diff --git a/src/cmd/common/viper.go b/src/cmd/common/viper.go index dd963619ed..d8a95339f6 100644 --- a/src/cmd/common/viper.go +++ b/src/cmd/common/viper.go @@ -20,16 +20,16 @@ const ( // Root config keys - VLogLevel = "log_level" - VArchitecture = "architecture" - VNoLogFile = "no_log_file" - VNoProgress = "no_progress" - VNoColor = "no_color" - VZarfCache = "zarf_cache" - VTmpDir = "tmp_dir" - VInsecure = "insecure" - VHttpOnly = "http_only" - VSkipVerifyTLS = "tls_skip_verify" + VLogLevel = "log_level" + VArchitecture = "architecture" + VNoLogFile = "no_log_file" + VNoProgress = "no_progress" + VNoColor = "no_color" + VZarfCache = "zarf_cache" + VTmpDir = "tmp_dir" + VInsecure = "insecure" + VPlainHTTP = "plain_http" + VInsecureSkipTLSVerify = "insecure_skip_tls_verify" // Init config keys diff --git a/src/cmd/package.go b/src/cmd/package.go index 8b1405e25c..d4812ef1eb 100644 --- a/src/cmd/package.go +++ b/src/cmd/package.go @@ -33,6 +33,12 @@ var packageCmd = &cobra.Command{ Use: "package", Aliases: []string{"p"}, Short: lang.CmdPackageShort, + PersistentPreRun: func(_ *cobra.Command, _ []string) { + // If --insecure was provided, set --insecure-no-signature-validation to match + if config.CommonOptions.Insecure { + pkgConfig.PkgOpts.InsecureNoSignatureValidation = true + } + }, } var packageCreateCmd = &cobra.Command{ @@ -272,6 +278,11 @@ var packagePullCmd = &cobra.Command{ Example: lang.CmdPackagePullExample, Args: cobra.ExactArgs(1), RunE: func(cmd *cobra.Command, args []string) error { + // If --insecure was provided, set --insecure-no-shasum to match + if config.CommonOptions.Insecure { + pkgConfig.PkgOpts.InsecureNoShasum = true + } + pkgConfig.PkgOpts.PackageSource = args[0] pkgClient, err := packager.New(&pkgConfig) if err != nil { @@ -370,6 +381,7 @@ func bindPackageFlags(v *viper.Viper) { packageFlags := packageCmd.PersistentFlags() packageFlags.IntVar(&config.CommonOptions.OCIConcurrency, "oci-concurrency", v.GetInt(common.VPkgOCIConcurrency), lang.CmdPackageFlagConcurrency) packageFlags.StringVarP(&pkgConfig.PkgOpts.PublicKeyPath, "key", "k", v.GetString(common.VPkgPublicKey), lang.CmdPackageFlagFlagPublicKey) + packageFlags.BoolVar(&pkgConfig.PkgOpts.InsecureNoSignatureValidation, "insecure-no-signature-validation", false, lang.CmdPackageFlagInsecureNoSignatureValidation) } func bindCreateFlags(v *viper.Viper) { @@ -478,4 +490,5 @@ func bindPublishFlags(v *viper.Viper) { func bindPullFlags(v *viper.Viper) { pullFlags := packagePullCmd.Flags() pullFlags.StringVarP(&pkgConfig.PullOpts.OutputDirectory, "output-directory", "o", v.GetString(common.VPkgPullOutputDir), lang.CmdPackagePullFlagOutputDirectory) + pullFlags.BoolVar(&pkgConfig.PkgOpts.InsecureNoShasum, "insecure-no-shasum", false, lang.CmdPackageFlagInsecureNoShasum) } diff --git a/src/cmd/root.go b/src/cmd/root.go index b8df1947b3..09116eb1ea 100644 --- a/src/cmd/root.go +++ b/src/cmd/root.go @@ -37,6 +37,12 @@ var ( var rootCmd = &cobra.Command{ Use: "zarf COMMAND", PersistentPreRunE: func(cmd *cobra.Command, _ []string) error { + // If --insecure was provided, set --insecure-skip-tls-verify and --plain-http to match + if config.CommonOptions.Insecure { + config.CommonOptions.InsecureSkipTLSVerify = true + config.CommonOptions.PlainHTTP = true + } + // Skip for vendor only commands if common.CheckVendorOnlyFromPath(cmd) { return nil @@ -121,7 +127,7 @@ func