(ITHELP-98367) - Fix AiTM attacks vulnerability (#502)

* (ITHELP-98367) - Fix AiTM attacks vulnerability

* Changing localhost out for certnames

---------

Co-authored-by: Neil Anderson <[email protected]>

Author: Ramesh7

REFERENCE.md

@@ -1075,14 +1075,6 @@ Run on a PE primary node to check if Code Manager is enabled.
 
 **Supports noop?** false
 
-#### Parameters
-
-##### `host`
-
-Data type: `String[1]`
-
-Hostname of the PE primary node
-
 ### <a name="code_sync_status"></a>`code_sync_status`
 
 A task to confirm code is in sync accross the cluster for clusters with code manager configured

plans/add_replica.pp

@@ -22,9 +22,7 @@
   $replica_target             = peadm::get_targets($replica_host, 1)
   $replica_postgresql_target  = peadm::get_targets($replica_postgresql_host, 1)
 
-  $code_manager_enabled = run_task(
-    'peadm::code_manager_enabled', $primary_target, host => $primary_target.peadm::certname()
-  ).first.value['code_manager_enabled']
+  $code_manager_enabled = run_task('peadm::code_manager_enabled', $primary_target).first.value['code_manager_enabled']
 
   if $code_manager_enabled == false {
     fail('Code Manager must be enabled to add a replica. Please refer to the docs for more information on enabling Code Manager.')

tasks/backup_classification.rb

@@ -20,11 +20,12 @@ def execute!
   private
 
   def https_client
-    client = Net::HTTP.new('localhost', '4433')
+    client = Net::HTTP.new(Puppet.settings[:certname], 4433)
     client.use_ssl = true
     client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
     client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-    client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    client.ca_file = Puppet.settings[:localcacert]
     client
   end
 

tasks/code_manager_enabled.json

@@ -1,10 +1,5 @@
 {
   "description": "Run on a PE primary node to check if Code Manager is enabled.",
-  "parameters": {
-    "host": {
-      "type": "String[1]",
-      "description": "Hostname of the PE primary node"
-    }
-   },
+  "parameters": {},
   "input_method": "stdin"
 }

tasks/code_manager_enabled.rb

@@ -6,12 +6,8 @@
 require 'net/http'
 require 'puppet'
 
-# GetPEAdmConfig task class
-class GetPEAdmConfig
-  def initialize(params)
-    @host = params['host']
-  end
-
+# CodeManagerEnabled task class
+class CodeManagerEnabled
   def execute!
     code_manager_enabled = groups.dig('PE Master', 'classes', 'puppet_enterprise::profile::master', 'code_manager_auto_configure')
 
@@ -20,18 +16,16 @@ def execute!
     puts({ 'code_manager_enabled' => code_manager_enabled_value }.to_json)
   end
 
-  # Returns a GetPEAdmConfig::NodeGroups object created from the /groups object
-  # returned by the classifier
   def groups
     @groups ||= begin
-      net = https(@host, 4433)
+      net = https
       res = net.get('/classifier-api/v1/groups')
       NodeGroup.new(JSON.parse(res.body))
     end
   end
 
-  def https(host, port)
-    https = Net::HTTP.new(host, port)
+  def https
+    https = Net::HTTP.new(Puppet.settings[:certname], 4433)
     https.use_ssl = true
     https.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
     https.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
@@ -68,6 +62,6 @@ def dig(name, *args)
 # testing of this task.
 unless ENV['RSPEC_UNIT_TEST_MODE']
   Puppet.initialize_settings
-  task = GetPEAdmConfig.new(JSON.parse(STDIN.read))
+  task = CodeManagerEnabled.new
   task.execute!
 end

tasks/code_sync_status.rb

@@ -19,11 +19,12 @@ def execute!
   private
 
   def https_client
-    client = Net::HTTP.new('localhost', '8140')
+    client = Net::HTTP.new(Puppet.settings[:certname], 8140)
     client.use_ssl = true
     client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
     client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-    client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    client.ca_file = Puppet.settings[:localcacert]
     client
   end
 

tasks/pe_ldap_config.rb

@@ -32,17 +32,17 @@ def main
   end
 
   uri = URI("https://#{pe_main}:4433/rbac-api/v1/ds")
-  http = Net::HTTP.new(uri.host, uri.port)
-  http.use_ssl = true
-  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-  http.ca_file = cafout.strip
-  http.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
-  http.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
+  https = Net::HTTP.new(uri.host, uri.port)
+  https.use_ssl = true
+  https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+  https.ca_file = cafout.strip
+  https.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
+  https.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
 
   req = Net::HTTP::Put.new(uri, 'Content-type' => 'application/json')
   req.body = data.to_json
 
-  resp = http.request(req)
+  resp = https.request(req)
 
   puts resp.body
   raise "API response code #{resp.code}" unless resp.code == '200'

tasks/puppet_infra_upgrade.rb

@@ -7,6 +7,7 @@
 require 'open3'
 require 'timeout'
 require 'etc'
+require 'puppet'
 
 # Class to run and execute the `puppet infra upgrade` command as a task.
 class PuppetInfraUpgrade
@@ -39,39 +40,38 @@ def execute!
     end
   end
 
-  def inventory_uri
-    @inventory_uri ||= URI.parse('https://localhost:8143/orchestrator/v1/inventory')
-  end
-
   def request_object(nodes:, token_file:)
     token = File.read(token_file)
     body = {
       'nodes' => nodes,
     }.to_json
 
-    request = Net::HTTP::Post.new(inventory_uri.request_uri)
+    request = Net::HTTP::Post.new('/orchestrator/v1/inventory')
     request['Content-Type'] = 'application/json'
     request['X-Authentication'] = token.chomp
     request.body = body
 
     request
   end
 
-  def http_object
-    http = Net::HTTP.new(inventory_uri.host, inventory_uri.port)
-    http.use_ssl = true
-    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+  def https_object
+    https = Net::HTTP.new(Puppet.settings[:certname], 8143)
+    https.use_ssl = true
+    https.cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+    https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+    https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    https.ca_file = Puppet.settings[:localcacert]
 
-    http
+    https
   end
 
   def wait_until_connected(nodes:, token_file:, timeout: 120)
-    http = http_object
+    https = https_object
     request = request_object(nodes: nodes, token_file: token_file)
     inventory = {}
     Timeout.timeout(timeout) do
       loop do
-        response = http.request(request)
+        response = https.request(request)
         unless response.is_a? Net::HTTPSuccess
           raise "Unexpected result from orchestrator: #{response.class}\n#{response}"
         end
@@ -92,6 +92,7 @@ def wait_until_connected(nodes:, token_file:, timeout: 120)
 # environment flag is used to disable auto-execution and enable Ruby unit
 # testing of this task.
 unless ENV['RSPEC_UNIT_TEST_MODE']
+  Puppet.initialize_settings
   upgrade = PuppetInfraUpgrade.new(JSON.parse(STDIN.read))
   upgrade.execute!
 end

tasks/restore_classification.rb

@@ -20,11 +20,12 @@ def execute!
   private
 
   def https_client
-    client = Net::HTTP.new('localhost', '4433')
+    client = Net::HTTP.new(Puppet.settings[:certname], 4433)
     client.use_ssl = true
     client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
     client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-    client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    client.ca_file = Puppet.settings[:localcacert]
     client
   end