.Debugf("pushing image to reference %q is allowed by policy", transports.ImageName(dest))
// Copy everything.
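Review bot: In checkRegistrySourcesAllows the new `if len(sources.InsecureRegistries) > 0 { return true, nil }` reports the destination as insecure whenever the policy lists any insecure registry, without checking that `reference.Domain(dref)` is one of them, so a BUILD_REGISTRY_SOURCES naming a single internal registry makes Commit and Push clear `DockerInsecureSkipTLSVerify`, `OCIInsecureSkipTLSVerify` and `DockerDaemonInsecureSkipTLSVerify` for every docker:// destination, public registries included. The check should mirror the blocked/allowed loops above it and only return true when the destination's domain matches an entry (those loops are partly outside the hunk, so match entries the same way they do). Note also that the downgrade mutates the shared `systemContext` in place in the additional-tags loop, so one insecure additional tag appears to disable verification for any later registry access through that context; the same nine-line downgrade block is now repeated three times in this file and would be safer as one helper. The bodies of Commit and Push continue outside the hunk.
```go
		if len(sources.InsecureRegistries) > 0 {
			// Only report insecure when this destination is actually listed;
			// match the same way the blocked/allowed checks above do.
			for _, registry := range sources.InsecureRegistries {
				if reference.Domain(dref) == registry {
					return true, nil
				}
			}
		}
		// … unchanged: closing brace of the BUILD_REGISTRY_SOURCES block and `return false, nil` …
```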


@ -467,7 +467,7 @@ Commands after the target stage will be skipped.
**--tls-verify** *bool-value*
Require HTTPS and verify certificates when talking to container registries (defaults to true).
Require HTTPS and verify certificates when talking to container registries (defaults to true). TLS verification cannot be used when talking to an insecure registry.
**--ulimit** *type*=*soft-limit*[:*hard-limit*]


@ -83,7 +83,7 @@ Squash all of the new image's layers (including those inherited from a base imag
**--tls-verify** *bool-value*
Require HTTPS and verify certificates when talking to container registries (defaults to true).
Require HTTPS and verify certificates when talking to container registries (defaults to true). TLS verification cannot be used when talking to an insecure registry.
**--timestamp** *seconds*


@ -333,7 +333,7 @@ If you omit the unit, the system uses bytes. If you omit the size entirely, the
**--tls-verify** *bool-value*
Require HTTPS and verify certificates when talking to container registries (defaults to true).
Require HTTPS and verify certificates when talking to container registries (defaults to true). TLS verification cannot be used when talking to an insecure registry.
**--ulimit** *type*=*soft-limit*[:*hard-limit*]


@ -54,6 +54,7 @@ The default certificates directory is _/etc/containers/certs.d_.
Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.
TLS verification cannot be used when talking to an insecure registry.
**--help**, **-h**


@ -76,7 +76,7 @@ image. This option is rarely used.
**--tls-verify** *bool-value*
Require HTTPS and verify certificates when talking to container registries (defaults to true).
Require HTTPS and verify certificates when talking to container registries (defaults to true). TLS verification cannot be used when talking to an insecure registry.
**--variant**


@ -65,7 +65,7 @@ Sign the pushed images using the GPG key that matches the specified fingerprint.
**--tls-verify** *bool-value*
Require HTTPS and verify certificates when talking to container registries (defaults to true).
Require HTTPS and verify certificates when talking to container registries (defaults to true). TLS verification cannot be used when talking to an insecure registry.
## EXAMPLE


@ -76,7 +76,7 @@ Don't copy signatures when pulling images.
**--tls-verify** *bool-value*
Require HTTPS and verify certificates when talking to container registries (defaults to true).
Require HTTPS and verify certificates when talking to container registries (defaults to true). TLS verification cannot be used when talking to an insecure registry.
## EXAMPLE


@ -92,7 +92,7 @@ Sign the pushed image using the GPG key that matches the specified fingerprint.
**--tls-verify** *bool-value*
Require HTTPS and verify certificates when talking to container registries (defaults to true).
Require HTTPS and verify certificates when talking to container registries (defaults to true). TLS verification cannot be used when talking to an insecure registry.
## EXAMPLE

11
pull.go

@ -238,9 +238,18 @@ func pullImage(ctx context.Context, store storage.Store, srcRef types.ImageRefer
if blocked {
return nil, errors.Errorf("pull access to registry for %q is blocked by configuration", transports.ImageName(srcRef))
}
if err := checkRegistrySourcesAllows("pull from", srcRef); err != nil {
insecure, err := checkRegistrySourcesAllows("pull from", srcRef)
if err != nil {
return nil, err
}
if insecure {
if sc.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
return nil, errors.Errorf("can't require tls verification on an insecured registry")
}
sc.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
sc.OCIInsecureSkipTLSVerify = true
sc.DockerDaemonInsecureSkipTLSVerify = true
}
destName, err := localImageNameForReference(ctx, store, srcRef)
if err != nil {
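Review bot: The TLS-downgrade block added after `checkRegistrySourcesAllows("pull from", srcRef)` is the fourth verbatim copy of the one in Commit and Push, so the policy rule (error when verification was explicitly required, otherwise clear all three skip flags) and its error text now live in four places. Extracting it into one helper keeps the rule in one place and makes it trivial to fix the message to `can't require tls verification on an insecure registry`. The block mutates `sc` in place; if `sc` is used for anything after this point in pullImage, every later registry access also skips verification, which looks unintended — confirm against the rest of the function, which continues outside the hunk.
```go
// applyInsecureRegistryPolicy relaxes TLS verification in sc for a registry
// that BUILD_REGISTRY_SOURCES lists as insecure. It fails instead if the
// caller explicitly demanded verification with --tls-verify=true.
func applyInsecureRegistryPolicy(sc *types.SystemContext) error {
	if sc.DockerInsecureSkipTLSVerify == types.OptionalBoolFalse {
		return errors.Errorf("can't require tls verification on an insecure registry")
	}
	sc.DockerInsecureSkipTLSVerify = types.OptionalBoolTrue
	sc.OCIInsecureSkipTLSVerify = true
	sc.DockerDaemonInsecureSkipTLSVerify = true
	return nil
}
```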


@ -181,6 +181,16 @@ load helpers
rm -rf ${TESTDIR}/tmp
}
@test "buildah push to registry allowed by BUILD_REGISTRY_SOURCES" {
_prefetch busybox
export BUILD_REGISTRY_SOURCES='{"insecureRegistries": ["localhost:5000"]}'
run_buildah 125 push --creds testuser:testpassword --signature-policy ${TESTSDIR}/policy.json --tls-verify=true busybox docker://localhost:5000/buildah/busybox:latest
expect_output --substring "can't require tls verification on an insecured registry"
run_buildah push --creds testuser:testpassword --signature-policy ${TESTSDIR}/policy.json busybox docker://localhost:5000/buildah/busybox:latest
}
@test "push with authfile" {
_prefetch busybox
mkdir ${TESTDIR}/tmp
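Review bot: The new test only exercises the case where the push target itself is listed in `insecureRegistries`; it never checks that a registry not in that list keeps TLS verification, which is the property a policy-driven downgrade most needs to hold. Add a case such as `export BUILD_REGISTRY_SOURCES='{"insecureRegistries": ["registry.example.com"]}'` followed by a push to `docker://localhost:5000/...` with `--tls-verify=true` and an assertion that the output does not contain "can't require tls verification", so a downgrade that triggers on any non-empty list is caught. The test name "push to registry allowed by BUILD_REGISTRY_SOURCES" also reads as an allowedRegistries test; something like "push to insecure registry listed in BUILD_REGISTRY_SOURCES" would be clearer.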