(MAINT) SSL Verification extended (#504)

* (MAINT) update SSL verification and certificate handling

- Changed SSL verification mode to VERIFY_PEER for enhanced security.
- Added Puppet settings initialization to load necessary certificates.
- Updated HTTP request to use Puppet's certname and certificate files.
- Ensured CA file is set for SSL verification.

* fix(rbac_token): correct syntax errors in SSL configuration

- Fixed incorrect syntax in Net::HTTP initialization.
- Corrected method calls for SSL setup and certificate handling.
- Ensured proper request initialization for RBAC token generation.

* fix(rbac_token): correct Net::HTTPSuccess class reference

- Fixed incorrect reference to Net::HTTPSuccess class in token request error handling.

* fix(rbac_token): correct typo in Net::HTTP::Post initialization

Corrected the typo in the initialization of Net::HTTP::Post for creating the RBAC token request. This ensures the correct HTTP method is used for the request.

* fix(get_peadm_config): use Puppet certname instead of localhost for HTTPS connection

Changed the HTTPS connection to use Puppet's certname instead of 'localhost' to ensure proper SSL certificate validation.

Author: CoMfUcIoS

tasks/get_peadm_config.rb

@@ -101,11 +101,12 @@ def server(role, letter, certname_array)
   end
 
   def https(port)
-    https = Net::HTTP.new('localhost', port)
+    https = Net::HTTP.new(Puppet.settings[:certname], port)
     https.use_ssl = true
     https.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
     https.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
-    https.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    https.ca_file = Puppet.settings[:localcacert]
     https
   end
 

tasks/rbac_token.rb

@@ -4,31 +4,35 @@
 #
 # rubocop:disable Style/GlobalVars
 require 'net/https'
-require 'uri'
 require 'json'
 require 'fileutils'
+require 'puppet'
 
 # Parameters expected:
 #   Hash
 #     String password
 $params = JSON.parse(STDIN.read)
 
-uri = URI.parse('https://localhost:4433/rbac-api/v1/auth/token')
+Puppet.initialize_settings
+
 body = {
   'login'    => 'admin',
   'password' => $params['password'],
   'lifetime' => $params['token_lifetime'],
   'label'    => 'provision-time token',
 }.to_json
 
-http = Net::HTTP.new(uri.host, uri.port)
-http.use_ssl = true
-http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-request = Net::HTTP::Post.new(uri.request_uri)
+https = Net::HTTP.new(Puppet.settings[:certname], 4433)
+https.use_ssl = true
+https.cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+https.ca_file = Puppet.settings[:localcacert]
+request = Net::HTTP::Post.new('/rbac-api/v1/auth/token')
 request['Content-Type'] = 'application/json'
 request.body = body
 
-response = http.request(request)
+response = https.request(request)
 raise "Error requesting token, #{response.body}" unless response.is_a? Net::HTTPSuccess
 token = JSON.parse(response.body)['token']