optimize bypass cert logic

Author: samueltaripin

internal/ospackage/debutils/download.go

@@ -500,13 +500,14 @@ func DownloadPackagesComplete(pkgList []string, destDir, dotFile string, pkgSour
 		downloadPkgList = append(downloadPkgList, filepath.Base(pkg.URL))
 	}
 
-	// Determine if we should skip TLS verification
-	// Use insecure mode if ANY repository has it enabled
-	insecureSkipVerify := RepoCfg.InsecureSkipVerify
-	for _, cfg := range RepoCfgs {
-		if cfg.InsecureSkipVerify {
-			insecureSkipVerify = true
-			break
+	// Check if any repository requires insecure mode
+	hasInsecureRepo := RepoCfg.InsecureSkipVerify
+	if !hasInsecureRepo {
+		for _, cfg := range RepoCfgs {
+			if cfg.InsecureSkipVerify {
+				hasInsecureRepo = true
+				break
+			}
 		}
 	}
 
@@ -519,10 +520,41 @@ func DownloadPackagesComplete(pkgList []string, destDir, dotFile string, pkgSour
 		return downloadPkgList, nil, fmt.Errorf("creating cache directory %s: %w", absDestDir, err)
 	}
 
-	// Download packages using configured workers and cache directory
+	// Download packages with appropriate security settings
 	log.Infof("downloading %d packages to %s using %d workers", len(urls), absDestDir, config.Workers())
-	if err := pkgfetcher.FetchPackages(urls, absDestDir, config.Workers(), insecureSkipVerify); err != nil {
-		return downloadPkgList, nil, fmt.Errorf("fetch failed: %w", err)
+	if !hasInsecureRepo {
+		// All repositories are secure - use secure client for all downloads (no per-URL checking)
+		log.Debugf("all repositories use secure connections, using secure client for all downloads")
+		if err := pkgfetcher.FetchPackages(urls, absDestDir, config.Workers(), false); err != nil {
+			return downloadPkgList, nil, fmt.Errorf("fetch failed: %w", err)
+		}
+	} else {
+		// Build security configurations for repositories with insecure mode
+		var securityConfigs []pkgfetcher.URLSecurityConfig
+
+		// Add base repository config if insecure
+		if RepoCfg.InsecureSkipVerify {
+			securityConfigs = append(securityConfigs, pkgfetcher.URLSecurityConfig{
+				URLPrefixes:        []string{RepoCfg.PkgPrefix},
+				InsecureSkipVerify: true,
+			})
+		}
+
+		// Add multiple repository configs if insecure
+		for _, cfg := range RepoCfgs {
+			if cfg.InsecureSkipVerify {
+				securityConfigs = append(securityConfigs, pkgfetcher.URLSecurityConfig{
+					URLPrefixes:        []string{cfg.PkgPrefix},
+					InsecureSkipVerify: true,
+				})
+			}
+		}
+
+		// Download with per-repository security settings (URL checking enabled)
+		log.Debugf("mixed repository security settings, using per-URL security checking")
+		if err := pkgfetcher.FetchPackagesWithSecurityConfig(urls, absDestDir, config.Workers(), securityConfigs); err != nil {
+			return downloadPkgList, nil, fmt.Errorf("fetch failed: %w", err)
+		}
 	}
 	log.Info("all downloads complete")
 

internal/ospackage/pkgfetcher/pkgfetcher.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"
 
@@ -15,15 +16,67 @@ import (
 	"github.com/schollz/progressbar/v3"
 )
 
+// URLSecurityConfig holds URL patterns and their security settings
+type URLSecurityConfig struct {
+	URLPrefixes        []string // List of URL prefixes (e.g., "https://repo1.com", "http://repo2.com")
+	InsecureSkipVerify bool     // Whether to skip TLS verification for these URLs
+}
+
 // FetchPackages downloads the given URLs into destDir using a pool of workers.
 // It shows a single progress bar tracking files completed vs total.
+// Deprecated: Use FetchPackagesWithSecurityConfig for per-repository security settings
 func FetchPackages(urls []string, destDir string, workers int, insecureSkipVerify bool) error {
+	// Create a single security config for all URLs (legacy behavior)
+	var securityConfigs []URLSecurityConfig
+	if insecureSkipVerify {
+		securityConfigs = []URLSecurityConfig{{
+			URLPrefixes:        []string{""}, // Empty prefix matches all URLs
+			InsecureSkipVerify: true,
+		}}
+	}
+	return FetchPackagesWithSecurityConfig(urls, destDir, workers, securityConfigs)
+}
+
+// FetchPackagesWithSecurityConfig downloads URLs with per-repository security settings.
+// It creates secure and insecure HTTP clients and selects the appropriate one based on URL matching.
+func FetchPackagesWithSecurityConfig(urls []string, destDir string, workers int, securityConfigs []URLSecurityConfig) error {
 	log := logger.Logger()
 
