From a02de36fdda0efd0c02e2f7265829b8c96712a01 Mon Sep 17 00:00:00 2001
From: Ramesh Sencha
Date: Fri, 20 Sep 2024 11:01:36 +0530
Subject: [PATCH] (ITHELP-98367) - Fix AiTM attacks vulnerability
---
 tasks/backup_classification.rb | 3 ++-
 tasks/code_sync_status.rb | 3 ++-
 tasks/get_peadm_config.rb | 3 ++-
 tasks/pe_ldap_config.rb | 14 +++++++-------
 tasks/puppet_infra_upgrade.rb | 18 +++++++++++-------
 tasks/rbac_token.rb | 30 ++++++++++++++++++++++++++----
 tasks/restore_classification.rb | 3 ++-
 7 files changed, 52 insertions(+), 22 deletions(-)
diff --git a/tasks/backup_classification.rb b/tasks/backup_classification.rb
index 6ddeeba2..5e1dcc6d 100755
--- a/tasks/backup_classification.rb
+++ b/tasks/backup_classification.rb
@@ -24,7 +24,8 @@ def https_client
 client.use_ssl = true
 client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
 client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
- client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ client.ca_file = Puppet.settings[:localcacert]
 client
 end
diff --git a/tasks/code_sync_status.rb b/tasks/code_sync_status.rb
index 93c2fa69..70cd2ba1 100755
--- a/tasks/code_sync_status.rb
+++ b/tasks/code_sync_status.rb
@@ -23,7 +23,8 @@ def https_client
 client.use_ssl = true
 client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
 client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
- client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ client.ca_file = Puppet.settings[:localcacert]
 client
 end
diff --git a/tasks/get_peadm_config.rb b/tasks/get_peadm_config.rb
index 30d8ad21..15ce8f05 100755
--- a/tasks/get_peadm_config.rb
+++ b/tasks/get_peadm_config.rb
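Review bot: With `client.verify_mode = OpenSSL::SSL::VERIFY_PEER` Net::HTTP also checks the server name against the certificate, not only the chain up to `ca_file`, so the host handed to Net::HTTP.new — outside this hunk — must appear in the PE server certificate; if https_client dials `localhost` rather than the certname, requests will now fail with OpenSSL::SSL::SSLError even though the CA is correct, and that should be confirmed before merging. The identical hunks in code_sync_status.rb, get_peadm_config.rb and restore_classification.rb carry the same dependency. A one-line comment above the verify_mode line would record the intent for later maintainers: `# Trust only the Puppet CA for this connection; a chain or hostname mismatch raises OpenSSL::SSL::SSLError at request time.` The start of https_client is outside the hunk.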
@@ -105,7 +105,8 @@ def https(port)
 https.use_ssl = true
 https.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
 https.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
- https.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ https.ca_file = Puppet.settings[:localcacert]
 https
 end
diff --git a/tasks/pe_ldap_config.rb b/tasks/pe_ldap_config.rb
index fd393ee1..ab00dd15 100755
--- a/tasks/pe_ldap_config.rb
+++ b/tasks/pe_ldap_config.rb
@@ -32,17 +32,17 @@ def main
 end
 uri = URI("https://#{pe_main}:4433/rbac-api/v1/ds")
- http = Net::HTTP.new(uri.host, uri.port)
- http.use_ssl = true
- http.verify_mode = OpenSSL::SSL::VERIFY_NONE
- http.ca_file = cafout.strip
- http.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
- http.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
+ https = Net::HTTP.new(uri.host, uri.port)
+ https.use_ssl = true
+ https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ https.ca_file = cafout.strip
+ https.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
+ https.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
 req = Net::HTTP::Put.new(uri, 'Content-type' => 'application/json')
 req.body = data.to_json
- resp = http.request(req)
+ resp = https.request(req)
 puts resp.body
 raise "API response code #{resp.code}" unless resp.code == '200'
diff --git a/tasks/puppet_infra_upgrade.rb b/tasks/puppet_infra_upgrade.rb
index 4071971b..8a542ea5 100755
--- a/tasks/puppet_infra_upgrade.rb
+++ b/tasks/puppet_infra_upgrade.rb
@@ -7,6 +7,7 @@
 require 'open3'
 require 'timeout'
 require 'etc'
+require 'puppet'
 # Class to run and execute the `puppet infra upgrade` command as a task.
 class PuppetInfraUpgrade
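Review bot: `https.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))` only parses RSA keys, so on an agent configured with an EC host key (Puppet's `key_type` setting) the task fails at this line with an OpenSSL error before any request is made; `OpenSSL::PKey.read(File.read(keyout.strip))` accepts either key type and returns the matching class. The same RSA-only load appears in the new lines of puppet_infra_upgrade.rb and rbac_token.rb. Separately, renaming `http` to `https` on the six client lines and on `resp = https.request(req)` is cosmetic churn that makes the one security-relevant line, VERIFY_NONE to VERIFY_PEER, harder to spot and to backport; keeping the variable name would shrink this hunk to a one-line change. `cafout`, `certout` and `keyout` are set earlier in main, which begins and ends outside the hunk.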
@@ -57,21 +58,24 @@ def request_object(nodes:, token_file:)
 request
 end
- def http_object
- http = Net::HTTP.new(inventory_uri.host, inventory_uri.port)
- http.use_ssl = true
- http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ def https_object
+ https = Net::HTTP.new(inventory_uri.host, inventory_uri.port)
+ https.use_ssl = true
+ https.cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+ https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+ https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ https.ca_file = Puppet.settings[:localcacert]
- http
+ https
 end
 def wait_until_connected(nodes:, token_file:, timeout: 120)
- http = http_object
+ https = https_object
 request = request_object(nodes: nodes, token_file: token_file)
 inventory = {}
 Timeout.timeout(timeout) do
 loop do
- response = http.request(request)
+ response = https.request(request)
 unless response.is_a? Net::HTTPSuccess
 raise "Unexpected result from orchestrator: #{response.class}\n#{response}"
 end
diff --git a/tasks/rbac_token.rb b/tasks/rbac_token.rb
index 9ad76f1f..2070794d 100755
--- a/tasks/rbac_token.rb
+++ b/tasks/rbac_token.rb
@@ -7,6 +7,7 @@
 require 'uri'
 require 'json'
 require 'fileutils'
+require 'open3'
 # Parameters expected:
 # Hash
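Review bot: Renaming `http_object` to `https_object` removes a method from PuppetInfraUpgrade, and the only caller updated in this hunk is `wait_until_connected`; any other call to `http_object` elsewhere in the class (outside this hunk) would now raise NoMethodError, so either confirm there are none or keep `alias http_object https_object` until they are migrated. The cert, key and CA are now taken from `Puppet.settings`, which the `require 'puppet'` added in the earlier hunk makes available but which also ties the task to Puppet resolving the agent's ssl paths in the context the task runs under, as the other tasks in this patch already assume; a header comment on https_object such as `# Mutually authenticated client for the orchestrator inventory API: agent cert/key from Puppet settings, server verified against the Puppet CA.` would make that dependency explicit. The loop in wait_until_connected continues past the end of the hunk.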
@@ -21,14 +22,35 @@
 'label' => 'provision-time token',
 }.to_json
-http = Net::HTTP.new(uri.host, uri.port)
-http.use_ssl = true
-http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+caf = ['/opt/puppetlabs/bin/puppet', 'config', 'print', 'localcacert']
+cafout, cafstatus = Open3.capture2(*caf)
+unless cafstatus.success?
+ raise 'Could not get the CA file path.'
+end
+
+cert = ['/opt/puppetlabs/bin/puppet', 'config', 'print', 'hostcert']
+certout, certstatus = Open3.capture2(*cert)
+unless certstatus.success?
+ raise 'Could not get the Cert file path.'
+end
+
+key = ['/opt/puppetlabs/bin/puppet', 'config', 'print', 'hostprivkey']
+keyout, keystatus = Open3.capture2(*key)
+unless keystatus.success?
+ raise 'Could not get the Key file path.'
+end
+
+https = Net::HTTP.new(uri.host, uri.port)
+https.use_ssl = true
+https.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
+https.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
+https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+https.ca_file = cafout.strip
 request = Net::HTTP::Post.new(uri.request_uri)
 request['Content-Type'] = 'application/json'
 request.body = body
-response = http.request(request)
+response = https.request(request)
 raise "Error requesting token, #{response.body}" unless response.is_a? Net::HTTPSuccess
 token = JSON.parse(response.body)['token']
diff --git a/tasks/restore_classification.rb b/tasks/restore_classification.rb
index cf08a248..2761b85d 100755
--- a/tasks/restore_classification.rb
+++ b/tasks/restore_classification.rb
@@ -24,7 +24,8 @@ def https_client
 client.use_ssl = true
 client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
 client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
- client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ client.ca_file = Puppet.settings[:localcacert]
 client
 end
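Review bot: The three `Open3.capture2` blocks are one lookup copy-pasted three times, and because `capture2` discards stderr the messages raised (`'Could not get the CA file path.'` and its two siblings) give no reason when `puppet config print` fails, which is the failure an operator is most likely to hit once the task starts depending on the agent's PKI. A small `puppet_setting(name)` helper built on `Open3.capture3` removes the duplication and puts stderr into the error; the rewritten lines follow. The `unless ... end` three-liners it replaces would otherwise read better in modifier form, `raise '...' unless status.success?`, matching the `raise ... unless` already used further down the hunk. `uri` and `body` are defined above the hunk and the token handling continues below it.
```ruby
# Resolve a Puppet setting through the local agent so the task uses the
# same CA bundle, cert and key as puppet agent itself; stderr is kept so a
# failed lookup is diagnosable.
def puppet_setting(name)
  out, err, status = Open3.capture3('/opt/puppetlabs/bin/puppet', 'config', 'print', name)
  raise "Could not get the #{name} path: #{err.strip}" unless status.success?
  out.strip
end

https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl = true
https.cert = OpenSSL::X509::Certificate.new(File.read(puppet_setting('hostcert')))
https.key = OpenSSL::PKey::RSA.new(File.read(puppet_setting('hostprivkey')))
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_file = puppet_setting('localcacert')
# … unchanged: request construction and token handling …
```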