refactor: Reimplement TLS configuration in coding and in jobs config (c…

…loudfoundry#79) * wip: refactor: tls configuration * refactor: adapt tls spec config * refactor: Adapt integration tests to run with new TLS structs * refactor: Use client_cas instead of ca * refactor: Adapt acceptance tests to have a correct CN for bosh director cert --------- Co-authored-by: Maximilian Moehl <[email protected]> Co-authored-by: Dominik Froehlich <[email protected]>
sap-contributions · Jul 14, 2023 · 45d7cdd · 45d7cdd
1 parent bd75214
commit 45d7cdd
Show file tree

Hide file tree

Showing 38 changed files with 343 additions and 302 deletions.
diff --git a/acceptance-tests/bosh_helpers.go b/acceptance-tests/bosh_helpers.go
@@ -99,20 +99,28 @@ var opsfileStartApache = `
         apt-get update && apt-get install apache2 -y && apache2ctl start
 `
 
+var opsfileChangeBoshDirectorCN string = `---
+# Replace bosh director cert common name with the right one
+- type: replace
+  path: /instance_groups/name=pcap-api/jobs/name=pcap-api/properties/pcap-api/bosh/tls/common_name
+  value: ((director_common_name))
+`
+
 // opsfiles that need to be set for all tests
-var defaultOpsfiles = []string{opsfileChangeName, opsfileChangeVersion, opsfileAddSSHUser, opsfileStartApache}
+var defaultOpsfiles = []string{opsfileChangeName, opsfileChangeVersion, opsfileChangeBoshDirectorCN, opsfileAddSSHUser, opsfileStartApache}
 var defaultSSHUser string = "ginkgo"
 
 // buildManifestVars returns a map of variables needed to deploy pcap.
 func buildManifestVars(baseManifestVars baseManifestVars, customVars map[string]interface{}) map[string]interface{} {
 	vars := map[string]interface{}{
-		"release-version":   config.ReleaseVersion,
-		"director_ssl_ca":   config.BoshDirectorCA,
-		"bosh_director_api": config.BoshDirectorAPI,
-		"director_ssl_cert": config.BoshDirectorCert,
-		"director_ssl_key":  config.BoshDirectorKey,
-		"deployment-name":   baseManifestVars.deploymentName,
-		"ssh_user":          defaultSSHUser,
+		"release-version":      config.ReleaseVersion,
+		"director_ssl_ca":      config.BoshDirectorCA,
+		"bosh_director_api":    config.BoshDirectorAPI,
+		"director_ssl_cert":    config.BoshDirectorCert,
+		"director_ssl_key":     config.BoshDirectorKey,
+		"director_common_name": config.BoshDirectorCertCN,
+		"deployment-name":      baseManifestVars.deploymentName,
+		"ssh_user":             defaultSSHUser,
 	}
 	for k, v := range customVars {
 		vars[k] = v

diff --git a/acceptance-tests/config.go b/acceptance-tests/config.go
@@ -1,6 +1,8 @@
 package acceptance_tests
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"os"
 	"os/exec"
@@ -9,18 +11,19 @@ import (
 var config Config
 
 type Config struct {
-	ReleaseRepoPath  string `json:"releaseRepoPath"`
-	ReleaseVersion   string `json:"releaseVersion"`
-	BoshDirectorAPI  string `json:"boshDirectorAPI"`
-	BoshDirectorCert string `json:"boshDirectorCert"`
-	BoshDirectorKey  string `json:"boshDirectorKey"`
-	BoshDirectorCA   string `json:"boshDirectorCA"`
-	BoshClient       string `json:"boshClient"`
-	BoshClientSecret string `json:"boshClientSecret"`
-	BoshEnvironment  string `json:"boshEnvironment"`
-	BoshPath         string `json:"boshPath"`
-	BaseManifestPath string `json:"baseManifestPath"`
-	HomePath         string `json:"homePath"`
+	ReleaseRepoPath    string `json:"releaseRepoPath"`
+	ReleaseVersion     string `json:"releaseVersion"`
+	BoshDirectorAPI    string `json:"boshDirectorAPI"`
+	BoshDirectorCertCN string `json:"boshDirectorCertCN"`
+	BoshDirectorCert   string `json:"boshDirectorCert"`
+	BoshDirectorKey    string `json:"boshDirectorKey"`
+	BoshDirectorCA     string `json:"boshDirectorCA"`
+	BoshClient         string `json:"boshClient"`
+	BoshClientSecret   string `json:"boshClientSecret"`
+	BoshEnvironment    string `json:"boshEnvironment"`
+	BoshPath           string `json:"boshPath"`
+	BaseManifestPath   string `json:"baseManifestPath"`
+	HomePath           string `json:"homePath"`
 }
 
