From 7cac8d4abc9e3805edf99c1a07ecfc2959b1457b Mon Sep 17 00:00:00 2001
From: Ioannis Karasavvaidis
Date: Mon, 23 Sep 2024 11:04:00 +0100
Subject: [PATCH 1/5] (MAINT) update SSL verification and certificate handling

- Changed SSL verification mode to VERIFY_PEER for enhanced security.
- Added Puppet settings initialization to load necessary certificates.
- Updated HTTP request to use Puppet's certname and certificate files.
- Ensured CA file is set for SSL verification.
---
 tasks/get_peadm_config.rb | 3 ++-
 tasks/rbac_token.rb | 20 ++++++++++++--------
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/tasks/get_peadm_config.rb b/tasks/get_peadm_config.rb
index 30d8ad21..15ce8f05 100755
--- a/tasks/get_peadm_config.rb
+++ b/tasks/get_peadm_config.rb
@@ -105,7 +105,8 @@ def https(port)
 https.use_ssl = true
 https.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
 https.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
- https.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ https.ca_file = Puppet.settings[:localcacert]
 https
 end
diff --git a/tasks/rbac_token.rb b/tasks/rbac_token.rb
index 9ad76f1f..22bbce47 100755
--- a/tasks/rbac_token.rb
+++ b/tasks/rbac_token.rb
@@ -4,16 +4,17 @@
 #
 # rubocop:disable Style/GlobalVars
 require 'net/https'
-require 'uri'
 require 'json'
 require 'fileutils'
+require 'puppet'
 # Parameters expected:
 # Hash
 # String password
 $params = JSON.parse(STDIN.read)
-uri = URI.parse('https://localhost:4433/rbac-api/v1/auth/token')
+Puppet.initialize_settings
+
 body = {
 'login' => 'admin',
 'password' => $params['password'],
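Review bot: Enabling VERIFY_PEER in this hunk while the connection on the line just above it is still opened against 'localhost' means Net::HTTP's hostname check (performed after the handshake whenever verify_mode is not VERIFY_NONE, unless verify_hostname has been disabled) compares the server certificate against `localhost`, which fails unless that name is among the certificate's subject alternative names. PATCH 5/5 in this series switches the address to `Puppet.settings[:certname]`; the two changes belong in the same commit so that no intermediate revision of `https(port)` is unusable. A verification failure surfaces from `https(port)` as an OpenSSL::SSL::SSLError rather than through any check visible here, so a comment such as `# VERIFY_PEER: the server cert must chain to localcacert and be valid for the address passed to Net::HTTP.new` would record the dependency for the next reader. The body of `https(port)` starts outside the hunk.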
@@ -21,15 +22,18 @@
 'label' => 'provision-time token',
 }.to_json
-http = Net::HTTP.new(uri.host, uri.port)
-http.use_ssl = true
-http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-request = Net::HTTP::Post.new(uri.request_uri)
+https. = Net::HTTP.new(Puppet.settings[:certname], 4433)
+https..use_ssl = true
+https..cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+https..key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+https..verify_mode = OpenSSL::SSL::VERIFY_PEER
+https..ca_file = Puppet.settings[:localcacert]
+request = Net::https.:Post.new('/rbac-api/v1/auth/token')
 request['Content-Type'] = 'application/json'
 request.body = body
-response = http.request(request)
-raise "Error requesting token, #{response.body}" unless response.is_a? Net::HTTPSuccess
+response = https.request(request)
+raise "Error requesting token, #{response.body}" unless response.is_a? Net::https.success
 token = JSON.parse(response.body)['token']
 FileUtils.mkdir_p('/root/.puppetlabs')

From a60cc103a38f7c0b4879c749fd49ba5b8efe6b2d Mon Sep 17 00:00:00 2001
From: Ioannis Karasavvaidis
Date: Mon, 23 Sep 2024 11:07:35 +0100
Subject: [PATCH 2/5] fix(rbac_token): correct syntax errors in SSL configuration

- Fixed incorrect syntax in Net::HTTP initialization.
- Corrected method calls for SSL setup and certificate handling.
- Ensured proper request initialization for RBAC token generation.
---
 tasks/rbac_token.rb | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/tasks/rbac_token.rb b/tasks/rbac_token.rb
index 22bbce47..c12657a9 100755
--- a/tasks/rbac_token.rb
+++ b/tasks/rbac_token.rb
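Review bot: The added lines `https. = Net::HTTP.new(...)`, the `https..` receivers, `Net::https.:Post` and `Net::https.success` do not parse, so this commit leaves tasks/rbac_token.rb unloadable; PATCH 2/5 through 4/5 repair them one at a time, and squashing those fixes into this commit would keep every revision in the history runnable. Independently of the typos, with VERIFY_PEER now in force the TLS handshake can fail before any response exists, and the only error path in the hunk is the `raise` keyed on the HTTP status, so a certificate or hostname mismatch reaches the task output as a bare OpenSSL::SSL::SSLError backtrace. Wrapping `https.request(request)` in a rescue of OpenSSL::SSL::SSLError that re-raises with the address and `Puppet.settings[:localcacert]` in the message would make such a failure diagnosable from the task result.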
@@ -22,13 +22,13 @@
 'label' => 'provision-time token',
 }.to_json
-https. = Net::HTTP.new(Puppet.settings[:certname], 4433)
-https..use_ssl = true
-https..cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
-https..key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-https..verify_mode = OpenSSL::SSL::VERIFY_PEER
-https..ca_file = Puppet.settings[:localcacert]
-request = Net::https.:Post.new('/rbac-api/v1/auth/token')
+https = Net::HTTP.new(Puppet.settings[:certname], 4433)
+https.use_ssl = true
+https.cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+https.ca_file = Puppet.settings[:localcacert]
+request = Net::https:Post.new('/rbac-api/v1/auth/token')
 request['Content-Type'] = 'application/json'
 request.body = body

From 07463ed6cda08a119ae2420ef7320805d794fa7b Mon Sep 17 00:00:00 2001
From: Ioannis Karasavvaidis
Date: Mon, 23 Sep 2024 11:09:22 +0100
Subject: [PATCH 3/5] fix(rbac_token): correct Net::HTTPSuccess class reference

- Fixed incorrect reference to Net::HTTPSuccess class in token request error handling.
---
 tasks/rbac_token.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/rbac_token.rb b/tasks/rbac_token.rb
index c12657a9..b3a54ac2 100755
--- a/tasks/rbac_token.rb
+++ b/tasks/rbac_token.rb
@@ -33,7 +33,7 @@
 request.body = body
 response = https.request(request)
-raise "Error requesting token, #{response.body}" unless response.is_a? Net::https.success
+raise "Error requesting token, #{response.body}" unless response.is_a? Net::HTTPSuccess
 token = JSON.parse(response.body)['token']
 FileUtils.mkdir_p('/root/.puppetlabs')

From e3ae941758c3cfda3ec855de6bb96ceb6cb1555a Mon Sep 17 00:00:00 2001
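Review bot: The added line `https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))` hard-codes the key algorithm, so on an agent whose host key is not RSA (recent Puppet versions expose a `key_type` setting that allows `ec`, if I recall correctly) the constructor raises before any request is sent. `https.key = OpenSSL::PKey.read(File.read(Puppet.settings[:hostprivkey]))` loads either key type and yields the object Net::HTTP expects; the same RSA-only constructor appears in the `https(port)` helper of tasks/get_peadm_config.rb, which should be changed to match. The client certificate and key are now read from disk on every run, which is fine for a one-shot task but worth a one-line comment, `# present the agent's own cert/key to the RBAC endpoint`, since the previous version sent none.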
From: Ioannis Karasavvaidis
Date: Mon, 23 Sep 2024 11:43:58 +0100
Subject: [PATCH 4/5] fix(rbac_token): correct typo in Net::HTTP::Post initialization

Corrected the typo in the initialization of Net::HTTP::Post for creating the RBAC token request. This ensures the correct HTTP method is used for the request.
---
 tasks/rbac_token.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/rbac_token.rb b/tasks/rbac_token.rb
index b3a54ac2..d7339233 100755
--- a/tasks/rbac_token.rb
+++ b/tasks/rbac_token.rb
@@ -28,7 +28,7 @@
 https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
 https.verify_mode = OpenSSL::SSL::VERIFY_PEER
 https.ca_file = Puppet.settings[:localcacert]
-request = Net::https:Post.new('/rbac-api/v1/auth/token')
+request = Net::HTTP::Post.new('/rbac-api/v1/auth/token')
 request['Content-Type'] = 'application/json'
 request.body = body

From 04595e82c0e0938f6e4c360bd2301cdda56df4ac Mon Sep 17 00:00:00 2001
From: Ioannis Karasavvaidis
Date: Mon, 23 Sep 2024 12:25:11 +0100
Subject: [PATCH 5/5] fix(get_peadm_config): use Puppet certname instead of localhost for HTTPS connection

Changed the HTTPS connection to use Puppet's certname instead of 'localhost' to ensure proper SSL certificate validation.
---
 tasks/get_peadm_config.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/get_peadm_config.rb b/tasks/get_peadm_config.rb
index 15ce8f05..88eab7ba 100755
--- a/tasks/get_peadm_config.rb
+++ b/tasks/get_peadm_config.rb
@@ -101,7 +101,7 @@ def server(role, letter, certname_array)
 end
 def https(port)
- https = Net::HTTP.new('localhost', port)
+ https = Net::HTTP.new(Puppet.settings[:certname], port)
 https.use_ssl = true
 https.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
 https.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
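Review bot: Connecting to `Puppet.settings[:certname]` instead of 'localhost' makes `https(port)` depend on that name resolving on the node running the task and on the PE service listening on the resolved address, and the change adds no check for either; where the old code silently succeeded, a resolution failure now ends the task with a raw connection error. The reason for the switch is only in the commit message, so a comment on the changed line, `# connect by certname so the server certificate matches the address under VERIFY_PEER`, would keep it with the code. `Puppet.settings[:certname]` is only meaningful after `Puppet.initialize_settings`; this file already read `Puppet.settings[:hostcert]` before this change, so presumably that call exists earlier in the file, but it is outside the hunk and worth confirming. The rest of `https(port)` lies below the hunk.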