refactor: move httpclient to tls
Signed-off-by: Suraj Shirvankar <surajshirvankar@gmail.com>
h0lyalg0rithm committed Aug 17, 2024
1 parent 8d63a3b commit 874912c
Showing 4 changed files with 27 additions and 27 deletions.
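--- a/sztp-agent/pkg/secureagent/agent.go
+++ b/sztp-agent/pkg/secureagent/agent.go
@@ -10,10 +10,7 @@ Copyright (C) 2022 Red Hat.
 package secureagent
 
 import (
-"crypto/tls"
-"crypto/x509"
 "net/http"
-"os"
 )
 
 const (
@@ -184,25 +181,3 @@ func (a *Agent) SetContentTypeReq(ct string) {
 func (a *Agent) SetProgressJSON(p ProgressJSON) {
 a.ProgressJSON = p
 }
-
-func NewHttpClient(bootstrapTrustAnchorCert string, deviceEndEntityCert string, devicePrivateKey string) http.Client {
-caCert, _ := os.ReadFile(bootstrapTrustAnchorCert)
-caCertPool := x509.NewCertPool()
-caCertPool.AppendCertsFromPEM(caCert)
-cert, _ := tls.LoadX509KeyPair(deviceEndEntityCert, devicePrivateKey)
-client := http.Client{
-CheckRedirect: func(r *http.Request, _ []*http.Request) error {
-r.URL.Opaque = r.URL.Path
-return nil
-},
-Transport: &http.Transport{
-TLSClientConfig: &tls.Config{
-//nolint:gosec
-InsecureSkipVerify: true, // TODO: remove skip verify
-RootCAs: caCertPool,
-Certificates: []tls.Certificate{cert},
-},
-},
-}
-return client
-}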
2 changes: 1 addition & 1 deletion sztp-agent/pkg/secureagent/configuration_test.go
@@ -1,8 +1,8 @@
package secureagent

import (
"testing"
"net/http"
"testing"
)

// nolint:funlen
2 changes: 1 addition & 1 deletion sztp-agent/pkg/secureagent/image_test.go
Expand Up @@ -11,7 +11,7 @@ func TestAgent_downloadAndValidateImage(t *testing.T) {
svr := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/imageOK" || r.URL.Path == "/report-progress" {
w.WriteHeader(200)
}else {
} else {
w.WriteHeader(400)
}
}))
25 changes: 25 additions & 0 deletions sztp-agent/pkg/secureagent/tls.go
Expand Up @@ -10,15 +10,40 @@ package secureagent

import (
"bytes"
"crypto/tls"
"crypto/x509"
"encoding/json"
"errors"
"io"
"log"
"net/http"
"os"
"strconv"
"strings"
)

func NewHttpClient(bootstrapTrustAnchorCert string, deviceEndEntityCert string, devicePrivateKey string) http.Client {

Check failure on line 25 in sztp-agent/pkg/secureagent/tls.go


GitHub Actions / golangci

exported: exported function NewHttpClient should have comment or be unexported (revive)
caCert, _ := os.ReadFile(bootstrapTrustAnchorCert)

Check failure on line 26 in sztp-agent/pkg/secureagent/tls.go


GitHub Actions / golangci

G304: Potential file inclusion via variable (gosec)
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
cert, _ := tls.LoadX509KeyPair(deviceEndEntityCert, devicePrivateKey)
client := http.Client{
CheckRedirect: func(r *http.Request, _ []*http.Request) error {
r.URL.Opaque = r.URL.Path
return nil
},
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
//nolint:gosec
InsecureSkipVerify: true, // TODO: remove skip verify

Check failure

Code scanning / CodeQL

Disabled TLS certificate check High

InsecureSkipVerify should not be used in production code.
RootCAs: caCertPool,
Certificates: []tls.Certificate{cert},
},
},
}
return client
}

func (a *Agent) doTLSRequest(input string, url string, empty bool) (*BootstrapServerPostOutput, error) {
var postResponse BootstrapServerPostOutput
var errorResponse BootstrapServerErrorOutput
