From 4c30995858a5e85eeebdd5bebba611fdc372b494 Mon Sep 17 00:00:00 2001
From: DQ
Date: Wed, 18 Mar 2020 17:50:02 +0800
Subject: [PATCH] Refator tls config use default Httptransport instead of empty one remove unused code
Signed-off-by: DQ
---
 src/common/http/client.go | 32 +++++++----------
 src/common/http/tls.go | 36 ++-----------------
 src/common/job/client.go | 12 ++-----
 .../notification/policy/manager/manager.go | 8 +----
 src/pkg/signature/notary/helper.go | 2 +-
 src/replication/adapter/awsecr/adapter.go | 8 +----
 6 files changed, 21 insertions(+), 77 deletions(-)

diff --git a/src/common/http/client.go b/src/common/http/client.go
index a81a000a4..c971e3cd5 100644
--- a/src/common/http/client.go
+++ b/src/common/http/client.go
@@ -16,7 +16,6 @@ package http
 
 import (
 	"bytes"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"io"
@@ -30,11 +29,8 @@ import (
 )
 
 const (
-	// DefaultTransport used to get the default http Transport
-	DefaultTransport = iota
 	// InsecureTransport used to get the insecure http Transport
-	InsecureTransport
-
+	InsecureTransport = iota
 	// SecureTransport used to get the external secure http Transport
 	SecureTransport
 )
@@ -45,19 +41,9 @@ const (
 )
 
 func init() {
-	secureHTTPTransport = &http.Transport{
-		Proxy: http.ProxyFromEnvironment,
-		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: false,
-		},
-	}
-
-	insecureHTTPTransport = &http.Transport{
-		Proxy: http.ProxyFromEnvironment,
-		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: true,
-		},
-	}
+	secureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()
+	insecureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()
+	insecureHTTPTransport.TLSClientConfig.InsecureSkipVerify = true
 
 	if InternalTLSEnabled() {
 		tlsConfig, err := GetInternalTLSConfig()
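Review bot: With `DefaultTransport` removed, `InsecureTransport = iota` makes the verification-disabled transport the zero value of the `clientType` selector, so any caller that passes an uninitialized `uint` (a zero-valued struct field, a forgotten argument) silently gets `InsecureSkipVerify: true` instead of a safe default. Make the secure transport the zero value instead: put `SecureTransport = iota` first in the block and `InsecureTransport` after it; callers use the names, so only the numeric values change. It is also worth confirming that the switch in `GetHTTPTransport` (outside this hunk) does not fall through to the insecure transport on an unrecognised value.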
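Review bot: `insecureHTTPTransport.TLSClientConfig.InsecureSkipVerify = true` dereferences a `TLSClientConfig` that `http.DefaultTransport` declares as nil; as far as I can tell it only works because `Transport.Clone()` first runs the HTTP/2 setup that allocates a `tls.Config`, and that setup is skipped under `GODEBUG=http2client=0`, in which case `init` panics with a nil-pointer dereference. Guard it explicitly before the assignment: `if insecureHTTPTransport.TLSClientConfig == nil { insecureHTTPTransport.TLSClientConfig = &tls.Config{} }`, which needs the `crypto/tls` import this patch drops from client.go. `init` continues past the end of the hunk, so the internal-TLS branch that follows should be checked for the same assumption about `secureHTTPTransport`.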
@@ -88,6 +74,14 @@ func GetHTTPTransport(clientType uint) *http.Transport {
 	}
 }
 
+// GetHTTPTransportByInsecure returns a insecure HttpTransport if insecure is true or it returns secure one
+func GetHTTPTransportByInsecure(insecure bool) *http.Transport {
+	if insecure {
+		return insecureHTTPTransport
+	}
+	return secureHTTPTransport
+}
+
 // NewClient creates an instance of Client.
 // Use net/http.Client as the default value if c is nil.
 // Modifiers modify the request before sending it.
@@ -97,7 +91,7 @@ func NewClient(c *http.Client, modifiers ...modifier.Modifier) *Client {
 	}
 	if client.client == nil {
 		client.client = &http.Client{
-			Transport: GetHTTPTransport(DefaultTransport),
+			Transport: GetHTTPTransport(SecureTransport),
 		}
 	}
 	if len(modifiers) > 0 {
diff --git a/src/common/http/tls.go b/src/common/http/tls.go
index d4768c54f..be7959ee7 100644
--- a/src/common/http/tls.go
+++ b/src/common/http/tls.go
@@ -16,13 +16,9 @@ package http
 
 import (
 	"crypto/tls"
-	"crypto/x509"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"strings"
-
-	"github.com/goharbor/harbor/src/common/utils/log"
 )
 
 const (
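Review bot: `GetHTTPTransportByInsecure` returns the package-level `*http.Transport` values themselves, so a caller that mutates the result (sets `TLSClientConfig`, `Proxy` or a timeout) changes every other client in the process, and the new doc comment says neither that nor what `insecure` actually switches off. Suggested comment: `// GetHTTPTransportByInsecure returns the shared insecure transport (TLS certificate verification disabled) when insecure is true, otherwise the shared secure one. The returned *http.Transport is shared process-wide and must not be modified by callers.` That also fixes the "a insecure" wording.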
@@ -36,40 +32,12 @@ const (
 
 // InternalTLSEnabled returns if internal TLS enabled
 func InternalTLSEnabled() bool {
-	if strings.ToLower(os.Getenv(internalTLSEnable)) == "true" {
-		return true
-	}
-	return false
+	return strings.ToLower(os.Getenv(internalTLSEnable)) == "true"
 }
 
 // InternalEnableVerifyClientCert returns if mTLS enabled
 func InternalEnableVerifyClientCert() bool {
-	if strings.ToLower(os.Getenv(internalVerifyClientCert)) == "true" {
-		return true
-	}
-	return false
-}
-
-// GetInternalCA used to get internal cert file from Env
-func GetInternalCA(caPool *x509.CertPool) *x509.CertPool {
-	if caPool == nil {
-		caPool = x509.NewCertPool()
-	}
-
-	caPath := os.Getenv(internalTrustCAPath)
-	if caPath != "" {
-		caCert, err := ioutil.ReadFile(caPath)
-		if err != nil {
-			log.Errorf("read ca file %s failure %w", caPath, err)
-		}
-		if ok := caPool.AppendCertsFromPEM(caCert); !ok {
-			log.Errorf("append ca to ca pool fail")
-		} else {
-			log.Infof("append trustCA %s success", caPath)
-		}
-	}
-
-	return caPool
+	return strings.ToLower(os.Getenv(internalVerifyClientCert)) == "true"
 }
 
 // GetInternalCertPair used to get internal cert and key pair from environment
diff --git a/src/common/job/client.go b/src/common/job/client.go
index bad513db4..7c22d891a 100644
--- a/src/common/job/client.go
+++ b/src/common/job/client.go
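Review bot: Deleting `GetInternalCA` removes the only code visible in this file that reads `internalTrustCAPath` and puts that CA into a pool, so unless `GetInternalTLSConfig` (below the hunk) loads it itself, the variable is now dead and internal-TLS peers are verified only against the system root store — which in practice pushes operators toward `InsecureSkipVerify` when the internal CA is not installed there. If that is the intended contract, record it next to the constant (presumably in the `const` block above), e.g. `// internalTrustCAPath is no longer read; the internal CA must be present in the system trust store.`, or remove the constant; if it is not intended, the CA loading belongs in `GetInternalTLSConfig` as the config's `RootCAs`.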
@@ -79,22 +79,16 @@ func NewDefaultClient(endpoint, secret string) *DefaultClient {
 
 // NewReplicationClient used to create a client for replication
 func NewReplicationClient(endpoint, secret string) *DefaultClient {
-	var tr *http.Transport
-	if endpoint == config.InternalCoreURL() {
-		tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
-	} else {
-		tr = commonhttp.GetHTTPTransport(commonhttp.DefaultTransport)
-	}
-
 	var c *commonhttp.Client
+
 	if len(secret) > 0 {
 		c = commonhttp.NewClient(&http.Client{
-			Transport: tr,
+			Transport: commonhttp.GetHTTPTransport(commonhttp.SecureTransport),
 		}, auth.NewSecretAuthorizer(secret))
 	} else {
 		c = commonhttp.NewClient(&http.Client{
-			Transport: tr,
+			Transport: commonhttp.GetHTTPTransport(commonhttp.SecureTransport),
 		})
 	}
 
diff --git a/src/pkg/notification/policy/manager/manager.go b/src/pkg/notification/policy/manager/manager.go
index 1a5d612cf..95bcb2114 100755
--- a/src/pkg/notification/policy/manager/manager.go
+++ b/src/pkg/notification/policy/manager/manager.go
@@ -110,14 +110,8 @@ func (m *DefaultManager) policyHTTPTest(address string, skipCertVerify bool) err
 	}
 	req.Header.Set("Content-Type", "application/json")
-	var tp *http.Transport
-	if skipCertVerify {
-		tp = commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
-	} else {
-		tp = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
-	}
 	client := http.Client{
-		Transport: tp,
+		Transport: commonhttp.GetHTTPTransportByInsecure(skipCertVerify),
 	}
 	resp, err := client.Do(req)
 
diff --git a/src/pkg/signature/notary/helper.go b/src/pkg/signature/notary/helper.go
index 874c65095..773804e3f 100644
--- a/src/pkg/signature/notary/helper.go
+++ b/src/pkg/signature/notary/helper.go
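Review bot: Both branches of `NewReplicationClient` now build the identical `&http.Client{Transport: commonhttp.GetHTTPTransport(commonhttp.SecureTransport)}`; the only thing that varies is whether `auth.NewSecretAuthorizer(secret)` is passed, so build the client once, e.g. `hc := &http.Client{Transport: commonhttp.GetHTTPTransport(commonhttp.SecureTransport)}` and then `if len(secret) > 0 { c = commonhttp.NewClient(hc, auth.NewSecretAuthorizer(secret)) } else { c = commonhttp.NewClient(hc) }`. The removed `config.InternalCoreURL()` call was, as far as the hunk shows, this function's only use of the `config` package; if nothing else in the file references it, the import has to go too or the build fails. The function ends past the hunk.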
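Review bot: `client := http.Client{` is given a `Transport` but no `Timeout`, and `policyHTTPTest` sends its probe to the caller-supplied `address`, which from the name is a webhook endpoint configured by a user; a target that accepts the connection and never answers holds this request, and whatever handler is waiting on it, indefinitely. Add a bound next to `Transport:`, e.g. `Timeout: 30 * time.Second,` (or build the request from a context with a deadline), adding a `time` import if the file does not already have one. The response handling that follows `client.Do(req)` is outside the hunk.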
@@ -82,7 +82,7 @@ func GetTargets(notaryEndpoint string, username string, fqRepo string) ([]model2
 	authorizer := ¬aryAuthorizer{
 		token: t.Token,
 	}
-	tr := NewTransport(commonhttp.GetHTTPTransport(commonhttp.DefaultTransport), authorizer)
+	tr := NewTransport(commonhttp.GetHTTPTransport(commonhttp.SecureTransport), authorizer)
 	gun := data.GUN(fqRepo)
 	notaryRepo, err := client.NewFileCachedRepository(notaryCachePath, gun, notaryEndpoint, tr, mockRetriever, trustPin)
 	if err != nil {
diff --git a/src/replication/adapter/awsecr/adapter.go b/src/replication/adapter/awsecr/adapter.go
index dbcf3e71b..beb3c21b4 100644
--- a/src/replication/adapter/awsecr/adapter.go
+++ b/src/replication/adapter/awsecr/adapter.go
@@ -245,18 +245,12 @@ func (a *adapter) createRepository(repository string) error {
 	if a.region == "" {
 		return errors.New("no region parsed")
 	}
-	var tr *http.Transport
-	if a.registry.Insecure {
-		tr = commonhttp.GetHTTPTransport(commonhttp.InsecureTransport)
-	} else {
-		tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
-	}
 
 	config := &aws.Config{
 		Credentials: cred,
 		Region: &a.region,
 		HTTPClient: &http.Client{
-			Transport: tr,
+			Transport: commonhttp.GetHTTPTransportByInsecure(a.registry.Insecure),
 		},
 	}
 	if a.forceEndpoint != nil {
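Review bot: `Transport: commonhttp.GetHTTPTransportByInsecure(a.registry.Insecure)` ties certificate verification for the ECR control-plane client to the registry's `Insecure` flag, yet a non-AWS endpoint is only configured when `a.forceEndpoint != nil` (the last context line of the hunk); in the default case this client talks to the public AWS API with signed credentials, where skipping verification gains nothing and lets an on-path attacker read and tamper with the API traffic. Narrow it so the flag only relaxes verification for a self-hosted endpoint: `Transport: commonhttp.GetHTTPTransportByInsecure(a.registry.Insecure && a.forceEndpoint != nil),`. `createRepository` continues past the hunk, and the registry data-plane client that presumably also honours this flag is not touched here.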