Honor InsecureSkipVerify flag

pkg/apiserver/apiserver_test.go

@@ -332,6 +332,7 @@ type SimpleRESTStorage struct {
 	// The id requested, and location to return for ResourceLocation
 	requestedResourceLocationID string
 	resourceLocation            *url.URL
+	resourceLocationTransport   http.RoundTripper
 	expectedResourceNamespace   string
 
 	// If non-nil, called inside the WorkFunc when answering update, delete, create.
@@ -477,7 +478,7 @@ func (storage *SimpleRESTStorage) ResourceLocation(ctx api.Context, id string) (
 	}
 	// Make a copy so the internal URL never gets mutated
 	locationCopy := *storage.resourceLocation
-	return &locationCopy, nil, nil
+	return &locationCopy, storage.resourceLocationTransport, nil
 }
 
 // Implement Connecter

pkg/apiserver/proxy.go

@@ -286,6 +286,11 @@ func dialURL(url *url.URL, transport http.RoundTripper) (net.Conn, error) {
 			return nil, err
 		}
 
+		// Return if we were configured to skip validation
+		if tlsConfig != nil && tlsConfig.InsecureSkipVerify {
+			return tlsConn, nil
+		}
+
 		// Verify
 		host, _, _ := net.SplitHostPort(dialAddr)
 		if err := tlsConn.VerifyHostname(host); err != nil {

pkg/apiserver/proxy_test.go

@@ -18,6 +18,8 @@ package apiserver
 
 import (
 	"compress/gzip"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -125,43 +127,97 @@ func TestProxy(t *testing.T) {
 }
 
 func TestProxyUpgrade(t *testing.T) {
-	backendServer := httptest.NewServer(websocket.Handler(func(ws *websocket.Conn) {
-		defer ws.Close()
-		body := make([]byte, 5)
-		ws.Read(body)
-		ws.Write([]byte("hello " + string(body)))
-	}))
-	defer backendServer.Close()
-
-	serverURL, _ := url.Parse(backendServer.URL)
-	simpleStorage := &SimpleRESTStorage{
-		errors:                    map[string]error{},
-		resourceLocation:          serverURL,
-		expectedResourceNamespace: "myns",
+
+	localhostPool := x509.NewCertPool()
+	if !localhostPool.AppendCertsFromPEM(localhostCert) {
+		t.Errorf("error setting up localhostCert pool")
 	}
 
-	namespaceHandler := handleNamespaced(map[string]rest.Storage{"foo": simpleStorage})
+	testcases := map[string]struct {
+		ServerFunc     func(http.Handler) *httptest.Server
+		ProxyTransport http.RoundTripper
+	}{
+		"http": {
+			ServerFunc:     httptest.NewServer,
+			ProxyTransport: nil,
+		},
+		"https (invalid hostname + InsecureSkipVerify)": {
+			ServerFunc: func(h http.Handler) *httptest.Server {
+				cert, err := tls.X509KeyPair(exampleCert, exampleKey)
+				if err != nil {
+					t.Errorf("https (invalid hostname): proxy_test: %v", err)
+				}
+				ts := httptest.NewUnstartedServer(h)
+				ts.TLS = &tls.Config{
+					Certificates: []tls.Certificate{cert},
+				}
+				ts.StartTLS()
+				return ts
+			},
+			ProxyTransport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}},
+		},
+		"https (valid hostname + RootCAs)": {
+			ServerFunc: func(h http.Handler) *httptest.Server {
+				cert, err := tls.X509KeyPair(localhostCert, localhostKey)
+				if err != nil {
+					t.Errorf("https (valid hostname): proxy_test: %v", err)
+				}
+				ts := httptest.NewUnstartedServer(h)
+				ts.TLS = &tls.Config{
+					Certificates: []tls.Certificate{cert},
+				}
+				ts.StartTLS()
+				return ts
+			},
+			ProxyTransport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: localhostPool}},
+		},
+	}
 
-	server := httptest.NewServer(namespaceHandler)
-	defer server.Close()
+	for k, tc := range testcases {
 
