(ITHELP-98367) - Fix AiTM attacks vulnerability

tasks/backup_classification.rb

@@ -24,7 +24,8 @@ def https_client
     client.use_ssl = true
     client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
     client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-    client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    client.ca_file = Puppet.settings[:localcacert]
     client
   end
 

tasks/code_sync_status.rb

@@ -23,7 +23,8 @@ def https_client
     client.use_ssl = true
     client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
     client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-    client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    client.ca_file = Puppet.settings[:localcacert]
     client
   end
 

tasks/get_peadm_config.rb

@@ -105,7 +105,8 @@ def https(port)
     https.use_ssl = true
     https.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
     https.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-    https.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    https.ca_file = Puppet.settings[:localcacert]
     https
   end
 

tasks/pe_ldap_config.rb

@@ -32,17 +32,17 @@ def main
   end
 
   uri = URI("https://#{pe_main}:4433/rbac-api/v1/ds")
-  http = Net::HTTP.new(uri.host, uri.port)
-  http.use_ssl = true
-  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-  http.ca_file = cafout.strip
-  http.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
-  http.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
+  https = Net::HTTP.new(uri.host, uri.port)
+  https.use_ssl = true
+  https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+  https.ca_file = cafout.strip
+  https.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
+  https.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
 
   req = Net::HTTP::Put.new(uri, 'Content-type' => 'application/json')
   req.body = data.to_json
 
-  resp = http.request(req)
+  resp = https.request(req)
 
   puts resp.body
   raise "API response code #{resp.code}" unless resp.code == '200'

tasks/puppet_infra_upgrade.rb

@@ -7,6 +7,7 @@
 require 'open3'
 require 'timeout'
 require 'etc'
+require 'puppet'
 
 # Class to run and execute the `puppet infra upgrade` command as a task.
 class PuppetInfraUpgrade
@@ -57,21 +58,24 @@ def request_object(nodes:, token_file:)
     request
   end
 
-  def http_object
-    http = Net::HTTP.new(inventory_uri.host, inventory_uri.port)
-    http.use_ssl = true
-    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+  def https_object
+    https = Net::HTTP.new(inventory_uri.host, inventory_uri.port)
+    https.use_ssl = true
+    https.cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+    https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+    https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    https.ca_file = Puppet.settings[:localcacert]
 
-    http
+    https
   end
 
   def wait_until_connected(nodes:, token_file:, timeout: 120)
-    http = http_object
+    https = https_object
     request = request_object(nodes: nodes, token_file: token_file)
     inventory = {}
     Timeout.timeout(timeout) do
       loop do
-        response = http.request(request)
+        response = https.request(request)
         unless response.is_a? Net::HTTPSuccess
           raise "Unexpected result from orchestrator: #{response.class}\n#{response}"
         end

tasks/rbac_token.rb

@@ -7,6 +7,7 @@
 require 'uri'
 require 'json'
 require 'fileutils'
+require 'open3'
 
 # Parameters expected:
 #   Hash
@@ -21,14 +22,35 @@
   'label'    => 'provision-time token',
 }.to_json
 
-http = Net::HTTP.new(uri.host, uri.port)
-http.use_ssl = true
-http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+caf = ['/opt/puppetlabs/bin/puppet', 'config', 'print', 'localcacert']
+cafout, cafstatus = Open3.capture2(*caf)
+unless cafstatus.success?
+  raise 'Could not get the CA file path.'
+end
+
+cert = ['/opt/puppetlabs/bin/puppet', 'config', 'print', 'hostcert']
+certout, certstatus = Open3.capture2(*cert)
+unless certstatus.success?
+  raise 'Could not get the Cert file path.'
+end
+
+key = ['/opt/puppetlabs/bin/puppet', 'config', 'print', 'hostprivkey']
+keyout, keystatus = Open3.capture2(*key)
+unless keystatus.success?
+  raise 'Could not get the Key file path.'
+end
+
+https = Net::HTTP.new(uri.host, uri.port)
+https.use_ssl = true
+https.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
+https.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
+https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+https.ca_file = cafout.strip
 request = Net::HTTP::Post.new(uri.request_uri)
 request['Content-Type'] = 'application/json'
 request.body = body
 
-response = http.request(request)
+response = https.request(request)
 raise "Error requesting token, #{response.body}" unless response.is_a? Net::HTTPSuccess
 token = JSON.parse(response.body)['token']
 

tasks/restore_classification.rb

@@ -24,7 +24,8 @@ def https_client
     client.use_ssl = true
     client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
     client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-    client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    client.ca_file = Puppet.settings[:localcacert]
     client
   end