From 9e42df5957b5fe484d6e82ce17c3ef229d0d0794 Mon Sep 17 00:00:00 2001
From: Chris Gilmer
Date: Tue, 4 May 2021 05:55:09 -0700
Subject: [PATCH] Add insecure flag for http getter

---
 client.go | 11 ++++++++++-
 client_option_insecure.go | 14 ++++++++++++++
 cmd/go-getter/main.go | 6 ++++++
 get_http.go | 12 ++++++++++++
 4 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 client_option_insecure.go

diff --git a/client.go b/client.go
index 78a96bf0b..d531c2a77 100644
--- a/client.go
+++ b/client.go
@@ -67,6 +67,15 @@ type Client struct {
 	// By default a no op progress listener is used.
 	ProgressListener ProgressTracker
 
+	// Insecure controls whether a client verifies the server's
+	// certificate chain and host name. If Insecure is true, crypto/tls
+	// accepts any certificate presented by the server and any host name in that
+	// certificate. In this mode, TLS is susceptible to machine-in-the-middle
+	// attacks unless custom verification is used. This should be used only for
+	// testing or in combination with VerifyConnection or VerifyPeerCertificate.
+	// This is identical to tls.Config.InsecureSkipVerify.
+	Insecure bool
+
 	Options []ClientOption
 }
 
@@ -289,7 +298,7 @@ func (c *Client) Get() error {
 		// if we're specifying a subdir.
 		err := g.Get(dst, u)
 		if err != nil {
-			err = fmt.Errorf("error downloading '%s': %s", src, err)
+			err = fmt.Errorf("error downloading '%s': %s", u.Redacted(), err)
 			return err
 		}
 	}
diff --git a/client_option_insecure.go b/client_option_insecure.go
new file mode 100644
index 000000000..75da58cdd
--- /dev/null
+++ b/client_option_insecure.go
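Review bot: The new doc comment on `Insecure` tells callers to pair it with VerifyConnection or VerifyPeerCertificate, but Client exposes neither hook and the HttpGetter hunks in this same patch build a bare `&tls.Config{InsecureSkipVerify: true}` with no custom verification, so that advice cannot be followed through this API. Suggest dropping the "in combination with VerifyConnection or VerifyPeerCertificate" clause and stating what the field does here instead: `// Insecure disables verification of the server's certificate chain and host name for getters that honor it (in this patch only the HTTP getter, and only when it creates its own http.Client). It is the equivalent of tls.Config.InsecureSkipVerify and is intended for testing only.` The Client struct definition continues outside the hunk.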
@@ -0,0 +1,14 @@
+package getter
+
+// WithInsecure allows for a user to avoid
+// checking certificates (not recommended).
+// For example, when connecting on HTTPS where an
+// invalid certificate is presented.
+// User assumes all risk.
+// Not all getters have support for insecure mode yet.
+func WithInsecure() func(*Client) error {
+	return func(c *Client) error {
+		c.Insecure = true
+		return nil
+	}
+}
diff --git a/cmd/go-getter/main.go b/cmd/go-getter/main.go
index 3cd028641..317874d85 100644
--- a/cmd/go-getter/main.go
+++ b/cmd/go-getter/main.go
@@ -14,6 +14,7 @@ import (
 func main() {
 	modeRaw := flag.String("mode", "any", "get mode (any, file, dir)")
 	progress := flag.Bool("progress", false, "display terminal progress")
+	insecure := flag.Bool("insecure", false, "do not verify server's certificate chain (not recommended)")
 	flag.Parse()
 	args := flag.Args()
 	if len(args) < 2 {
@@ -46,6 +47,11 @@ func main() {
 		opts = append(opts, getter.WithProgress(defaultProgressBar))
 	}
 
+	if *insecure {
+		log.Println("WARNING: Using Insecure TLS transport!")
+		opts = append(opts, getter.WithInsecure())
+	}
+
 	ctx, cancel := context.WithCancel(context.Background())
 	// Build the client
 	client := &getter.Client{
diff --git a/get_http.go b/get_http.go
index 8c2278d6a..bd2d2e55c 100644
--- a/get_http.go
+++ b/get_http.go
@@ -2,6 +2,7 @@ package getter
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/xml"
 	"fmt"
 	"io"
@@ -11,6 +12,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/hashicorp/go-cleanhttp"
 	safetemp "github.com/hashicorp/go-safetemp"
 )
 
@@ -74,6 +76,11 @@ func (g *HttpGetter) Get(dst string, u *url.URL) error {
 
 	if g.Client == nil {
 		g.Client = httpClient
+		if g.client != nil && g.client.Insecure {
+			insecureTransport := cleanhttp.DefaultTransport()
+			insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+			g.Client.Transport = insecureTransport
+		}
 	}
 
 	// Add terraform-get to the parameter.
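Review bot: The comment "Not all getters have support for insecure mode yet" leaves a caller unable to tell whether WithInsecure did anything, and the option returns nil rather than signalling when it is ignored. Within this patch only HttpGetter reads `Insecure`, and only on the path where `g.Client == nil`, so suggest making that explicit in the doc comment: `// Only the HTTP getter honors Insecure in this version, and only when it builds its own http.Client; a caller-supplied HttpGetter.Client is used as-is.`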
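Review bot: The `-insecure` help text in the `@@ -14,6` hunk of cmd/go-getter/main.go says only "certificate chain", but `InsecureSkipVerify` as applied in get_http.go also disables host name verification, so the flag description understates what is switched off. Suggest `insecure := flag.Bool("insecure", false, "do not verify the server's certificate chain or host name (not recommended)")`. The warning printed in the `@@ -46,6` hunk is a good operator signal and can stay as is; `main`'s body continues outside both hunks.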
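Review bot: In the `@@ -74,6` hunk of get_http.go, `g.Client.Transport = insecureTransport` runs after `g.Client = httpClient`, so it mutates whatever `httpClient` points to rather than this getter's own client; if `httpClient` is a package-level `*http.Client` as the assignment suggests (its declaration is outside the hunk), every later HttpGetter in the process that falls back to it silently inherits `InsecureSkipVerify: true` even when its Client has Insecure set to false, and concurrent Get calls race on the Transport field. Build a dedicated client for the insecure case instead, as sketched below; the GetFile hunk at `@@ -157,6` duplicates the same block and needs the same change, so a small unexported helper shared by both would avoid the copy. The field should also document that Insecure is ignored when the caller supplied `g.Client`. `Get`'s body continues outside the hunk.
```go
	if g.Client == nil {
		g.Client = httpClient
		if g.client != nil && g.client.Insecure {
			// Build a dedicated client so the shared httpClient is never mutated.
			insecureTransport := cleanhttp.DefaultTransport()
			insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
			insecureClient := cleanhttp.DefaultClient()
			insecureClient.Transport = insecureTransport
			g.Client = insecureClient
		}
	}
	// … unchanged: terraform-get parameter handling …
```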
@@ -157,6 +164,11 @@ func (g *HttpGetter) GetFile(dst string, src *url.URL) error {
 
 	if g.Client == nil {
 		g.Client = httpClient
+		if g.client != nil && g.client.Insecure {
+			insecureTransport := cleanhttp.DefaultTransport()
+			insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+			g.Client.Transport = insecureTransport
+		}
 	}
 
 	var currentFileSize int64