Merge pull request #7850 from joshcooper/create_system_context_10144

melissa · web-flow · commit 4fcf3d953a04 · 2019-12-03T09:54:31.000-08:00
(PUP-10144) Add method for loading system ssl context
diff --git a/lib/puppet/ssl/ssl_provider.rb b/lib/puppet/ssl/ssl_provider.rb
@@ -36,6 +36,26 @@ def create_root_context(cacerts:, crls: [], revocation: Puppet[:certificate_revo
     Puppet::SSL::SSLContext.new(store: store, cacerts: cacerts, crls: crls, revocation: revocation).freeze
   end
 
+  # Create an `SSLContext` using the trusted `cacerts` and any certs in OpenSSL's
+  # default verify path locations. When running puppet as a gem, the location is
+  # system dependent. When running puppet from puppet-agent packages, the location
+  # refers to the cacerts bundle in the puppet-agent package.
+  #
+  # Connections made from the returned context will authenticate the server,
+  # i.e. `VERIFY_PEER`, but will not use a client certificate and will not
+  # perform revocation checking.
+  #
+  # @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
+  # @return [Puppet::SSL::SSLContext] A context to use to create connections
+  # @raise (see #create_context)
+  # @api private
+  def create_system_context(cacerts:)
+    store = create_x509_store(cacerts, [], false)
+    store.set_default_paths
+
+    Puppet::SSL::SSLContext.new(store: store, cacerts: cacerts, crls: [], revocation: false).freeze
+  end
+
   # Create an `SSLContext` using the trusted `cacerts`, `crls`, `private_key`,
   # `client_cert`, and `revocation` mode. Connections made from the returned
   # context will be mutually authenticated.
diff --git a/spec/integration/http/client_spec.rb b/spec/integration/http/client_spec.rb
@@ -0,0 +1,121 @@
+require 'spec_helper'
+require 'puppet_spec/https'
+require 'puppet_spec/files'
+
+describe Puppet::HTTP::Client, unless: Puppet::Util::Platform.jruby? do
+  include PuppetSpec::Files
+
+  before :all do
+    WebMock.disable!
+  end
+
+  after :all do
+    WebMock.enable!
+  end
+
+  before :each do
+    # make sure we don't take too long
+    Puppet[:http_connect_timeout] = '5s'
+  end
+
+  let(:hostname) { '127.0.0.1' }
+  let(:wrong_hostname) { 'localhost' }
+  let(:server) { PuppetSpec::HTTPSServer.new }
+  let(:client) { Puppet::HTTP::Client.new }
+  let(:ssl_provider) { Puppet::SSL::SSLProvider.new }
+  let(:root_context) { ssl_provider.create_root_context(cacerts: [server.ca_cert], crls: [server.ca_crl]) }
+
+  context "when verifying an HTTPS server" do
+    it "connects over SSL" do
+      server.start_server do |port|
+        res = client.get(URI("https://127.0.0.1:#{port}"), ssl_context: root_context)
+        expect(res).to be_success
+      end
+    end
+
+    it "raises if the server's cert doesn't match the hostname we connected to" do
+      server.start_server do |port|
+        expect {
+          client.get(URI("https://#{wrong_hostname}:#{port}"), ssl_context: root_context)
+        }.to raise_error { |err|
+          expect(err).to be_instance_of(Puppet::HTTP::ConnectionError)
+          expect(err.message).to match(/Server hostname '#{wrong_hostname}' did not match server certificate; expected one of (.+)/)
+
+          md = err.message.match(/expected one of (.+)/)
+          expect(md[1].split(', ')).to contain_exactly('127.0.0.1', 'DNS:127.0.0.1', 'DNS:127.0.0.2')
+        }
+      end
+    end
+
+    it "raises if the server's CA is unknown" do
+      wrong_ca = cert_fixture('netlock-arany-utf8.pem')
+      alt_context = ssl_provider.create_root_context(cacerts: [wrong_ca], revocation: false)
+
+      server.start_server do |port|
+        expect {
+          client.get(URI("https://127.0.0.1:#{port}"), ssl_context: alt_context)
+        }.to raise_error(Puppet::HTTP::ConnectionError,
+                         %r{certificate verify failed.* .self signed certificate in certificate chain for CN=Test CA.})
+      end
+    end
+  end
+
+  context "with client certs" do
+    let(:ctx_proc) {
+      -> ctx {
+        # configures the server to require the client to present a client cert
+        ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+      }
+    }
+
+    it "mutually authenticates the connection" do
+      client_context = ssl_provider.create_context(
+        cacerts: [server.ca_cert], crls: [server.ca_crl],
+        client_cert: server.server_cert, private_key: server.server_key
+      )
+
+      server.start_server(ctx_proc: ctx_proc) do |port|
+        res = client.get(URI("https://127.0.0.1:#{port}"), ssl_context: client_context)
