(MAINT) SSL Verification extended (#504)
* (MAINT) update SSL verification and certificate handling

- Changed SSL verification mode to VERIFY_PEER for enhanced security.
- Added Puppet settings initialization to load necessary certificates.
- Updated HTTP request to use Puppet's certname and certificate files.
- Ensured CA file is set for SSL verification.

* fix(rbac_token): correct syntax errors in SSL configuration

- Fixed incorrect syntax in Net::HTTP initialization.
- Corrected method calls for SSL setup and certificate handling.
- Ensured proper request initialization for RBAC token generation.

* fix(rbac_token): correct Net::HTTPSuccess class reference

- Fixed incorrect reference to Net::HTTPSuccess class in token request error handling.

* fix(rbac_token): correct typo in Net::HTTP::Post initialization

Corrected the typo in the initialization of Net::HTTP::Post for creating the RBAC token request. This ensures the correct HTTP method is used for the request.

* fix(get_peadm_config): use Puppet certname instead of localhost for HTTPS connection

Changed the HTTPS connection to use Puppet's certname instead of 'localhost' to ensure proper SSL certificate validation.
CoMfUcIoS authored Sep 23, 2024
1 parent cd0f5ad commit 9cbef67
Showing 2 changed files with 14 additions and 9 deletions.
5 changes: 3 additions & 2 deletions tasks/get_peadm_config.rb
Expand Up @@ -101,11 +101,12 @@ def server(role, letter, certname_array)
end

def https(port)
https = Net::HTTP.new('localhost', port)
https = Net::HTTP.new(Puppet.settings[:certname], port)
https.use_ssl = true
https.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
https.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
https.verify_mode = OpenSSL::SSL::VERIFY_NONE
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_file = Puppet.settings[:localcacert]
https
end

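Review bot: `OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))` hard-codes the key type, so the task raises if the node's Puppet host key is not RSA; `OpenSSL::PKey.read(File.read(Puppet.settings[:hostprivkey]))` parses any supported PEM key and is the safer call. The values read from `Puppet.settings[:certname]`, `:hostcert`, `:hostprivkey` and `:localcacert` are only correct after `Puppet.initialize_settings` has run, and nothing in this hunk shows that call, so confirm it happens earlier in tasks/get_peadm_config.rb (the tasks/rbac_token.rb change in this same commit adds it explicitly). Note also that with `VERIFY_PEER` and `ca_file` set, Net::HTTP checks the server name against the presented certificate, which is why replacing `'localhost'` with the certname is required and not just cosmetic: the PE service certificate is issued for the certname, so the old hostname would fail verification once `VERIFY_NONE` is gone.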
18 changes: 11 additions & 7 deletions tasks/rbac_token.rb
Expand Up @@ -4,31 +4,35 @@
#
# rubocop:disable Style/GlobalVars
require 'net/https'
require 'uri'
require 'json'
require 'fileutils'
require 'puppet'

# Parameters expected:
# Hash
# String password
$params = JSON.parse(STDIN.read)

uri = URI.parse('https://localhost:4433/rbac-api/v1/auth/token')
Puppet.initialize_settings

body = {
'login' => 'admin',
'password' => $params['password'],
'lifetime' => $params['token_lifetime'],
'label' => 'provision-time token',
}.to_json

http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Post.new(uri.request_uri)
https = Net::HTTP.new(Puppet.settings[:certname], 4433)
https.use_ssl = true
https.cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_file = Puppet.settings[:localcacert]
request = Net::HTTP::Post.new('/rbac-api/v1/auth/token')
request['Content-Type'] = 'application/json'
request.body = body

response = http.request(request)
response = https.request(request)
raise "Error requesting token, #{response.body}" unless response.is_a? Net::HTTPSuccess
token = JSON.parse(response.body)['token']

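Review bot: `require 'uri'` is now dead code, since the `uri = URI.parse(...)` line it served is removed and the host, port and path are passed directly to `Net::HTTP.new(Puppet.settings[:certname], 4433)` and `Net::HTTP::Post.new('/rbac-api/v1/auth/token')`; either drop the require or keep a `URI` object and pass `uri.request_uri` so the endpoint is defined in one place. The same key-type point as in tasks/get_peadm_config.rb applies to `OpenSSL::PKey::RSA.new`, which should be `OpenSSL::PKey.read` to avoid failing on non-RSA host keys. The client setup (cert, key, `verify_mode`, `ca_file`) is now duplicated verbatim between the two task files; since this is the code that enforces peer verification, a shared helper would keep the two copies from drifting, for example one of them silently reverting to `VERIFY_NONE`. Lastly, `raise "Error requesting token, #{response.body}"` still echoes the raw RBAC response body into the task output; consider including `response.code` and trimming the body so the error is diagnosable without dumping the whole response.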
