
Revision 7697116c

Added by Dominic Cleal over 11 years ago

fixes #2121, #2069 - authenticate to Foreman with SSL certificate

CVE-2013-0171 and CVE-2013-0174 were resolved by verifying client SSL
certificates on Foreman interfaces used by puppetmasters. This change updates
the ENC and report processors to provide and verify certificates by default.


templates/external_node.rb.erb
:facts => <%= @facts %>,
:storeconfigs => <%= @storeconfigs %>,
:timeout => 3,
# if CA is specified, remote Foreman host will be verified
:ssl_ca => "<%= @ssl_ca -%>",
# ssl_cert and key are required if require_ssl_puppetmasters is enabled in Foreman
:ssl_cert => "<%= @ssl_cert -%>",
:ssl_key => "<%= @ssl_key -%>"
}
### Do not edit below this line
......
req.set_form_data('facts' => fact)
res = Net::HTTP.new(uri.host, uri.port)
res.use_ssl = uri.scheme == 'https'
res.verify_mode = OpenSSL::SSL::VERIFY_NONE if res.use_ssl?
if res.use_ssl?
if SETTINGS[:ssl_ca]
res.ca_file = SETTINGS[:ssl_ca]
res.verify_mode = OpenSSL::SSL::VERIFY_PEER
else
res.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
if SETTINGS[:ssl_cert] and SETTINGS[:ssl_key]
res.cert = OpenSSL::X509::Certificate.new(File.read(SETTINGS[:ssl_cert]))
res.key = OpenSSL::PKey::RSA.new(File.read(SETTINGS[:ssl_key]), nil)
end
end
res.start { |http| http.request(req) }
rescue => e
raise "Could not send facts to Foreman: #{e}"
......
req = Net::HTTP::Get.new(foreman_url)
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = uri.scheme == 'https'
http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl?
res = http.start { |http| http.request(req) }
if http.use_ssl?
if SETTINGS[:ssl_ca]
http.ca_file = SETTINGS[:ssl_ca]
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
else
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
if SETTINGS[:ssl_cert] and SETTINGS[:ssl_key]
http.cert = OpenSSL::X509::Certificate.new(File.read(SETTINGS[:ssl_cert]))
http.key = OpenSSL::PKey::RSA.new(File.read(SETTINGS[:ssl_key]), nil)
end
end
res = http.start { |http| http.request(req) }
raise "Error retrieving node #{certname}: #{res.class}" unless res.code == "200"
res.body
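Review bot: If `@ssl_cert` or `@ssl_key` can be left unset, the template in this file renders them as `""`, which is truthy in Ruby, so `if SETTINGS[:ssl_cert] and SETTINGS[:ssl_key]` (in the fact-upload hunk and again in the ENC hunk) still passes and `File.read("")` raises — the first hunk turns it into "Could not send facts to Foreman", the second lets an unrescued Errno::ENOENT escape. The same applies to `if SETTINGS[:ssl_ca]`: an empty string selects `ca_file = ""` with `VERIFY_PEER`, which fails the connection rather than reaching the `VERIFY_NONE` branch (fail-closed, which is the safer outcome, but not what the `else` suggests), and when the fallback is reached it silently drops server verification for an https URL, so a warning on that path would be worth adding. Testing the settings for content (`SETTINGS[:ssl_ca].to_s.empty?`), using `&&` rather than `and`, and keeping the SSL setup in one helper shared by both requests would remove the duplicated block and keep the two from drifting. Both enclosing methods begin outside their hunks and end outside them.
```ruby
# Shared by the fact upload and the ENC fetch so the two cannot drift apart.
def configure_ssl(http)
  return unless http.use_ssl?
  # unset template values render as "", which is truthy, so test for content
  if SETTINGS[:ssl_ca].to_s.empty?
    # no CA configured: the remote Foreman host is NOT verified on this path
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  else
    http.ca_file = SETTINGS[:ssl_ca]
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  end
  return if SETTINGS[:ssl_cert].to_s.empty? || SETTINGS[:ssl_key].to_s.empty?
  http.cert = OpenSSL::X509::Certificate.new(File.read(SETTINGS[:ssl_cert]))
  http.key = OpenSSL::PKey::RSA.new(File.read(SETTINGS[:ssl_key]), nil)
end
# … unchanged: request construction in both methods; each then calls configure_ssl(res) / configure_ssl(http) before start …
```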