 func loadConfig() (Config, error) {
@@ -84,20 +87,30 @@ func loadConfig() (Config, error) {
 	if err != nil {
 		return Config{}, err
 	}
+	// extract Bosh Director SSL Certificate Common Name
+	block, _ := pem.Decode([]byte(boshDirectorCert))
+	if block == nil {
+		return Config{}, fmt.Errorf("failed to parse PEM block containing the public key")
+	}
+
+	cert, _ := x509.ParseCertificate(block.Bytes) // handle error
+
+	boshDirectorCertCN := cert.Subject.CommonName
 
 	return Config{
-		ReleaseRepoPath:  releaseRepoPath,
-		ReleaseVersion:   releaseVersion,
-		BoshDirectorAPI:  boshDirectorAPI,
-		BoshDirectorCert: boshDirectorCert,
-		BoshDirectorKey:  boshDirectorKey,
-		BoshDirectorCA:   boshDirectorCA,
-		BoshClient:       boshClient,
-		BoshClientSecret: boshClientSecret,
-		BoshEnvironment:  boshEnvironment,
-		BoshPath:         boshPath,
-		BaseManifestPath: baseManifestPath,
-		HomePath:         homePath,
+		ReleaseRepoPath:    releaseRepoPath,
+		ReleaseVersion:     releaseVersion,
+		BoshDirectorAPI:    boshDirectorAPI,
+		BoshDirectorCertCN: boshDirectorCertCN,
+		BoshDirectorCert:   boshDirectorCert,
+		BoshDirectorKey:    boshDirectorKey,
+		BoshDirectorCA:     boshDirectorCA,
+		BoshClient:         boshClient,
+		BoshClientSecret:   boshClientSecret,
+		BoshEnvironment:    boshEnvironment,
+		BoshPath:           boshPath,
+		BaseManifestPath:   baseManifestPath,
+		HomePath:           homePath,
 	}, nil
 }
 

diff --git a/jobs/pcap-agent/spec b/jobs/pcap-agent/spec
@@ -36,5 +36,5 @@ properties:
     description: "Certificate and chain to talk to pcap-api in PEM format"
   pcap-agent.listen.tls.private_key:
     description: "Private key to talk to pcap-api in PEM format"
-  pcap-agent.listen.tls.ca:
+  pcap-agent.listen.tls.client_cas:
     description: "CA bundle which is used to request and verify client certificates"
diff --git a/jobs/pcap-agent/templates/client-ca.crt.erb b/jobs/pcap-agent/templates/client-ca.crt.erb
@@ -1,3 +1,3 @@
-<%- if_p("pcap-agent.listen.tls.ca") do |client_ca| -%>
+<%- if_p("pcap-agent.listen.tls.client_cas") do |client_ca| -%>
 <%= client_ca -%>
 <%- end -%>
diff --git a/jobs/pcap-agent/templates/pcap-agent.yml.erb b/jobs/pcap-agent/templates/pcap-agent.yml.erb
@@ -7,7 +7,7 @@ config = {
     "tls" => {
       "certificate"=> "/var/vcap/jobs/pcap-agent/config/certs/pcap-agent.crt",
       "private_key" => "/var/vcap/jobs/pcap-agent/config/certs/pcap-agent.key",
-      "ca" => "/var/vcap/jobs/pcap-agent/config/certs/client-ca.crt",
+      "client_cas" => "/var/vcap/jobs/pcap-agent/config/certs/client-ca.crt",
     },
   },
   "buffer" => {

