From 0c833278f9858ae27b9cc3f522c132d75771035e Mon Sep 17 00:00:00 2001
From: Maxime Riaud <65339037+misteriaud@users.noreply.github.com>
Date: Fri, 20 Dec 2024 15:08:38 -0600
Subject: [PATCH] [ASCII-2585] Update processAgent to use HTTPS instead of HTTP for IPC (#32361)
---
 cmd/process-agent/subcommands/config/config.go | 2 +-
 cmd/process-agent/subcommands/status/status.go | 2 +-
 cmd/process-agent/subcommands/status/status_test.go | 2 +-
 .../subcommands/taggerlist/tagger_list.go | 2 +-
 cmd/process-agent/subcommands/workloadlist/command.go | 2 +-
 comp/api/authtoken/fetchonlyimpl/mock.go | 9 ++++++++-
 comp/process/apiserver/apiserver.go | 10 ++++++++--
 comp/process/apiserver/apiserver_test.go | 4 ++--
 pkg/config/fetcher/from_processes.go | 2 +-
 pkg/flare/archive.go | 9 +++++----
 pkg/flare/archive_test.go | 4 ++--
 test/new-e2e/pkg/utils/e2e/client/agent_client.go | 2 +-
 .../config-refresh/config_endpoint.go | 2 +-
 13 files changed, 33 insertions(+), 19 deletions(-)
diff --git a/cmd/process-agent/subcommands/config/config.go b/cmd/process-agent/subcommands/config/config.go
index f7a9996ac10ab..ea776ffd07a47 100644
--- a/cmd/process-agent/subcommands/config/config.go
+++ b/cmd/process-agent/subcommands/config/config.go
@@ -194,7 +194,7 @@ func getClient(cfg model.Reader) (settings.Client, error) {
 return nil, fmt.Errorf("invalid process_config.cmd_port -- %d", port)
 }
- ipcAddressWithPort := fmt.Sprintf("http://%s:%d/config", ipcAddress, port)
+ ipcAddressWithPort := fmt.Sprintf("https://%s:%d/config", ipcAddress, port)
 if err != nil {
 return nil, err
 }
diff --git a/cmd/process-agent/subcommands/status/status.go b/cmd/process-agent/subcommands/status/status.go
index f98877e1979a2..225817d4fa121 100644
--- a/cmd/process-agent/subcommands/status/status.go
+++ b/cmd/process-agent/subcommands/status/status.go
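Review bot: The `https://` scheme is now spelled out inline in a `fmt.Sprintf` at every call site that builds a process-agent IPC URL — this hunk in `getClient`, plus `getStatusURL` in status.go, `taggerListURLTpl`, `workloadURL`, `ProcessAgentConfig` in from_processes.go, three sites in archive.go and the two e2e helpers — which is why one transport change had to touch 13 files. A single helper in the config package, e.g. `func ProcessAgentURL(addressPort, path string) string { return "https://" + addressPort + path }`, would keep scheme, host and path assembly in one place so the next change is one line. `getClient` starts before this hunk and continues after it; the `if err != nil` check that follows the changed line is pre-existing and presumably refers to an earlier assignment, since the `Sprintf` does not set `err`.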
@@ -138,7 +138,7 @@ func getStatusURL() (string, error) {
 if err != nil {
 return "", fmt.Errorf("config error: %s", err.Error())
 }
- return fmt.Sprintf("http://%s/agent/status", addressPort), nil
+ return fmt.Sprintf("https://%s/agent/status", addressPort), nil
 }
 func runStatus(deps dependencies) error {
diff --git a/cmd/process-agent/subcommands/status/status_test.go b/cmd/process-agent/subcommands/status/status_test.go
index e6aabd23aeb17..a6dc7dcd631e9 100644
--- a/cmd/process-agent/subcommands/status/status_test.go
+++ b/cmd/process-agent/subcommands/status/status_test.go
@@ -68,7 +68,7 @@ func TestNotRunning(t *testing.T) {
 addressPort, err := pkgconfigsetup.GetProcessAPIAddressPort(pkgconfigsetup.Datadog())
 require.NoError(t, err)
- statusURL := fmt.Sprintf("http://%s/agent/status", addressPort)
+ statusURL := fmt.Sprintf("https://%s/agent/status", addressPort)
 var b strings.Builder
 getAndWriteStatus(log.NoopLogger, statusURL, &b)
diff --git a/cmd/process-agent/subcommands/taggerlist/tagger_list.go b/cmd/process-agent/subcommands/taggerlist/tagger_list.go
index 235a5a2b958df..fac3127349075 100644
--- a/cmd/process-agent/subcommands/taggerlist/tagger_list.go
+++ b/cmd/process-agent/subcommands/taggerlist/tagger_list.go
@@ -23,7 +23,7 @@ import (
 "github.com/DataDog/datadog-agent/pkg/util/fxutil"
 )
-const taggerListURLTpl = "http://%s/agent/tagger-list"
+const taggerListURLTpl = "https://%s/agent/tagger-list"
 // Commands returns a slice of subcommands for the `tagger-list` command in the Process Agent
 func Commands(globalParams *command.GlobalParams) []*cobra.Command {
diff --git a/cmd/process-agent/subcommands/workloadlist/command.go b/cmd/process-agent/subcommands/workloadlist/command.go
index a123e4c4f9fa2..8da7a727cc74e 100644
--- a/cmd/process-agent/subcommands/workloadlist/command.go
+++ b/cmd/process-agent/subcommands/workloadlist/command.go
@@ -91,7 +91,7 @@ func workloadURL(verbose bool) (string, error) {
 return "", fmt.Errorf("config error: %s", err.Error())
 }
- url := fmt.Sprintf("http://%s/agent/workload-list", addressPort)
+ url := fmt.Sprintf("https://%s/agent/workload-list", addressPort)
 if verbose {
 return url + "/verbose", nil
diff --git a/comp/api/authtoken/fetchonlyimpl/mock.go b/comp/api/authtoken/fetchonlyimpl/mock.go
index 3fa24b25731aa..967c064870e55 100644
--- a/comp/api/authtoken/fetchonlyimpl/mock.go
+++ b/comp/api/authtoken/fetchonlyimpl/mock.go
@@ -9,6 +9,8 @@ package fetchonlyimpl
 import (
 "crypto/tls"
+ "net/http"
+ "net/http/httptest"
 "go.uber.org/fx"
@@ -40,7 +42,12 @@ func (fc *MockFetchOnly) GetTLSClientConfig() *tls.Config {
 // GetTLSServerConfig is a mock of the fetchonly GetTLSServerConfig function
 func (fc *MockFetchOnly) GetTLSServerConfig() *tls.Config {
- return &tls.Config{}
+ // Starting a TLS httptest server to retrieve a localhost tlsCert
+ ts := httptest.NewTLSServer(http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {}))
+ tlsConfig := ts.TLS.Clone()
+ ts.Close()
+
+ return tlsConfig
 }
 // NewMock returns a new fetch only authtoken mock
diff --git a/comp/process/apiserver/apiserver.go b/comp/process/apiserver/apiserver.go
index 9c37154296f64..a7f75cfcbf471 100644
--- a/comp/process/apiserver/apiserver.go
+++ b/comp/process/apiserver/apiserver.go
@@ -7,7 +7,9 @@ package apiserver
 import (
 "context"
+ "crypto/tls"
 "errors"
+ "net"
 "net/http"
 "time"
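Review bot: `GetTLSServerConfig` now boots a real listening `httptest` TLS server on every call just to copy its `tls.Config`, binding a loopback port and tearing it down again each time the mock is asked for a config; since the result is identical every time, compute it once (in `NewMock`, or under a `sync.Once` on `MockFetchOnly`) and return a clone of the cached config. The key pair in that config is httptest's built-in localhost test certificate from the Go source tree, so a comment such as `// Uses httptest's built-in localhost test certificate; only meaningful for loopback tests, never for real IPC` would make the intent explicit for anyone tempted to reuse the mock outside tests. The surrounding `MockFetchOnly` type and `NewMock` are outside this hunk.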
@@ -60,14 +62,18 @@ func newApiServer(deps dependencies) Component {
 ReadTimeout: timeout,
 WriteTimeout: timeout,
 IdleTimeout: timeout,
- TLSConfig: deps.At.GetTLSServerConfig(),
 },
 }
 deps.Lc.Append(fx.Hook{
 OnStart: func(_ context.Context) error {
+ ln, err := net.Listen("tcp", addr)
+ if err != nil {
+ return err
+ }
 go func() {
- err := apiserver.server.ListenAndServe()
+ tlsListener := tls.NewListener(ln, deps.At.GetTLSServerConfig())
+ err = apiserver.server.Serve(tlsListener)
 if err != nil && !errors.Is(err, http.ErrServerClosed) {
 _ = deps.Log.Error(err)
 }
diff --git a/comp/process/apiserver/apiserver_test.go b/comp/process/apiserver/apiserver_test.go
index 1131bad880776..4f8b7f2cca342 100644
--- a/comp/process/apiserver/apiserver_test.go
+++ b/comp/process/apiserver/apiserver_test.go
@@ -56,7 +56,7 @@ func TestLifecycle(t *testing.T) {
 ))
 assert.EventuallyWithT(t, func(c *assert.CollectT) {
- url := fmt.Sprintf("http://localhost:%d/agent/status", port)
+ url := fmt.Sprintf("https://localhost:%d/agent/status", port)
 req, err := http.NewRequest("GET", url, nil)
 require.NoError(c, err)
 req.Header.Set("Authorization", "Bearer "+util.GetAuthToken())
@@ -94,7 +94,7 @@ func TestPostAuthentication(t *testing.T) {
 assert.EventuallyWithT(t, func(c *assert.CollectT) {
 // No authentication
- url := fmt.Sprintf("http://localhost:%d/config/log_level?value=debug", port)
+ url := fmt.Sprintf("https://localhost:%d/config/log_level?value=debug", port)
 req, err := http.NewRequest("POST", url, nil)
 require.NoError(c, err)
 res, err := util.GetClient(false).Do(req)
diff --git a/pkg/config/fetcher/from_processes.go b/pkg/config/fetcher/from_processes.go
index 95c24e283fb46..e6f86f6c44e19 100644
--- a/pkg/config/fetcher/from_processes.go
+++ b/pkg/config/fetcher/from_processes.go
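Review bot: The goroutine now assigns to the `err` declared by `ln, err := net.Listen("tcp", addr)` (`err = apiserver.server.Serve(tlsListener)`), so a variable owned by the OnStart closure is written from another goroutine after OnStart has presumably returned; `err := apiserver.server.Serve(...)` keeps the Serve result local, as the removed `ListenAndServe` line did. Moving `deps.At.GetTLSServerConfig()` out of the goroutine and checking it before `net.Listen` would make a nil server config fail at start instead of at the first handshake, assuming the component can return nil — the removed `TLSConfig` field was evaluated eagerly at construction, so this is a small regression in when misconfiguration surfaces. Binding the listener synchronously in OnStart is a good change (the port is open before the hook returns); a one-line comment saying so, e.g. `// Listen before returning so callers see a bound port when OnStart completes`, would keep a future refactor from folding it back into the goroutine. `newApiServer` begins and ends outside this hunk.
```go
		OnStart: func(_ context.Context) error {
			tlsConfig := deps.At.GetTLSServerConfig()
			if tlsConfig == nil {
				return errors.New("process api server: nil TLS server config")
			}
			// Listen before returning so callers see a bound port when OnStart completes.
			ln, err := net.Listen("tcp", addr)
			if err != nil {
				return err
			}
			go func() {
				err := apiserver.server.Serve(tls.NewListener(ln, tlsConfig))
				// … unchanged: ErrServerClosed check and error logging …
```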
@@ -94,7 +94,7 @@ func ProcessAgentConfig(config config.Reader, getEntireConfig bool) (string, err
 return "", fmt.Errorf("invalid process_config.cmd_port -- %d", port)
 }
- ipcAddressWithPort := fmt.Sprintf("http://%s:%d/config", ipcAddress, port)
+ ipcAddressWithPort := fmt.Sprintf("https://%s:%d/config", ipcAddress, port)
 if getEntireConfig {
 ipcAddressWithPort += "/all"
 }
diff --git a/pkg/flare/archive.go b/pkg/flare/archive.go
index 8c2ad86688e97..8e820bb36f3ef 100644
--- a/pkg/flare/archive.go
+++ b/pkg/flare/archive.go
@@ -266,7 +266,7 @@ func getProcessAgentFullConfig() ([]byte, error) {
 return nil, fmt.Errorf("wrong configuration to connect to process-agent")
 }
- procStatusURL := fmt.Sprintf("http://%s/config/all", addressPort)
+ procStatusURL := fmt.Sprintf("https://%s/config/all", addressPort)
 bytes, err := getHTTPCallContent(procStatusURL)
 if err != nil {
@@ -314,7 +314,7 @@ func getChecksFromProcessAgent(fb flaretypes.FlareBuilder, getAddressPort func()
 log.Errorf("Could not zip process agent checks: wrong configuration to connect to process-agent: %s", err.Error())
 return
 }
- checkURL := fmt.Sprintf("http://%s/check/", addressPort)
+ checkURL := fmt.Sprintf("https://%s/check/", addressPort)
 getCheck := func(checkName, setting string) {
 filename := fmt.Sprintf("%s_check_output.json", checkName)
@@ -399,7 +399,7 @@ func getProcessAgentTaggerList() ([]byte, error) {
 return nil, err
 }
- taggerListURL := fmt.Sprintf("http://%s/agent/tagger-list", addressPort)
+ taggerListURL := fmt.Sprintf("https://%s/agent/tagger-list", addressPort)
 return getTaggerList(taggerListURL)
 }
@@ -485,7 +485,8 @@ func getHTTPCallContent(url string) ([]byte, error) {
 ctx, cancel := context.WithTimeout(context.Background(), 4*time.Second)
 defer cancel()
- client := http.Client{}
+ client := apiutil.GetClient(false) // FIX: get certificates right then make this true
+
 req, err := http.NewRequest(http.MethodGet, url, nil)
 if err != nil {
 return nil, err
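Review bot: `apiutil.GetClient(false)` together with the comment `// FIX: get certificates right then make this true` presumably leaves server-certificate verification off, so the move from `http://` to `https://` in `getHTTPCallContent` encrypts the connection but does not authenticate the process-agent endpoint — whatever headers the request carries further down the function (its body continues past the hunk) are presented to any listener that answers on the configured address. A bare `FIX:` tends to outlive the PR; tie it to the follow-up, e.g. `// TODO(<tracking-id>): verify the IPC certificate and switch to GetClient(true)`, and consider sourcing the client config from the same authtoken component that now supplies `GetTLSServerConfig`, which in this diff also exposes `GetTLSClientConfig` on the mock. The same `GetClient(false)` call appears as context in apiserver_test.go's `TestPostAuthentication` hunk, so the test suite currently only proves the HTTPS path works when verification is disabled.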
diff --git a/pkg/flare/archive_test.go b/pkg/flare/archive_test.go
index fb4ee4866a224..25271c47273f9 100644
--- a/pkg/flare/archive_test.go
+++ b/pkg/flare/archive_test.go
@@ -219,7 +219,7 @@ process_config:
 _, err = w.Write(b)
 require.NoError(t, err)
 }
- srv := httptest.NewServer(http.HandlerFunc(handler))
+ srv := httptest.NewTLSServer(http.HandlerFunc(handler))
 defer srv.Close()
 setupIPCAddress(t, cfg, srv.URL)
@@ -294,7 +294,7 @@ func TestProcessAgentChecks(t *testing.T) {
 require.NoError(t, err)
 }
- srv := httptest.NewServer(http.HandlerFunc(handler))
+ srv := httptest.NewTLSServer(http.HandlerFunc(handler))
 defer srv.Close()
 setupIPCAddress(t, configmock.New(t), srv.URL)
diff --git a/test/new-e2e/pkg/utils/e2e/client/agent_client.go b/test/new-e2e/pkg/utils/e2e/client/agent_client.go
index 1a362ac6e4f32..7498924e51b16 100644
--- a/test/new-e2e/pkg/utils/e2e/client/agent_client.go
+++ b/test/new-e2e/pkg/utils/e2e/client/agent_client.go
@@ -126,7 +126,7 @@ func waitForAgentsReady(tt *testing.T, host *Host, params *agentclientparams.Par
 }
 func processAgentRequest(params *agentclientparams.Params, host *Host) (*http.Request, bool, error) {
- return makeStatusEndpointRequest(params, host, "http://localhost:%d/agent/status", params.ProcessAgentPort)
+ return makeStatusEndpointRequest(params, host, "https://localhost:%d/agent/status", params.ProcessAgentPort)
 }
 func traceAgentRequest(params *agentclientparams.Params, host *Host) (*http.Request, bool, error) {
diff --git a/test/new-e2e/tests/agent-shared-components/config-refresh/config_endpoint.go b/test/new-e2e/tests/agent-shared-components/config-refresh/config_endpoint.go
index 356f76386e644..19bfbc503ae18 100644
--- a/test/new-e2e/tests/agent-shared-components/config-refresh/config_endpoint.go
+++ b/test/new-e2e/tests/agent-shared-components/config-refresh/config_endpoint.go
@@ -24,7 +24,7 @@ func traceConfigEndpoint(port int) agentConfigEndpointInfo {
 }
 func processConfigEndpoint(port int) agentConfigEndpointInfo {
- return agentConfigEndpointInfo{"process-agent", "http", port, "/config/all"}
+ return agentConfigEndpointInfo{"process-agent", "https", port, "/config/all"}
 }
 func securityConfigEndpoint(port int) agentConfigEndpointInfo {