Continue work on TLS API Support

* Fixed attach endpoint client using unencrypted socket when TLS is enabled
* Duplicated libpod remote unix socket e2e suite for plaintext TCP, TLS,
  and mTLS

Signed-off-by: Andrew Melnick <[email protected]>

Makefile

@@ -682,7 +682,10 @@ ginkgo:
 
 .PHONY: ginkgo-remote
 ginkgo-remote:
-	$(MAKE) ginkgo-run TAGS="$(REMOTETAGS) remote_testing"
+	$(MAKE) ginkgo-run TAGS="$(REMOTETAGS) remote_testing remote_unix_testing"
+	$(MAKE) ginkgo-run TAGS="$(REMOTETAGS) remote_testing remote_tcp_testing"
+	$(MAKE) ginkgo-run TAGS="$(REMOTETAGS) remote_testing remote_tls_testing"
+	$(MAKE) ginkgo-run TAGS="$(REMOTETAGS) remote_testing remote_mtls_testing"
 
 .PHONY: testbindings
 # bindings tests need access to podman-registry

pkg/bindings/containers/attach.go

@@ -3,6 +3,7 @@ package containers
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -115,9 +116,11 @@ func Attach(ctx context.Context, nameOrID string, stdin io.Reader, stdout io.Wri
 	headers.Add("Connection", "Upgrade")
 	headers.Add("Upgrade", "tcp")
 
+	// FIXME: This is one giant race condition. Let's hope no-one uses this same client until we're done!
 	var socket net.Conn
 	socketSet := false
 	dialContext := conn.Client.Transport.(*http.Transport).DialContext
+	tlsConfig := conn.Client.Transport.(*http.Transport).TLSClientConfig
 	t := &http.Transport{
 		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
 			c, err := dialContext(ctx, network, address)
@@ -130,7 +133,28 @@ func Attach(ctx context.Context, nameOrID string, stdin io.Reader, stdout io.Wri
 			}
 			return c, err
 		},
+		DialTLSContext: func(ctx context.Context, network, address string) (net.Conn, error) {
+			c, err := dialContext(ctx, network, address)
+			if err != nil {
+				return nil, err
+			}
+			cfg := tlsConfig.Clone()
+			if cfg.ServerName == "" {
+				var firstTLSHost string
+				if firstTLSHost, _, err = net.SplitHostPort(address); err != nil {
+					return nil, err
+				}
+				cfg.ServerName = firstTLSHost
+			}
+			c = tls.Client(c, cfg)
+			if !socketSet {
+				socket = c
+				socketSet = true
+			}
+			return c, err
+		},
 		IdleConnTimeout: time.Duration(0),
+		TLSClientConfig: tlsConfig,
 	}
 	conn.Client.Transport = t
 	response, err := conn.DoRequest(ctx, nil, http.MethodPost, "/containers/%s/attach", params, headers, nameOrID)
@@ -463,9 +487,11 @@ func ExecStartAndAttach(ctx context.Context, sessionID string, options *ExecStar
 		return err
 	}
 
+	// FIXME: This is one giant race condition. Let's hope no-one uses this same client until we're done!
 	var socket net.Conn
 	socketSet := false
 	dialContext := conn.Client.Transport.(*http.Transport).DialContext
+	tlsConfig := conn.Client.Transport.(*http.Transport).TLSClientConfig
 	t := &http.Transport{
 		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
 			c, err := dialContext(ctx, network, address)
@@ -478,7 +504,28 @@ func ExecStartAndAttach(ctx context.Context, sessionID string, options *ExecStar
 			}
 			return c, err
 		},
+		DialTLSContext: func(ctx context.Context, network, address string) (net.Conn, error) {
+			c, err := dialContext(ctx, network, address)
+			if err != nil {
+				return nil, err
+			}
+			cfg := tlsConfig.Clone()
+			if cfg.ServerName == "" {
+				var firstTLSHost string
+				if firstTLSHost, _, err = net.SplitHostPort(address); err != nil {
+					return nil, err
+				}
+				cfg.ServerName = firstTLSHost
+			}
+			c = tls.Client(c, cfg)
+			if !socketSet {
+				socket = c
+				socketSet = true
+			}
+			return c, err
+		},
 		IdleConnTimeout: time.Duration(0),
+		TLSClientConfig: tlsConfig,
 	}
 	conn.Client.Transport = t
 	response, err := conn.DoRequest(ctx, bytes.NewReader(bodyJSON), http.MethodPost, "/exec/%s/start", nil, nil, sessionID)