diff --git a/jobs/pcap-api/spec b/jobs/pcap-api/spec
@@ -9,9 +9,7 @@ templates:
   pcap-api.crt.erb: config/certs/pcap-api.crt
   pcap-api.key.erb: config/certs/pcap-api.key
   pcap-api.ca.erb: config/certs/pcap-api-ca.crt
-  bosh_mtls/pcap-api-bosh.ca.erb: config/certs/bosh/pcap-api-bosh-ca.crt
-  bosh_mtls/pcap-api-bosh.crt.erb: config/certs/bosh/pcap-api-bosh.crt
-  bosh_mtls/pcap-api-bosh.key.erb: config/certs/bosh/pcap-api-bosh.key
+  pcap-api-bosh.ca.erb: config/certs/bosh/pcap-api-bosh-ca.crt
   agents_mtls/pcap-api-client.crt.erb: config/certs/pcap-api-client.crt
   agents_mtls/pcap-api-client.key.erb: config/certs/pcap-api-client.key
   agents_mtls/pcap-api-client.ca.erb: config/certs/pcap-api-client-ca.crt
@@ -44,7 +42,7 @@ properties:
     description: "Certificate chain to talk to gorouter in PEM format"
   pcap-api.listen.tls.private_key:
     description: "Private key to talk to gorouter in PEM format"
-  pcap-api.listen.tls.ca:
+  pcap-api.listen.tls.client_cas:
     description: "CA bundle which is used to request and verify client certificates" # platform CA (gorouter CA)
 
   pcap-api.agents_mtls.enabled:
@@ -70,19 +68,15 @@ properties:
     description: "Endpoint of the BOSH Director API"
   pcap-api.bosh.token_scope:
     description: "Scope of the token"
-  pcap-api.bosh.mtls.enabled:
+  pcap-api.bosh.tls.enabled:
     default: true
-  pcap-api.bosh.mtls.common_name:
+  pcap-api.bosh.tls.common_name:
     description: "Common name of the Bosh Director"
-  pcap-api.bosh.mtls.skip_verify:
+  pcap-api.bosh.tls.skip_verify:
     description: "Skip server verification for connection to Bosh Director"
     default: false
-  pcap-api.bosh.mtls.certificate:
-    description: "Client certificate to talk to Bosh Director in PEM format"
-  pcap-api.bosh.mtls.private_key:
-    description: "Private key to talk to Bosh Director in PEM format"
-  pcap-api.bosh.mtls.ca:
-    description: "CA bundle which is used to request and verify Bosh Director client certificates"
+  pcap-api.bosh.tls.ca:
+    description: "CA bundle which is used to request and verify Bosh Director certificates"
 
 
   pcap-api.cli_download_root:

