From f6bcc3bcdb88ec385c9b308a0f33a6187a7824ef Mon Sep 17 00:00:00 2001
From: Alan Bishop
Date: Tue, 7 Jan 2020 08:54:18 -0800
Subject: [PATCH] Image uploader: use HTTPS for "no verify" registries

Registries with an invalid SSL certificate are insecure, but still need to be accessed via HTTPS. This patch updates the URL builder to take this into consideration.

Closes-Bug: #1858672
Change-Id: I71436313098f513c200ecc3f862a2b851fb1060a
(cherry picked from commit dcf99e7167b7827b6edaf10b460a0dd5e57cdddb)
---
 tripleo_common/image/image_uploader.py | 7 ++++---
 tripleo_common/tests/image/test_image_uploader.py | 8 ++++++++
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/tripleo_common/image/image_uploader.py b/tripleo_common/image/image_uploader.py
index 0f751dae8..78714ff9f 100644
--- a/tripleo_common/image/image_uploader.py
+++ b/tripleo_common/image/image_uploader.py
@@ -568,10 +568,11 @@ class BaseImageUploader(object):
 mirror = cls.mirrors[netloc]
 return '%sv2%s' % (mirror, path)
 else:
- if not cls.is_insecure_registry(registry_host=netloc):
- scheme = 'https'
- else:
+ if (cls.is_insecure_registry(registry_host=netloc) and
+ netloc not in cls.no_verify_registries):
 scheme = 'http'
+ else:
+ scheme = 'https'
 if netloc == 'docker.io':
 netloc = 'registry-1.docker.io'
 return '%s://%s/v2%s' % (scheme, netloc, path)
diff --git a/tripleo_common/tests/image/test_image_uploader.py b/tripleo_common/tests/image/test_image_uploader.py
index 5404039bf..555e21c9d 100644
--- a/tripleo_common/tests/image/test_image_uploader.py
+++ b/tripleo_common/tests/image/test_image_uploader.py
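Review bot: The rewritten scheme selection in the `else:` branch of `tripleo_common/image/image_uploader.py` has no comment saying what `https` means for a host in `cls.no_verify_registries`: the connection is TLS, but per the commit message the certificate is invalid, so the peer is not authenticated and the returned scheme should not be read as a trust signal. I would put a comment above the new `if`, e.g. `# no-verify registries have an untrusted cert: still use https, but the peer is not authenticated`. The membership test is an exact string match on `netloc`, so it relies on the set holding entries in the same host:port form that reaches this branch; that is presumably guaranteed where the set is populated, which is outside this hunk. The enclosing method starts before the hunk.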
@@ -587,6 +587,7 @@ class TestBaseImageUploader(base.TestCase):
 build = image_uploader.BaseImageUploader._build_url
 insecure_reg = image_uploader.BaseImageUploader.insecure_registries
 secure_reg = image_uploader.BaseImageUploader.secure_registries
+ no_verify_reg = image_uploader.BaseImageUploader.no_verify_registries
 mirrors = image_uploader.BaseImageUploader.mirrors
 # fix urls
 self.assertEqual(
@@ -605,6 +606,13 @@ class TestBaseImageUploader(base.TestCase):
 'https://192.0.2.1:8787/v2/t/nova-api/tags/list',
 build(url3, '/t/nova-api/tags/list')
 )
+ # "no verify" registries are insecure but still use https
+ secure_reg.remove('192.0.2.1:8787')
+ no_verify_reg.add('192.0.2.1:8787')
+ self.assertEqual(
+ 'https://192.0.2.1:8787/v2/t/nova-api/tags/list',
+ build(url3, '/t/nova-api/tags/list')
+ )
 # test mirrors
 mirrors['docker.io'] = 'http://192.0.2.2:8081/registry-1.docker/'
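Review bot: The added assertion in the second hunk of `test_image_uploader.py` does not pin the precedence that the new `and` clause introduces, because `192.0.2.1:8787` is moved from `secure_reg` to `no_verify_reg` but is never placed in `insecure_reg`. It exercises the new clause only if `is_insecure_registry` returns True for a no-verify host, which is not visible here; if it returns False the test yields `https` with or without the fix. Adding `insecure_reg.add('192.0.2.1:8787')` followed by a second `assertEqual` on the same `https://` URL would show that membership in `no_verify_registries` wins over `insecure_registries`. The test method starts before the hunk and continues after it.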