add AGENT_TLS_INSECURE to enable Insecure TLS mode

2026-03-06 23:51:29 +00:00 · 2023-06-28 17:09:29 +02:00
4 changed files with 70 additions and 12 deletions
--- a/README.md
+++ b/README.md
@@ -164,6 +164,7 @@ Next to attaching the configuration file, it is also possible to override the co
 | Name                                    | Description                                                                                     | Default Value                  |
 | --------------------------------------- | ----------------------------------------------------------------------------------------------- | ------------------------------ |
 | `AGENT_MODE`                            | You can choose to run this in 'release' for production, and or 'demo' for showcasing.           | "release"                      |
+| `AGENT_TLS_INSECURE`                    | Specify if you want to use `InsecureSkipVerify` for the internal HTTP client.                   | "false"                        |
 | `AGENT_USERNAME`                        | The username used to authenticate against the Kerberos Agent login page.                        | "root"                         |
 | `AGENT_PASSWORD`                        | The password used to authenticate against the Kerberos Agent login page.                        | "root"                         |
 | `AGENT_KEY`                             | A unique identifier for your Kerberos Agent, this is auto-generated but can be overriden.       | ""                             |
--- a/machinery/src/cloud/Cloud.go
+++ b/machinery/src/cloud/Cloud.go
@@ -2,6 +2,7 @@ package cloud

 import (
 	"bytes"
+	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -352,7 +353,16 @@ loop:
 				req, _ := http.NewRequest("POST", url, buffy)
 				req.Header.Set("Content-Type", "application/json")

-				client := &http.Client{}
+				var client *http.Client
+				if os.Getenv("AGENT_TLS_INSECURE") == "true" {
+					tr := &http.Transport{
+						TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+					}
+					client = &http.Client{Transport: tr}
+				} else {
+					client = &http.Client{}
+				}
+
 				resp, err := client.Do(req)
 				if resp != nil {
 					resp.Body.Close()
@@ -374,8 +384,6 @@ loop:
 					buffy = bytes.NewBuffer(jsonStr)
 					req, _ = http.NewRequest("POST", vaultURI+"/devices/heartbeat", buffy)
 					req.Header.Set("Content-Type", "application/json")
-
-					client = &http.Client{}
 					resp, err = client.Do(req)
 					if resp != nil {
 						resp.Body.Close()
@@ -550,7 +558,15 @@ func VerifyHub(c *gin.Context) {
 		if err == nil {
 			req.Header.Set("X-Kerberos-Hub-PublicKey", publicKey)
 			req.Header.Set("X-Kerberos-Hub-PrivateKey", privateKey)
-			client := &http.Client{}
+			var client *http.Client
+			if os.Getenv("AGENT_TLS_INSECURE") == "true" {
+				tr := &http.Transport{
+					TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+				}
+				client = &http.Client{Transport: tr}
+			} else {
+				client = &http.Client{}
+			}

 			resp, err := client.Do(req)
 			if err == nil {
@@ -649,7 +665,15 @@ func VerifyPersistence(c *gin.Context) {
 				req.Header.Set("X-Kerberos-Hub-PrivateKey", config.HubPrivateKey)
 				req.Header.Set("X-Kerberos-Hub-Region", config.S3.Region)

-				client := &http.Client{}
+				var client *http.Client
+				if os.Getenv("AGENT_TLS_INSECURE") == "true" {
+					tr := &http.Transport{
+						TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+					}
+					client = &http.Client{Transport: tr}
+				} else {
+					client = &http.Client{}
+				}

 				resp, err := client.Do(req)
 				if resp != nil {
@@ -689,7 +713,16 @@ func VerifyPersistence(c *gin.Context) {

 			if err == nil && uri != "" && accessKey != "" && secretAccessKey != "" {

-				client := &http.Client{}
+				var client *http.Client
+				if os.Getenv("AGENT_TLS_INSECURE") == "true" {
+					tr := &http.Transport{
+						TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+					}
+					client = &http.Client{Transport: tr}
+				} else {
+					client = &http.Client{}
+				}
+
 				req, err := http.NewRequest("POST", uri+"/ping", nil)
 				req.Header.Add("X-Kerberos-Storage-AccessKey", accessKey)
 				req.Header.Add("X-Kerberos-Storage-SecretAccessKey", secretAccessKey)
@@ -731,7 +764,15 @@ func VerifyPersistence(c *gin.Context) {
 								req.Header.Set("X-Kerberos-Storage-Capture", "IPCamera")
 								req.Header.Set("X-Kerberos-Storage-Directory", directory)

-								client := &http.Client{}
+								var client *http.Client
+								if os.Getenv("AGENT_TLS_INSECURE") == "true" {
+									tr := &http.Transport{
+										TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+									}
+									client = &http.Client{Transport: tr}
+								} else {
+									client = &http.Client{}
+								}

 								resp, err := client.Do(req)

--- a/machinery/src/cloud/KerberosHub.go
+++ b/machinery/src/cloud/KerberosHub.go
@@ -1,6 +1,7 @@
 package cloud

 import (
+	"crypto/tls"
 	"errors"
 	"io/ioutil"
 	"net/http"
@@ -62,7 +63,15 @@ func UploadKerberosHub(configuration *models.Configuration, fileName string) (bo
 	req.Header.Set("X-Kerberos-Hub-PrivateKey", config.HubPrivateKey)
 	req.Header.Set("X-Kerberos-Hub-Region", config.S3.Region)

-	client := &http.Client{}
+	var client *http.Client
+	if os.Getenv("AGENT_TLS_INSECURE") == "true" {
+		tr := &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+		client = &http.Client{Transport: tr}
+	} else {
+		client = &http.Client{}
+	}

 	resp, err := client.Do(req)
 	if resp != nil {
@@ -96,9 +105,6 @@ func UploadKerberosHub(configuration *models.Configuration, fileName string) (bo
 	req.Header.Set("X-Kerberos-Hub-PublicKey", config.HubKey)
 	req.Header.Set("X-Kerberos-Hub-PrivateKey", config.HubPrivateKey)
 	req.Header.Set("X-Kerberos-Hub-Region", config.S3.Region)
-
-	client = &http.Client{}
-
 	resp, err = client.Do(req)
 	if resp != nil {
 		defer resp.Body.Close()
--- a/machinery/src/cloud/KerberosVault.go
+++ b/machinery/src/cloud/KerberosVault.go
@@ -1,6 +1,7 @@
 package cloud

 import (
+	"crypto/tls"
 	"errors"
 	"io/ioutil"
 	"net/http"
@@ -67,7 +68,16 @@ func UploadKerberosVault(configuration *models.Configuration, fileName string) (
 	req.Header.Set("X-Kerberos-Storage-Device", config.Key)
 	req.Header.Set("X-Kerberos-Storage-Capture", "IPCamera")
 	req.Header.Set("X-Kerberos-Storage-Directory", config.KStorage.Directory)
-	client := &http.Client{}
+
+	var client *http.Client
+	if os.Getenv("AGENT_TLS_INSECURE") == "true" {
+		tr := &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+		client = &http.Client{Transport: tr}
+	} else {
+		client = &http.Client{}
+	}

 	resp, err := client.Do(req)
 	if resp != nil {