httpclient

package
v0.0.0-test Latest
Warning

This package is not in the latest version of its module.

Published: Dec 11, 2024 License: Apache-2.0 Imports: 9 Imported by: 2

README

HTTP client

This package provides common http.Transport instances (connection pools) for use by NV (NeuVector). To use this package, follow the steps below:

Implement config update callback.

Whenever the proxy or TLS config changes, SetDefaultTLSClientConfig() should be called. For example, the snippet below parses the config and sets the default TLS config.

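		// A nil pool makes crypto/tls verify against the host's root CA set.
		var pool *x509.CertPool

		if cfg.GlobalCaCerts != "" {
			pool = x509.NewCertPool()
			pool.AppendCertsFromPEM([]byte(cfg.GlobalCaCerts))
		}

		// ParseProxy returns a proxy URL that includes the user name and password.
		httpProxy := httpclient.ParseProxy(&cfg.RegistryHttpProxy)
		httpsProxy := httpclient.ParseProxy(&cfg.RegistryHttpsProxy)
		var noProxy string // has no effect for now

		httpclient.SetDefaultTLSClientConfig(&httpclient.TLSClientSettings{
			TLSconfig: &tls.Config{
				// Certificate verification is skipped when EnableTLSVerification is false.
				InsecureSkipVerify: !cfg.EnableTLSVerification,
				RootCAs:            pool,
			},
		}, httpProxy, httpsProxy, noProxy)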

For use cases where no config is involved, e.g., the standalone scanner, httpclient should still be initialized using the snippet below:

		// Default TLS config
		httpclient.SetDefaultTLSClientConfig(&httpclient.TLSClientSettings{
			TLSconfig: &tls.Config{
				// Your TLS config
			},
		}, "", "", "")

http.Client implementation

Due to different implementations of http clients, this package provides a few methods to share http.Transport.

GetTransport()

In NeuVector, a proxy can be enabled or disabled on a per-resource basis. For example, each registry can have a different setting even when they connect to the same endpoints. Components that have their own http.Client but would like to share a connection pool through this package can use code similar to the snippet below:

	client := &http.Client{
		Timeout: requestTimeout,
	}

	proxyURL := httpclient.ParseProxy(proxy)
	t, err := httpclient.GetTransport(proxyURL)
	if err != nil {
		...
	}
	client.Transport = t

This way, the shared http.Transport will be used depending on each function's proxy setting.

Similarly, you can use CreateHTTPClient() to create an HTTP client with the default settings.

GetTLSConfig()

For connections that are based on TLS but not HTTP, you can still use the shared TLS config by calling GetTLSConfig().

Note that with this method, proxy settings will not be honored.

Reference

https://pkg.go.dev/net/http#Transport

Transports should be reused instead of created as needed. Transports are safe for concurrent use by multiple goroutines.

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func CreateHTTPClient

func CreateHTTPClient(proxy string) (*http.Client, error)

This function creates an HTTP client using GetTransport().

It is basically a wrapper around GetTransport(). If no Transport exists for the proxy setting, GetTransport() will create a new one for it.

func GetHttpProxy

func GetHttpProxy() string

Get HTTP proxy setting.

A convenience function to get the latest setting without implementing Consul config notification.

func GetHttpsProxy

func GetHttpsProxy() string

Get HTTPS proxy setting.

A convenience function to get the latest setting without implementing Consul config notification.

func GetProxy

func GetProxy(targetURL string) (string, error)

Get the configured proxy URL for the given target URL.

func GetTLSConfig

func GetTLSConfig() *tls.Config

Get the current TLS config.

This function doesn't support proxies, so it's not recommended in most cases. Use GetSharedTransport() or CreateHTTPClient() instead.

func GetTransport

func GetTransport(proxy string) (*http.Transport, error)

Get the shared http.Transport for the given proxy URL.

Note that the proxy URL must contain the user name and password. If there is no transport available, this function creates a new transport for it using the shared TLS config.

func ParseProxy

func ParseProxy(proxy *share.CLUSProxy) string

Convert share.CLUSProxy to a proxy URL with username and password.

func SetDefaultTLSClientConfig

func SetDefaultTLSClientConfig(config *TLSClientSettings, httpProxy string, httpsProxy string, noProxy string) (err error)

Change TLS config and update related connection pools (http.Transport).

noProxy has no effect for now.

Note: When this function is called, a new set of connection pools will be created to prevent issues in existing clients.
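The sharing described for GetTransport() and the note above on SetDefaultTLSClientConfig(), sketched with the standard library only. This is an added example, not the package's own implementation; the names setTLS and getTransport, the package-level map and the proxy URL are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/url"
	"sync"
)

// Hypothetical stand-in for the package's shared state (not its real layout).
var (
	mu         sync.Mutex
	tlsConfig  *tls.Config
	transports = map[string]*http.Transport{} // keyed by proxy URL, "" = direct
)

// setTLS installs a new TLS config and starts a fresh, empty set of pools.
func setTLS(cfg *tls.Config) {
	mu.Lock()
	defer mu.Unlock()
	tlsConfig, transports = cfg, map[string]*http.Transport{}
}

// getTransport returns the shared transport for proxy, creating it on first use.
func getTransport(proxy string) (*http.Transport, error) {
	mu.Lock()
	defer mu.Unlock()
	if t, ok := transports[proxy]; ok {
		return t, nil
	}
	t := &http.Transport{TLSClientConfig: tlsConfig.Clone()}
	if proxy != "" {
		u, err := url.Parse(proxy)
		if err != nil {
			return nil, fmt.Errorf("invalid proxy URL") // URL omitted: it carries credentials
		}
		t.Proxy = http.ProxyURL(u)
	}
	transports[proxy] = t
	return t, nil
}

func main() {
	setTLS(&tls.Config{MinVersion: tls.VersionTLS12})
	old, _ := getTransport("")
	setTLS(&tls.Config{MinVersion: tls.VersionTLS13})
	fmt.Println(old.TLSClientConfig.MinVersion == tls.VersionTLS12) // old pool unchanged
}
```

A client that still holds a transport obtained before the config change keeps the TLS settings it was created with until it fetches a transport again.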

Types

type TLSClientSettings

type TLSClientSettings struct {
	TLSconfig *tls.Config
}