diff --git a/jobs/pcap-api/templates/agents_mtls/pcap-api-client.ca.erb b/jobs/pcap-api/templates/agents_mtls/pcap-api-client.ca.erb
@@ -1,7 +1,9 @@
-<%
-if_p("pcap-api.agents_mtls.ca") do |pem|
-%>
+<%- if p("pcap-api.agents_mtls.enabled").to_s == "true"
+      if !p("pcap-api.agents_mtls.ca", nil)
+        raise "Conflicting configuration: pcap-api.agents_mtls.enabled is true, you must provide a valid client CAs"
+      end
+    end
+-%>
+<%- if_p("pcap-api.agents_mtls.ca") do |pem| -%>
 <%= pem %>
-<%
-end
-%>
+<%- end -%>
diff --git a/jobs/pcap-api/templates/agents_mtls/pcap-api-client.crt.erb b/jobs/pcap-api/templates/agents_mtls/pcap-api-client.crt.erb
@@ -1,7 +1,9 @@
-<%
-if_p("pcap-api.agents_mtls.certificate") do |pem|
-%>
+<%- if p("pcap-api.agents_mtls.enabled").to_s == "true"
+      if !p("pcap-api.agents_mtls.certificate", nil)
+        raise "Conflicting configuration: pcap-api.agents_mtls.enabled is true, you must provide a valid certificate"
+      end
+    end
+-%>
+<%- if_p("pcap-api.agents_mtls.certificate") do |pem| -%>
 <%= pem %>
-<%
-end
-%>
+<%- end -%>
diff --git a/jobs/pcap-api/templates/agents_mtls/pcap-api-client.key.erb b/jobs/pcap-api/templates/agents_mtls/pcap-api-client.key.erb
@@ -1,7 +1,9 @@
-<%
-if_p("pcap-api.agents_mtls.private_key") do |pem|
-%>
+<%- if p("pcap-api.agents_mtls.enabled").to_s == "true"
+      if !p("pcap-api.agents_mtls.private_key", nil)
+        raise "Conflicting configuration: pcap-api.agents_mtls.enabled is true, you must provide a valid private key"
+      end
+    end
+-%>
+<%- if_p("pcap-api.agents_mtls.private_key") do |pem| -%>
 <%= pem %>
-<%
-end
-%>
+<%- end -%>
diff --git a/jobs/pcap-api/templates/bosh_mtls/pcap-api-bosh.ca.erb b/jobs/pcap-api/templates/bosh_mtls/pcap-api-bosh.ca.erb
diff --git a/jobs/pcap-api/templates/bosh_mtls/pcap-api-bosh.crt.erb b/jobs/pcap-api/templates/bosh_mtls/pcap-api-bosh.crt.erb
diff --git a/jobs/pcap-api/templates/bosh_mtls/pcap-api-bosh.key.erb b/jobs/pcap-api/templates/bosh_mtls/pcap-api-bosh.key.erb
diff --git a/jobs/pcap-api/templates/pcap-api-bosh.ca.erb b/jobs/pcap-api/templates/pcap-api-bosh.ca.erb
@@ -0,0 +1,13 @@
+<%- if p("pcap-api.bosh.tls.enabled").to_s == "true"
+      if !p("pcap-api.bosh.tls.ca", nil)
+        raise "Conflicting configuration: pcap-api.bosh.tls.enabled, you must provide a valid Bosh CAs"
+      end
+    end
+-%>
+<%
+if_p("pcap-api.bosh.tls.ca") do |pem|
+%>
+<%= pem %>
+<%
+end
+%>
diff --git a/jobs/pcap-api/templates/pcap-api.ca.erb b/jobs/pcap-api/templates/pcap-api.ca.erb
@@ -1,3 +1,9 @@
+<%- if p("pcap-api.listen.tls.enabled").to_s == "true"
+      if !p("pcap-api.listen.tls.client_cas", nil)
+        raise "Conflicting configuration: pcap-api.listen.tls.enabled is true, you must provide a valid client CA"
+      end
+    end
+-%>
 <%- if_p("pcap-api.listen.tls.ca") do |pem| -%>
 <%= pem %>
-<%- end -%>
+<%- end -%>
diff --git a/jobs/pcap-api/templates/pcap-api.crt.erb b/jobs/pcap-api/templates/pcap-api.crt.erb
@@ -1,3 +1,9 @@
+<%- if p("pcap-api.listen.tls.enabled").to_s == "true"
+      if !p("pcap-api.listen.tls.certificate", nil)
+        raise "Conflicting configuration: pcap-api.listen.tls.enabled is true, you must provide a valid certificate"
+      end
+    end
+-%>
 <%- if_p("pcap-api.listen.tls.certificate") do |pem| -%>
 <%= pem %>
 <%- end -%>
diff --git a/jobs/pcap-api/templates/pcap-api.key.erb b/jobs/pcap-api/templates/pcap-api.key.erb
@@ -1,3 +1,9 @@
+<%- if p("pcap-api.listen.tls.enabled").to_s == "true"
+      if !p("pcap-api.listen.tls.private_key", nil)
+        raise "Conflicting configuration: pcap-api.listen.tls.enabled is true, you must provide a valid private key"
+      end
+    end
+-%>
 <%- if_p("pcap-api.listen.tls.private_key") do |pem| -%>
 <%= pem %>
 <%- end -%>
diff --git a/jobs/pcap-api/templates/pcap-api.yml.erb b/jobs/pcap-api/templates/pcap-api.yml.erb
@@ -18,13 +18,13 @@ if p("pcap-api.listen.tls.enabled").to_s == "true"
     config["listen"]["tls"] = {
         "certificate"=> "/var/vcap/jobs/pcap-api/config/certs/pcap-api.crt",
         "private_key" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api.key",
-        "ca" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api-ca.crt"
+        "client_cas" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api-ca.crt"
     }
 end
 
