Don't warn about insecure connections to localhost

alexellis · alexellis · commit e86c5754611f · 2021-02-14T09:39:07.000Z
This message isn't strictly required or beneficial when
connecting to 127.0.0.1 or localhost, where certificates from
Let's Encrypt are not applicable. If using Kubernetes or SSH
port forwarding, then the connection is encrypted already.

Tested by creating an SSH tunnel to a faasd instance, and
seeing no warning, then connecting to the same faasd instance
with its IP addresses, and continuing to see the error.

The warning message has been updated since SSL is not
applicable to HTTPS currently.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) &lt;alexellis2@gmail.com&gt;
diff --git a/commands/errors.go b/commands/errors.go
@@ -9,14 +9,16 @@ import (
 
 const (
 	// NoTLSWarn Warning thrown when no SSL/TLS is used
-	NoTLSWarn = "WARNING! Communication is not secure, please consider using HTTPS. Letsencrypt.org offers free SSL/TLS certificates."
+	NoTLSWarn = "WARNING! You are not using an encrypted connection to the gateway, consider using HTTPS."
 )
 
 // checkTLSInsecure returns a warning message if the given gateway does not have https.
 // Use tsInsecure to skip validations
 func checkTLSInsecure(gateway string, tlsInsecure bool) string {
 	if !tlsInsecure {
-		if !strings.HasPrefix(gateway, "https") {
+		if strings.HasPrefix(gateway, "https") == false &&
+			strings.HasPrefix(gateway, "http://127.0.0.1") == false &&
+			strings.HasPrefix(gateway, "http://localhost") == false {
 			return NoTLSWarn
 		}
 	}
diff --git a/commands/errors_test.go b/commands/errors_test.go
@@ -14,14 +14,30 @@ func Test_checkTLSInsecure(t *testing.T) {
 		args args
 		want string
 	}{
-		{name: "secure gateway and tls secure", args: args{gateway: "https://127.0.0.1:8080", tlsInsecure: false}, want: ""},
-		{name: "secure gateway and tls insecure", args: args{gateway: "https://127.0.0.1:8080", tlsInsecure: true}, want: ""},
-		{name: "insecure gateway and tls secure", args: args{gateway: "http://127.0.0.1:8080", tlsInsecure: false}, want: "WARNING! Communication is not secure, please consider using HTTPS. Letsencrypt.org offers free SSL/TLS certificates."},
-		{name: "insecure gateway and tls insecure", args: args{gateway: "http://127.0.0.1:8080", tlsInsecure: true}, want: ""},
+		{name: "HTTPS gateway",
+			args: args{gateway: "https://192.168.0.101:8080", tlsInsecure: false},
+			want: ""},
+		{name: "HTTPS gateway with TLSInsecure",
+			args: args{gateway: "https://192.168.0.101:8080", tlsInsecure: true},
+			want: ""},
+		{name: "HTTP gateway without TLSInsecure",
+			args: args{gateway: "http://192.168.0.101:8080", tlsInsecure: false},
+			want: "WARNING! You are not using an encrypted connection to the gateway, consider using HTTPS."},
+		{name: "HTTP gateway to 127.0.0.1 without TLSInsecure",
+			args: args{gateway: "http://127.0.0.1:8080", tlsInsecure: false},
+			want: ""},
+		{name: "HTTP gateway to localhost without TLSInsecure",
+			args: args{gateway: "http://localhost:8080", tlsInsecure: false},
+			want: ""},
+		{name: "HTTP gateway to remote host with TLSInsecure", args: args{gateway: "http://192.168.0.101:8080", tlsInsecure: true},
+			want: ""},
 	}
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := checkTLSInsecure(tt.args.gateway, tt.args.tlsInsecure); got != tt.want {
+			got := checkTLSInsecure(tt.args.gateway, tt.args.tlsInsecure)
+
+			if got != tt.want {
 				t.Errorf("checkTLSInsecure() = %v, want %v", got, tt.want)
 			}
 		})
diff --git a/commands/login.go b/commands/login.go
@@ -88,7 +88,7 @@ func runLogin(cmd *cobra.Command, args []string) error {
 
 	gateway = getGatewayURL(gateway, defaultGateway, "", os.Getenv(openFaaSURLEnvironment))
 
-	if err := validateLogin(gateway, username, password, timeout); err != nil {
+	if err := validateLogin(gateway, username, password, timeout, tlsInsecure); err != nil {
 		return err
 	}
 
@@ -111,7 +111,12 @@ func runLogin(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
-func validateLogin(gatewayURL string, user string, pass string, timeout time.Duration) error {
+func validateLogin(gatewayURL string, user string, pass string, timeout time.Duration, insecureTLS bool) error {
+
+	if len(checkTLSInsecure(gatewayURL, insecureTLS)) > 0 {
+		fmt.Printf(NoTLSWarn)
+	}
+
 	client := proxy.MakeHTTPClient(&timeout, tlsInsecure)
 	req, err := http.NewRequest("GET", gatewayURL+"/system/functions", nil)
 	if err != nil {
@@ -128,10 +133,6 @@ func validateLogin(gatewayURL string, user string, pass string, timeout time.Dur
 		defer res.Body.Close()
 	}
 
-	if res.TLS == nil {
-		fmt.Println("WARNING! Communication is not secure, please consider using HTTPS. Letsencrypt.org offers free SSL/TLS certificates.")
-	}
-
 	switch res.StatusCode {
 	case http.StatusOK:
 		return nil

Original file line number	Diff line number	Diff line change
`@@ -9,14 +9,16 @@ import (`
`9`	`9`
`10`	`10`	`const (`
`11`	`11`	`// NoTLSWarn Warning thrown when no SSL/TLS is used`
`12`		`- NoTLSWarn = "WARNING! Communication is not secure, please consider using HTTPS. Letsencrypt.org offers free SSL/TLS certificates."`
	`12`	`+ NoTLSWarn = "WARNING! You are not using an encrypted connection to the gateway, consider using HTTPS."`
`13`	`13`	`)`
`14`	`14`
`15`	`15`	`// checkTLSInsecure returns a warning message if the given gateway does not have https.`
`16`	`16`	`// Use tsInsecure to skip validations`
`17`	`17`	`func checkTLSInsecure(gateway string, tlsInsecure bool) string {`
`18`	`18`	`if !tlsInsecure {`
`19`		`- if !strings.HasPrefix(gateway, "https") {`
	`19`	`+ if strings.HasPrefix(gateway, "https") == false &&`
	`20`	`+ strings.HasPrefix(gateway, "http://127.0.0.1") == false &&`
	`21`	`+ strings.HasPrefix(gateway, "http://localhost") == false {`
`20`	`22`	`return NoTLSWarn`
`21`	`23`	`}`
`22`	`24`	`}`