
(ITHELP-98367) - Fix AiTM attacks vulnerability
Ramesh7 committed Sep 20, 2024
1 parent 7798c27 commit 3831af4
Showing 6 changed files with 26 additions and 18 deletions.
3 changes: 2 additions & 1 deletion tasks/backup_classification.rb
Expand Up @@ -24,7 +24,8 @@ def https_client
client.use_ssl = true
client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
client.verify_mode = OpenSSL::SSL::VERIFY_NONE
client.verify_mode = OpenSSL::SSL::VERIFY_PEER
client.ca_file = Puppet.settings[:localcacert]
client
end

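Review bot: Once `verify_mode` is no longer VERIFY_NONE, Net::HTTP also runs its post-connection hostname check against the address handed to `Net::HTTP.new`, so the name the client connects to is now part of what gets verified — but the `client = Net::HTTP.new(...)` line sits above this hunk, so confirm it is built from the PE primary's certname (a name present in the server certificate's SAN) rather than an IP or a short alias; otherwise this fix surfaces as an `OpenSSL::SSL::SSLError` at request time. Because that failure mode is new with this commit, the caller would benefit from a `rescue OpenSSL::SSL::SSLError => e` that re-raises with context, e.g. `raise "TLS verification of #{client.address} against #{client.ca_file} failed: #{e.message}"`. `https_client` begins above the hunk and the task continues below it.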
3 changes: 2 additions & 1 deletion tasks/code_sync_status.rb
Expand Up @@ -23,7 +23,8 @@ def https_client
client.use_ssl = true
client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
client.verify_mode = OpenSSL::SSL::VERIFY_NONE
client.verify_mode = OpenSSL::SSL::VERIFY_PEER
client.ca_file = Puppet.settings[:localcacert]
client
end

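Review bot: `client.verify_mode = OpenSSL::SSL::VERIFY_PEER` together with `client.ca_file = Puppet.settings[:localcacert]` validates the chain but never consults a CRL, so a certificate the PE CA has since revoked is still accepted; Puppet's own agent additionally checks the CRL at `Puppet.settings[:hostcrl]`. If revocation matters for this deployment, replace the `ca_file` line with an `OpenSSL::X509::Store` that carries both the CA and the CRL and assign it via `client.cert_store` (sketch below); the CRL file must exist on the node, so guard with `File.exist?` or fall back to the plain `ca_file` when it is missing. `https_client` starts above this hunk.
```ruby
client.verify_mode = OpenSSL::SSL::VERIFY_PEER
store = OpenSSL::X509::Store.new
store.add_file(Puppet.settings[:localcacert])
store.add_crl(OpenSSL::X509::CRL.new(File.read(Puppet.settings[:hostcrl])))
store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
client.cert_store = store
# … unchanged: return client …
```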
3 changes: 2 additions & 1 deletion tasks/get_peadm_config.rb
Expand Up @@ -105,7 +105,8 @@ def https(port)
https.use_ssl = true
https.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
https.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
https.verify_mode = OpenSSL::SSL::VERIFY_NONE
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_file = Puppet.settings[:localcacert]
https
end

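Review bot: `https.verify_mode = OpenSSL::SSL::VERIFY_PEER` plus `https.ca_file` closes the impersonation hole named in the commit title, but an adversary in the same network position can also attempt a protocol downgrade, and nothing in `https(port)` pins a floor; one extra line beside the new ones, `https.min_version = OpenSSL::SSL::TLS1_2_VERSION`, rules that out and should be a no-op for legitimate PE endpoints — confirm against the oldest PE version this task is meant to reach. `https(port)` starts above this hunk and the host it connects to is not visible here.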
14 changes: 7 additions & 7 deletions tasks/pe_ldap_config.rb
Expand Up @@ -32,17 +32,17 @@ def main
end

uri = URI("https://#{pe_main}:4433/rbac-api/v1/ds")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.ca_file = cafout.strip
http.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
http.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_file = cafout.strip
https.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
https.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))

req = Net::HTTP::Put.new(uri, 'Content-type' => 'application/json')
req.body = data.to_json

resp = http.request(req)
resp = https.request(req)

puts resp.body
raise "API response code #{resp.code}" unless resp.code == '200'
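Review bot: `pe_main` is interpolated straight into `uri = URI("https://#{pe_main}:4433/rbac-api/v1/ds")`, and with `https.verify_mode = OpenSSL::SSL::VERIFY_PEER` that value must now match a name in the PE primary's certificate, since Net::HTTP performs the hostname check whenever verification is enabled; a `pe_main` supplied as an IP or a non-certname alias worked before this commit and will now raise `OpenSSL::SSL::SSLError` before the request is sent. The task checks the HTTP status afterwards but does not handle this earlier failure, so wrapping `resp = https.request(req)` in `rescue OpenSSL::SSL::SSLError => e` and raising `"TLS verification of #{pe_main} failed (is pe_main the certname?): #{e.message}"` would make the new failure mode self-explanatory. `main` begins above this hunk.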
18 changes: 11 additions & 7 deletions tasks/puppet_infra_upgrade.rb
Expand Up @@ -7,6 +7,7 @@
require 'open3'
require 'timeout'
require 'etc'
require 'puppet'

# Class to run and execute the `puppet infra upgrade` command as a task.
class PuppetInfraUpgrade
Expand Down Expand Up @@ -57,21 +58,24 @@ def request_object(nodes:, token_file:)
request
end

def http_object
http = Net::HTTP.new(inventory_uri.host, inventory_uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
def https_object
https = Net::HTTP.new(inventory_uri.host, inventory_uri.port)
https.use_ssl = true
https.cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_file = Puppet.settings[:localcacert]

http
https
end

def wait_until_connected(nodes:, token_file:, timeout: 120)
http = http_object
https = https_object
request = request_object(nodes: nodes, token_file: token_file)
inventory = {}
Timeout.timeout(timeout) do
loop do
response = http.request(request)
response = https.request(request)
unless response.is_a? Net::HTTPSuccess
raise "Unexpected result from orchestrator: #{response.class}\n#{response}"
end
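Review bot: `https_object` now reads `Puppet.settings[:hostcert]`, `[:hostprivkey]` and `[:localcacert]`, and the added `require 'puppet'` alone does not load puppet.conf — those values only reflect the node's configured `ssldir` after `Puppet.initialize_settings`, otherwise they are compiled-in defaults that also differ between root and non-root run modes. Nothing in this hunk calls it; if the rest of the file does not either, add something like `Puppet.initialize_settings unless Puppet.settings.app_defaults_initialized?` before the first lookup, or mirror whatever the other tasks in this commit do. The rename from `http_object` to `https_object` also changes a public method of `PuppetInfraUpgrade`; `wait_until_connected` is updated here, but any caller outside the hunk would now raise NoMethodError. `PuppetInfraUpgrade` continues beyond the hunk.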
3 changes: 2 additions & 1 deletion tasks/restore_classification.rb
Expand Up @@ -24,7 +24,8 @@ def https_client
client.use_ssl = true
client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
client.verify_mode = OpenSSL::SSL::VERIFY_NONE
client.verify_mode = OpenSSL::SSL::VERIFY_PEER
client.ca_file = Puppet.settings[:localcacert]
client
end

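Review bot: This is the fourth copy of the same `https_client` body touched by this commit (backup_classification, code_sync_status, get_peadm_config and restore_classification each carry their own), so the VERIFY_NONE hole had to be closed four times in lock-step and any task later copy-pasted from an older revision brings it back. If these are Bolt tasks, one helper shared through the task's `files` metadata would keep cert, key, `verify_mode` and `ca_file` in a single place so the next hardening touches one file. If a shared helper is out of scope, at least mark the intent on the new line, `client.verify_mode = OpenSSL::SSL::VERIFY_PEER # never relax to VERIFY_NONE, see ITHELP-98367`, for whoever copies this next. `https_client` begins above the hunk.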
