skip tls verification if default transport is used with insecure option (#1559)

Signed-off-by: Jose R. Gonzalez <[email protected]>

Author: komish

go.sum

@@ -16,6 +16,7 @@ package crane
 
 import (
 	"context"
+	"crypto/tls"
 	"net/http"
 
 	"github.com/google/go-containerregistry/pkg/authn"
@@ -30,6 +31,9 @@ type Options struct {
 	Remote   []remote.Option
 	Platform *v1.Platform
 	Keychain authn.Keychain
+
+	transport http.RoundTripper
+	insecure  bool
 }
 
 // GetOptions exposes the underlying []remote.Option, []name.Option, and
@@ -47,26 +51,44 @@ func makeOptions(opts ...Option) Options {
 		},
 		Keychain: authn.DefaultKeychain,
 	}
+
 	for _, o := range opts {
 		o(&opt)
 	}
+
+	// Allow for untrusted certificates if the user
+	// passed Insecure but no custom transport.
+	if opt.insecure && opt.transport == nil {
+		transport := remote.DefaultTransport.(*http.Transport).Clone()
+		transport.TLSClientConfig = &tls.Config{
+			InsecureSkipVerify: true, //nolint: gosec
+		}
+
+		WithTransport(transport)(&opt)
+	}
+
 	return opt
 }
 
 // Option is a functional option for crane.
 type Option func(*Options)
 
 // WithTransport is a functional option for overriding the default transport
-// for remote operations.
+// for remote operations. Setting a transport will override the Insecure option's
+// configuration allowing for image registries to use untrusted certificates.
 func WithTransport(t http.RoundTripper) Option {
 	return func(o *Options) {
 		o.Remote = append(o.Remote, remote.WithTransport(t))
+		o.transport = t
 	}
 }
 
 // Insecure is an Option that allows image references to be fetched without TLS.
+// This will also allow for untrusted (e.g. self-signed) certificates in cases where
+// the default transport is used (i.e. when WithTransport is not used).
 func Insecure(o *Options) {
 	o.Name = append(o.Name, name.Insecure)
+	o.insecure = true
 }
 
 // WithPlatform is an Option to specify the platform.

pkg/crane/options.go

@@ -0,0 +1,58 @@
+// Copyright 2023 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package crane
+
+import (
+	"errors"
+	"net/http"
+	"testing"
+
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+)
+
+func TestInsecureOptionTracking(t *testing.T) {
+	want := true
+	opts := GetOptions(Insecure)
+
+	if got := opts.insecure; got != want {
+		t.Errorf("got %t\nwant: %t", got, want)
+	}
+}
+
+func TestTransportSetting(t *testing.T) {
+	opts := GetOptions(WithTransport(remote.DefaultTransport))
+
+	if opts.transport == nil {
+		t.Error("expected crane transport to be set when user passes WithTransport")
+	}
+}
+
+func TestInsecureTransport(t *testing.T) {
+	want := true
+	opts := GetOptions(Insecure)
+	var transport *http.Transport
+	var ok bool
+	if transport, ok = opts.transport.(*http.Transport); !ok {
+		t.Fatal("Unable to successfully assert default transport")
+	}
+
+	if transport.TLSClientConfig == nil {
+		t.Fatal(errors.New("TLSClientConfig was nil and should be set"))
+	}
+
+	if got := transport.TLSClientConfig.InsecureSkipVerify; got != want {
+		t.Errorf("got: %t\nwant: %t", got, want)
+	}
+}