public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Aaron Lauterer <a.lauterer@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH installer v6 23/36] auto-installer: fetch: add http post utility module
Date: Wed, 17 Apr 2024 14:30:55 +0200	[thread overview]
Message-ID: <20240417123108.212720-24-a.lauterer@proxmox.com> (raw)
In-Reply-To: <20240417123108.212720-1-a.lauterer@proxmox.com>

It sends a http(s) POST request with the sysinfo as payload and expects
an answer file in return.

In order to handle non FQDN URLs (e.g. IP addresses) and self signed
certificates, it can optionally take an SHA256 fingerprint of the
certificate. This can of course also be used to pin a certificate
explicitly, even if it would be in the trust chain.

A custom cert verifier for ureq / rustl was necessary to get cert
fingerprint matching to work.

If no fingerprint is proviced, we switch rustls to native-certs and
native-tls.

Tested-by: Christoph Heiss <c.heiss@proxmox.com>
Reviewed-by: Christoph Heiss <c.heiss@proxmox.com>
Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
---
 proxmox-auto-installer/Cargo.toml             |  6 ++
 .../src/fetch_plugins/utils/mod.rs            |  1 +
 .../src/fetch_plugins/utils/post.rs           | 94 +++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 proxmox-auto-installer/src/fetch_plugins/utils/post.rs

diff --git a/proxmox-auto-installer/Cargo.toml b/proxmox-auto-installer/Cargo.toml
index bb0b49c..ac2f3a6 100644
--- a/proxmox-auto-installer/Cargo.toml
+++ b/proxmox-auto-installer/Cargo.toml
@@ -18,3 +18,9 @@ toml = "0.7"
 enum-iterator = "0.6.0"
 log = "0.4.20"
 regex = "1.7"
+ureq = { version = "2.6", features = [ "native-certs", "native-tls" ] }
+rustls = { version = "0.20", features = [ "dangerous_configuration" ] }
+rustls-native-certs = "0.6"
+native-tls = "0.2"
+sha2 = "0.10"
+hex = "0.4"
diff --git a/proxmox-auto-installer/src/fetch_plugins/utils/mod.rs b/proxmox-auto-installer/src/fetch_plugins/utils/mod.rs
index b3e9dad..6b4c7db 100644
--- a/proxmox-auto-installer/src/fetch_plugins/utils/mod.rs
+++ b/proxmox-auto-installer/src/fetch_plugins/utils/mod.rs
@@ -12,6 +12,7 @@ static ANSWER_MP: &str = "/mnt/answer";
 static PARTLABEL: &str = "proxmoxinst";
 static SEARCH_PATH: &str = "/dev/disk/by-label";
 
+pub mod post;
 pub mod sysinfo;
 
 /// Searches for upper and lower case existence of the partlabel in the search_path
diff --git a/proxmox-auto-installer/src/fetch_plugins/utils/post.rs b/proxmox-auto-installer/src/fetch_plugins/utils/post.rs
new file mode 100644
index 0000000..193e920
--- /dev/null
+++ b/proxmox-auto-installer/src/fetch_plugins/utils/post.rs
@@ -0,0 +1,94 @@
+use anyhow::Result;
+use rustls::ClientConfig;
+use sha2::{Digest, Sha256};
+use std::sync::Arc;
+use ureq::{Agent, AgentBuilder};
+
+/// Issues a POST request with the payload (JSON). Optionally a SHA256 fingerprint can be used to
+/// check the cert against it, instead of the regular cert validation.
+/// To gather the sha256 fingerprint you can use the following command:
+/// ```no_compile
+/// openssl s_client -connect <host>:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256  -noout -in /dev/stdin
+/// ```
+///
+/// # Arguemnts
+/// * `url` - URL to call
+/// * `fingerprint` - SHA256 cert fingerprint if certificate pinning should be used. Optional.
+/// * `payload` - The payload to send to the server. Expected to be a JSON formatted string.
+pub fn call(url: String, fingerprint: Option<&str>, payload: String) -> Result<String> {
+    let answer      ;
+
+    if let Some(fingerprint) = fingerprint {
+        let tls_config = ClientConfig::builder()
+            .with_safe_defaults()
+            .with_custom_certificate_verifier(VerifyCertFingerprint::new(fingerprint)?)
+            .with_no_client_auth();
+
+        let agent: Agent = AgentBuilder::new().tls_config(Arc::new(tls_config)).build();
+
+        answer = agent
+            .post(&url)
+            .set("Content-type", "application/json; charset=utf-")
+            .send_string(&payload)?
+            .into_string()?;
+    } else {
+        let mut roots = rustls::RootCertStore::empty();
+        for cert in rustls_native_certs::load_native_certs()? {
+            roots.add(&rustls::Certificate(cert.0)).unwrap();
+        }
+
+        let tls_config = rustls::ClientConfig::builder()
+            .with_safe_defaults()
+            .with_root_certificates(roots)
+            .with_no_client_auth();
+
+        let agent = AgentBuilder::new()
+            .tls_connector(Arc::new(native_tls::TlsConnector::new()?))
+            .tls_config(Arc::new(tls_config))
+            .build();
+        answer = agent
+            .post(&url)
+            .set("Content-type", "application/json; charset=utf-")
+            .timeout(std::time::Duration::from_secs(60))
+            .send_string(&payload)?
+            .into_string()?;
+    }
+    Ok(answer)
+}
+
+struct VerifyCertFingerprint {
+    cert_fingerprint: Vec<u8>,
+}
+
+impl VerifyCertFingerprint {
+    fn new<S: AsRef<str>>(cert_fingerprint: S) -> Result<std::sync::Arc<Self>> {
+        let cert_fingerprint = cert_fingerprint.as_ref();
+        let sanitized = cert_fingerprint.replace(':', "");
+        let decoded = hex::decode(sanitized)?;
+        Ok(std::sync::Arc::new(Self {
+            cert_fingerprint: decoded,
+        }))
+    }
+}
+
+impl rustls::client::ServerCertVerifier for VerifyCertFingerprint {
+    fn verify_server_cert(
+        &self,
+        end_entity: &rustls::Certificate,
+        _intermediates: &[rustls::Certificate],
+        _server_name: &rustls::ServerName,
+        _scts: &mut dyn Iterator<Item = &[u8]>,
+        _ocsp_response: &[u8],
+        _now: std::time::SystemTime,
+    ) -> Result<rustls::client::ServerCertVerified, rustls::Error> {
+        let mut hasher = Sha256::new();
+        hasher.update(end_entity);
+        let result = hasher.finalize();
+
+        if result.as_slice() == self.cert_fingerprint {
+            Ok(rustls::client::ServerCertVerified::assertion())
+        } else {
+            Err(rustls::Error::General("Fingerprint did not match!".into()))
+        }
+    }
+}
-- 
2.39.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


