From 115185894f457cb870254a425058c288a78537c3 Mon Sep 17 00:00:00 2001
From: DQ
Date: Wed, 11 Mar 2020 14:40:12 +0800
Subject: [PATCH] Merge internal Transport and Secure Transport
Signed-off-by: DQ
---
 src/chartserver/client.go | 2 +-
 src/chartserver/reverse_proxy.go | 2 +-
 src/common/config/store/driver/rest.go | 2 +-
 src/common/http/client.go | 53 +++++-------------
 src/common/job/client.go | 4 +-
 src/core/api/health.go | 2 +-
 src/core/main.go | 9 ++--
 .../job/impl/replication/scheduler.go | 2 +-
 src/pkg/registry/client.go | 4 +-
 src/registryctl/client/client.go | 2 +-
 src/replication/adapter/harbor/adapter.go | 2 +-
 src/server/registry/proxy.go | 2 +-
 12 files changed, 30 insertions(+), 56 deletions(-)
diff --git a/src/chartserver/client.go b/src/chartserver/client.go
index a304c952a..0d6668c49 100644
--- a/src/chartserver/client.go
+++ b/src/chartserver/client.go
@@ -31,7 +31,7 @@ type ChartClient struct {
 // NewChartClient is constructor of ChartClient
 // credential can be nil
 func NewChartClient(credential *Credential) *ChartClient {
 // Create http client with customized timeouts
- tr := commonhttp.GetHTTPTransport(commonhttp.InternalTransport)
+ tr := commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
 tr.MaxIdleConns = maxIdleConnections
 tr.IdleConnTimeout = idleConnectionTimeout
 client := &http.Client{
diff --git a/src/chartserver/reverse_proxy.go b/src/chartserver/reverse_proxy.go
index d2ac8e899..02b883c8f 100644
--- a/src/chartserver/reverse_proxy.go
+++ b/src/chartserver/reverse_proxy.go
@@ -58,7 +58,7 @@ func NewProxyEngine(target *url.URL, cred *Credential, middlewares ...func(http.
 director(target, cred, req)
 },
 ModifyResponse: modifyResponse,
- Transport: commonhttp.GetHTTPTransport(commonhttp.InternalTransport),
+ Transport: commonhttp.GetHTTPTransport(commonhttp.SecureTransport),
 }
 if len(middlewares) > 0 {
diff --git a/src/common/config/store/driver/rest.go b/src/common/config/store/driver/rest.go
index e801b31bb..04a5120e4 100644
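Review bot: Swapping `commonhttp.InternalTransport` for `commonhttp.SecureTransport` in NewChartClient is not behaviour-preserving when internal TLS is disabled: the initInternalTransport removed in src/common/http/client.go built the internal transport with `InsecureSkipVerify: true` in that case, whereas the secure transport verifies the peer certificate. Stricter verification is the right direction for a component-to-component call, but an https endpoint presenting a self-signed certificate that worked with internal TLS off will now fail the handshake, so the commit message should state the change. The same substitution is made in reverse_proxy.go, rest.go, job/client.go, health.go, scheduler.go, registryctl/client/client.go, adapter.go and proxy.go. NewChartClient's body continues outside the hunk.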
--- a/src/common/config/store/driver/rest.go
+++ b/src/common/config/store/driver/rest.go
@@ -18,7 +18,7 @@ type RESTDriver struct {
 // NewRESTDriver - Create RESTDriver
 func NewRESTDriver(configRESTURL string, modifiers ...modifier.Modifier) *RESTDriver {
 if commonhttp.InternalTLSEnabled() {
- tr := commonhttp.GetHTTPTransport(commonhttp.InternalTransport)
+ tr := commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
 return &RESTDriver{configRESTURL: configRESTURL, client: commonhttp.NewClient(&http.Client{Transport: tr}, modifiers...)}
 }
diff --git a/src/common/http/client.go b/src/common/http/client.go
index 6e279a3e0..a63983682 100644
--- a/src/common/http/client.go
+++ b/src/common/http/client.go
@@ -16,16 +16,16 @@ package http
 import (
 "bytes"
- "crypto/tls"
 "encoding/json"
 "errors"
- "github.com/goharbor/harbor/src/common/http/modifier"
- "github.com/goharbor/harbor/src/internal"
 "io"
 "io/ioutil"
 "net/http"
 "net/url"
 "reflect"
+
+ "github.com/goharbor/harbor/src/common/http/modifier"
+ "github.com/goharbor/harbor/src/internal"
 )
 const (
@@ -33,8 +33,7 @@ const (
 DefaultTransport = iota
 // InsecureTransport used to get the insecure http Transport
 InsecureTransport
- // InternalTransport used to get the internal secure http Transport
- InternalTransport
+ // SecureTransport used to get the external secure http Transport
 SecureTransport
 )
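Review bot: The doc comment added for `SecureTransport` still describes it as the *external* secure transport, but after this commit the init in the same file installs the internal TLS configuration on that transport whenever InternalTLSEnabled() is true, and every former InternalTransport caller now requests it. Suggest `// SecureTransport used to get the secure http Transport; it carries the internal TLS config when internal TLS is enabled`. Note also that removing `InternalTransport` from the iota block shifts the numeric value of SecureTransport, which only matters if any caller stores or compares the raw number instead of the constant.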
@@ -42,26 +41,22 @@ const (
 var (
 secureHTTPTransport *http.Transport
 insecureHTTPTransport *http.Transport
- internalTransport *http.Transport
 )
 func init() {
- secureHTTPTransport = &http.Transport{
- Proxy: http.ProxyFromEnvironment,
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: false,
- },
- }
+ secureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()
- insecureHTTPTransport = &http.Transport{
- Proxy: http.ProxyFromEnvironment,
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
- },
- }
+ insecureHTTPTransport = http.DefaultTransport.(*http.Transport).Clone()
+ insecureHTTPTransport.TLSClientConfig.InsecureSkipVerify = true
- initInternalTransport()
+ if InternalTLSEnabled() {
+ tlsConfig, err := GetInternalTLSConfig()
+ if err != nil {
+ panic(err)
+ }
+ secureHTTPTransport.TLSClientConfig = tlsConfig
+ }
 }
 // Client is a util for common HTTP operations, such Get, Head, Post, Put and Delete.
@@ -71,24 +66,6 @@ type Client struct {
 client *http.Client
 }
-func initInternalTransport() {
- if InternalTLSEnabled() {
- tlsConfig, err := GetInternalTLSConfig()
- if err != nil {
- panic(err)
- }
- internalTransport = &http.Transport{
- TLSClientConfig: tlsConfig,
- }
- } else {
- internalTransport = &http.Transport{
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
- },
- }
- }
- }
-
 // GetHTTPTransport returns HttpTransport based on insecure configuration
 func GetHTTPTransport(clientType uint) *http.Transport {
 switch clientType {
@@ -96,8 +73,6 @@ func GetHTTPTransport(clientType uint) *http.Transport {
 return secureHTTPTransport.Clone()
 case InsecureTransport:
 return insecureHTTPTransport.Clone()
- case InternalTransport:
- return internalTransport.Clone()
 default:
 // default Transport is secure one
 return secureHTTPTransport.Clone()
diff --git a/src/common/job/client.go b/src/common/job/client.go
index d1a854863..bad513db4 100644
--- a/src/common/job/client.go
+++ b/src/common/job/client.go
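Review bot: `insecureHTTPTransport.TLSClientConfig.InsecureSkipVerify = true` dereferences a field that `http.DefaultTransport` itself leaves nil; it appears to rely on `Transport.Clone()` running the bundled HTTP/2 setup, which installs an empty `tls.Config`, and that setup is skipped when `GODEBUG=http2client=0` is set, in which case package init panics on a nil pointer. A guard before the assignment removes that dependency: `if insecureHTTPTransport.TLSClientConfig == nil { insecureHTTPTransport.TLSClientConfig = &tls.Config{} }` (this needs the `crypto/tls` import that the first hunk of this file drops). Separately, when internal TLS is enabled the `tlsConfig` from GetInternalTLSConfig() is installed on `secureHTTPTransport`, which GetHTTPTransport also returns for `DefaultTransport` and, per the src/pkg/registry/client.go hunks, for external registries; if that config carries the internal client certificate or restricts RootCAs to the internal CA, the certificate is offered to every external host and publicly-signed endpoints fail verification. Worth confirming what GetInternalTLSConfig returns, or keeping a separate transport for external endpoints.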
@@ -63,7 +63,7 @@ func Init() {
 func NewDefaultClient(endpoint, secret string) *DefaultClient {
 var c *commonhttp.Client
 httpCli := &http.Client{
- Transport: commonhttp.GetHTTPTransport(commonhttp.InternalTransport),
+ Transport: commonhttp.GetHTTPTransport(commonhttp.SecureTransport),
 }
 if len(secret) > 0 {
 c = commonhttp.NewClient(httpCli, auth.NewSecretAuthorizer(secret))
@@ -81,7 +81,7 @@ func NewDefaultClient(endpoint, secret string) *DefaultClient {
 func NewReplicationClient(endpoint, secret string) *DefaultClient {
 var tr *http.Transport
 if endpoint == config.InternalCoreURL() {
- tr = commonhttp.GetHTTPTransport(commonhttp.InternalTransport)
+ tr = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
 } else {
 tr = commonhttp.GetHTTPTransport(commonhttp.DefaultTransport)
 }
diff --git a/src/core/api/health.go b/src/core/api/health.go
index 133bc8952..6188aa285 100644
--- a/src/core/api/health.go
+++ b/src/core/api/health.go
@@ -131,7 +131,7 @@ func HTTPStatusCodeHealthChecker(method string, url string, header http.Header,
 }
 client := httputil.NewClient(&http.Client{
- Transport: httputil.GetHTTPTransport(httputil.InternalTransport),
+ Transport: httputil.GetHTTPTransport(httputil.SecureTransport),
 Timeout: timeout,
 })
 resp, err := client.Do(req)
diff --git a/src/core/main.go b/src/core/main.go
index 957ffb6d5..24bdca7ef 100755
--- a/src/core/main.go
+++ b/src/core/main.go
@@ -19,7 +19,6 @@ import (
 "fmt"
 "os"
 "os/signal"
- "strings"
 "syscall"
 "time"
@@ -27,6 +26,7 @@ import (
 _ "github.com/astaxie/beego/session/redis"
 _ "github.com/goharbor/harbor/src/api/event/handler"
 "github.com/goharbor/harbor/src/common/dao"
+ common_http "github.com/goharbor/harbor/src/common/http"
 "github.com/goharbor/harbor/src/common/job"
 "github.com/goharbor/harbor/src/common/models"
 "github.com/goharbor/harbor/src/common/utils"
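Review bot: In NewReplicationClient both arms of `if endpoint == config.InternalCoreURL()` now yield the same transport, because GetHTTPTransport's `default` case (see the src/common/http/client.go hunk above) returns `secureHTTPTransport.Clone()` exactly as the `SecureTransport` case does. The condition still reads as though the core URL received special handling; either collapse it to `tr := commonhttp.GetHTTPTransport(commonhttp.SecureTransport)` or add `// the internal core URL and external endpoints now share the secure transport` so the next reader does not hunt for a difference. NewReplicationClient continues outside the hunk.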
@@ -162,15 +162,14 @@ func main() {
 server.RegisterRoutes()
- iTLSEnabled := os.Getenv("INTERNAL_TLS_ENABLED")
- if strings.ToLower(iTLSEnabled) == "true" {
+ if common_http.InternalTLSEnabled() {
 log.Info("internal TLS enabled, Init TLS ...")
 iTLSKeyPath := os.Getenv("INTERNAL_TLS_KEY_PATH")
 iTLSCertPath := os.Getenv("INTERNAL_TLS_CERT_PATH")
- iTrustCA := os.Getenv("INTERNAL_TLS_TRUST_CA_PATH")
- log.Infof("load client key: %s client cert: %s client TrustCA %s", iTLSKeyPath, iTLSCertPath, iTrustCA)
+ log.Infof("load client key: %s client cert: %s", iTLSKeyPath, iTLSCertPath)
 // uncomment following if harbor2 is ready
+ // iTrustCA := os.Getenv("INTERNAL_TLS_TRUST_CA_PATH")
 // beego.BConfig.Listen.EnableMutualHTTPS = true
 // beego.BConfig.Listen.TrustCaFile = iTrustCA
 beego.BConfig.Listen.EnableHTTPS = true
diff --git a/src/jobservice/job/impl/replication/scheduler.go b/src/jobservice/job/impl/replication/scheduler.go
index 596253eac..95889bc65 100644
--- a/src/jobservice/job/impl/replication/scheduler.go
+++ b/src/jobservice/job/impl/replication/scheduler.go
@@ -60,7 +60,7 @@ func (s *Scheduler) Run(ctx job.Context, params job.Parameters) error {
 policyID := (int64)(params["policy_id"].(float64))
 cred := auth.NewSecretAuthorizer(os.Getenv("JOBSERVICE_SECRET"))
 client := common_http.NewClient(&http.Client{
- Transport: common_http.GetHTTPTransport(common_http.InternalTransport),
+ Transport: common_http.GetHTTPTransport(common_http.SecureTransport),
 }, cred)
 if err := client.Post(url, struct {
 PolicyID int64 `json:"policy_id"`
diff --git a/src/pkg/registry/client.go b/src/pkg/registry/client.go
index 0ec9fa34f..2ff282c74 100644
--- a/src/pkg/registry/client.go
+++ b/src/pkg/registry/client.go
@@ -113,7 +113,7 @@ func NewClient(url, username, password string, insecure bool) Client {
 transportType = commonhttp.SecureTransport
 }
 if _, ok := localRegistryURL[strings.TrimRight(url, "/")]; ok {
- transportType = commonhttp.InternalTransport
+ transportType = commonhttp.SecureTransport
 }
 return &client{
@@ -134,7 +134,7 @@ func NewClientWithAuthorizer(url string, authorizer internal.Authorizer, insecur
 transportType = commonhttp.SecureTransport
 }
 if _, ok := localRegistryURL[strings.TrimRight(url, "/")]; ok {
- transportType = commonhttp.InternalTransport
+ transportType = commonhttp.SecureTransport
 }
 return &client{
 url: url,
diff --git a/src/registryctl/client/client.go b/src/registryctl/client/client.go
index e10589496..239583110 100644
--- a/src/registryctl/client/client.go
+++ b/src/registryctl/client/client.go
@@ -58,7 +58,7 @@ func NewClient(baseURL string, cfg *Config) Client {
 if cfg != nil {
 authorizer := auth.NewSecretAuthorizer(cfg.Secret)
 client.client = common_http.NewClient(&http.Client{
- Transport: common_http.GetHTTPTransport(common_http.InternalTransport),
+ Transport: common_http.GetHTTPTransport(common_http.SecureTransport),
 }, authorizer)
 }
 return client
diff --git a/src/replication/adapter/harbor/adapter.go b/src/replication/adapter/harbor/adapter.go
index 7d9b86410..157c7df63 100644
--- a/src/replication/adapter/harbor/adapter.go
+++ b/src/replication/adapter/harbor/adapter.go
@@ -72,7 +72,7 @@ type adapter struct {
 func newAdapter(registry *model.Registry) (*adapter, error) {
 var transport *http.Transport
 if registry.URL == config.GetCoreURL() {
- transport = common_http.GetHTTPTransport(common_http.InternalTransport)
+ transport = common_http.GetHTTPTransport(common_http.SecureTransport)
 } else {
 transport = util.GetHTTPTransport(registry.Insecure)
 }
diff --git a/src/server/registry/proxy.go b/src/server/registry/proxy.go
index f6db9ee75..5fe9448db 100644
--- a/src/server/registry/proxy.go
+++ b/src/server/registry/proxy.go
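Review bot: The `localRegistryURL` override in NewClient now assigns `commonhttp.SecureTransport`, and the `transportType = commonhttp.SecureTransport` context line just above suggests the non-insecure path already holds that value, so the override's only remaining effect is to force certificate verification for the local registry even when the caller passed `insecure` (the first branch starts outside the hunk, so this is inferred). If that is intended it deserves a comment, e.g. `// the local registry is always reached over the secure transport, even when insecure is requested`; if not, the second `if` can be dropped. The same applies to NewClientWithAuthorizer in the next hunk.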
@@ -34,7 +34,7 @@ func newProxy() http.Handler {
 }
 proxy := httputil.NewSingleHostReverseProxy(url)
 if commonhttp.InternalTLSEnabled() {
- proxy.Transport = commonhttp.GetHTTPTransport(commonhttp.InternalTransport)
+ proxy.Transport = commonhttp.GetHTTPTransport(commonhttp.SecureTransport)
 }
 proxy.Director = basicAuthDirector(proxy.Director)