Skip to content

fix: adding insecure flag for image pulls to allow http#4495

Open
JaydipGabani wants to merge 6 commits into
open-policy-agent:masterfrom
JaydipGabani:gator-insecure
Open

fix: adding insecure flag for image pulls to allow http#4495
JaydipGabani wants to merge 6 commits into
open-policy-agent:masterfrom
JaydipGabani:gator-insecure

Conversation

@JaydipGabani

Copy link
Copy Markdown
Contributor

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #

Special notes for your reviewer:

Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
@JaydipGabani JaydipGabani requested a review from a team as a code owner April 7, 2026 04:49
Copilot AI review requested due to automatic review settings April 7, 2026 04:49

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR makes OCI image pulls default to HTTPS and adds an explicit --insecure flag to allow pulling from plain HTTP registries (e.g., localhost:5000).

Changes:

  • Add --insecure CLI flag to gator test, gator expand, gator sync test, and gator bench and plumb it through to the OCI pull implementation.
  • Change OCI pulling behavior to only use plain HTTP when explicitly enabled (removing the prior loopback auto-HTTP behavior).
  • Update docs and Bats integration tests to reflect/validate the new default + flag behavior.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
website/docs/gator.md Documents HTTPS-by-default behavior and the new --insecure flag; updates examples.
test/gator/test/test.bats Updates OCI image tests to pass --insecure; adds coverage that plain HTTP is rejected by default.
test/gator/expand/test.bats Updates OCI image expand test to pass --insecure.
pkg/oci/oci.go Adds allowPlainHTTP parameter and only enables repo.PlainHTTP when explicitly requested.
pkg/oci/oci_test.go Removes unit test for the deleted loopback auto-HTTP heuristic.
pkg/gator/reader/filereader.go Threads allowPlainHTTP through image-reading code paths into oci.PullImage.
pkg/gator/bench/types.go Adds AllowPlainHTTP to benchmark options.
pkg/gator/bench/bench.go Passes AllowPlainHTTP into source reading.
cmd/gator/test/test.go Adds --insecure flag and passes it to reader.ReadSources.
cmd/gator/sync/test/test.go Adds --insecure flag and passes it to reader.ReadSources.
cmd/gator/expand/expand.go Adds --insecure flag and passes it to reader.ReadSources.
cmd/gator/bench/bench.go Adds --insecure flag and maps it to bench.Opts.AllowPlainHTTP.