-	ws, err := websocket.Dial("ws://"+server.Listener.Addr().String()+"/api/version2/proxy/namespaces/myns/foo/123", "", "http://127.0.0.1/")
-	if err != nil {
-		t.Fatalf("websocket dial err: %s", err)
-	}
-	defer ws.Close()
+		backendServer := tc.ServerFunc(websocket.Handler(func(ws *websocket.Conn) {
+			defer ws.Close()
+			body := make([]byte, 5)
+			ws.Read(body)
+			ws.Write([]byte("hello " + string(body)))
+		}))
+		defer backendServer.Close()
 
-	if _, err := ws.Write([]byte("world")); err != nil {
-		t.Fatalf("write err: %s", err)
-	}
+		serverURL, _ := url.Parse(backendServer.URL)
+		simpleStorage := &SimpleRESTStorage{
+			errors:                    map[string]error{},
+			resourceLocation:          serverURL,
+			resourceLocationTransport: tc.ProxyTransport,
+			expectedResourceNamespace: "myns",
+		}
 
-	response := make([]byte, 20)
-	n, err := ws.Read(response)
-	if err != nil {
-		t.Fatalf("read err: %s", err)
-	}
-	if e, a := "hello world", string(response[0:n]); e != a {
-		t.Fatalf("expected '%#v', got '%#v'", e, a)
+		namespaceHandler := handleNamespaced(map[string]rest.Storage{"foo": simpleStorage})
+
+		server := httptest.NewServer(namespaceHandler)
+		defer server.Close()
+
+		ws, err := websocket.Dial("ws://"+server.Listener.Addr().String()+"/api/version2/proxy/namespaces/myns/foo/123", "", "http://127.0.0.1/")
+		if err != nil {
+			t.Errorf("%s: websocket dial err: %s", k, err)
+			continue
+		}
+		defer ws.Close()
+
+		if _, err := ws.Write([]byte("world")); err != nil {
+			t.Errorf("%s: write err: %s", k, err)
+			continue
+		}
+
+		response := make([]byte, 20)
+		n, err := ws.Read(response)
+		if err != nil {
+			t.Errorf("%s: read err: %s", k, err)
+			continue
+		}
+		if e, a := "hello world", string(response[0:n]); e != a {
+			t.Errorf("%s: expected '%#v', got '%#v'", k, e, a)
+			continue
+		}
 	}
 }
 
