(ITHELP-98367) - Fix AiTM attacks vulnerability

Author: Ramesh7

tasks/backup_classification.rb

@@ -24,7 +24,8 @@ def https_client
     client.use_ssl = true
     client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
     client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-    client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    client.ca_file = Puppet.settings[:localcacert]
     client
   end
 

tasks/code_sync_status.rb

@@ -23,7 +23,8 @@ def https_client
     client.use_ssl = true
     client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
     client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-    client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    client.ca_file = Puppet.settings[:localcacert]
     client
   end
 

tasks/get_peadm_config.rb

@@ -105,7 +105,8 @@ def https(port)
     https.use_ssl = true
     https.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
     https.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-    https.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    https.ca_file = Puppet.settings[:localcacert]
     https
   end
 

tasks/pe_ldap_config.rb

@@ -32,17 +32,17 @@ def main
   end
 
   uri = URI("https://#{pe_main}:4433/rbac-api/v1/ds")
-  http = Net::HTTP.new(uri.host, uri.port)
-  http.use_ssl = true
-  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-  http.ca_file = cafout.strip
-  http.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
-  http.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
+  https = Net::HTTP.new(uri.host, uri.port)
+  https.use_ssl = true
+  https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+  https.ca_file = cafout.strip
+  https.cert = OpenSSL::X509::Certificate.new(File.read(certout.strip))
+  https.key = OpenSSL::PKey::RSA.new(File.read(keyout.strip))
 
   req = Net::HTTP::Put.new(uri, 'Content-type' => 'application/json')
   req.body = data.to_json
 
-  resp = http.request(req)
+  resp = https.request(req)
 
   puts resp.body
   raise "API response code #{resp.code}" unless resp.code == '200'

tasks/puppet_infra_upgrade.rb

@@ -7,6 +7,7 @@
 require 'open3'
 require 'timeout'
 require 'etc'
+require 'puppet'
 
 # Class to run and execute the `puppet infra upgrade` command as a task.
 class PuppetInfraUpgrade
@@ -57,21 +58,24 @@ def request_object(nodes:, token_file:)
     request
   end
 
-  def http_object
-    http = Net::HTTP.new(inventory_uri.host, inventory_uri.port)
-    http.use_ssl = true
-    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+  def https_object
+    https = Net::HTTP.new(inventory_uri.host, inventory_uri.port)
+    https.use_ssl = true
+    https.cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+    https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+    https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    https.ca_file = Puppet.settings[:localcacert]
 
-    http
+    https
   end
 
   def wait_until_connected(nodes:, token_file:, timeout: 120)
-    http = http_object
+    https = https_object
     request = request_object(nodes: nodes, token_file: token_file)
     inventory = {}
     Timeout.timeout(timeout) do
       loop do
-        response = http.request(request)
+        response = https.request(request)
         unless response.is_a? Net::HTTPSuccess
           raise "Unexpected result from orchestrator: #{response.class}\n#{response}"
         end

tasks/restore_classification.rb

@@ -24,7 +24,8 @@ def https_client
     client.use_ssl = true
     client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
     client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-    client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    client.ca_file = Puppet.settings[:localcacert]
     client
   end