init() { rootCmd.PersistentFlags().StringVar(&config.CommonOptions.CachePath, "zarf-cache", v.GetString(common.VZarfCache), lang.RootCmdFlagCachePath) rootCmd.PersistentFlags().StringVar(&config.CommonOptions.TempDirectory, "tmpdir", v.GetString(common.VTmpDir), lang.RootCmdFlagTempDir) rootCmd.PersistentFlags().BoolVar(&config.CommonOptions.Insecure, "insecure", v.GetBool(common.VInsecure), lang.RootCmdFlagInsecure) - rootCmd.PersistentFlags().MarkHidden("insecure") - rootCmd.PersistentFlags().BoolVar(&config.CommonOptions.HttpOnly, "http-only", v.GetBool(common.VHttpOnly), lang.RootCmdFlagHttpOnly) - rootCmd.PersistentFlags().BoolVar(&config.CommonOptions.SkipVerifyTLS, "tls-skip-verify", v.GetBool(common.VSkipVerifyTLS), lang.RootCmdFlagSkipVerifyTLS) + rootCmd.PersistentFlags().MarkDeprecated("insecure", "please use --plain-http, --insecure-skip-tls-verify, --insecure-no-shasum, or --insecure-no-signature-validation instead.") + rootCmd.PersistentFlags().BoolVar(&config.CommonOptions.PlainHTTP, "plain-http", v.GetBool(common.VPlainHTTP), lang.RootCmdFlagPlainHTTP) + rootCmd.PersistentFlags().BoolVar(&config.CommonOptions.InsecureSkipTLSVerify, "insecure-skip-tls-verify", v.GetBool(common.VInsecureSkipTLSVerify), lang.RootCmdFlagInsecureSkipTLSVerify) } diff --git a/src/config/config.go b/src/config/config.go index 021c1d466f..4a4001dce6 100644 --- a/src/config/config.go +++ b/src/config/config.go @@ -110,13 +110,3 @@ func GetAbsHomePath(path string) string { } return path } - -// HttpOnly is a convenience method that consolidates --http-only and --insecure flags into single boolean. -func HttpOnly() bool { - return CommonOptions.HttpOnly || CommonOptions.Insecure -} - -// SkipVerifyTLS is a convenience method that consolidates --tls-skip-verify and --insecure flags into single boolean. -func SkipVerifyTLS() bool { - return CommonOptions.SkipVerifyTLS || CommonOptions.Insecure -} diff --git a/src/config/lang/english.go b/src/config/lang/english.go index aa5ee96953..c510d0e0f5 100644 --- a/src/config/lang/english.go +++ b/src/config/lang/english.go @@ -45,16 +45,16 @@ const ( RootCmdLong = "Zarf eliminates the complexity of air gap software delivery for Kubernetes clusters and cloud native workloads\n" + "using a declarative packaging strategy to support DevSecOps in offline and semi-connected environments." - RootCmdFlagLogLevel = "Log level when running Zarf. Valid options are: warn, info, debug, trace" - RootCmdFlagArch = "Architecture for OCI images and Zarf packages" - RootCmdFlagSkipLogFile = "Disable log file creation" - RootCmdFlagNoProgress = "Disable fancy UI progress bars, spinners, logos, etc" - RootCmdFlagNoColor = "Disable colors in output" - RootCmdFlagCachePath = "Specify the location of the Zarf cache directory" - RootCmdFlagTempDir = "Specify the temporary directory to use for intermediate files" - RootCmdFlagInsecure = "Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture." - RootCmdFlagHttpOnly = "Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture." - RootCmdFlagSkipVerifyTLS = "Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture." + RootCmdFlagLogLevel = "Log level when running Zarf. Valid options are: warn, info, debug, trace" + RootCmdFlagArch = "Architecture for OCI images and Zarf packages" + RootCmdFlagSkipLogFile = "Disable log file creation" + RootCmdFlagNoProgress = "Disable fancy UI progress bars, spinners, logos, etc" + RootCmdFlagNoColor = "Disable colors in output" + RootCmdFlagCachePath = "Specify the location of the Zarf cache directory" + RootCmdFlagTempDir = "Specify the temporary directory to use for intermediate files" + RootCmdFlagInsecure = "Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture." + RootCmdFlagPlainHTTP = "Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture." + RootCmdFlagInsecureSkipTLSVerify = "Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture." RootCmdDeprecatedDeploy = "Deprecated: Please use \"zarf package deploy %s\" to deploy this package. This warning will be removed in Zarf v1.0.0." RootCmdDeprecatedCreate = "Deprecated: Please use \"zarf package create\" to create this package. This warning will be removed in Zarf v1.0.0." @@ -212,10 +212,12 @@ $ zarf init --artifact-push-password={PASSWORD} --artifact-push-username={USERNA CmdInternalCrc32Short = "Generates a decimal CRC32 for the given text" // zarf package - CmdPackageShort = "Zarf package commands for creating, deploying, and inspecting packages" - CmdPackageFlagConcurrency = "Number of concurrent layer operations to perform when interacting with a remote package." - CmdPackageFlagFlagPublicKey = "Path to public key file for validating signed packages" - CmdPackageFlagRetries = "Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs" + CmdPackageShort = "Zarf package commands for creating, deploying, and inspecting packages" + CmdPackageFlagConcurrency = "Number of concurrent layer operations to perform when interacting with a remote package." + CmdPackageFlagFlagPublicKey = "Path to public key file for validating signed packages" + CmdPackageFlagInsecureNoShasum = "Skip verifying the shasum of the Zarf package before pulling it" + CmdPackageFlagInsecureNoSignatureValidation = "Skip validating the signature of the Zarf package" + CmdPackageFlagRetries = "Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs" CmdPackageCreateShort = "Creates a Zarf package from a given directory or the current directory" CmdPackageCreateLong = "Builds an archive of resources and dependencies defined by the 'zarf.yaml' in the specified directory.\n" + @@ -275,7 +277,7 @@ $ zarf package mirror-resources \ CmdPackageDeployFlagAdoptExistingResources = "Adopts any pre-existing K8s resources into the Helm charts managed by Zarf. ONLY use when you have existing deployments you want Zarf to takeover." CmdPackageDeployFlagSet = "Specify deployment variables to set on the command line (KEY=value)" CmdPackageDeployFlagComponents = "Comma-separated list of components to deploy. Adding this flag will skip the prompts for selected components. Globbing component names with '*' and deselecting 'default' components with a leading '-' are also supported." - CmdPackageDeployFlagShasum = "Shasum of the package to deploy. Required if deploying a remote package and \"--insecure\" is not provided" + CmdPackageDeployFlagShasum = "Shasum of the package to deploy. Required if deploying a remote package and \"--insecure-no-shasum\" is not provided" CmdPackageDeployFlagSget = "[Deprecated] Path to public sget key file for remote packages signed via cosign. This flag will be removed in v1.0.0 please use the --key flag instead." CmdPackageDeployFlagSkipWebhooks = "[alpha] Skip waiting for external webhooks to execute as each package component is deployed" CmdPackageDeployFlagTimeout = "Timeout for Helm operations such as installs and rollbacks" diff --git a/src/internal/packager/helm/chart.go b/src/internal/packager/helm/chart.go index 477a5432dc..656b5560b5 100644 --- a/src/internal/packager/helm/chart.go +++ b/src/internal/packager/helm/chart.go @@ -143,7 +143,7 @@ func (h *Helm) TemplateChart(ctx context.Context) (manifest string, chartValues client.IncludeCRDs = true // TODO: Further research this with regular/OCI charts client.Verify = false - client.InsecureSkipTLSverify = config.SkipVerifyTLS() + client.InsecureSkipTLSverify = config.CommonOptions.InsecureSkipTLSVerify if h.kubeVersion != "" { parsedKubeVersion, err := chartutil.ParseKubeVersion(h.kubeVersion) if err != nil { diff --git a/src/internal/packager/helm/repo.go b/src/internal/packager/helm/repo.go index b1a2910130..c9744c148d 100644 --- a/src/internal/packager/helm/repo.go +++ b/src/internal/packager/helm/repo.go @@ -197,7 +197,7 @@ func (h *Helm) DownloadPublishedChart(ctx context.Context, cosignKeyPath string) Verify: downloader.VerifyNever, Getters: getter.All(pull.Settings), Options: []getter.Option{ - getter.WithInsecureSkipVerifyTLS(config.SkipVerifyTLS()), + getter.WithInsecureSkipVerifyTLS(config.CommonOptions.InsecureSkipTLSVerify), getter.WithBasicAuth(username, password), }, } diff --git a/src/internal/packager/images/common.go b/src/internal/packager/images/common.go index e9e6306318..285c541edb 100644 --- a/src/internal/packager/images/common.go +++ b/src/internal/packager/images/common.go @@ -50,9 +50,9 @@ type PushConfig struct { func NoopOpt(*crane.Options) {} // WithGlobalInsecureFlag returns an option for crane that configures insecure -// based upon Zarf's global --tls-skip-verify (and --insecure) flags. +// based upon Zarf's global --insecure-skip-tls-verify (and --insecure) flags. func WithGlobalInsecureFlag() []crane.Option { - if config.SkipVerifyTLS() { + if config.CommonOptions.InsecureSkipTLSVerify { return []crane.Option{crane.Insecure} } // passing a nil option will cause panic @@ -103,7 +103,7 @@ func createPushOpts(cfg PushConfig, pb *message.ProgressBar) []crane.Option { opts = append(opts, WithPushAuth(cfg.RegInfo)) transport := http.DefaultTransport.(*http.Transport).Clone() - transport.TLSClientConfig.InsecureSkipVerify = config.SkipVerifyTLS() + transport.TLSClientConfig.InsecureSkipVerify = config.CommonOptions.InsecureSkipTLSVerify // TODO (@WSTARR) This is set to match the TLSHandshakeTimeout to potentially mitigate effects of https://github.com/zarf-dev/zarf/issues/1444 transport.ResponseHeaderTimeout = 10 * time.Second diff --git a/src/pkg/packager/creator/normal.go b/src/pkg/packager/creator/normal.go index 3cb300ba60..8766bfb8d3 100644 --- a/src/pkg/packager/creator/normal.go +++ b/src/pkg/packager/creator/normal.go @@ -282,11 +282,11 @@ func (pc *PackageCreator) Output(ctx context.Context, dst *layout.PackagePaths, } message.HorizontalRule() flags := []string{} - if config.HttpOnly() { - flags = append(flags, "--http-only") + if config.CommonOptions.PlainHTTP { + flags = append(flags, "--plain-http") } - if config.SkipVerifyTLS() { - flags = append(flags, "--tls-skip-verify") + if config.CommonOptions.InsecureSkipTLSVerify { + flags = append(flags, "--insecure-skip-tls-verify") } message.Title("To inspect/deploy/pull:", "") message.ZarfCommand("package inspect %s %s", helpers.OCIURLPrefix+remote.Repo().Reference.String(), strings.Join(flags, " ")) diff --git a/src/pkg/packager/sources/new_test.go b/src/pkg/packager/sources/new_test.go index 9ae3147168..af7bf174c7 100644 --- a/src/pkg/packager/sources/new_test.go +++ b/src/pkg/packager/sources/new_test.go @@ -155,7 +155,7 @@ func TestPackageSource(t *testing.T) { { name: "http-insecure", src: fmt.Sprintf("%s/zarf-package-wordpress-amd64-16.0.4.tar.zst", ts.URL), - expectedErr: "remote package provided without a shasum, use --insecure to ignore, or provide one w/ --shasum", + expectedErr: "remote package provided