 	total := len(urls)
 	jobs := make(chan string, total)
 	var wg sync.WaitGroup
 
+	// Create two HTTP clients: one secure, one insecure
+	secureClient := network.NewHTTPClientWithOptions(network.HTTPClientOptions{
+		InsecureSkipVerify: false,
+	})
+	insecureClient := network.NewHTTPClientWithOptions(network.HTTPClientOptions{
+		InsecureSkipVerify: true,
+	})
+
+	// Helper function to determine if a URL should use insecure client
+	shouldUseInsecure := func(downloadURL string) bool {
+		for _, config := range securityConfigs {
+			if !config.InsecureSkipVerify {
+				continue
+			}
+			// If URLPrefixes is empty or contains empty string, apply to all URLs (legacy behavior)
+			if len(config.URLPrefixes) == 0 || (len(config.URLPrefixes) == 1 && config.URLPrefixes[0] == "") {
+				return true
+			}
+			// Check if the URL matches any of the prefixes
+			for _, prefix := range config.URLPrefixes {
+				// Normalize URLs for comparison (handle trailing slashes)
+				normalizedURL := strings.TrimSuffix(downloadURL, "/")
+				normalizedPrefix := strings.TrimSuffix(prefix, "/")
+				if strings.HasPrefix(normalizedURL, normalizedPrefix) {
+					return true
+				}
+			}
+		}
+		return false
+	}
+
 	// create a single progress bar for total files
 	bar := progressbar.NewOptions(total,
 		progressbar.OptionEnableColorCodes(true),
@@ -49,8 +102,8 @@ func FetchPackages(urls []string, destDir string, workers int, insecureSkipVerif
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
-			for url := range jobs {
-				name := path.Base(url)
+			for downloadURL := range jobs {
+				name := path.Base(downloadURL)
 
 				// update description to current file
 				bar.Describe(name)
@@ -78,11 +131,16 @@ func FetchPackages(urls []string, destDir string, workers int, insecureSkipVerif
 				}
 				err := func() error {
 
-					// Create HTTP client with appropriate TLS settings
-					client := network.NewHTTPClientWithOptions(network.HTTPClientOptions{
-						InsecureSkipVerify: insecureSkipVerify,
-					})
-					resp, err := client.Get(url)
+					// Select the appropriate HTTP client based on URL
+					var client *http.Client
+					if shouldUseInsecure(downloadURL) {
+						client = insecureClient
+						log.Debugf("using insecure client for %s", downloadURL)
+					} else {
+						client = secureClient
+					}
+
+					resp, err := client.Get(downloadURL)
 					if err != nil {
 						return err
 					}
@@ -105,7 +163,7 @@ func FetchPackages(urls []string, destDir string, workers int, insecureSkipVerif
 				}()
 
 				if err != nil {
-					log.Errorf("downloading %s failed: %v", url, err)
+					log.Errorf("downloading %s failed: %v", downloadURL, err)
 					downloadError = true
 				}
 				// increment progress bar

internal/ospackage/rpmutils/download.go

@@ -59,22 +59,25 @@ func UserPackages() ([]ospackage.PackageInfo, error) {
 	log.Infof("fetching packages from %s", "user package list")
 
 	repoList := make([]struct {
-		id       string
-		codename string
-		url      string
-		pkey     string
+		id                 string
+		codename           string
+		url                string
+		pkey               string
+		insecureSkipVerify bool
 	}, len(UserRepo))
 	for i, repo := range UserRepo {
 		repoList[i] = struct {
-			id       string
-			codename string
-			url      string
-			pkey     string
+			id                 string
+			codename           string
+			url                string
+			pkey               string
+			insecureSkipVerify bool
 		}{
-			id:       fmt.Sprintf("rpmcustrepo%d", i+1),
-			codename: repo.Codename,
-			url:      repo.URL,
-			pkey:     repo.PKey,
+			id:                 fmt.Sprintf("rpmcustrepo%d", i+1),
+			codename:           repo.Codename,
+			url:                repo.URL,
+			pkey:               repo.PKey,
+			insecureSkipVerify: repo.InsecureSkipVerify,
 		}
 	}
 
