Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added sopport for insecure mode (skip verification certs) #70

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Added sopport for insecure mode (skip verification certs) #70

wants to merge 2 commits into from

Conversation

juliancnn
Copy link
Member

@juliancnn juliancnn commented Dec 10, 2024
edited
Loading

Description

Part of wazuh/wazuh#27174

This PR adds the functionality to make optional the verification of certificates against a CA, also modifies the test tool to verify this behavior.

Example

Skipping validation against opensearch

╰─# ./urlrequest_testtool -u "https://localhost:9200/_cluster/health?pretty=true" -t get --skip-verify-peer true --username admin --password admin
{
  "cluster_name" : "opensearch-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 5,
  "active_shards" : 5,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Without skipping validation

(venv) ╭─root@56bc7e709b7a /workspaces/repos/wazuh-http-request/build/test_tool ‹27174-implement-ssl-verification●› 
╰─# ./urlrequest_testtool -u "https://localhost:9200/_cluster/health?pretty=true" -t get --skip-verify-peer false --username admin --password admin
SSL peer certificate or SSH remote key was not OK: -1
SSL peer certificate or SSH remote key was not OK

Usage: urlrequest_testtool <option(s)> SOURCES 
Options:
        -h                      Show this help message
        -u URL_ADDRESS          Specifies the URL of the file to download or the RESTful address.
        -t TYPE                 Specifies the type of action to execute [download, post, get, put, delete].
        -p JSON_FILE            Specifies the file containing the JSON data to send in the POST request.
        -o OUTPUT_FILE          Specifies the output file of the downloaded file.
        -H HEADERS              Specifies the headers to send in the request. If not preset, DEFAULT_HEADERS will be used.
        --cacert CACERT         Specifies the CA certificate file to use in the request.
        --cert CERT             Specifies the certificate file to use in the request.
        --key KEY               Specifies the key file to use in the request.
        --username USERNAME     Specifies the username to use in the request.
        --password PASSWORD     Specifies the password to use in the request.
        --skip-verify-peer      Specifies if the peer verification should be skipped. Default is false.
        --timeout TIMEOUT       Specifies the timeout in miliseconds for the request.

Example:
        ./urlrequest_testtool -u https://httpbin.org/get -t download -o out 

        ./urlrequest_testtool -u https://httpbin.org/get -t get

        ./urlrequest_testtool -u https://httpbin.org/post -t post -p input.json

        ./urlrequest_testtool -u https://httpbin.org/put -t put -p input.json

        ./urlrequest_testtool -u https://httpbin.org/delete -t delete

        ./urlrequest_testtool -u https://httpbin.org/get -t get -H "Authorization: Bearer token"

        ./urlrequest_testtool -u https://httpbin.org/get -t get --cacert cacert.pem --cert cert.pem --key key.pem --username admin --password admin

        ./urlrequest_testtool -u https://httpbin.org/delay/10 -t get --timeout 1000

(venv) ╭─root@56bc7e709b7a /workspaces/repos/wazuh-http-request/build/test_tool ‹27174-implement-ssl-verification●› 
╰─# ./urlrequest_testtool -u "https://localhost:9200/_cluster/health?pretty=true" -t get --username admin --password admin 
SSL peer certificate or SSH remote key was not OK: -1
SSL peer certificate or SSH remote key was not OK

Usage: urlrequest_testtool <option(s)> SOURCES 
Options:
        -h                      Show this help message
        -u URL_ADDRESS          Specifies the URL of the file to download or the RESTful address.
        -t TYPE                 Specifies the type of action to execute [download, post, get, put, delete].
        -p JSON_FILE            Specifies the file containing the JSON data to send in the POST request.
        -o OUTPUT_FILE          Specifies the output file of the downloaded file.
        -H HEADERS              Specifies the headers to send in the request. If not preset, DEFAULT_HEADERS will be used.
        --cacert CACERT         Specifies the CA certificate file to use in the request.
        --cert CERT             Specifies the certificate file to use in the request.
        --key KEY               Specifies the key file to use in the request.
        --username USERNAME     Specifies the username to use in the request.
        --password PASSWORD     Specifies the password to use in the request.
        --skip-verify-peer      Specifies if the peer verification should be skipped. Default is false.
        --timeout TIMEOUT       Specifies the timeout in miliseconds for the request.

