Work in progress

relay/sources/relayd/Cargo.toml

@@ -37,7 +37,8 @@ openssl = "0.10"
 prometheus = { version = "0.11", default-features = false, features = ["process"] }
 regex = "1"
 # Use openssl for TLS to be consistent
-reqwest = { version = "0.11", default-features = false, features = ["stream", "blocking", "native-tls"] }
+#reqwest = { version = "0.11", default-features = false, features = ["stream", "blocking", "native-tls"] }
+reqwest = { git = "https://github.com/amousset/reqwest", branch = "add-disable_built_in_roots", default-features = false, features = ["stream", "blocking", "native-tls"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 sha2 = "0.9"

relay/sources/relayd/src/configuration/main.rs

@@ -406,7 +406,7 @@ impl Default for DatabaseConfig {
 
 #[derive(Deserialize, Debug, PartialEq, Eq, Clone)]
 pub struct UpstreamConfig {
-    // TODO better URL type
+    // TODO better URL type: reqwest::Url
     /// When the section is there, url is mandatory
     pub url: String,
     #[serde(default = "UpstreamConfig::default_user")]
@@ -416,8 +416,35 @@ pub struct UpstreamConfig {
     /// Default password, to be used for new inventories
     #[serde(default = "UpstreamConfig::default_default_password")]
     pub default_password: Secret,
+
+    //////////////////////////////////////////////////////////
+    //
+    // # Certificate management
+    //
+    // Three options:
+    //
+    // * No validation (6.X with  certificate validation disabled, default)
+    // * Standard validation (6.X with  certificate validation enabled)
+    // * P2P validation (7.X+)
+    //   * Hostname validation disabled
+    //   * Direct certificate comparison (from a file)
+    //   * Disabled system root store
+    //
+    //////////////////////////////////////////////////////////
+    //
     #[serde(default = "UpstreamConfig::default_verify_certificates")]
+    /// Allows to completely disable certificate validation.
+    ///
+    /// If true, https is required for all connections
+    ///
+    /// This preserves compatibility with 6.X configs
     pub verify_certificates: bool,
+
+    /// Should we accept based on system certificate store
+    pub use_system_root_certificates: bool,
+    /// Allows specifying a root certificate
+    /// Used for our p2p PKI
+    pub server_certificate: Option<PathBuf>,
     // TODO timeout?
 }
 
@@ -430,9 +457,17 @@ impl UpstreamConfig {
         true
     }
 
+    fn default_verify_hostnames() -> bool {
+        true
+    }
+
     fn default_default_password() -> Secret {
         Secret::new("rudder".into())
     }
+
+    fn default_server_certificate_file() -> PathBuf {
+        PathBuf::from("/var/rudder/cfengine-community/ppkeys/policy_server.cert")
+    }
 }
 
 impl Default for UpstreamConfig {
@@ -443,6 +478,7 @@ impl Default for UpstreamConfig {
             password: Default::default(),
             default_password: Default::default(),
             verify_certificates: Self::default_verify_certificates(),
+            server_certificate_file: Self::default_server_certificate_file(),
         }
     }
 }
@@ -516,6 +552,9 @@ mod tests {
                     password: Secret::new("".to_string()),
                     default_password: Secret::new("".to_string()),
                     verify_certificates: true,
+                    server_certificate_file: PathBuf::from(
+                        "/var/rudder/cfengine-community/ppkeys/policy_server.cert",
+                    ),
                 },
                 database: DatabaseConfig {
                     url: "postgres://rudder@127.0.0.1/rudder".to_string(),
@@ -603,6 +642,9 @@ mod tests {
                     password: Secret::new("password".to_string()),
                     default_password: Secret::new("rudder".to_string()),
                     verify_certificates: false,
+                    server_certificate_file: PathBuf::from(
+                        "tests/files/keys/e745a140-40bc-4b86-b6dc-084488fc906b.pub",
+                    ),
                 },
                 database: DatabaseConfig {
                     url: "postgres://rudderreports@127.0.0.1/rudder".to_string(),

relay/sources/relayd/src/lib.rs

@@ -35,7 +35,7 @@ use tokio::{
     signal::unix::{signal, SignalKind},
     sync::RwLock,
 };
-use tracing::{debug, error, info};
+use tracing::{debug, error, info, warn};
 use tracing_subscriber::{
     filter::EnvFilter,
     fmt::{
@@ -237,9 +237,23 @@ impl JobConfig {
             None
         };
 
-        let client = Client::builder()
-            .danger_accept_invalid_certs(!cfg.output.upstream.verify_certificates)
-            .build()?;
+        // HTTP client
+        //
+        let mut client = Client::builder();
+
+        if cfg.output.upstream.verify_certificates {
+            // Let's enforce https to prevent misconfigurations
+            client.https_only(cfg.output.upstream.verify_certificates);
+        } else {
+            warn!("Certificate validation is disabled");
+            client.danger_accept_invalid_certs(true);
+        }
+
+        if !cfg.output.upstream.verify_hostnames {
+            client.danger_accept_invalid_hostnames(true);
+        }
+
+        let client = client.build()?;
 
         let nodes = RwLock::new(NodesList::new(
             cfg.general.node_id.to_string(),

relay/sources/relayd/tests/files/config/main.conf

@@ -45,7 +45,7 @@ url = "https://127.0.0.1:8080"
 user = "rudder"
 password = "password"
 default_password = "rudder"
-verify_certificates = false
+server_certificate_file = "/var/rudder/cfengine-community/ppkeys/policy_server.cert"
 
 [remote_run]
 command = "tests/api_remote_run/fake_agent.sh"

relay/sources/relayd/tools/config/main.conf

@@ -66,7 +66,14 @@ user = "rudder"
 password = "password"
 # Password used for new inventories
 default_password = "rudder"
+# If false certificate validation is skipped
 verify_certificates = true
+# Verify certificate against `/var/rudder/cfengine-community/ppkeys/policy_server.cert`
+# If true hostname validation is disabled and the given file is used as CA
+# If false standard validation is done
+verify_certificates_from_file = true
+# This upstream's server certificate
+server_certificate_file = "/var/rudder/cfengine-community/ppkeys/policy_server.cert"
 
 [remote_run]
 command = "/opt/rudder/bin/rudder"