@@ -86,13 +89,14 @@ func UserPackages() ([]ospackage.PackageInfo, error) {
 		pkey := repoItem.pkey
 
 		repo := RepoConfig{
-			Name:         id,
-			GPGCheck:     true,
-			RepoGPGCheck: true,
-			Enabled:      true,
-			GPGKey:       pkey,
-			URL:          baseURL,
-			Section:      fmt.Sprintf("[%s]", codename),
+			Name:               id,
+			GPGCheck:           true,
+			RepoGPGCheck:       true,
+			Enabled:            true,
+			GPGKey:             pkey,
+			URL:                baseURL,
+			Section:            fmt.Sprintf("[%s]", codename),
+			InsecureSkipVerify: repoItem.insecureSkipVerify,
 		}
 
 		userRepo = append(userRepo, repo)
@@ -459,8 +463,16 @@ func DownloadPackagesComplete(pkgList []string, destDir, dotFile string, pkgSour
 		downloadPkgList = append(downloadPkgList, pkg.Name)
 	}
 
-	// Use insecure mode if the repository has it enabled
-	insecureSkipVerify := RepoCfg.InsecureSkipVerify
+	// Check if any repository requires insecure mode
+	hasInsecureRepo := RepoCfg.InsecureSkipVerify
+	if !hasInsecureRepo {
+		for _, userRepoItem := range UserRepo {
+			if userRepoItem.InsecureSkipVerify {
+				hasInsecureRepo = true
+				break
+			}
+		}
+	}
 
 	// Ensure dest directory exists
 	absDestDir, err := filepath.Abs(destDir)
@@ -471,10 +483,41 @@ func DownloadPackagesComplete(pkgList []string, destDir, dotFile string, pkgSour
 		return downloadPkgList, nil, fmt.Errorf("creating cache directory %s: %v", absDestDir, err)
 	}
 
-	// Download packages using configured workers and cache directory
+	// Download packages with appropriate security settings
 	log.Infof("Downloading %d packages to %s using %d workers", len(urls), absDestDir, config.Workers())
-	if err := pkgfetcher.FetchPackages(urls, absDestDir, config.Workers(), insecureSkipVerify); err != nil {
-		return downloadPkgList, nil, fmt.Errorf("fetch failed: %v", err)
+	if !hasInsecureRepo {
+		// All repositories are secure - use secure client for all downloads (no per-URL checking)
+		log.Debugf("all repositories use secure connections, using secure client for all downloads")
+		if err := pkgfetcher.FetchPackages(urls, absDestDir, config.Workers(), false); err != nil {
+			return downloadPkgList, nil, fmt.Errorf("fetch failed: %v", err)
+		}
+	} else {
+		// Build security configurations for repositories with insecure mode
+		var securityConfigs []pkgfetcher.URLSecurityConfig
+
+		// Add base repository config if insecure
+		if RepoCfg.InsecureSkipVerify {
+			securityConfigs = append(securityConfigs, pkgfetcher.URLSecurityConfig{
+				URLPrefixes:        []string{RepoCfg.URL},
+				InsecureSkipVerify: true,
+			})
+		}
+
+		// Add user repository configs if insecure
+		for _, userRepoItem := range UserRepo {
+			if userRepoItem.InsecureSkipVerify {
+				securityConfigs = append(securityConfigs, pkgfetcher.URLSecurityConfig{
+					URLPrefixes:        []string{userRepoItem.URL},
+					InsecureSkipVerify: true,
+				})
+			}
+		}
+
+		// Download with per-repository security settings (URL checking enabled)
+		log.Debugf("mixed repository security settings, using per-URL security checking")
+		if err := pkgfetcher.FetchPackagesWithSecurityConfig(urls, absDestDir, config.Workers(), securityConfigs); err != nil {
+			return downloadPkgList, nil, fmt.Errorf("fetch failed: %v", err)
+		}
 	}
 	log.Info("All downloads complete")