 if p("pcap-api.agents_mtls.enabled").to_s == "true"
   config["agents_mtls"] = {
-      "common_name" => p("pcap-api.agents_mtls.common_name"),
+      "server_name" => p("pcap-api.agents_mtls.common_name"),
       "skip_verify" => p("pcap-api.agents_mtls.skip_verify"),
       "certificate" => "/var/vcap/jobs/pcap-api/config/certs/pcap-api-client.crt",
       "private_key" => '/var/vcap/jobs/pcap-api/config/certs/pcap-api-client.key',
@@ -33,21 +33,19 @@ if p("pcap-api.agents_mtls.enabled").to_s == "true"
 end
 
 if_p("pcap-api.bosh.director_url", "pcap-api.bosh.token_scope") do
-  bosh_mtls = nil
-  if p("pcap-api.bosh.mtls.enabled").to_s == "true"
-    bosh_mtls = {
-      "common_name" => p("pcap-api.bosh.mtls.common_name"),
-      "skip_verify" => p("pcap-api.bosh.mtls.skip_verify"),
-      "certificate" => '/var/vcap/jobs/pcap-api/config/certs/bosh/pcap-api-bosh.crt',
-      "private_key" => '/var/vcap/jobs/pcap-api/config/certs/bosh/pcap-api-bosh.key',
+  bosh_tls = nil
+  if p("pcap-api.bosh.tls.enabled").to_s == "true"
+    bosh_tls = {
+      "server_name" => p("pcap-api.bosh.tls.common_name"),
+      "skip_verify" => p("pcap-api.bosh.tls.skip_verify"),
       "ca" => '/var/vcap/jobs/pcap-api/config/certs/bosh/pcap-api-bosh-ca.crt'
     }
   end
   config['bosh'] = {
       "agent_port" => p("pcap-api.bosh.agent_port"),
       "director_url" => p("pcap-api.bosh.director_url"),
       "token_scope" => p("pcap-api.bosh.token_scope"),
-      "mtls" => bosh_mtls
+      "tls" => bosh_tls
   }
 end
 

diff --git a/manifests/pcap-acceptance-tests.yml b/manifests/pcap-acceptance-tests.yml
@@ -26,11 +26,10 @@ instance_groups:
               director_url: ((bosh_director_api))
               token_scope: bosh.admin
               agent_port: 9494
-              mtls:
+              tls:
+                enabled: true
                 common_name: bosh.service.cf.internal
                 skip_verify: false
-                certificate: ((director_ssl_cert))
-                private_key: ((director_ssl_key))
                 ca: ((director_ssl_ca))
             agents_mtls:
               common_name: pcap-agent.service.cf.internal
@@ -61,7 +60,7 @@ instance_groups:
               tls:
                 certificate: ((pcap_agent_tls.certificate))
                 private_key: ((pcap_agent_tls.private_key))
-                ca: ((pcap_agent_tls.ca))
+                client_cas: ((pcap_agent_tls.ca))
 
 update:
   canaries: 1

diff --git a/manifests/pcap-api.yml b/manifests/pcap-api.yml
@@ -53,11 +53,9 @@ instance_groups:
               director_url: ((pcap_api.bosh_director_api))
               token_scope: bosh.admin
               agent_port: 9494
-              mtls:
+              tls:
                 common_name: bosh.service.cf.internal
                 skip_verify: false
-                certificate: ((pcap_api_bosh_mtls.certificate))
-                private_key: ((pcap_api_bosh_mtls.private_key))
                 ca: ((/bootstrap-bosh/bosh/default_ca.ca))
             agents_mtls:
               common_name: pcap-agent.service.cf.internal
@@ -99,7 +97,7 @@ instance_groups:
               tls:
                 certificate: ((pcap_agent_mtls.certificate))
                 private_key: ((pcap_agent_mtls.private_key))
-                ca: ((pcap_agent_mtls.ca))
+                client_cas: ((pcap_agent_mtls.ca))
 
 update:
   canaries: 1