  parent reply	other threads:[~2024-04-17 12:32 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-04-17 12:30 [pve-devel] [PATCH installer v6 00/36] add automated/unattended installation Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 01/36] tui: common: move InstallConfig struct to common crate Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 02/36] common: make InstallZfsOption members public Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 03/36] common: tui: use BTreeMap for predictable ordering Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 04/36] common: utils: add deserializer for CidrAddress Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 05/36] common: options: add Deserialize trait Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 06/36] low-level: add dump-udev command Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 07/36] add auto-installer crate Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 08/36] auto-installer: add dependencies Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 09/36] auto-installer: add answer file definition Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 10/36] auto-installer: add struct to hold udev info Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 11/36] auto-installer: add utils Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 12/36] auto-installer: add simple logging Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 13/36] auto-installer: add tests for answer file parsing Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 14/36] auto-installer: add auto-installer binary Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 15/36] auto-installer: add fetch answer binary Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 16/36] unconfigured: add proxauto as option to start auto installer Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 17/36] auto-installer: use glob crate for pattern matching Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 18/36] auto-installer: utils: make get_udev_index functions public Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 19/36] auto-installer: add proxmox-autoinst-helper tool Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 20/36] common: add Display trait to ProxmoxProduct Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 21/36] auto-installer: fetch: add gathering of system identifiers and restructure code Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 22/36] auto-installer: helper: add subcommand to view indentifiers Aaron Lauterer
2024-04-17 12:30 ` Aaron Lauterer [this message]
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 24/36] auto-installer: fetch: add http plugin to fetch answer Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 25/36] control: update build depends for auto installer Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 26/36] auto installer: factor out fetch-answer and autoinst-helper Aaron Lauterer
2024-04-17 12:30 ` [pve-devel] [PATCH installer v6 27/36] low-level: write low level config to /tmp Aaron Lauterer
2024-04-17 12:31 ` [pve-devel] [PATCH installer v6 28/36] common: add deserializer for FsType Aaron Lauterer
2024-04-17 12:31 ` [pve-devel] [PATCH installer v6 29/36] common: skip target_hd when deserializing InstallConfig Aaron Lauterer
2024-04-17 12:31 ` [pve-devel] [PATCH installer v6 30/36] add proxmox-chroot utility Aaron Lauterer
2024-04-17 12:31 ` [pve-devel] [PATCH installer v6 31/36] auto-installer: answer: deny unknown fields Aaron Lauterer
2024-04-17 12:31 ` [pve-devel] [PATCH installer v6 32/36] fetch-answer: move get_answer_file to utils Aaron Lauterer
2024-04-17 12:31 ` [pve-devel] [PATCH installer v6 33/36] auto-installer: utils: define ISO specified settings Aaron Lauterer
2024-04-17 12:31 ` [pve-devel] [PATCH installer v6 34/36] fetch-answer: use ISO specified configurations Aaron Lauterer
2024-04-17 12:31 ` [pve-devel] [PATCH installer v6 35/36] fetch-answer: dpcp: improve logging of steps taken Aaron Lauterer
2024-04-17 12:31 ` [pve-devel] [PATCH installer v6 36/36] autoinst-helper: add prepare-iso subcommand Aaron Lauterer
2024-04-18  8:48   ` Christoph Heiss
2024-04-18  9:13     ` Aaron Lauterer
2024-04-18 13:39     ` Thomas Lamprecht
2024-04-18 11:38   ` [pve-devel] [PATCH installer v6 36/36 follow-up] " Aaron Lauterer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240417123108.212720-24-a.lauterer@proxmox.com \
    --to=a.lauterer@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal