refactor: Reimplement TLS configuration in coding and in jobs config (#79)

* wip: refactor: tls configuration

* refactor: adapt tls spec config

* refactor: Adapt integration tests to run with new TLS structs

* refactor: Use client_cas instead of ca

* refactor: Adapt acceptance tests to have a correct CN for bosh director cert

---------

Co-authored-by: Maximilian Moehl <[email protected]>
Co-authored-by: Dominik Froehlich <[email protected]>

Author: 3 people

acceptance-tests/bosh_helpers.go

@@ -99,20 +99,28 @@ var opsfileStartApache = `
         apt-get update && apt-get install apache2 -y && apache2ctl start
 `
 
+var opsfileChangeBoshDirectorCN string = `---
+# Replace bosh director cert common name with the right one
+- type: replace
+  path: /instance_groups/name=pcap-api/jobs/name=pcap-api/properties/pcap-api/bosh/tls/common_name
+  value: ((director_common_name))
+`
+
 // opsfiles that need to be set for all tests
-var defaultOpsfiles = []string{opsfileChangeName, opsfileChangeVersion, opsfileAddSSHUser, opsfileStartApache}
+var defaultOpsfiles = []string{opsfileChangeName, opsfileChangeVersion, opsfileChangeBoshDirectorCN, opsfileAddSSHUser, opsfileStartApache}
 var defaultSSHUser string = "ginkgo"
 
 // buildManifestVars returns a map of variables needed to deploy pcap.
 func buildManifestVars(baseManifestVars baseManifestVars, customVars map[string]interface{}) map[string]interface{} {
 	vars := map[string]interface{}{
-		"release-version":   config.ReleaseVersion,
-		"director_ssl_ca":   config.BoshDirectorCA,
-		"bosh_director_api": config.BoshDirectorAPI,
-		"director_ssl_cert": config.BoshDirectorCert,
-		"director_ssl_key":  config.BoshDirectorKey,
-		"deployment-name":   baseManifestVars.deploymentName,
-		"ssh_user":          defaultSSHUser,
+		"release-version":      config.ReleaseVersion,
+		"director_ssl_ca":      config.BoshDirectorCA,
+		"bosh_director_api":    config.BoshDirectorAPI,
+		"director_ssl_cert":    config.BoshDirectorCert,
+		"director_ssl_key":     config.BoshDirectorKey,
+		"director_common_name": config.BoshDirectorCertCN,
+		"deployment-name":      baseManifestVars.deploymentName,
+		"ssh_user":             defaultSSHUser,
 	}
 	for k, v := range customVars {
 		vars[k] = v

acceptance-tests/config.go

@@ -1,6 +1,8 @@
 package acceptance_tests
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"os"
 	"os/exec"
@@ -9,18 +11,19 @@ import (
 var config Config
 
 type Config struct {
-	ReleaseRepoPath  string `json:"releaseRepoPath"`
-	ReleaseVersion   string `json:"releaseVersion"`
-	BoshDirectorAPI  string `json:"boshDirectorAPI"`
-	BoshDirectorCert string `json:"boshDirectorCert"`
-	BoshDirectorKey  string `json:"boshDirectorKey"`
-	BoshDirectorCA   string `json:"boshDirectorCA"`
-	BoshClient       string `json:"boshClient"`
-	BoshClientSecret string `json:"boshClientSecret"`
-	BoshEnvironment  string `json:"boshEnvironment"`
-	BoshPath         string `json:"boshPath"`
-	BaseManifestPath string `json:"baseManifestPath"`
-	HomePath         string `json:"homePath"`
+	ReleaseRepoPath    string `json:"releaseRepoPath"`
+	ReleaseVersion     string `json:"releaseVersion"`
+	BoshDirectorAPI    string `json:"boshDirectorAPI"`
+	BoshDirectorCertCN string `json:"boshDirectorCertCN"`
+	BoshDirectorCert   string `json:"boshDirectorCert"`
+	BoshDirectorKey    string `json:"boshDirectorKey"`
+	BoshDirectorCA     string `json:"boshDirectorCA"`
+	BoshClient         string `json:"boshClient"`
+	BoshClientSecret   string `json:"boshClientSecret"`
+	BoshEnvironment    string `json:"boshEnvironment"`
+	BoshPath           string `json:"boshPath"`
+	BaseManifestPath   string `json:"baseManifestPath"`
+	HomePath           string `json:"homePath"`
 }
 
 func loadConfig() (Config, error) {
@@ -84,20 +87,30 @@ func loadConfig() (Config, error) {
 	if err != nil {
 		return Config{}, err
 	}
+	// extract Bosh Director SSL Certificate Common Name
+	block, _ := pem.Decode([]byte(boshDirectorCert))
+	if block == nil {
+		return Config{}, fmt.Errorf("failed to parse PEM block containing the public key")
+	}
+
+	cert, _ := x509.ParseCertificate(block.Bytes) // handle error
+
+	boshDirectorCertCN := cert.Subject.CommonName
 
 	return Config{
-		ReleaseRepoPath:  releaseRepoPath,
-		ReleaseVersion:   releaseVersion,
-		BoshDirectorAPI:  boshDirectorAPI,
-		BoshDirectorCert: boshDirectorCert,
-		BoshDirectorKey:  boshDirectorKey,
-		BoshDirectorCA:   boshDirectorCA,
-		BoshClient:       boshClient,
-		BoshClientSecret: boshClientSecret,
-		BoshEnvironment:  boshEnvironment,
-		BoshPath:         boshPath,
-		BaseManifestPath: baseManifestPath,
-		HomePath:         homePath,
+		ReleaseRepoPath:    releaseRepoPath,
+		ReleaseVersion:     releaseVersion,
+		BoshDirectorAPI:    boshDirectorAPI,
+		BoshDirectorCertCN: boshDirectorCertCN,
+		BoshDirectorCert:   boshDirectorCert,
+		BoshDirectorKey:    boshDirectorKey,
+		BoshDirectorCA:     boshDirectorCA,
+		BoshClient:         boshClient,
+		BoshClientSecret:   boshClientSecret,
+		BoshEnvironment:    boshEnvironment,
+		BoshPath:           boshPath,
+		BaseManifestPath:   baseManifestPath,
+		HomePath:           homePath,
 	}, nil
 }
 

jobs/pcap-agent/spec

@@ -36,5 +36,5 @@ properties:
     description: "Certificate and chain to talk to pcap-api in PEM format"
   pcap-agent.listen.tls.private_key:
     description: "Private key to talk to pcap-api in PEM format"
-  pcap-agent.listen.tls.ca:
+  pcap-agent.listen.tls.client_cas:
     description: "CA bundle which is used to request and verify client certificates"

jobs/pcap-agent/templates/client-ca.crt.erb

@@ -1,3 +1,3 @@
-<%- if_p("pcap-agent.listen.tls.ca") do |client_ca| -%>
+<%- if_p("pcap-agent.listen.tls.client_cas") do |client_ca| -%>
 <%= client_ca -%>
 <%- end -%>

jobs/pcap-agent/templates/pcap-agent.yml.erb

@@ -7,7 +7,7 @@ config = {
     "tls" => {
       "certificate"=> "/var/vcap/jobs/pcap-agent/config/certs/pcap-agent.crt",
       "private_key" => "/var/vcap/jobs/pcap-agent/config/certs/pcap-agent.key",
-      "ca" => "/var/vcap/jobs/pcap-agent/config/certs/client-ca.crt",
+      "client_cas" => "/var/vcap/jobs/pcap-agent/config/certs/client-ca.crt",
     },
   },
   "buffer" => {

jobs/pcap-api/spec

@@ -9,9 +9,7 @@ templates:
   pcap-api.crt.erb: config/certs/pcap-api.crt
   pcap-api.key.erb: config/certs/pcap-api.key
   pcap-api.ca.erb: config/certs/pcap-api-ca.crt
-  bosh_mtls/pcap-api-bosh.ca.erb: config/certs/bosh/pcap-api-bosh-ca.crt
-  bosh_mtls/pcap-api-bosh.crt.erb: config/certs/bosh/pcap-api-bosh.crt
-  bosh_mtls/pcap-api-bosh.key.erb: config/certs/bosh/pcap-api-bosh.key
+  pcap-api-bosh.ca.erb: config/certs/bosh/pcap-api-bosh-ca.crt
   agents_mtls/pcap-api-client.crt.erb: config/certs/pcap-api-client.crt
   agents_mtls/pcap-api-client.key.erb: config/certs/pcap-api-client.key
   agents_mtls/pcap-api-client.ca.erb: config/certs/pcap-api-client-ca.crt
@@ -44,7 +42,7 @@ properties:
     description: "Certificate chain to talk to gorouter in PEM format"
   pcap-api.listen.tls.private_key:
     description: "Private key to talk to gorouter in PEM format"
-  pcap-api.listen.tls.ca:
+  pcap-api.listen.tls.client_cas:
     description: "CA bundle which is used to request and verify client certificates" # platform CA (gorouter CA)
 
   pcap-api.agents_mtls.enabled:
@@ -70,19 +68,15 @@ properties:
     description: "Endpoint of the BOSH Director API"
   pcap-api.bosh.token_scope:
     description: "Scope of the token"
-  pcap-api.bosh.mtls.enabled:
+  pcap-api.bosh.tls.enabled:
     default: true
-  pcap-api.bosh.mtls.common_name:
+  pcap-api.bosh.tls.common_name:
     description: "Common name of the Bosh Director"
-  pcap-api.bosh.mtls.skip_verify:
+  pcap-api.bosh.tls.skip_verify:
     description: "Skip server verification for connection to Bosh Director"
     default: false
-  pcap-api.bosh.mtls.certificate:
-    description: "Client certificate to talk to Bosh Director in PEM format"
-  pcap-api.bosh.mtls.private_key:
-    description: "Private key to talk to Bosh Director in PEM format"
-  pcap-api.bosh.mtls.ca:
-    description: "CA bundle which is used to request and verify Bosh Director client certificates"
+  pcap-api.bosh.tls.ca:
+    description: "CA bundle which is used to request and verify Bosh Director certificates"
 
 
   pcap-api.cli_download_root:

jobs/pcap-api/templates/agents_mtls/pcap-api-client.ca.erb

@@ -1,7 +1,9 @@
-<%
-if_p("pcap-api.agents_mtls.ca") do |pem|
-%>
+<%- if p("pcap-api.agents_mtls.enabled").to_s == "true"
+      if !p("pcap-api.agents_mtls.ca", nil)
+        raise "Conflicting configuration: pcap-api.agents_mtls.enabled is true, you must provide a valid client CAs"
+      end
+    end
+-%>
+<%- if_p("pcap-api.agents_mtls.ca") do |pem| -%>
 <%= pem %>
-<%
-end
-%>
+<%- end -%>

jobs/pcap-api/templates/agents_mtls/pcap-api-client.crt.erb

@@ -1,7 +1,9 @@
-<%
-if_p("pcap-api.agents_mtls.certificate") do |pem|
-%>
+<%- if p("pcap-api.agents_mtls.enabled").to_s == "true"
+      if !p("pcap-api.agents_mtls.certificate", nil)
+        raise "Conflicting configuration: pcap-api.agents_mtls.enabled is true, you must provide a valid certificate"
+      end
+    end
+-%>
+<%- if_p("pcap-api.agents_mtls.certificate") do |pem| -%>
 <%= pem %>
-<%
-end
-%>
+<%- end -%>

jobs/pcap-api/templates/agents_mtls/pcap-api-client.key.erb

@@ -1,7 +1,9 @@
-<%
-if_p("pcap-api.agents_mtls.private_key") do |pem|
-%>
+<%- if p("pcap-api.agents_mtls.enabled").to_s == "true"
+      if !p("pcap-api.agents_mtls.private_key", nil)
+        raise "Conflicting configuration: pcap-api.agents_mtls.enabled is true, you must provide a valid private key"
+      end
+    end
+-%>
+<%- if_p("pcap-api.agents_mtls.private_key") do |pem| -%>
 <%= pem %>
-<%
-end
-%>
+<%- end -%>