Comment thread website/docs/gator.md Outdated
```

Because `localhost:5000` is a plain HTTP registry in this example, add
`--insecure` to the `gator` pull command when consuming the artifact.

Copilot AI Apr 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The docs refer to a gator "pull command", but there isn't a gator pull subcommand. Please reword this to reference the actual subcommands that pull OCI artifacts (e.g., gator test, gator expand, gator sync test, gator bench) or say "add --insecure to the gator command when consuming the artifact".

Suggested change
`--insecure` to the `gator` pull command when consuming the artifact.
`--insecure` to the `gator` command when consuming the artifact.

Copilot uses AI. Check for mistakes.
@codecov-commenter

codecov-commenter commented Apr 7, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 5.88235% with 32 lines in your changes missing coverage. Please review.
✅ Project coverage is 44.24%. Comparing base (3350319) to head (a90b7d2).
⚠️ Report is 671 commits behind head on master.

Files with missing lines Patch % Lines
cmd/gator/bench/bench.go 0.00% 17 Missing ⚠️
pkg/gator/reader/filereader.go 0.00% 6 Missing ⚠️
pkg/oci/oci.go 0.00% 4 Missing ⚠️
cmd/gator/expand/expand.go 0.00% 2 Missing ⚠️
cmd/gator/sync/test/test.go 0.00% 2 Missing ⚠️
cmd/gator/test/test.go 50.00% 1 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (3350319) and HEAD (a90b7d2). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (3350319) HEAD (a90b7d2)
unittests 2 1
Additional details and impacted files
@@             Coverage Diff             @@
##           master    #4495       +/-   ##
===========================================
- Coverage   54.49%   44.24%   -10.25%     
===========================================
  Files         134      282      +148     
  Lines       12329    20649     +8320     
===========================================
+ Hits         6719     9137     +2418     
- Misses       5116    10728     +5612     
- Partials      494      784      +290     
Flag Coverage Δ
unittests 44.24% <5.88%> (-10.25%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Comment thread cmd/gator/expand/expand.go Outdated
Cmd.Flags().StringVarP(&flagFormat, flagNameFormat, "f", "", fmt.Sprintf("Output format. One of: %s|%s.", stringJSON, stringYAML))
Cmd.Flags().StringVarP(&flagOutput, flagNameOutput, "o", "", "Output file path. If the file already exists, it will be overwritten.")
Cmd.Flags().StringArrayVarP(&flagImages, flagNameImage, "i", []string{}, "a URL to an OCI image containing policies. Can be specified multiple times.")
Cmd.Flags().BoolVarP(&flagInsecure, flagNameInsecure, "", false, "use plain HTTP for OCI image pulls (not recommended)")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BoolVarP with an empty shorthand string should just be BoolVar. Same thing in sync/test/test.go and cmd/gator/test/test.go. The bench command already does this correctly.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed this to update BoolVar.

Comment thread cmd/gator/bench/bench.go Outdated
const (
flagNameFilename = "filename"
flagNameImage = "image"
flagNameInsecure = "insecure"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think --insecure is the wrong name for this. In the OCI ecosystem, --insecure conventionally means "skip TLS certificate verification." That's what oras --insecure and crane --insecure do. What this flag actually
controls is downgrading the transport from HTTPS to plain HTTP, which oras calls --plain-http.

If we ship --insecure meaning "use HTTP" and later need a "skip TLS verify" flag, we've already taken the obvious name with the wrong semantics. Let's call it --plain-http to match oras conventions and say exactly what it
does.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to plain-http flag name.

Comment thread pkg/oci/oci.go
// Preserve the oras v1 behavior for local test registries on loopback hosts.
repo.PlainHTTP = shouldUsePlainHTTP(ref.Registry)

repo.PlainHTTP = allowPlainHTTP

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When this is enabled, it'd be worth logging a warning to stderr:

      fmt.Fprintf(os.Stderr, "WARNING: pulling %q over plain HTTP\n", imgURL)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added the warning.

…-http

Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>

@aramase aramase left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

variable renames and doc update.

Comment thread cmd/gator/bench/bench.go Outdated
Comment thread cmd/gator/expand/expand.go Outdated
Comment thread cmd/gator/sync/test/test.go Outdated
Comment thread cmd/gator/test/test.go Outdated
Comment thread website/docs/gator.md Outdated
Comment thread website/docs/gator.md Outdated
Comment thread website/docs/gator.md

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

docs need to be updated from --insecure to --plain-http.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the docs and changed variables to flagPlainHTTP.

Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
Copilot AI review requested due to automatic review settings April 7, 2026 20:13

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

pkg/oci/oci.go:69

  • When allowPlainHTTP is enabled, the ORAS repo client is still configured with Docker credential lookup (credentials.Credential(credStore)), which can result in auth tokens/basic creds being sent over plaintext HTTP. Consider disabling auth/credentials when allowPlainHTTP is true (anonymous pulls only), or at least make the warning explicitly call out potential credential disclosure risk over HTTP.
	repo.PlainHTTP = allowPlainHTTP
	if allowPlainHTTP {
		fmt.Fprintf(os.Stderr, "WARNING: pulling %q over plain HTTP\n", imgURL)
	}
	repo.Client = &auth.Client{
		Client:     http.DefaultClient,
		Cache:      auth.NewCache(),
		Credential: credentials.Credential(credStore),
	}

Comment thread pkg/oci/oci.go
@JaydipGabani JaydipGabani requested a review from aramase April 7, 2026 20:31
Comment thread website/docs/gator.md Outdated
```

Because `localhost:5000` is a plain HTTP registry in this example, add
`--plain-http` to the `gator` pull command when consuming the artifact.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no gator pull subcommand? Maybe something like "add --plain-http to the gator command when consuming the artifact" would be accurate.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to add --plain-httpto thegator command when consuming the artifact.

Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>

@aramase aramase left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Copilot AI review requested due to automatic review settings April 14, 2026 18:06

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

Comment thread pkg/oci/oci.go
Comment thread test/gator/test/test.bats
Comment on lines +270 to +275
oras push $img ./templates/$media_type ./constraints/$media_type
popd

run bin/gator test --image=$img --filename="$violating_ns" -o=yaml
[ "$status" -eq 1 ]
match_substring "${output[*]}" "pulling artifact"

Copilot AI Apr 14, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this new test, oras push is invoked without checking its exit status. If the push fails (registry not up, auth issues, etc.), the subsequent gator test will also fail and the assertion match_substring ... "pulling artifact" will still pass, which can make the test a false positive. Use run oras push ... + [$status -eq 0] (as done earlier in this file) and/or assert on a more specific error indicating HTTPS was attempted against an HTTP registry.

Suggested change
oras push $img ./templates/$media_type ./constraints/$media_type
popd
run bin/gator test --image=$img --filename="$violating_ns" -o=yaml
[ "$status" -eq 1 ]
match_substring "${output[*]}" "pulling artifact"
run oras push $img ./templates/$media_type ./constraints/$media_type
[ "$status" -eq 0 ]
popd
run bin/gator test --image=$img --filename="$violating_ns" -o=yaml
[ "$status" -eq 1 ]
match_substring "${output[*]}" "pulling artifact"
match_substring "${output[*]}" "http: server gave HTTP response to HTTPS client"

Copilot uses AI. Check for mistakes.
@github-actions

Copy link
Copy Markdown
Contributor

This PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants