From b9250a783afb82fbf9f984a1cb672e1884ebea81 Mon Sep 17 00:00:00 2001
From: Petu Eusebiu
Date: Thu, 27 Jan 2022 14:45:46 +0200
Subject: [PATCH] Use InsecureSkipVerify only with https upstreams

Signed-off-by: Petu Eusebiu
---
 pkg/extensions/sync/sync_internal_test.go | 17 ++++++++++++++++-
 pkg/extensions/sync/utils.go | 9 ++++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/pkg/extensions/sync/sync_internal_test.go b/pkg/extensions/sync/sync_internal_test.go
index 678bd307..416e1dd5 100644
--- a/pkg/extensions/sync/sync_internal_test.go
+++ b/pkg/extensions/sync/sync_internal_test.go
@@ -143,13 +143,17 @@ func TestSyncInternal(t *testing.T) {
 var tlsVerify bool
 updateDuration := time.Microsecond
+ port := GetFreePort()
+ baseURL := GetBaseURL(port)
+ baseSecureURL := GetSecureBaseURL(port)
+
 syncRegistryConfig := RegistryConfig{
 Content: []Content{
 {
 Prefix: testImage,
 },
 },
- URL: BaseURL,
+ URL: baseURL,
 PollInterval: updateDuration,
 TLSVerify: &tlsVerify,
 CertDir: badCertsDir,
@@ -158,6 +162,17 @@ func TestSyncInternal(t *testing.T) {
 _, err = getHTTPClient(&syncRegistryConfig, Credentials{}, log.NewLogger("debug", ""))
 So(err, ShouldNotBeNil)
 syncRegistryConfig.CertDir = "/path/to/invalid/cert"
+
+ _, err = getHTTPClient(&syncRegistryConfig, Credentials{}, log.NewLogger("debug", ""))
+ So(err, ShouldNotBeNil)
+
+ syncRegistryConfig.CertDir = ""
+ syncRegistryConfig.URL = baseSecureURL
+
+ _, err = getHTTPClient(&syncRegistryConfig, Credentials{}, log.NewLogger("debug", ""))
+ So(err, ShouldBeNil)
+
+ syncRegistryConfig.URL = BaseURL
 _, err = getHTTPClient(&syncRegistryConfig, Credentials{}, log.NewLogger("debug", ""))
 So(err, ShouldNotBeNil)
 })
diff --git a/pkg/extensions/sync/utils.go b/pkg/extensions/sync/utils.go
index b00db63d..84836def 100644
--- a/pkg/extensions/sync/utils.go
+++ b/pkg/extensions/sync/utils.go
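Review bot: The final `So(err, ShouldNotBeNil)` after `syncRegistryConfig.URL = BaseURL` expects getHTTPClient to fail for a plain-http URL with TLSVerify=false and an empty CertDir, but nothing in the utils.go hunks produces an error for that input — the only new failure path is url.Parse, which accepts BaseURL. If the error comes from code outside the hunks, a one-line comment such as `// http upstream with tlsVerify=false is rejected by <check>` would make the expectation checkable; if not, the assertion may be encoding the wrong outcome. The hunk also mixes the new local `baseURL` with the package-level `BaseURL` for what appears to be the same http endpoint; using `baseURL` in that last assignment avoids two near-identical names meaning different things. The enclosing Convey block starts before the hunk.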
@@ -104,6 +104,13 @@ func getFileCredentials(filepath string) (CredentialsFile, error) {
 func getHTTPClient(regCfg *RegistryConfig, credentials Credentials, log log.Logger) (*resty.Client, error) {
 client := resty.New()
+ registryURL, err := url.Parse(regCfg.URL)
+ if err != nil {
+ log.Error().Err(err).Str("url", regCfg.URL).Msg("couldn't parse url")
+
+ return nil, err
+ }
+
 if regCfg.CertDir != "" {
 log.Debug().Msgf("sync: using certs directory: %s", regCfg.CertDir)
 clientCert := path.Join(regCfg.CertDir, "client.cert")
@@ -133,7 +140,7 @@ func getHTTPClient(regCfg *RegistryConfig, credentials Credentials, log log.Logg
 }
 // nolint: gosec
- if regCfg.TLSVerify != nil && !*regCfg.TLSVerify {
+ if regCfg.TLSVerify != nil && !*regCfg.TLSVerify && registryURL.Scheme == "https" {
 client.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
 }
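Review bot: The new url.Parse failure path both logs the error and returns it bare, so the caller receives no context while this layer has already emitted a log line for it; returning a wrapped error instead, `return nil, fmt.Errorf("parsing registry url %q: %w", regCfg.URL, err)` (if fmt is in scope in this file), keeps the error handled at one layer. Separately, url.Parse accepts scheme-less strings such as a bare host:port, so a successful parse does not guarantee `registryURL.Scheme` is populated — the https gate below then leaves verification on, which is the safe direction but hides the misconfiguration. No import of net/url appears in the shown hunks; the diffstat lists 9 insertions against 8 visible, so the import may simply be off this page — worth confirming it exists. getHTTPClient's body continues past the hunk.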
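Review bot: The scheme gate on the new condition silently discards an explicit TLSVerify=false for any non-https upstream, so an operator who set it gets no signal that it had no effect. An `else if` on the same condition without the scheme clause, e.g. `} else if regCfg.TLSVerify != nil && !*regCfg.TLSVerify { log.Warn().Str("url", regCfg.URL).Msg("tlsVerify=false has no effect for non-https upstream") }` (assuming the logger exposes Warn as it does Debug and Error), makes the ignored setting visible without touching the client. The `// nolint: gosec` marker now suppresses a finding on a branch that is opt-in and scheme-gated; a short comment stating that, e.g. `// InsecureSkipVerify is only set when the operator explicitly disabled verification for an https upstream`, would justify the suppression for the next reader. The exact-string comparison is fine since url.Parse lowercases the scheme.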