Example:
        ./urlrequest_testtool -u https://httpbin.org/get -t download -o out 

        ./urlrequest_testtool -u https://httpbin.org/get -t get

        ./urlrequest_testtool -u https://httpbin.org/post -t post -p input.json

        ./urlrequest_testtool -u https://httpbin.org/put -t put -p input.json

        ./urlrequest_testtool -u https://httpbin.org/delete -t delete

        ./urlrequest_testtool -u https://httpbin.org/get -t get -H "Authorization: Bearer token"

        ./urlrequest_testtool -u https://httpbin.org/get -t get --cacert cacert.pem --cert cert.pem --key key.pem --username admin --password admin

        ./urlrequest_testtool -u https://httpbin.org/delay/10 -t get --timeout 1000

With certs:

╭─root@56bc7e709b7a /workspaces/repos/wazuh-http-request/build/test_tool ‹27174-implement-ssl-verification› 
╰─# ./urlrequest_testtool -u "https://localhost:9200/_cluster/health?pretty=true" -t get --skip-verify-peer false --username admin --password admin --cert /workspaces/repos/full_environment/certs/wazuh-indexer.pem --cacert /workspaces/repos/full_environment/certs/root-ca.pem --key /workspaces/repos/full_environment/certs/wazuh-indexer.key
{
  "cluster_name" : "opensearch-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 5,
  "active_shards" : 5,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

HTTP

./urlrequest_testtool -u "http://www.http2demo.io/" -t get

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-Ua-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width">
    <link rel="shortcut icon" href="img/favicon.ico" type="image/x-icon">
    <title>HTTP/2 technology demo</title>
    <link rel="stylesheet" href="css/style.css" media="all">
    <link rel="stylesheet" href="css/jssocials.css" media="all">
    <link rel="stylesheet" href="css/jssocials-theme-flat.css" media="all">
    <link rel="stylesheet" href="css/font-awesome.css" media="all">
</head>
..........

@juliancnn juliancnn requested a review from Dwordcito as a code owner December 10, 2024 20:38
@juliancnn juliancnn self-assigned this Dec 10, 2024
@juliancnn juliancnn force-pushed the 27174-implement-ssl-verification branch from 3b40ddf to 5c15a99 Compare December 10, 2024 20:43
@juliancnn juliancnn linked an issue Dec 11, 2024 that may be closed by this pull request
Implement SSL certificate verification for wazuh-engine indexer connector wazuh/wazuh#27174
Open
JavierBejMen
JavierBejMen approved these changes Dec 17, 2024
View reviewed changes
Copy link
Member

@JavierBejMen JavierBejMen left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, tested on wazuh/wazuh#27268 (review)

@JavierBejMen JavierBejMen self-requested a review December 17, 2024 10:59
NahuFigueroa97
NahuFigueroa97 approved these changes Dec 17, 2024
View reviewed changes
Copy link
Member

@NahuFigueroa97 NahuFigueroa97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Tested in wazuh/wazuh#27268 (review)

JcabreraC
JcabreraC approved these changes Dec 18, 2024
View reviewed changes
Copy link
Member

@JcabreraC JcabreraC left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM ! Testing in: wazuh/wazuh#27268 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JcabreraC JcabreraC JcabreraC approved these changes

@JavierBejMen JavierBejMen JavierBejMen approved these changes

@Dwordcito Dwordcito Awaiting requested review from Dwordcito Dwordcito is a code owner

@NahuFigueroa97 NahuFigueroa97 Awaiting requested review from NahuFigueroa97

Assignees

@juliancnn juliancnn

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement SSL certificate verification for wazuh-engine indexer connector
4 participants
@juliancnn @JavierBejMen @JcabreraC @NahuFigueroa97