Merge pull request #177 from fisuda/hardening/insecure_skip_verify

Add insecureSkipVerify option
lets-fiware · Jul 17, 2021 · 8755158 · 8755158
2 parents ccf3b64 + 63bd255
commit 8755158
Show file tree

Hide file tree

Showing 7 changed files with 49 additions and 33 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,6 @@
 ## NGSI Go v0.8.4-next
 
+-   Hardening: Add insecureSkipVerify option (#177)
 -   Fix: Fix URL path join (#176)
 -   Fix: Fix EOF error when ngsi-go-config.json is empty (#175)
 -   Hardening: Add replace option in regproxy (#174)

diff --git a/e2e/cases/1000_common/0001_ngsi.test b/e2e/cases/1000_common/0001_ngsi.test
@@ -92,13 +92,14 @@ COMMANDS:
      hget     get historical raw and aggregated time series context information
 
 GLOBAL OPTIONS:
-   --syslog LEVEL  specify logging LEVEL (off, err, info, debug)
-   --stderr LEVEL  specify logging LEVEL (off, err, info, debug)
-   --config FILE   specify configuration FILE
-   --cache FILE    specify cache FILE
-   --batch, -B     don't use previous args (batch) (default: false)
-   --help          show help (default: false)
-   --version, -v   print the version (default: false)
+   --syslog LEVEL        specify logging LEVEL (off, err, info, debug)
+   --stderr LEVEL        specify logging LEVEL (off, err, info, debug)
+   --config FILE         specify configuration FILE
+   --cache FILE          specify cache FILE
+   --batch, -B           don't use previous args (batch) (default: false)
+   --insecureSkipVerify  TLS/SSL skip certificate verification (default: false)
+   --help                show help (default: false)
+   --version, -v         print the version (default: false)
 
 COPYRIGHT:
    (c) 2020-2021 Kazuhito Suda

diff --git a/internal/ngsicmd/flags.go b/internal/ngsicmd/flags.go
@@ -82,6 +82,10 @@ var (
 		Name:   "cmdName",
 		Hidden: true,
 	}
+	insecureSkipVerifyFlag = &cli.BoolFlag{
+		Name:  "insecureSkipVerify",
+		Usage: "TLS/SSL skip certificate verification",
+	}
 )
 
 // Common flags

diff --git a/internal/ngsicmd/initcmd.go b/internal/ngsicmd/initcmd.go
@@ -124,6 +124,8 @@ func initCmd(c *cli.Context, cmdName string, requiredHost bool) (*ngsilib.NGSI,
 		ngsi.Maxsize = maxsize
 	}
 
+	ngsi.InsecureSkipVerify = c.Bool("insecureSkipVerify")
+
 	c.App.Writer = ngsi.StdWriter
 	c.App.ErrWriter = ngsi.LogWriter
 

diff --git a/internal/ngsicmd/ngsi.go b/internal/ngsicmd/ngsi.go
@@ -111,6 +111,7 @@ func getNgsiApp() *cli.App {
 			timeOutFlag,
 			maxCountFlag,
 			batchFlag,
+			insecureSkipVerifyFlag,
 			cmdNameFlag,
 		},
 		Commands: []*cli.Command{

diff --git a/internal/ngsilib/http_lib.go b/internal/ngsilib/http_lib.go
@@ -31,6 +31,7 @@ package ngsilib
 
 import (
 	"bytes"
+	"crypto/tls"
 	"io"
 	"io/ioutil"
 	"net/http"
@@ -78,7 +79,11 @@ func NewHTTPRequet() HTTPRequest {
 func (r *httpRequest) Request(method string, url *url.URL, headers map[string]string, body interface{}) (res *http.Response, b []byte, err error) {
 	const funcName = "Request"
 
-	client := &http.Client{Timeout: time.Duration(60 * time.Second)}
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: gNGSI.InsecureSkipVerify},
+	}
+
+	client := &http.Client{Timeout: time.Duration(60 * time.Second), Transport: tr}
 
 	var reader io.Reader
 

diff --git a/internal/ngsilib/ngsilib.go b/internal/ngsilib/ngsilib.go
@@ -46,31 +46,32 @@ type NGSI struct {
 	tokenList     tokenInfoList
 	contextList   ContextsInfo
 
-	LogLevel      int
-	ConfigFile    IoLib
-	CacheFile     IoLib
-	StdReader     io.Reader
-	StdWriter     io.Writer
-	LogWriter     io.Writer
-	FileReader    FileLib
-	JSONConverter JSONLib
-	FilePath      FilePathLib
-	Ioutil        IoutilLib
-	ZipLib        ZipLib
-	MultiPart     MultiPart
-	Host          string
-	Destination   string
-	Margin        int64
-	Maxsize       int
-	Timeout       time.Duration
-	PreviousArgs  *Settings
-	Updated       bool
-	HTTP          HTTPRequest
-	Stderr        io.Writer
-	OsType        string
-	SyslogLib     SyslogLib
-	TimeLib       TimeLib
-	BatchFlag     *bool
+	LogLevel           int
+	ConfigFile         IoLib
+	CacheFile          IoLib
+	StdReader          io.Reader
+	StdWriter          io.Writer
+	LogWriter          io.Writer
+	FileReader         FileLib
+	JSONConverter      JSONLib
+	FilePath           FilePathLib
+	Ioutil             IoutilLib
+	ZipLib             ZipLib
+	MultiPart          MultiPart
+	Host               string
+	Destination        string
+	Margin             int64
+	Maxsize            int
+	Timeout            time.Duration
+	PreviousArgs       *Settings
+	Updated            bool
+	HTTP               HTTPRequest
+	Stderr             io.Writer
+	OsType             string
+	SyslogLib          SyslogLib
+	TimeLib            TimeLib
+	BatchFlag          *bool
+	InsecureSkipVerify bool
 }
 
 // CmdFlags is ...
@@ -108,6 +109,7 @@ func NewNGSI() *NGSI {
 		gNGSI.SyslogLib = &syslogLib{}
 		gNGSI.PreviousArgs = &Settings{UsePreviousArgs: true}
 		gNGSI.TimeLib = &timeLib{}
+		gNGSI.InsecureSkipVerify = false
 		gNGSI.serverList = make(ServerList)
 		gNGSI.contextList = make(ContextsInfo)
 		gNGSI.contextList["etsi1.0"] = "https://uri.etsi.org/ngsi-ld/v1/ngsi-ld-core-context.jsonld"