@@ -225,3 +281,50 @@ func TestRedirectOnMissingTrailingSlash(t *testing.T) {
 		}
 	}
 }
+
+// exampleCert was generated from crypto/tls/generate_cert.go with the following command:
+//    go run generate_cert.go  --rsa-bits 512 --host example.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
+var exampleCert = []byte(`-----BEGIN CERTIFICATE-----
+MIIBcjCCAR6gAwIBAgIQBOUTYowZaENkZi0faI9DgTALBgkqhkiG9w0BAQswEjEQ
+MA4GA1UEChMHQWNtZSBDbzAgFw03MDAxMDEwMDAwMDBaGA8yMDg0MDEyOTE2MDAw
+MFowEjEQMA4GA1UEChMHQWNtZSBDbzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCZ
+xfR3sgeHBraGFfF/24tTn4PRVAHOf2UOOxSQRs+aYjNqimFqf/SRIblQgeXdBJDR
+gVK5F1Js2zwlehw0bHxRAgMBAAGjUDBOMA4GA1UdDwEB/wQEAwIApDATBgNVHSUE
+DDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MBYGA1UdEQQPMA2CC2V4YW1w
+bGUuY29tMAsGCSqGSIb3DQEBCwNBAI/mfBB8dm33IpUl+acSyWfL6gX5Wc0FFyVj
+dKeesE1XBuPX1My/rzU6Oy/YwX7LOL4FaeNUS6bbL4axSLPKYSs=
+-----END CERTIFICATE-----`)
+
+var exampleKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAJnF9HeyB4cGtoYV8X/bi1Ofg9FUAc5/ZQ47FJBGz5piM2qKYWp/
+9JEhuVCB5d0EkNGBUrkXUmzbPCV6HDRsfFECAwEAAQJBAJLH9yPuButniACTn5L5
+IJQw1mWQt6zBw9eCo41YWkA0866EgjC53aPZaRjXMp0uNJGdIsys2V5rCOOLWN2C
+ODECIQDICHsi8QQQ9wpuJy8X5l8MAfxHL+DIqI84wQTeVM91FQIhAMTME8A18/7h
+1Ad6drdnxAkuC0tX6Sx0LDozrmen+HFNAiAlcEDrt0RVkIcpOrg7tuhPLQf0oudl
+Zvb3Xlj069awSQIgcT15E/43w2+RASifzVNhQ2MCTr1sSA8lL+xzK+REmnUCIBhQ
+j4139pf8Re1J50zBxS/JlQfgDQi9sO9pYeiHIxNs
+-----END RSA PRIVATE KEY-----`)
+
+// localhostCert was generated from crypto/tls/generate_cert.go with the following command:
+//     go run generate_cert.go  --rsa-bits 512 --host 127.0.0.1,::1,example.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
+var localhostCert = []byte(`-----BEGIN CERTIFICATE-----
+MIIBdzCCASOgAwIBAgIBADALBgkqhkiG9w0BAQUwEjEQMA4GA1UEChMHQWNtZSBD
+bzAeFw03MDAxMDEwMDAwMDBaFw00OTEyMzEyMzU5NTlaMBIxEDAOBgNVBAoTB0Fj
+bWUgQ28wWjALBgkqhkiG9w0BAQEDSwAwSAJBAN55NcYKZeInyTuhcCwFMhDHCmwa
+IUSdtXdcbItRB/yfXGBhiex00IaLXQnSU+QZPRZWYqeTEbFSgihqi1PUDy8CAwEA
+AaNoMGYwDgYDVR0PAQH/BAQDAgCkMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1Ud
+EwEB/wQFMAMBAf8wLgYDVR0RBCcwJYILZXhhbXBsZS5jb22HBH8AAAGHEAAAAAAA
+AAAAAAAAAAAAAAEwCwYJKoZIhvcNAQEFA0EAAoQn/ytgqpiLcZu9XKbCJsJcvkgk
+Se6AbGXgSlq+ZCEVo0qIwSgeBqmsJxUu7NCSOwVJLYNEBO2DtIxoYVk+MA==
+-----END CERTIFICATE-----`)
+
+// localhostKey is the private key for localhostCert.
+var localhostKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAN55NcYKZeInyTuhcCwFMhDHCmwaIUSdtXdcbItRB/yfXGBhiex0
+0IaLXQnSU+QZPRZWYqeTEbFSgihqi1PUDy8CAwEAAQJBAQdUx66rfh8sYsgfdcvV
+NoafYpnEcB5s4m/vSVe6SU7dCK6eYec9f9wpT353ljhDUHq3EbmE4foNzJngh35d
+AekCIQDhRQG5Li0Wj8TM4obOnnXUXf1jRv0UkzE9AHWLG5q3AwIhAPzSjpYUDjVW
+MCUXgckTpKCuGwbJk7424Nb8bLzf3kllAiA5mUBgjfr/WtFSJdWcPQ4Zt9KTMNKD
+EUO0ukpTwEIl6wIhAMbGqZK3zAAFdq8DD2jPx+UJXnh0rnOkZBzDtJ6/iN69AiEA
+1Aq8MJgTaYsDQWyU/hDq5YkDJc9e9DSCvUIzqxQWMQE=
+-----END RSA PRIVATE KEY-----`)

pkg/registry/generic/rest/proxy.go

@@ -240,6 +240,11 @@ func (h *UpgradeAwareProxyHandler) dialURL() (net.Conn, error) {
 			}
 		}
 
+		// Return if we were configured to skip validation
+		if tlsConfig != nil && tlsConfig.InsecureSkipVerify {
+			return tlsConn, nil
+		}
+
 		// Verify
 		host, _, _ := net.SplitHostPort(dialAddr)
 		if err := tlsConn.VerifyHostname(host); err != nil {