fix: check for skipTlsVerify before allowing http connection

mstruebing · mstruebing · commit 37659920ecd4 · 2025-04-05T09:51:15.000Z
diff --git a/src/cache_test.ts b/src/cache_test.ts
@@ -11,7 +11,7 @@ import { ListPromise } from './informer.js';
 import nock from 'nock';
 import { Watch } from './watch.js';
 
-const server = 'http://foo.company.com';
+const server = 'https://foo.company.com';
 
 const fakeConfig: {
     clusters: Cluster[];
diff --git a/src/config.ts b/src/config.ts
@@ -545,8 +545,10 @@ export class KubeConfig implements SecurityAuthentication {
             } else {
                 throw new Error('Unsupported proxy type');
             }
-        } else if (cluster?.server?.startsWith('http:')) {
+        } else if (cluster?.server?.startsWith('http:') && cluster.skipTLSVerify) {
             agent = new http.Agent(agentOptions);
+        } else if (cluster?.server?.startsWith('http:') && !cluster.skipTLSVerify) {
+            throw new Error('HTTP protocol is not allowed when skipTLSVerify is not set or false');
         } else {
             agent = new https.Agent(agentOptions);
         }
diff --git a/src/config_test.ts b/src/config_test.ts
@@ -1,5 +1,12 @@
 import { after, before, beforeEach, describe, it, mock } from 'node:test';
-import { deepEqual, deepStrictEqual, notStrictEqual, rejects, strictEqual, throws } from 'node:assert';
+import assert, {
+    deepEqual,
+    deepStrictEqual,
+    notStrictEqual,
+    rejects,
+    strictEqual,
+    throws,
+} from 'node:assert';
 import child_process from 'node:child_process';
 import { readFileSync } from 'node:fs';
 import https from 'node:https';
@@ -461,11 +468,21 @@ describe('KubeConfig', () => {
 
             strictEqual(rc.getAgent() instanceof http.Agent, true);
         });
-        it('should apply https agent if cluster.server starts with https and no proxy-url is provided', async () => {
+        it('should throw an error if cluster.server starts with http, no proxy-url is provided and insecure-skip-tls-verify is not set', async () => {
             const kc = new KubeConfig();
             kc.loadFromFile(kcProxyUrl);
             kc.setCurrentContext('contextF');
 
+            const testServerName = 'http://example.com';
+            const rc = new RequestContext(testServerName, HttpMethod.GET);
+
+            await assert.rejects(kc.applySecurityAuthentication(rc), Error);
+        });
+        it('should apply https agent if cluster.server starts with https and no proxy-url is provided', async () => {
+            const kc = new KubeConfig();
+            kc.loadFromFile(kcProxyUrl);
+            kc.setCurrentContext('contextG');
+
             const testServerName = 'https://example.com';
             const rc = new RequestContext(testServerName, HttpMethod.GET);
 
diff --git a/src/watch_test.ts b/src/watch_test.ts
@@ -7,7 +7,7 @@ import { Cluster, Context, User } from './config_types.js';
 import { Watch } from './watch.js';
 import { IncomingMessage } from 'node:http';
 
-const server = 'http://foo.company.com';
+const server = 'https://foo.company.com';
 
 const fakeConfig: {
     clusters: Cluster[];
diff --git a/testdata/kubeconfig-proxy-url.yaml b/testdata/kubeconfig-proxy-url.yaml
@@ -20,6 +20,15 @@ clusters:
           server: htto://exampleerror.com
           proxy-url: http://example:8080
       name: clusterD
+    - cluster:
+          certificate-authority-data: Q0FEQVRA
+          server: http://exampleerror.com
+          insecure-skip-tls-verify: true
+      name: clusterE
+    - cluster:
+          certificate-authority-data: Q0FEQVRA
+          server: http://exampleerror.com
+      name: clusterF
 
 contexts:
     - context:
@@ -38,6 +47,14 @@ contexts:
           cluster: clusterD
           user: userD
       name: contextD
+    - context:
+          cluster: clusterE
+          user: userE
+      name: contextE
+    - context:
+          cluster: clusterF
+          user: userF
+      name: contextF
 
 current-context: contextA
 kind: Config
@@ -59,3 +76,11 @@ users:
       user:
           client-certificate-data: XVNFUl9DQURBVEE=
           client-key-data: XVNFUl9DS0RBVEE=
+    - name: userE
+      user:
+          client-certificate-data: XVNFUl9DQURBVEE=
+          client-key-data: XVNFUl9DS0RBVEE=
+    - name: userF
+      user:
+          client-certificate-data: XVNFUl9DQURBVEE=
+          client-key-data: XVNFUl9DS0RBVEE=

Original file line number	Diff line number	Diff line change
`@@ -545,8 +545,10 @@ export class KubeConfig implements SecurityAuthentication {`
`545`	`545`	`} else {`
`546`	`546`	`throw new Error('Unsupported proxy type');`
`547`	`547`	`}`
`548`		`- } else if (cluster?.server?.startsWith('http:')) {`
	`548`	`+ } else if (cluster?.server?.startsWith('http:') && cluster.skipTLSVerify) {`
`549`	`549`	`agent = new http.Agent(agentOptions);`
	`550`	`+ } else if (cluster?.server?.startsWith('http:') && !cluster.skipTLSVerify) {`
	`551`	`+ throw new Error('HTTP protocol is not allowed when skipTLSVerify is not set or false');`
`550`	`552`	`} else {`
`551`	`553`	`agent = new https.Agent(agentOptions);`
`552`	`554`	`}`