add option to disable TLS cert validation (#87)

Author: denis-codefresh

action.yaml

@@ -2,9 +2,13 @@ name: 'codefresh-report-image'
 description: 'Report image to codefresh'
 inputs:
   VERSION:
-    description: specify client version
+    description: Underling reporter image version used by plugin
     required: false
     default: latest
+  IMAGE:
+    description: Underling reporter image used by plugin
+    required: false
+    default: quay.io/codefresh/codefresh-report-image
   CF_API_KEY:
     description: "Codefresh API KEY"
     required: true
@@ -18,7 +22,7 @@ inputs:
     description: "Codefresh runtime name"
     required: true
   CF_VERBOSE:
-    description: "verbose output"
+    description: "Verbose output"
     required: false
   CF_IMAGE:
     description: "image reported, quay.io/codefresh/newly-built-image:0.0.1"
@@ -46,7 +50,7 @@ inputs:
     description: "Generic registry domain"
   CF_INSECURE:
     required: false
-    description: "security flag for standard registry protocol, when set to true it enables http protocol"
+    description: "Disable TLS certificate validation for ALL of the https traffic during the reporting. It is NOT recommended, as it could make your application vulnerable to man-in-the-middle (MITM) attacks."
   CF_WORKFLOW_URL:
     required: false
     description: "external url for the workflow"
@@ -118,21 +122,23 @@ runs:
     - shell: bash
       env:
         VERSION: "${{ inputs.VERSION }}"
+        IMAGE: "${{ inputs.IMAGE }}"
+        CF_VERBOSE: "${{ inputs.CF_VERBOSE }}"
         CF_HOST: "${{ inputs.CF_HOST }}"
         CF_PLATFORM_URL: "${{ inputs.CF_PLATFORM_URL }}"
         CF_RUNTIME_NAME: "${{ inputs.CF_RUNTIME_NAME }}"
         CF_API_KEY: "${{ inputs.CF_API_KEY }}"
+
+        CF_INSECURE: "${{ inputs.CF_INSECURE }}"
 
         CF_IMAGE: "${{ inputs.CF_IMAGE }}"
-        CF_VERBOSE: "${{ inputs.CF_VERBOSE }}"
         CF_CONTAINER_REGISTRY_INTEGRATION: "${{ inputs.CF_CONTAINER_REGISTRY_INTEGRATION }}"
         CF_ISSUE_TRACKING_INTEGRATION: "${{ inputs.CF_ISSUE_TRACKING_INTEGRATION }}"
         CF_DOCKERHUB_USERNAME: "${{ inputs.CF_DOCKERHUB_USERNAME }}"
         CF_DOCKERHUB_PASSWORD: "${{ inputs.CF_DOCKERHUB_PASSWORD }}"
         CF_REGISTRY_USERNAME: "${{ inputs.CF_REGISTRY_USERNAME }}"
         CF_REGISTRY_PASSWORD: "${{ inputs.CF_REGISTRY_PASSWORD }}"
         CF_REGISTRY_DOMAIN: "${{ inputs.CF_REGISTRY_DOMAIN }}"
-        CF_INSECURE: "${{ inputs.CF_INSECURE }}"
         CF_WORKFLOW_URL: "${{ inputs.CF_WORKFLOW_URL }}"
         CF_WORKFLOW_NAME: "${{ inputs.CF_WORKFLOW_NAME }}"
         CF_LOGS_URL: "${{ inputs.CF_LOGS_URL }}"
@@ -178,7 +184,9 @@ runs:
         export CF_WORKFLOW_NAME="${CF_WORKFLOW_NAME:-$GITHUB_WORKFLOW_NAME}"
         export CF_GIT_PROVIDER="${CF_GIT_PROVIDER:-github}"
         export CF_CI_TYPE=github-actions
+
+        export NODE_TLS_REJECT_UNAUTHORIZED=$([[ "$CF_INSECURE" == "true" ]] && echo 0 || echo 1)
         
         env | cut -f 1 -d "=" | grep -E "^CF_"  > cf_env
         echo "Provided env vars: $(cat cf_env|xargs echo)"
-        docker run --env-file=cf_env "quay.io/codefresh/codefresh-report-image:$VERSION"
+        docker run -e NODE_TLS_REJECT_UNAUTHORIZED=$NODE_TLS_REJECT_UNAUTHORIZED --env-file=cf_env "$IMAGE:$VERSION"

service.yaml

@@ -1,2 +1,2 @@
 name: codefresh-report-image
-version: 0.0.158
+version: 0.0.159

src/logger.ts

@@ -14,12 +14,13 @@ const paint = (kind, message) => {
     return message
 }
 
+const debugEnabled = process.env.DEBUG === '1' || process.env.CF_VERBOSE === 'true'
 
 export const logger = winston.createLogger({
     format: winston.format.printf((info) => {
         return paint(info.level, `${info.message}`)
     }),
-    transports: [ new winston.transports.Console({ level: process.env.DEBUG === '1' ?  'debug' : 'info' }) ],
+    transports: [ new winston.transports.Console({ level: debugEnabled ?  'debug' : 'info' }) ],
 })
 
 export const workflowLogger = winston.createLogger({

src/main.ts

@@ -13,16 +13,14 @@ const INITIAL_HEARTBEAT_TIMEOUT_IN_SEC = Number(process.env.INITIAL_HEARTBEAT_TI
  * Take (CF_ prefixed) Env variables and perform http/s request (SSE) to app-proxy for image-report with CF_ENRICHERS
  */
 async function main(argv, env): Promise<void> {
-    const verbose = argv.includes('verbose') || env['VERBOSE']
-    if (verbose) {
-        logger.debug('running with verbose log')
-    }
     const payload = validate(env)
     const { url, headers } = await Utils.buildUrlHeaders(payload)
-    if (verbose) {
-        logger.debug(`payload: ${JSON.stringify(payload, null, 2)}`)
-        logger.debug(`sending request: ${url}, headers: ${JSON.stringify(headers)}`)
-    }
+
+    logger.debug(`skip TLS verification on client: ${env['NODE_TLS_REJECT_UNAUTHORIZED'] === '0'}`)
+    logger.debug(`skip TLS verification on workflow: ${env['CF_INSECURE'] === 'true'}`)
+    logger.debug(`payload: ${JSON.stringify(payload, null, 2)}`)
+    logger.debug(`sending request: ${url}, headers: ${JSON.stringify(headers)}`)
+
     if (payload['CF_CI_TYPE'] && payload['CF_WORKFLOW_URL']) {
         logger.info(`CI provider: ${payload['CF_CI_TYPE']}, job URL: ${payload['CF_WORKFLOW_URL']}`)
     }