+        expect(res).to be_success
+      end
+    end
+  end
+
+  context "with a system trust store" do
+    it "connects when the client trusts the server's CA" do
+      system_context = ssl_provider.create_system_context(cacerts: [server.ca_cert])
+
+      server.start_server do |port|
+        res = client.get(URI("https://127.0.0.1:#{port}"), ssl_context: system_context)
+        expect(res).to be_success
+      end
+    end
+
+    it "connects when the server's CA is in the system store" do
+      # create a temp cacert bundle
+      ssl_file = tmpfile('systemstore')
+      File.write(ssl_file, server.ca_cert)
+
+      # override path to system cacert bundle, this must be done before
+      # the SSLContext is created and the call to X509::Store.set_default_paths
+      Puppet::Util.withenv("SSL_CERT_FILE" => ssl_file) do
+        system_context = ssl_provider.create_system_context(cacerts: [])
+        server.start_server do |port|
+          res = client.get(URI("https://127.0.0.1:#{port}"), ssl_context: system_context)
+          expect(res).to be_success
+        end
+      end
+    end
+
+    it "raises if the server's CA is not in the context or system store" do
+      system_context = ssl_provider.create_system_context(cacerts: [cert_fixture('netlock-arany-utf8.pem')])
+
+      server.start_server do |port|
+        expect {
+          client.get(URI("https://127.0.0.1:#{port}"), ssl_context: system_context)
+        }.to raise_error(Puppet::HTTP::ConnectionError,
+                         %r{certificate verify failed.* .self signed certificate in certificate chain for CN=Test CA.})
+      end
+    end
+  end
+end
diff --git a/spec/unit/ssl/ssl_provider_spec.rb b/spec/unit/ssl/ssl_provider_spec.rb
@@ -73,6 +73,67 @@
         sslctx.verify_peer = false
       }.to raise_error(/can't modify frozen/)
     end
+
+    it 'verifies peer' do
+      sslctx = subject.create_root_context(config)
+      expect(sslctx.verify_peer).to eq(true)
+    end
+  end
+
+  context 'when creating a system ssl context' do
+    it 'accepts empty list of CA certs' do
+      sslctx = subject.create_system_context(cacerts: [])
+      expect(sslctx.cacerts).to eq([])
+    end
+
+    it 'accepts valid root certs' do
+      certs = [cert_fixture('ca.pem')]
+      sslctx = subject.create_system_context(cacerts: certs)
+      expect(sslctx.cacerts).to eq(certs)
+    end
+
+    it 'accepts valid intermediate certs' do
+      certs = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
+      sslctx = subject.create_system_context(cacerts: certs)
+      expect(sslctx.cacerts).to eq(certs)
+    end
+
+    it 'accepts expired CA certs' do
+      expired = [cert_fixture('ca.pem'), cert_fixture('intermediate.pem')]
+      expired.each { |x509| x509.not_after = Time.at(0) }
+
+      sslctx = subject.create_system_context(cacerts: expired)
+      expect(sslctx.cacerts).to eq(expired)
+    end
+
+    it 'raises if the frozen context is modified' do
+      sslctx = subject.create_system_context(cacerts: [])
+      expect {
+        sslctx.verify_peer = false
+      }.to raise_error(/can't modify frozen/)
+    end
+
+    it 'trusts system ca store' do
+      expect_any_instance_of(OpenSSL::X509::Store).to receive(:set_default_paths)
+
+      subject.create_system_context(cacerts: [])
+    end
+
+    it 'verifies peer' do
+      sslctx = subject.create_system_context(cacerts: [])
+      expect(sslctx.verify_peer).to eq(true)
+    end
+
+    it 'disable revocation' do
+      sslctx = subject.create_system_context(cacerts: [])
+      expect(sslctx.revocation).to eq(false)
+    end
+
+    it 'sets client cert and private key to nil' do
+      sslctx = subject.create_system_context(cacerts: [])
+      expect(sslctx.client_cert).to be_nil
+      expect(sslctx.private_key).to be_nil
+    end
   end
 
   context 'when creating an ssl context with crls' do
@@ -99,6 +160,11 @@
       sslctx = subject.create_root_context(config.merge(crls: expired))
       expect(sslctx.crls).to eq(expired)
     end
+
+    it 'verifies peer' do
+      sslctx = subject.create_root_context(config)
+      expect(sslctx.verify_peer).to eq(true)
+    end
   end
 
   context 'when creating an ssl context with client certs' do
@@ -345,6 +411,11 @@
         sslctx.verify_peer = false
       }.to raise_error(/can't modify frozen/)
     end
+
+    it 'verifies peer' do
+      sslctx = subject.create_context(config)
+      expect(sslctx.verify_peer).to eq(true)
+    end
   end
 
   context 'when loading an ssl context' do
