From 71aa64ae25fc50a258c7c60090bfe2e782640588 Mon Sep 17 00:00:00 2001 From: zeripath Date: Sun, 4 Sep 2022 14:59:20 +0100 Subject: [PATCH] fix broken insecureskipverify handling in rediss connection uris (#20967) (#21053) Backport #20967 Currently, it's impossible to connect to self-signed TLS encrypted redis instances. The problem lies in inproper error handling, when building redis tls options - only invalid booleans are allowed to be used in `tlsConfig` builder. The problem is, when `strconv.ParseBool(...)` returns error, it always defaults to false - meaning it's impossible to set `tlsOptions.InsecureSkipVerify` to true. Fixes #19213 Co-authored-by: Igor Rzegocki --- modules/nosql/manager_redis.go | 4 ++-- modules/nosql/manager_redis_test.go | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/modules/nosql/manager_redis.go b/modules/nosql/manager_redis.go index b82f899db042f..5e52eb870e895 100644 --- a/modules/nosql/manager_redis.go +++ b/modules/nosql/manager_redis.go @@ -245,7 +245,7 @@ func getRedisTLSOptions(uri *url.URL) *tls.Config { if len(skipverify) > 0 { skipverify, err := strconv.ParseBool(skipverify) - if err != nil { + if err == nil { tlsConfig.InsecureSkipVerify = skipverify } } @@ -254,7 +254,7 @@ func getRedisTLSOptions(uri *url.URL) *tls.Config { if len(insecureskipverify) > 0 { insecureskipverify, err := strconv.ParseBool(insecureskipverify) - if err != nil { + if err == nil { tlsConfig.InsecureSkipVerify = insecureskipverify } } diff --git a/modules/nosql/manager_redis_test.go b/modules/nosql/manager_redis_test.go index 3d94532135162..99a8856f1e836 100644 --- a/modules/nosql/manager_redis_test.go +++ b/modules/nosql/manager_redis_test.go @@ -27,6 +27,24 @@ func TestRedisPasswordOpt(t *testing.T) { } } +func TestSkipVerifyOpt(t *testing.T) { + uri, _ := url.Parse("rediss://myredis/0?skipverify=true") + tlsConfig := getRedisTLSOptions(uri) + + if !tlsConfig.InsecureSkipVerify { + t.Fail() + } +} + +func TestInsecureSkipVerifyOpt(t *testing.T) { + uri, _ := url.Parse("rediss://myredis/0?insecureskipverify=true") + tlsConfig := getRedisTLSOptions(uri) + + if !tlsConfig.InsecureSkipVerify { + t.Fail() + } +} + func TestRedisSentinelUsernameOpt(t *testing.T) { uri, _ := url.Parse("redis+sentinel://redis:password@myredis/0?sentinelusername=suser&sentinelpassword=spass") opts := getRedisOptions(uri).Failover()