From 6274eea0b1d5e02a9d202f3339c58dfbb9bcb8f7 Mon Sep 17 00:00:00 2001
From: Webb Scales
Date: Wed, 21 Jun 2023 21:26:10 -0400
Subject: [PATCH] Add TLS validation on the client side

---
 jenkins/run-server-func-tests | 14 +++++++++++---
 lib/pbench/client/__init__.py | 7 +++++--
 server/pbenchinacan/run-pbench-in-a-can | 13 ++++++++++---
 3 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/jenkins/run-server-func-tests b/jenkins/run-server-func-tests
index 8c4fe98ea0..f211e0892b 100755
--- a/jenkins/run-server-func-tests
+++ b/jenkins/run-server-func-tests
@@ -8,11 +8,19 @@ export PB_SERVER_IMAGE_TAG=${PB_SERVER_IMAGE_TAG:-"$(cat jenkins/branch.name)"}
 export PB_POD_NAME=${PB_POD_NAME:-"pbench-in-a-can_${PB_SERVER_IMAGE_TAG}"}
 export PB_SERVER_CONTAINER_NAME=${PB_SERVER_CONTAINER_NAME:-"${PB_POD_NAME}-pbenchserver"}
 
-SERVER_URL="https://localhost:8443"
+# Note: the value of PB_HOST_IP will be used to generate the TLS certificate
+# and so it (not `localhost`) must also be used to access the Pbench Server;
+# otherwise, the TLS validation will fail due to a host mismatch.
+if [[ -z "${PB_HOST_IP}" ]]; then
+    host_ip_list=$(hostname -I)
+    PB_HOST_IP=${host_ip_list%% *}
+    export PB_HOST_IP
+fi
+SERVER_URL="https://${PB_HOST_IP}:8443"
 SERVER_API_ENDPOINTS="${SERVER_URL}/api/v1/endpoints"
 
-# For now, ignore certificate problems when connecting to the Pbench Server
-CURL_PB_SERVER="--insecure"
+# Have Curl use the Pbench CA certificate to validate the TLS/SSL connection
+export CURL_CA_BUNDLE="${PWD}/server/pbenchinacan/etc/pki/tls/certs/pbench_CA.crt"
 
 cleanup_flag=0
 keep_flag=0
diff --git a/lib/pbench/client/__init__.py b/lib/pbench/client/__init__.py
index b8753cc3a0..93ed34ef41 100644
--- a/lib/pbench/client/__init__.py
+++ b/lib/pbench/client/__init__.py
@@ -1,3 +1,4 @@
+import os
 from enum import Enum
 from pathlib import Path
 from typing import Iterator, Optional
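Review bot: The derived PB_HOST_IP is never checked for emptiness before it is baked into SERVER_URL, so on a host where `hostname -I` prints nothing (or is unavailable) the script carries on with `https://:8443` and fails later with an unrelated connection error instead of a clear message; after the `fi` I would add `[[ -n "${PB_HOST_IP}" ]] || { echo "Unable to determine host IP; set PB_HOST_IP" >&2; exit 1; }`. The same derivation block is duplicated verbatim in the run-pbench-in-a-can hunk starting at its line 27, where the same check is needed, and it would be worth keeping the logic in one place both scripts source so the two cannot drift. CURL_CA_BUNDLE is built from `${PWD}`, which presumably assumes the script is invoked from the repository root; a comment saying so, or deriving the path from the script's own directory, would make that dependency explicit. Any remaining references to the removed CURL_PB_SERVER variable lie outside the hunk and now expand to an empty string.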
@@ -315,8 +316,10 @@ def connect(self, headers: Optional[dict[str, str]] = None) -> None:
         """
         url = parse.urljoin(self.url, "api/v1/endpoints")
         self.session = requests.Session()
-        # FIXME: `verify` should be set to the path to the CA bundle
-        self.session.verify = False
+
+        # Use the same CA as Curl to do TLS verification;
+        # if it's not defined then disable TLS verification.
+        self.session.verify = os.environ.get("CURL_CA_BUNDLE", False)
         if headers:
             self.session.headers.update(headers)
         response = self.session.get(url)
diff --git a/server/pbenchinacan/run-pbench-in-a-can b/server/pbenchinacan/run-pbench-in-a-can
index b968bbf1d2..f85bb6aab4 100755
--- a/server/pbenchinacan/run-pbench-in-a-can
+++ b/server/pbenchinacan/run-pbench-in-a-can
@@ -27,9 +27,16 @@ export PB_DASHBOARD_DIR="${PB_DASHBOARD_DIR:-${PWD}/dashboard/build/}"
 export KEYCLOAK_REALM=${KEYCLOAK_REALM:-"pbench-server"}
 export KEYCLOAK_CLIENT=${KEYCLOAK_CLIENT:-"pbench-client"}
 
+# Note: the value of PB_HOST_IP will be used to generate the TLS certificate
+# and so it (not `localhost`) must also be used to access the Pbench Server;
+# otherwise, the TLS validation will fail due to a host mismatch.
+if [[ -z "${PB_HOST_IP}" ]]; then
+    host_ip_list=$(hostname -I)
+    PB_HOST_IP=${host_ip_list%% *}
+    export PB_HOST_IP
+fi
+
 host_name=${PB_HOST_NAME:-$(hostname --fqdn)}
-host_ip_list=${PB_HOST_IP:-$(hostname -I)}
-host_ip=${host_ip_list%% *}
 
 # Set up TMP_DIR, if it's not already defined, to point to WORKSPACE_TMP, if it
 # is defined (e.g., by the CI), or to `/var/tmp/pbench` as a fallback.
@@ -118,7 +125,7 @@ podman run \
         -addext "authorityKeyIdentifier = keyid,issuer" \
         -addext "basicConstraints=CA:FALSE" \
         -addext "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" \
-        -addext "subjectAltName = IP.2:${host_ip}"
+        -addext "subjectAltName = IP.2:${PB_HOST_IP}"
 
 #+
 # Start the services which the Pbench Server depends upon and then start the
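Review bot: The fallback in `self.session.verify = os.environ.get("CURL_CA_BUNDLE", False)` makes disabled TLS verification the default for every client process that does not happen to carry the CI harness's environment variable, so outside the functional-test run the client still accepts any certificate, which is the opposite of what the commit title promises. requests already consults `REQUESTS_CA_BUNDLE` and `CURL_CA_BUNDLE` itself (in the session's environment-merging step, when trust_env is on) as long as `verify` is left truthy, so `self.session.verify = os.environ.get("CURL_CA_BUNDLE", True)` — or simply not assigning `verify` at all — keeps the CI path working while failing closed everywhere else; if an insecure mode is genuinely wanted for ad-hoc use, it should be an explicit opt-in parameter of connect rather than the absence of a variable. The comment `# if it's not defined then disable TLS verification.` would then need to be reworded to describe the fail-closed behaviour. The enclosing connect method begins before the hunk (only its docstring terminator is visible here) and its body continues after the last context line.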