From 717f0978d90b9452dd2fc1956fab9b118d44c225 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Fri, 5 Jan 2024 15:24:29 -0300
Subject: [PATCH] fix(tls): set the correct scheme for Docker clients EE-6514 (#10917)

---
 api/docker/client/client.go | 52 +++++++++++--------------------------
 1 file changed, 15 insertions(+), 37 deletions(-)

diff --git a/api/docker/client/client.go b/api/docker/client/client.go
index 17e912cb3..25d0c89d3 100644
--- a/api/docker/client/client.go
+++ b/api/docker/client/client.go
@@ -18,7 +18,7 @@ import (
 "github.com/segmentio/encoding/json"
 )
 
-var errUnsupportedEnvironmentType = errors.New("Environment not supported")
+var errUnsupportedEnvironmentType = errors.New("environment not supported")
 
 const (
 defaultDockerRequestTimeout = 60 * time.Second
@@ -48,9 +48,16 @@ func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeNam
 case portainer.AzureEnvironment:
 return nil, errUnsupportedEnvironmentType
 case portainer.AgentOnDockerEnvironment:
- return createAgentClient(endpoint, factory.signatureService, nodeName, timeout)
+ return createAgentClient(endpoint, endpoint.URL, factory.signatureService, nodeName, timeout)
 case portainer.EdgeAgentOnDockerEnvironment:
- return createEdgeClient(endpoint, factory.signatureService, factory.reverseTunnelService, nodeName, timeout)
+ tunnel, err := factory.reverseTunnelService.GetActiveTunnel(endpoint)
+ if err != nil {
+ return nil, err
+ }
+
+ endpointURL := fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)
+
+ return createAgentClient(endpoint, endpointURL, factory.signatureService, nodeName, timeout)
 }
 
 if strings.HasPrefix(endpoint.URL, "unix://") || strings.HasPrefix(endpoint.URL, "npipe://") {
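Review bot: The `http://` scheme hard-coded into the tunnel URL on the `endpointURL := fmt.Sprintf(...)` line is no longer authoritative: the shared `createAgentClient` now appends `client.WithScheme("https")` whenever the transport built by `httpClient` carries a TLSClientConfig, so an Edge environment whose TLS settings produce such a transport would have its loopback tunnel dialed over https — whether that is intended depends on `httpClient`, which is not in this diff, and is worth confirming before merge. Either way the literal deserves a comment, e.g. `// scheme may be overridden by createAgentClient based on the endpoint's TLS config` so the next reader does not take `http://` at face value. Separately, the error from `GetActiveTunnel` is returned bare; wrapping it as `return nil, fmt.Errorf("getting active edge tunnel: %w", err)` keeps the failure attributable once it surfaces from CreateClient. The enclosing CreateClient switch starts before this hunk and its body continues after it.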
@@ -93,7 +100,7 @@ func createTCPClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*cli
 )
 }
 
-func createEdgeClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, nodeName string, timeout *time.Duration) (*client.Client, error) {
+func createAgentClient(endpoint *portainer.Endpoint, endpointURL string, signatureService portainer.DigitalSignatureService, nodeName string, timeout *time.Duration) (*client.Client, error) {
 httpCli, err := httpClient(endpoint, timeout)
 if err != nil {
 return nil, err
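Review bot: The new `createAgentClient` signature has no doc comment, and since it now serves two callers with differently-sourced URLs (the endpoint's own URL for regular agents, a local reverse-tunnel address for Edge agents, both visible in the CreateClient hunk) the meaning of the `endpointURL` parameter versus the `endpoint` argument is not self-evident. I would add, above the signature, `// createAgentClient builds a Docker client for a Portainer agent reachable at endpointURL; endpoint supplies the TLS settings and signatureService the agent auth headers, and nodeName (when non-empty) selects the target node.` The function body continues past the end of this hunk.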
@@ -113,47 +120,18 @@ func createEdgeClient(endpoint *portainer.Endpoint, signatureService portainer.D
 headers[portainer.PortainerAgentTargetHeader] = nodeName
 }
 
- tunnel, err := reverseTunnelService.GetActiveTunnel(endpoint)
- if err != nil {
- return nil, err
- }
-
- endpointURL := fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)
-
- return client.NewClientWithOpts(
+ opts := []client.Opt{
 client.WithHost(endpointURL),
 client.WithAPIVersionNegotiation(),
 client.WithHTTPClient(httpCli),
 client.WithHTTPHeaders(headers),
- )
-}
-
-func createAgentClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService, nodeName string, timeout *time.Duration) (*client.Client, error) {
- httpCli, err := httpClient(endpoint, timeout)
- if err != nil {
- return nil, err
 }
 
- signature, err := signatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
- if err != nil {
- return nil, err
+ if nnTransport, ok := httpCli.Transport.(*NodeNameTransport); ok && nnTransport.TLSClientConfig != nil {
+ opts = append(opts, client.WithScheme("https"))
 }
 
- headers := map[string]string{
- portainer.PortainerAgentPublicKeyHeader: signatureService.EncodedPublicKey(),
- portainer.PortainerAgentSignatureHeader: signature,
- }
-
- if nodeName != "" {
- headers[portainer.PortainerAgentTargetHeader] = nodeName
- }
-
- return client.NewClientWithOpts(
- client.WithHost(endpoint.URL),
- client.WithAPIVersionNegotiation(),
- client.WithHTTPClient(httpCli),
- client.WithHTTPHeaders(headers),
- )
+ return client.NewClientWithOpts(opts...)
 }
 
 type NodeNameTransport struct {
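Review bot: The scheme selection on the `if nnTransport, ok := httpCli.Transport.(*NodeNameTransport); ok && ...` line fails open: if `httpClient` ever returns a transport of a different type, `ok` is false, no scheme is set, and the Docker client falls back to its default (as far as I recall, plain http unless it can read a TLSClientConfig off a bare *http.Transport, which is presumably why this wrapper needed an explicit scheme in the first place) — so a TLS-configured endpoint would silently be contacted without TLS rather than erroring. I would split the assertion from the TLS check and return an error on an unexpected transport type, and record the reason for the explicit scheme in a comment, since nothing in the hunk explains why `WithHost(endpointURL)` alone is not enough. `createAgentClient`'s opening lines, including where `httpCli` is obtained, are outside this hunk.
```go
	// The Docker client only infers "https" from a bare *http.Transport; our
	// NodeNameTransport wrapper hides the TLS config, so pick the scheme here
	// and refuse to guess (fail closed) if the transport is not what httpClient builds.
	nnTransport, ok := httpCli.Transport.(*NodeNameTransport)
	if !ok {
		return nil, fmt.Errorf("unexpected transport type %T for agent client", httpCli.Transport)
	}
	if nnTransport.TLSClientConfig != nil {
		opts = append(opts, client.WithScheme("https"))
	}
	// … unchanged: return client.NewClientWithOpts(opts...) …
```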