without a shasum, use --insecure-no-shasum to ignore, or provide one w/ --shasum", }, } for _, tt := range tests { diff --git a/src/pkg/packager/sources/oci.go b/src/pkg/packager/sources/oci.go index 8bf6d6d1a6..8c33ee1965 100644 --- a/src/pkg/packager/sources/oci.go +++ b/src/pkg/packager/sources/oci.go @@ -79,8 +79,10 @@ func (s *OCISource) LoadPackage(ctx context.Context, dst *layout.PackagePaths, f spinner.Success() - if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { - return pkg, nil, err + if !s.InsecureNoSignatureValidation { + if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { + return pkg, nil, err + } } } @@ -141,11 +143,13 @@ func (s *OCISource) LoadPackageMetadata(ctx context.Context, dst *layout.Package spinner.Success() } - if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { - if errors.Is(err, ErrPkgSigButNoKey) && skipValidation { - message.Warn("The package was signed but no public key was provided, skipping signature validation") - } else { - return pkg, nil, err + if !s.InsecureNoSignatureValidation { + if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { + if errors.Is(err, ErrPkgSigButNoKey) && skipValidation { + message.Warn("The package was signed but no public key was provided, skipping signature validation") + } else { + return pkg, nil, err + } } } } diff --git a/src/pkg/packager/sources/tarball.go b/src/pkg/packager/sources/tarball.go index db1b2ed01a..54983959e0 100644 --- a/src/pkg/packager/sources/tarball.go +++ b/src/pkg/packager/sources/tarball.go @@ -107,8 +107,10 @@ func (s *TarballSource) LoadPackage(ctx context.Context, dst *layout.PackagePath spinner.Success() - if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { - return pkg, nil, err + if !s.InsecureNoSignatureValidation { + if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { + return pkg, nil, err + } } } @@ -185,11 +187,13 @@ func (s *TarballSource) LoadPackageMetadata(ctx context.Context, dst *layout.Pac spinner.Success() } - if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { - if errors.Is(err, ErrPkgSigButNoKey) && skipValidation { - message.Warn("The package was signed but no public key was provided, skipping signature validation") - } else { - return pkg, nil, err + if !s.InsecureNoSignatureValidation { + if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { + if errors.Is(err, ErrPkgSigButNoKey) && skipValidation { + message.Warn("The package was signed but no public key was provided, skipping signature validation") + } else { + return pkg, nil, err + } } } } diff --git a/src/pkg/packager/sources/url.go b/src/pkg/packager/sources/url.go index dd4aa05ff5..746be7fa19 100644 --- a/src/pkg/packager/sources/url.go +++ b/src/pkg/packager/sources/url.go @@ -32,8 +32,8 @@ type URLSource struct { // Collect downloads a package from the source URL. func (s *URLSource) Collect(ctx context.Context, dir string) (string, error) { - if !config.CommonOptions.Insecure && s.Shasum == "" && !strings.HasPrefix(s.PackageSource, helpers.SGETURLPrefix) { - return "", fmt.Errorf("remote package provided without a shasum, use --insecure to ignore, or provide one w/ --shasum") + if !s.InsecureNoShasum && s.Shasum == "" && !strings.HasPrefix(s.PackageSource, helpers.SGETURLPrefix) { + return "", fmt.Errorf("remote package provided without a shasum, use --insecure-no-shasum to ignore, or provide one w/ --shasum") } var packageURL string if s.Shasum != "" { diff --git a/src/pkg/packager/sources/validate.go b/src/pkg/packager/sources/validate.go index 1c7914ea69..39d13639df 