(ITHELP-98367) - Fix AiTM attacks vulnerability #502

Merged
merged 2 commits into from
Sep 20, 2024
Merged
8 changes: 0 additions & 8 deletions REFERENCE.md
Expand Up @@ -1075,14 +1075,6 @@ Run on a PE primary node to check if Code Manager is enabled.

**Supports noop?** false

#### Parameters

##### `host`

Data type: `String[1]`

Hostname of the PE primary node

### <a name="code_sync_status"></a>`code_sync_status`

A task to confirm code is in sync accross the cluster for clusters with code manager configured
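--- a/plans/add_replica.pp
+++ b/plans/add_replica.pp
@@ -22,9 +22,7 @@
 $replica_target = peadm::get_targets($replica_host, 1)
 $replica_postgresql_target = peadm::get_targets($replica_postgresql_host, 1)
 
-$code_manager_enabled = run_task(
-'peadm::code_manager_enabled', $primary_target, host => $primary_target.peadm::certname()
-).first.value['code_manager_enabled']
+$code_manager_enabled = run_task('peadm::code_manager_enabled', $primary_target).first.value['code_manager_enabled']
 
 if $code_manager_enabled == false {
 fail('Code Manager must be enabled to add a replica. Please refer to the docs for more information on enabling Code Manager.')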
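--- a/tasks/backup_classification.rb
+++ b/tasks/backup_classification.rb
@@ -20,11 +20,12 @@ def execute!
 private
 
 def https_client
-client = Net::HTTP.new('localhost', '4433')
+client = Net::HTTP.new(Puppet.settings[:certname], 4433)
 client.use_ssl = true
 client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
 client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+client.ca_file = Puppet.settings[:localcacert]
 client
 end
 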
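Review bot: With VERIFY_PEER the connection now also has to pass hostname verification, which is the reason the target moved from 'localhost' to Puppet.settings[:certname]; nothing in https_client records that, and the identical method is copied verbatim into tasks/code_sync_status.rb and tasks/restore_classification.rb, so a later "simplify back to localhost" edit in any of the three would break the task at runtime rather than at review. I would put a comment above the Net::HTTP.new line: `# Connect by certname, not localhost: the service certificate is issued for the certname and VERIFY_PEER (with hostname checking) rejects any other name.` The ca_file line deserves one too, since verify_mode alone would fail against the PE CA: `# localcacert is the Puppet CA bundle; VERIFY_PEER needs it to trust the PE service certificate.` As a style point, the three copies of https_client differ only in port; if the module already shares Ruby between tasks, a single helper would keep the verification settings from drifting apart again. The class enclosing https_client starts outside the hunk.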
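--- a/tasks/code_manager_enabled.json
+++ b/tasks/code_manager_enabled.json
@@ -1,10 +1,5 @@
 {
 "description": "Run on a PE primary node to check if Code Manager is enabled.",
-"parameters": {
-"host": {
-"type": "String[1]",
-"description": "Hostname of the PE primary node"
-}
-},
+"parameters": {},
 "input_method": "stdin"
 }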
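Review bot: Dropping the `host` parameter from the metadata means Bolt will now reject, rather than ignore, any caller that still passes `host => ...`; plans/add_replica.pp is updated in this PR, but the page does not show whether other plans or specs in the module invoke `peadm::code_manager_enabled` with host, so that is worth a grep before merge. Since the task no longer takes a host, the description should say what it binds to instead, e.g. `"description": "Run on a PE primary node to check if Code Manager is enabled; queries the classifier on the node's own certname."`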
18 changes: 6 additions & 12 deletions tasks/code_manager_enabled.rb
Expand Up @@ -6,12 +6,8 @@
require 'net/http'
require 'puppet'

# GetPEAdmConfig task class
class GetPEAdmConfig
def initialize(params)
@host = params['host']
end

# CodeManagerEnabled task class
class CodeManagerEnabled
def execute!
code_manager_enabled = groups.dig('PE Master', 'classes', 'puppet_enterprise::profile::master', 'code_manager_auto_configure')

Expand All @@ -20,18 +16,16 @@ def execute!
puts({ 'code_manager_enabled' => code_manager_enabled_value }.to_json)
end

# Returns a GetPEAdmConfig::NodeGroups object created from the /groups object
# returned by the classifier
def groups
@groups ||= begin
net = https(@host, 4433)
net = https
res = net.get('/classifier-api/v1/groups')
NodeGroup.new(JSON.parse(res.body))
end
end

def https(host, port)
https = Net::HTTP.new(host, port)
def https
https = Net::HTTP.new(Puppet.settings[:certname], 4433)
https.use_ssl = true
https.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
https.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
Expand Down Expand Up @@ -68,6 +62,6 @@ def dig(name, *args)
# testing of this task.
unless ENV['RSPEC_UNIT_TEST_MODE']
Puppet.initialize_settings
task = GetPEAdmConfig.new(JSON.parse(STDIN.read))
task = CodeManagerEnabled.new
task.execute!
end
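Review bot: The new `https` method in the second hunk stops at `https.key = ...`; the remainder of its body, including whatever `verify_mode` it sets, lies outside the hunk, and the file's diffstat of 6 additions is fully accounted for by the visible added lines (the class comment and `class CodeManagerEnabled` line, `net = https`, the two `def https` lines and `task = CodeManagerEnabled.new`), so this task's TLS verification settings were not touched by this PR. If the unseen lines still set `OpenSSL::SSL::VERIFY_NONE`, this task keeps the exposure the other tasks in this PR fix and needs the same `https.verify_mode = OpenSSL::SSL::VERIFY_PEER` plus `https.ca_file = Puppet.settings[:localcacert]` pair. The second hunk's counts also imply two more removed lines than the paired ones, which appear to be the comment above `def groups`, leaving `groups` and `https` undocumented; I would add `# Fetches /classifier-api/v1/groups from the classifier on this node and wraps it in NodeGroup (memoised)` and `# TLS client for the classifier on this node's certname, authenticated with the host certificate`. `execute!` and `https` both continue outside their hunks.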
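--- a/tasks/code_sync_status.rb
+++ b/tasks/code_sync_status.rb
@@ -19,11 +19,12 @@ def execute!
 private
 
 def https_client
-client = Net::HTTP.new('localhost', '8140')
+client = Net::HTTP.new(Puppet.settings[:certname], 8140)
 client.use_ssl = true
 client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
 client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+client.ca_file = Puppet.settings[:localcacert]
 client
 end
 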
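--- a/tasks/pe_ldap_config.rb
+++ b/tasks/pe_ldap_config.rb
@@ -32,17 +32,17 @@ def main
 end
 
 uri = URI("https://#{pe_main}:4433/rbac-api/v1/ds")
-http = Net::HTTP.new(uri.host, uri.port)
-http.use_ssl = true
-http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-http.ca_file = cafout.strip
-http.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
-http.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
+https = Net::HTTP.new(uri.host, uri.port)
+https.use_ssl = true
+https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+https.ca_file = cafout.strip
+https.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
+https.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
 
 req = Net::HTTP::Put.new(uri, 'Content-type' => 'application/json')
 req.body = data.to_json
 
-resp = http.request(req)
+resp = https.request(req)
 
 puts resp.body
 raise "API response code #{resp.code}" unless resp.code == '200'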
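Review bot: Renaming `http` to `https` turns a one-line security fix (`VERIFY_NONE` to `VERIFY_PEER`) into a 14-line hunk, which makes the real change harder to spot both here and later in blame; I would keep the variable name and change only the verify_mode line. Because `ca_file = cafout.strip` was already present, the CA path was dead configuration under VERIFY_NONE, and a comment would keep someone from removing it as unused: `# ca_file only takes effect with VERIFY_PEER; it must point at the Puppet CA bundle`. Hostname verification now applies as well, so `pe_main` has to match a name in the RBAC service's certificate, presumably the primary's certname; that constraint belongs in a sentence where pe_main is derived, which is outside this hunk. `main` begins before and ends after the hunk.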
25 changes: 13 additions & 12 deletions tasks/puppet_infra_upgrade.rb
Expand Up @@ -7,6 +7,7 @@
require 'open3'
require 'timeout'
require 'etc'
require 'puppet'
ragingra marked this conversation as resolved.

# Class to run and execute the `puppet infra upgrade` command as a task.
class PuppetInfraUpgrade
Expand Down Expand Up @@ -39,39 +40,38 @@ def execute!
end
end

def inventory_uri
@inventory_uri ||= URI.parse('https://localhost:8143/orchestrator/v1/inventory')
end

def request_object(nodes:, token_file:)
token = File.read(token_file)
body = {
'nodes' => nodes,
}.to_json

request = Net::HTTP::Post.new(inventory_uri.request_uri)
request = Net::HTTP::Post.new('/orchestrator/v1/inventory')
request['Content-Type'] = 'application/json'
request['X-Authentication'] = token.chomp
request.body = body

request
end

def http_object
http = Net::HTTP.new(inventory_uri.host, inventory_uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
def https_object
https = Net::HTTP.new(Puppet.settings[:certname], 8143)
https.use_ssl = true
https.cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_file = Puppet.settings[:localcacert]

http
https
end

def wait_until_connected(nodes:, token_file:, timeout: 120)
http = http_object
https = https_object
request = request_object(nodes: nodes, token_file: token_file)
inventory = {}
Timeout.timeout(timeout) do
loop do
response = http.request(request)
response = https.request(request)
unless response.is_a? Net::HTTPSuccess
raise "Unexpected result from orchestrator: #{response.class}\n#{response}"
end
Expand All @@ -92,6 +92,7 @@ def wait_until_connected(nodes:, token_file:, timeout: 120)
# environment flag is used to disable auto-execution and enable Ruby unit
# testing of this task.
unless ENV['RSPEC_UNIT_TEST_MODE']
Puppet.initialize_settings
upgrade = PuppetInfraUpgrade.new(JSON.parse(STDIN.read))
upgrade.execute!
end
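Review bot: `https_object` reads `Puppet.settings` at call time, so it is only correct once `Puppet.initialize_settings` has run; the script-mode block at the bottom now does that, but any path that constructs `PuppetInfraUpgrade` directly (the RSPEC_UNIT_TEST_MODE branch, for instance) may see a certname or cert path that does not reflect the node's configuration. That contract should be written down above the method: `# Requires Puppet.initialize_settings to have run first: certname, hostcert, hostprivkey and localcacert are all read from Puppet.settings.` Unlike the other tasks in this PR, the cert and key here are not memoised, so every `https_object` call re-reads both files; `wait_until_connected` calls it once, so this is a consistency point rather than a defect. `execute!` is only partly inside the hunk.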
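--- a/tasks/restore_classification.rb
+++ b/tasks/restore_classification.rb
@@ -20,11 +20,12 @@ def execute!
 private
 
 def https_client
-client = Net::HTTP.new('localhost', '4433')
+client = Net::HTTP.new(Puppet.settings[:certname], 4433)
 client.use_ssl = true
 client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
 client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+client.ca_file = Puppet.settings[:localcacert]
 client
 end
 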