Description
Problem
client.NewAviClient generates clients that are insecure by default.
Description
Calling NewAviSession will create a new AviSession. In avisession.go line 365 the library uses InsecureSkipVerify: true when constructing a new http client. This completely ignores the value of avess.insecure, which is set a few lines above (line 321) or by the options in line 326.
The only way to get a secure http client (inside the AVI session) is to construct the http client first and set it via the options mechanism, by using the following code:
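    // TLS configuration that verifies the server certificate.
    tlsConfig := tls.Config{
        InsecureSkipVerify: false,
    }
    // Build the HTTP client first, then hand it to the session as an option.
    httpClient := &http.Client{Transport: &http.Transport{TLSClientConfig: &tlsConfig}}
    client, err := clients.NewAviClient(apiEndpoint, apiUser, session.SetClient(httpClient))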
Apart from being more work than using a secure default setup, it is surprising for the user, as there is a session.SetInsecure option (and no session.SetSecure option), which wrongly implies that the session is secure by default.
Expected behaviour
By default a secure http client is created and used inside the AVI session, which can be configured to be insecure when needed.
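A sketch of the expected behaviour described above, as an added example that is not part of the original issue or the SDK's code: the TLS setting is derived from the session's insecure flag instead of a hard-coded true. The names sessionSketch, setInsecure, newSessionSketch and probe are hypothetical, and the local httptest server stands in for a controller with an untrusted certificate.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// sessionSketch is a hypothetical stand-in for AviSession, not the SDK's type.
type sessionSketch struct {
	insecure bool
	client   *http.Client
}

// setInsecure is a hypothetical opt-in, modelled on session.SetInsecure.
func setInsecure(s *sessionSketch) { s.insecure = true }

// newSessionSketch derives InsecureSkipVerify from the insecure field
// instead of hard-coding true, so verification is on unless opted out.
func newSessionSketch(opts ...func(*sessionSketch)) *sessionSketch {
	s := &sessionSketch{}
	for _, opt := range opts {
		opt(s)
	}
	if s.client == nil {
		tlsConfig := &tls.Config{InsecureSkipVerify: s.insecure}
		s.client = &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}
	}
	return s
}

// probe sends one request to a local TLS server whose test certificate is
// not in the system trust store; a verifying client must return an error.
func probe(s *sessionSketch) error {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	resp, err := s.client.Get(srv.URL)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	fmt.Println("default client:", probe(newSessionSketch()))
	fmt.Println("with setInsecure:", probe(newSessionSketch(setInsecure)))
}
```

The same probe works as a regression test for any client constructor: a default-constructed client that connects without error to an untrusted certificate has verification disabled.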