100644 --- a/src/pkg/packager/sources/validate.go +++ b/src/pkg/packager/sources/validate.go @@ -15,7 +15,6 @@ import ( "strings" "github.com/defenseunicorns/pkg/helpers/v2" - "github.com/zarf-dev/zarf/src/config" "github.com/zarf-dev/zarf/src/pkg/layout" "github.com/zarf-dev/zarf/src/pkg/message" "github.com/zarf-dev/zarf/src/pkg/utils" @@ -25,16 +24,11 @@ var ( // ErrPkgKeyButNoSig is returned when a key was provided but the package is not signed ErrPkgKeyButNoSig = errors.New("a key was provided but the package is not signed - the package may be corrupted or the --key flag was erroneously specified") // ErrPkgSigButNoKey is returned when a package is signed but no key was provided - ErrPkgSigButNoKey = errors.New("package is signed but no key was provided - add a key with the --key flag or use the --insecure flag and run the command again") + ErrPkgSigButNoKey = errors.New("package is signed but no key was provided - add a key with the --key flag or use the --insecure-no-signature-validation flag and run the command again") ) // ValidatePackageSignature validates the signature of a package func ValidatePackageSignature(ctx context.Context, paths *layout.PackagePaths, publicKeyPath string) error { - // If the insecure flag was provided ignore the signature validation - if config.CommonOptions.Insecure { - return nil - } - if publicKeyPath != "" { message.Debugf("Using public key %q for signature validation", publicKeyPath) } diff --git a/src/pkg/zoci/common.go b/src/pkg/zoci/common.go index 5523aef95c..29e9f34564 100644 --- a/src/pkg/zoci/common.go +++ b/src/pkg/zoci/common.go @@ -32,8 +32,8 @@ type Remote struct { func NewRemote(url string, platform ocispec.Platform, mods ...oci.Modifier) (*Remote, error) { logger := slog.New(message.ZarfHandler{}) modifiers := append([]oci.Modifier{ - oci.WithPlainHTTP(config.HttpOnly()), - oci.WithInsecureSkipVerify(config.SkipVerifyTLS()), + oci.WithPlainHTTP(config.CommonOptions.PlainHTTP), + oci.WithInsecureSkipVerify(config.CommonOptions.InsecureSkipTLSVerify), oci.WithLogger(logger), oci.WithUserAgent("zarf/" + config.CLIVersion), }, mods...) diff --git a/src/types/runtime.go b/src/types/runtime.go index 65106d7eb5..504f484afe 100644 --- a/src/types/runtime.go +++ b/src/types/runtime.go @@ -12,16 +12,16 @@ import ( type ZarfCommonOptions struct { // Verify that Zarf should perform an action Confirm bool - // Force connections to be over http instead of https - HttpOnly bool // Allow insecure connections for remote packages Insecure bool + // Disable checking the server TLS certificate for validity + InsecureSkipTLSVerify bool + // Force connections to be over http instead of https + PlainHTTP bool // Path to use to cache images and git repos on package create CachePath string // Location Zarf should use as a staging ground when managing files and images for package creation and deployment TempDirectory string - // Disable checking the server TLS certificate for validity. - SkipVerifyTLS bool // Number of concurrent layer operations to perform when interacting with a remote package OCIConcurrency int } @@ -42,6 +42,10 @@ type ZarfPackageOptions struct { PublicKeyPath string // The number of retries to perform for Zarf deploy operations like image pushes or Helm installs Retries int + // Skip checking shasum when pulling the Zarf package + InsecureNoShasum bool + // Skip validating the signature of the Zarf package + InsecureNoSignatureValidation bool } // ZarfInspectOptions tracks the user-defined preferences during a package inspection.