commit 1cc3deebc40733fb6dcd98fbb5412399dc764876
author Tibor Vass <tiborvass@users.noreply.github.com> Tue Aug 21 16:52:37 2018 -0700
committer GitHub <noreply@github.com> Tue Aug 21 16:52:37 2018 -0700
tree 6757906d5a5210da28f298b50d81f12e105cc7c0
parent 9972a826c81630ed6136a198586ae4a36c6f9dfe
parent 547b993e07330f3e74cba935975fce05e8661381

Merge pull request #37684 from thaJeztah/add_remote_api_warning

Add warning if REST API is accessible through an insecure connection

daemon/info.go

diff --git a/daemon/info.go b/daemon/info.go
index cc9ad8a..9dcfb95 100644
--- a/daemon/info.go
+++ b/daemon/info.go
@@ -68,6 +68,7 @@
 		Isolation:          daemon.defaultIsolation,
 	}
 
+	daemon.fillAPIInfo(v)
 	// Retrieve platform specific info
 	daemon.fillPlatformInfo(v, sysInfo)
 	daemon.fillDriverInfo(v)
@@ -171,6 +172,32 @@
 	v.SecurityOptions = securityOptions
 }
 
+func (daemon *Daemon) fillAPIInfo(v *types.Info) {
+	const warn string = `
+         Access to the remote API is equivalent to root access on the host. Refer
+         to the 'Docker daemon attack surface' section in the documentation for
+         more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface`
+
+	cfg := daemon.configStore
+	for _, host := range cfg.Hosts {
+		// cnf.Hosts is normalized during startup, so should always have a scheme/proto
+		h := strings.SplitN(host, "://", 2)
+		proto := h[0]
+		addr := h[1]
+		if proto != "tcp" {
+			continue
+		}
+		if !cfg.TLS {
+			v.Warnings = append(v.Warnings, fmt.Sprintf("WARNING: API is accessible on http://%s without encryption.%s", addr, warn))
+			continue
+		}
+		if !cfg.TLSVerify {
+			v.Warnings = append(v.Warnings, fmt.Sprintf("WARNING: API is accessible on https://%s without TLS client verification.%s", addr, warn))
+			continue
+		}
+	}
+}
+
 func hostName() string {
 	hostname := ""
 	if hn, err := os.Hostname(); err != nil {

integration/system/info_test.go

diff --git a/integration/system/info_test.go b/integration/system/info_test.go
index 2a05dfb..b8bdcf0 100644
--- a/integration/system/info_test.go
+++ b/integration/system/info_test.go
@@ -5,6 +5,7 @@
 	"fmt"
 	"testing"
 
+	"github.com/docker/docker/internal/test/daemon"
 	"github.com/docker/docker/internal/test/request"
 	"gotest.tools/assert"
 	is "gotest.tools/assert/cmp"
@@ -40,3 +41,26 @@
 		assert.Check(t, is.Contains(out, linePrefix))
 	}
 }
+
+func TestInfoAPIWarnings(t *testing.T) {
+	d := daemon.New(t)
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	d.StartWithBusybox(t, "--iptables=false", "-H=0.0.0.0:23756", "-H=unix://"+d.Sock())
+	defer d.Stop(t)
+
+	info, err := client.Info(context.Background())
+	assert.NilError(t, err)
+
+	stringsToCheck := []string{
+		"Access to the remote API is equivalent to root access",
+		"http://0.0.0.0:23756",
+	}
+
+	out := fmt.Sprintf("%+v", info)
+	for _, linePrefix := range stringsToCheck {
+		assert.Check(t, is.Contains(out, linePrefix))
+	}
+}