registry: always treat 127.0.0.1 as insecure for all cases anytime anywhere
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
parent
8582d04393
commit
524aa8b1a6
2 changed files with 19 additions and 25 deletions
|
@ -152,19 +152,25 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
|
||||||
// IsSecure returns false if the provided hostname is part of the list of insecure registries.
|
// IsSecure returns false if the provided hostname is part of the list of insecure registries.
|
||||||
// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
|
// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
|
||||||
func IsSecure(hostname string, insecureRegistries []string) bool {
|
func IsSecure(hostname string, insecureRegistries []string) bool {
|
||||||
|
|
||||||
if hostname == IndexServerAddress() {
|
if hostname == IndexServerAddress() {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
host, _, err := net.SplitHostPort(hostname)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
host = hostname
|
||||||
|
}
|
||||||
|
|
||||||
|
if host == "127.0.0.1" || host == "localhost" {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
if len(insecureRegistries) == 0 {
|
if len(insecureRegistries) == 0 {
|
||||||
host, _, err := net.SplitHostPort(hostname)
|
|
||||||
if err != nil {
|
|
||||||
host = hostname
|
|
||||||
}
|
|
||||||
if host == "127.0.0.1" || host == "localhost" {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, h := range insecureRegistries {
|
for _, h := range insecureRegistries {
|
||||||
if hostname == h {
|
if hostname == h {
|
||||||
return false
|
return false
|
||||||
|
|
|
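Review bot: The now-unconditional loopback exemption in IsSecure is an exact string match (`if host == "127.0.0.1" || host == "localhost"`), so `localhost` is trusted by name rather than by the address it resolves to, while other loopback spellings such as `::1` or `127.0.0.2` still fall through to the list check. Because this branch returns false regardless of `insecureRegistries`, it would be more robust to decide on the parsed address, e.g. `if ip := net.ParseIP(host); host == "localhost" || (ip != nil && ip.IsLoopback()) {`, and to state in a comment that the `localhost` case assumes the name resolves to loopback on this machine. The doc comment above the function still describes only list membership; it should gain a line such as `// Loopback hosts (127.0.0.1, localhost) are always treated as insecure, whatever insecureRegistries contains.` The function body continues past the end of the hunk.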
@ -328,31 +328,19 @@ func TestIsSecure(t *testing.T) {
|
||||||
}{
|
}{
|
||||||
{"example.com", []string{}, true},
|
{"example.com", []string{}, true},
|
||||||
{"example.com", []string{"example.com"}, false},
|
{"example.com", []string{"example.com"}, false},
|
||||||
{"localhost", []string{"localhost:5000"}, true},
|
{"localhost", []string{"localhost:5000"}, false},
|
||||||
{"localhost:5000", []string{"localhost:5000"}, false},
|
{"localhost:5000", []string{"localhost:5000"}, false},
|
||||||
{"localhost", []string{"example.com"}, true},
|
{"localhost", []string{"example.com"}, false},
|
||||||
{"127.0.0.1:5000", []string{"127.0.0.1:5000"}, false},
|
{"127.0.0.1:5000", []string{"127.0.0.1:5000"}, false},
|
||||||
}
|
|
||||||
for _, tt := range tests {
|
|
||||||
if sec := IsSecure(tt.addr, tt.insecureRegistries); sec != tt.expected {
|
|
||||||
t.Errorf("IsSecure failed for %q %v, expected %v got %v", tt.addr, tt.insecureRegistries, tt.expected, sec)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestIsSecure(t *testing.T) {
|
|
||||||
tests := []struct {
|
|
||||||
addr string
|
|
||||||
insecureRegistries []string
|
|
||||||
expected bool
|
|
||||||
}{
|
|
||||||
{"localhost", []string{}, false},
|
{"localhost", []string{}, false},
|
||||||
{"localhost:5000", []string{}, false},
|
{"localhost:5000", []string{}, false},
|
||||||
{"127.0.0.1", []string{}, false},
|
{"127.0.0.1", []string{}, false},
|
||||||
{"localhost", []string{"example.com"}, true},
|
{"localhost", []string{"example.com"}, false},
|
||||||
{"127.0.0.1", []string{"example.com"}, true},
|
{"127.0.0.1", []string{"example.com"}, false},
|
||||||
{"example.com", []string{}, true},
|
{"example.com", []string{}, true},
|
||||||
{"example.com", []string{"example.com"}, false},
|
{"example.com", []string{"example.com"}, false},
|
||||||
|
{"127.0.0.1", []string{"example.com"}, false},
|
||||||
|
{"127.0.0.1:5000", []string{"example.com"}, false},
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
if sec := IsSecure(tt.addr, tt.insecureRegistries); sec != tt.expected {
|
if sec := IsSecure(tt.addr, tt.insecureRegistries); sec != tt.expected {
|
||||||
|
|
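Review bot: The updated table has no row that pins the loopback exemption to an exact host match, and as rendered two rows on the new side are duplicates (`{"127.0.0.1", []string{"example.com"}, false}` and `{"localhost", []string{"example.com"}, false}` each appear twice). A negative case such as `{"localhost.example.com", []string{}, true}` (constructed example) would catch a later change that loosens the comparison to a prefix or substring match and so starts treating remote hosts as insecure registries. The duplicate rows could be replaced by that case and by one with a port on a non-loopback host. The test function continues past the end of the hunk.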