Add TLS validation on the client side

distributed-system-analysis · Jun 22, 2023 · 6274eea · 6274eea
1 parent b082cca
commit 6274eea
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 8 deletions.
diff --git a/jenkins/run-server-func-tests b/jenkins/run-server-func-tests
@@ -8,11 +8,19 @@ export PB_SERVER_IMAGE_TAG=${PB_SERVER_IMAGE_TAG:-"$(cat jenkins/branch.name)"}
 export PB_POD_NAME=${PB_POD_NAME:-"pbench-in-a-can_${PB_SERVER_IMAGE_TAG}"}
 export PB_SERVER_CONTAINER_NAME=${PB_SERVER_CONTAINER_NAME:-"${PB_POD_NAME}-pbenchserver"}
 
-SERVER_URL="https://localhost:8443"
+# Note:  the value of PB_HOST_IP will be used to generate the TLS certificate
+# and so it (not `localhost`) must also be used to access the Pbench Server;
+# otherwise, the TLS validation will fail due to a host mismatch.
+if [[ -z "${PB_HOST_IP}" ]]; then
+    host_ip_list=$(hostname -I)
+    PB_HOST_IP=${host_ip_list%% *}
+    export PB_HOST_IP
+fi
+SERVER_URL="https://${PB_HOST_IP}:8443"
 SERVER_API_ENDPOINTS="${SERVER_URL}/api/v1/endpoints"
 
-# For now, ignore certificate problems when connecting to the Pbench Server
-CURL_PB_SERVER="--insecure"
+# Have Curl use the Pbench CA certificate to validate the TLS/SSL connection
+export CURL_CA_BUNDLE="${PWD}/server/pbenchinacan/etc/pki/tls/certs/pbench_CA.crt"
 
 cleanup_flag=0
 keep_flag=0

diff --git a/lib/pbench/client/__init__.py b/lib/pbench/client/__init__.py
@@ -1,3 +1,4 @@
+import os
 from enum import Enum
 from pathlib import Path
 from typing import Iterator, Optional
@@ -315,8 +316,10 @@ def connect(self, headers: Optional[dict[str, str]] = None) -> None:
         """
         url = parse.urljoin(self.url, "api/v1/endpoints")
         self.session = requests.Session()
-        # FIXME:  `verify` should be set to the path to the CA bundle
-        self.session.verify = False
+
+        # Use the same CA as Curl to do TLS verification;
+        # if it's not defined then disable TLS verification.
+        self.session.verify = os.environ.get("CURL_CA_BUNDLE", False)
         if headers:
             self.session.headers.update(headers)
         response = self.session.get(url)

diff --git a/server/pbenchinacan/run-pbench-in-a-can b/server/pbenchinacan/run-pbench-in-a-can
@@ -27,9 +27,16 @@ export PB_DASHBOARD_DIR="${PB_DASHBOARD_DIR:-${PWD}/dashboard/build/}"
 export KEYCLOAK_REALM=${KEYCLOAK_REALM:-"pbench-server"}
 export KEYCLOAK_CLIENT=${KEYCLOAK_CLIENT:-"pbench-client"}
 
+# Note:  the value of PB_HOST_IP will be used to generate the TLS certificate
+# and so it (not `localhost`) must also be used to access the Pbench Server;
+# otherwise, the TLS validation will fail due to a host mismatch.
+if [[ -z "${PB_HOST_IP}" ]]; then
+    host_ip_list=$(hostname -I)
+    PB_HOST_IP=${host_ip_list%% *}
+    export PB_HOST_IP
+fi
+
 host_name=${PB_HOST_NAME:-$(hostname --fqdn)}
-host_ip_list=${PB_HOST_IP:-$(hostname -I)}
-host_ip=${host_ip_list%% *}
 
 # Set up TMP_DIR, if it's not already defined, to point to WORKSPACE_TMP, if it
 # is defined (e.g., by the CI), or to `/var/tmp/pbench` as a fallback.
@@ -118,7 +125,7 @@ podman run \
     -addext "authorityKeyIdentifier = keyid,issuer" \
     -addext "basicConstraints=CA:FALSE" \
     -addext "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" \
-    -addext "subjectAltName = IP.2:${host_ip}"
+    -addext "subjectAltName = IP.2:${PB_HOST_IP}"
 
 #+
 # Start the services which the Pbench Server depends upon and then start the