(ITHELP-98367) - Fix AiTM attacks vulnerability (#502)
* (ITHELP-98367) - Fix AiTM attacks vulnerability

* Swapping localhost out for certnames

---------

Co-authored-by: Neil Anderson <[email protected]>
Ramesh7 and ragingra authored Sep 20, 2024
1 parent 7798c27 commit 9af464b
Showing 9 changed files with 37 additions and 54 deletions.
8 changes: 0 additions & 8 deletions REFERENCE.md
Expand Up @@ -1075,14 +1075,6 @@ Run on a PE primary node to check if Code Manager is enabled.

**Supports noop?** false

#### Parameters

##### `host`

Data type: `String[1]`

Hostname of the PE primary node

### <a name="code_sync_status"></a>`code_sync_status`

A task to confirm code is in sync accross the cluster for clusters with code manager configured
4 changes: 1 addition & 3 deletions plans/add_replica.pp
Expand Up @@ -22,9 +22,7 @@
$replica_target = peadm::get_targets($replica_host, 1)
$replica_postgresql_target = peadm::get_targets($replica_postgresql_host, 1)

$code_manager_enabled = run_task(
'peadm::code_manager_enabled', $primary_target, host => $primary_target.peadm::certname()
).first.value['code_manager_enabled']
$code_manager_enabled = run_task('peadm::code_manager_enabled', $primary_target).first.value['code_manager_enabled']

if $code_manager_enabled == false {
fail('Code Manager must be enabled to add a replica. Please refer to the docs for more information on enabling Code Manager.')
5 changes: 3 additions & 2 deletions tasks/backup_classification.rb
Expand Up @@ -20,11 +20,12 @@ def execute!
private

def https_client
client = Net::HTTP.new('localhost', '4433')
client = Net::HTTP.new(Puppet.settings[:certname], 4433)
client.use_ssl = true
client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
client.verify_mode = OpenSSL::SSL::VERIFY_NONE
client.verify_mode = OpenSSL::SSL::VERIFY_PEER
client.ca_file = Puppet.settings[:localcacert]
client
end

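Review bot: The new `https_client` body does not say why it dials `Puppet.settings[:certname]` instead of `localhost`, and that reason is the substance of this commit: once `verify_mode` is `VERIFY_PEER` and `ca_file` is set, Net::HTTP also checks the host it dialled against the server certificate, which on a PE primary is issued for the certname, so `localhost` would now fail the hostname check. A comment above the `Net::HTTP.new` line such as `# Connect by certname, not localhost: with VERIFY_PEER the server certificate is checked against the dialled host, and PE issues it for the certname.` would stop a later maintainer from "simplifying" it back. The same client setup is repeated in this commit in code_sync_status.rb, restore_classification.rb, code_manager_enabled.rb and puppet_infra_upgrade.rb; a shared helper taking the port would remove the copy-paste drift that the old `VERIFY_NONE` lines already illustrate. This also presumes the certname resolves to this node, which I take to be the case on a primary but is now a dependency the task has on name resolution.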
7 changes: 1 addition & 6 deletions tasks/code_manager_enabled.json
@@ -1,10 +1,5 @@
{
"description": "Run on a PE primary node to check if Code Manager is enabled.",
"parameters": {
"host": {
"type": "String[1]",
"description": "Hostname of the PE primary node"
}
},
"parameters": {},
"input_method": "stdin"
}
18 changes: 6 additions & 12 deletions tasks/code_manager_enabled.rb
Expand Up @@ -6,12 +6,8 @@
require 'net/http'
require 'puppet'

# GetPEAdmConfig task class
class GetPEAdmConfig
def initialize(params)
@host = params['host']
end

# CodeManagerEnabled task class
class CodeManagerEnabled
def execute!
code_manager_enabled = groups.dig('PE Master', 'classes', 'puppet_enterprise::profile::master', 'code_manager_auto_configure')

Expand All @@ -20,18 +16,16 @@ def execute!
puts({ 'code_manager_enabled' => code_manager_enabled_value }.to_json)
end

# Returns a GetPEAdmConfig::NodeGroups object created from the /groups object
# returned by the classifier
def groups
@groups ||= begin
net = https(@host, 4433)
net = https
res = net.get('/classifier-api/v1/groups')
NodeGroup.new(JSON.parse(res.body))
end
end

def https(host, port)
https = Net::HTTP.new(host, port)
def https
https = Net::HTTP.new(Puppet.settings[:certname], 4433)
https.use_ssl = true
https.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
https.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
Expand Down Expand Up @@ -68,6 +62,6 @@ def dig(name, *args)
# testing of this task.
unless ENV['RSPEC_UNIT_TEST_MODE']
Puppet.initialize_settings
task = GetPEAdmConfig.new(JSON.parse(STDIN.read))
task = CodeManagerEnabled.new
task.execute!
end
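Review bot: The comment above `def groups` still says it returns a `GetPEAdmConfig::NodeGroups` object, but the class is now `CodeManagerEnabled` and the method constructs `NodeGroup.new(...)`, so the rename left that comment stale in both the namespace and the class name. I would change it to `# Returns a NodeGroup built from the classifier's /groups response` (qualified with the enclosing class if `NodeGroup` is nested in it; its definition is not visible here). The new `# CodeManagerEnabled task class` comment only repeats the class name; stating what the task reports, i.e. whether Code Manager is enabled as emitted by the `puts` in `execute!`, would be more useful. The `https` method body is cut off at the end of the hunk, so whether it sets `verify_mode` and `ca_file` like the other tasks in this commit cannot be confirmed from this view.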
5 changes: 3 additions & 2 deletions tasks/code_sync_status.rb
Expand Up @@ -19,11 +19,12 @@ def execute!
private

def https_client
client = Net::HTTP.new('localhost', '8140')
client = Net::HTTP.new(Puppet.settings[:certname], 8140)
client.use_ssl = true
client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
client.verify_mode = OpenSSL::SSL::VERIFY_NONE
client.verify_mode = OpenSSL::SSL::VERIFY_PEER
client.ca_file = Puppet.settings[:localcacert]
client
end

14 changes: 7 additions & 7 deletions tasks/pe_ldap_config.rb
Expand Up @@ -32,17 +32,17 @@ def main
end

uri = URI("https://#{pe_main}:4433/rbac-api/v1/ds")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.ca_file = cafout.strip
http.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
http.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_file = cafout.strip
https.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
https.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))

req = Net::HTTP::Put.new(uri, 'Content-type' => 'application/json')
req.body = data.to_json

resp = http.request(req)
resp = https.request(req)

puts resp.body
raise "API response code #{resp.code}" unless resp.code == '200'
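Review bot: Switching to `VERIFY_PEER` means the `pe_main` value interpolated into `uri` now also has to match the primary's server certificate, since Net::HTTP checks the dialled host name against the certificate whenever verify_mode is not `VERIFY_NONE`; an IP address or an alias absent from the certificate will be rejected at the handshake where it previously connected. That is the intended hardening, but it is a new operational requirement and deserves a comment on the `uri` line, e.g. `# pe_main must be a name present in the primary's certificate: hostname verification is enforced`. The `http` to `https` variable rename is otherwise cosmetic churn that widens the diff. `main` begins above this hunk, so where `cafout`, `certout` and `keyout` come from is not visible here.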
25 changes: 13 additions & 12 deletions tasks/puppet_infra_upgrade.rb
Expand Up @@ -7,6 +7,7 @@
require 'open3'
require 'timeout'
require 'etc'
require 'puppet'

# Class to run and execute the `puppet infra upgrade` command as a task.
class PuppetInfraUpgrade
Expand Down Expand Up @@ -39,39 +40,38 @@ def execute!
end
end

def inventory_uri
@inventory_uri ||= URI.parse('https://localhost:8143/orchestrator/v1/inventory')
end

def request_object(nodes:, token_file:)
token = File.read(token_file)
body = {
'nodes' => nodes,
}.to_json

request = Net::HTTP::Post.new(inventory_uri.request_uri)
request = Net::HTTP::Post.new('/orchestrator/v1/inventory')
request['Content-Type'] = 'application/json'
request['X-Authentication'] = token.chomp
request.body = body

request
end

def http_object
http = Net::HTTP.new(inventory_uri.host, inventory_uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
def https_object
https = Net::HTTP.new(Puppet.settings[:certname], 8143)
https.use_ssl = true
https.cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_file = Puppet.settings[:localcacert]

http
https
end

def wait_until_connected(nodes:, token_file:, timeout: 120)
http = http_object
https = https_object
request = request_object(nodes: nodes, token_file: token_file)
inventory = {}
Timeout.timeout(timeout) do
loop do
response = http.request(request)
response = https.request(request)
unless response.is_a? Net::HTTPSuccess
raise "Unexpected result from orchestrator: #{response.class}\n#{response}"
end
Expand All @@ -92,6 +92,7 @@ def wait_until_connected(nodes:, token_file:, timeout: 120)
# environment flag is used to disable auto-execution and enable Ruby unit
# testing of this task.
unless ENV['RSPEC_UNIT_TEST_MODE']
Puppet.initialize_settings
upgrade = PuppetInfraUpgrade.new(JSON.parse(STDIN.read))
upgrade.execute!
end
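Review bot: Dropping `inventory_uri` leaves the endpoint split across two hard-coded places, the path `'/orchestrator/v1/inventory'` in `request_object` and the port `8143` in `https_object`, which the removed memoised URI kept together. A constant pair near the top of the class, `INVENTORY_PORT = 8143` and `INVENTORY_PATH = '/orchestrator/v1/inventory'`, would keep them adjacent without reintroducing the URI object. Unlike the `https_client` methods elsewhere in this commit, `https_object` reads the cert and key files on every call rather than memoising them with `@cert ||=`; harmless while `wait_until_connected` calls it once, but worth aligning for consistency. `execute!` starts above the hunk, so whether anything else still calls the old `http_object` name cannot be checked from here.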
5 changes: 3 additions & 2 deletions tasks/restore_classification.rb
Expand Up @@ -20,11 +20,12 @@ def execute!
private

def https_client
client = Net::HTTP.new('localhost', '4433')
client = Net::HTTP.new(Puppet.settings[:certname], 4433)
client.use_ssl = true
client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
client.verify_mode = OpenSSL::SSL::VERIFY_NONE
client.verify_mode = OpenSSL::SSL::VERIFY_PEER
client.ca_file = Puppet.settings[:localcacert]
client
end

