Add insecure flag for http getter

ebudan · May 4, 2021 · 9e42df5 · 9e42df5
1 parent e2a8659
commit 9e42df5
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 1 deletion.
diff --git a/client.go b/client.go
@@ -67,6 +67,15 @@ type Client struct {
 	// By default a no op progress listener is used.
 	ProgressListener ProgressTracker
 
+	// Insecure controls whether a client verifies the server's
+	// certificate chain and host name. If Insecure is true, crypto/tls
+	// accepts any certificate presented by the server and any host name in that
+	// certificate. In this mode, TLS is susceptible to machine-in-the-middle
+	// attacks unless custom verification is used. This should be used only for
+	// testing or in combination with VerifyConnection or VerifyPeerCertificate.
+	// This is identical to tls.Config.InsecureSkipVerify.
+	Insecure bool
+
 	Options []ClientOption
 }
 
@@ -289,7 +298,7 @@ func (c *Client) Get() error {
 		// if we're specifying a subdir.
 		err := g.Get(dst, u)
 		if err != nil {
-			err = fmt.Errorf("error downloading '%s': %s", src, err)
+			err = fmt.Errorf("error downloading '%s': %s", u.Redacted(), err)
 			return err
 		}
 	}

diff --git a/client_option_insecure.go b/client_option_insecure.go
@@ -0,0 +1,14 @@
+package getter
+
+// WithInsecure allows for a user to avoid
+// checking certificates (not recommended).
+// For example, when connecting on HTTPS where an
+// invalid certificate is presented.
+// User assumes all risk.
+// Not all getters have support for insecure mode yet.
+func WithInsecure() func(*Client) error {
+	return func(c *Client) error {
+		c.Insecure = true
+		return nil
+	}
+}
diff --git a/cmd/go-getter/main.go b/cmd/go-getter/main.go
@@ -14,6 +14,7 @@ import (
 func main() {
 	modeRaw := flag.String("mode", "any", "get mode (any, file, dir)")
 	progress := flag.Bool("progress", false, "display terminal progress")
+	insecure := flag.Bool("insecure", false, "do not verify server's certificate chain (not recommended)")
 	flag.Parse()
 	args := flag.Args()
 	if len(args) < 2 {
@@ -46,6 +47,11 @@ func main() {
 		opts = append(opts, getter.WithProgress(defaultProgressBar))
 	}
 
+	if *insecure {
+		log.Println("WARNING: Using Insecure TLS transport!")
+		opts = append(opts, getter.WithInsecure())
+	}
+
 	ctx, cancel := context.WithCancel(context.Background())
 	// Build the client
 	client := &getter.Client{

diff --git a/get_http.go b/get_http.go
@@ -2,6 +2,7 @@ package getter
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/xml"
 	"fmt"
 	"io"
@@ -11,6 +12,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/hashicorp/go-cleanhttp"
 	safetemp "github.com/hashicorp/go-safetemp"
 )
 
@@ -74,6 +76,11 @@ func (g *HttpGetter) Get(dst string, u *url.URL) error {
 
 	if g.Client == nil {
 		g.Client = httpClient
+		if g.client != nil && g.client.Insecure {
+			insecureTransport := cleanhttp.DefaultTransport()
+			insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+			g.Client.Transport = insecureTransport
+		}
 	}
 
 	// Add terraform-get to the parameter.
@@ -157,6 +164,11 @@ func (g *HttpGetter) GetFile(dst string, src *url.URL) error {
 
 	if g.Client == nil {
 		g.Client = httpClient
+		if g.client != nil && g.client.Insecure {
+			insecureTransport := cleanhttp.DefaultTransport()
+			insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+			g.Client.Transport = insecureTransport
+		}
 	}
 
 	var currentFileSize int64