[Client] Implements ca_fingerprinting

picandocodigo · picandocodigo · commit 9a21b792e685 · 2021-10-04T16:28:52.000+01:00
diff --git a/elasticsearch-transport/lib/elasticsearch/transport/client.rb b/elasticsearch-transport/lib/elasticsearch/transport/client.rb
@@ -126,6 +126,7 @@ class Client
       #                                                     if you're using X-Opaque-Id
       # @option enable_meta_header [Boolean] :enable_meta_header Enable sending the meta data header to Cloud.
       #                                                          (Default: true)
+      # @option ca_fingerprint [String] :ca_fingerprint provide this value to only trust certificates that are signed by a specific CA certificate
       #
       # @yield [faraday] Access and configure the `Faraday::Connection` instance directly with a block
       #
@@ -156,6 +157,7 @@ def initialize(arguments={}, &block)
 
         @send_get_body_as = @arguments[:send_get_body_as] || 'GET'
         @opaque_id_prefix = @arguments[:opaque_id_prefix] || nil
+        @ca_fingerprint = @arguments.delete(:ca_fingerprint)
 
         if @arguments[:request_timeout]
           @arguments[:transport_options][:request] = { timeout: @arguments[:request_timeout] }
@@ -188,6 +190,7 @@ def perform_request(method, path, params = {}, body = nil, headers = nil)
           opaque_id = @opaque_id_prefix ? "#{@opaque_id_prefix}#{opaque_id}" : opaque_id
           headers.merge!('X-Opaque-Id' => opaque_id)
         end
+        validate_ca_fingerprints if @ca_fingerprint
         transport.perform_request(method, path, params, body, headers)
       end
 
@@ -211,6 +214,31 @@ def set_compatibility_header
         )
       end
 
+      def validate_ca_fingerprints
+        transport.connections.connections.each do |connection|
+          unless connection.host[:scheme] == 'https'
+            raise Elasticsearch::Transport::Transport::Error, 'CA fingerprinting can\'t be configured over http'
+          end
+
+          next if connection.verified
+
+          ctx = OpenSSL::SSL::SSLContext.new
+          socket = TCPSocket.new(connection.host[:host], connection.host[:port])
+          ssl = OpenSSL::SSL::SSLSocket.new(socket, ctx)
+          ssl.connect
+          cert_store = ssl.peer_cert_chain
+          matching_certs = cert_store.chain.select do |cert|
+            OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase == @ca_fingerprint.upcase
+          end
+          if matching_certs.empty?
+            raise Elasticsearch::Transport::Transport::Error,
+                  'Server certificate CA fingerprint does not match the value configured in ca_fingerprint'
+          end
+
+          connection.verified = true
+        end
+      end
+
       def add_header(header)
         headers = @arguments[:transport_options]&.[](:headers) || {}
         headers.merge!(header)
diff --git a/elasticsearch-transport/lib/elasticsearch/transport/transport/connections/connection.rb b/elasticsearch-transport/lib/elasticsearch/transport/transport/connections/connection.rb
@@ -33,6 +33,7 @@ class Connection
           DEFAULT_RESURRECT_TIMEOUT = 60
 
           attr_reader :host, :connection, :options, :failures, :dead_since
+          attr_accessor :verified
 
           # @option arguments [Hash]   :host       Host information (example: `{host: 'localhost', port: 9200}`)
           # @option arguments [Object] :connection The transport-specific physical connection or "session"
@@ -42,6 +43,7 @@ def initialize(arguments={})
             @host       = arguments[:host].is_a?(Hash) ? Redacted.new(arguments[:host]) : arguments[:host]
             @connection = arguments[:connection]
             @options    = arguments[:options] || {}
+            @verified   = false
             @state_mutex = Mutex.new
 
             @options[:resurrect_timeout] ||= DEFAULT_RESURRECT_TIMEOUT
@@ -153,7 +155,6 @@ def to_s
             "<#{self.class.name} host: #{host} (#{dead? ? 'dead since ' + dead_since.to_s : 'alive'})>"
           end
         end
-
       end
     end
   end
diff --git a/elasticsearch-transport/lib/elasticsearch/transport/transport/http/faraday.rb b/elasticsearch-transport/lib/elasticsearch/transport/transport/http/faraday.rb
@@ -62,7 +62,7 @@ def perform_request(method, path, params = {}, body = nil, headers = nil, opts =
           def __build_connection(host, options={}, block=nil)
             client = ::Faraday.new(__full_url(host), options, &block)
             apply_headers(client, options)
-            Connections::Connection.new :host => host, :connection => client
+            Connections::Connection.new(host: host, connection: client)
           end
 
           # Returns an array of implementation specific connection errors.
diff --git a/elasticsearch-transport/spec/elasticsearch/transport/client_spec.rb b/elasticsearch-transport/spec/elasticsearch/transport/client_spec.rb
@@ -1895,7 +1895,6 @@
       end
 
       context 'when request headers are specified' do
-
         let(:response) do
           client.perform_request('GET', '/', {}, nil, { 'Content-Type' => 'application/yaml' })
         end
@@ -1906,9 +1905,7 @@
       end
 
       describe 'selector' do
-
         context 'when the round-robin selector is used' do
-
           let(:nodes) do
             3.times.collect do
               client.perform_request('GET', '_nodes/_local').body['nodes'].to_a[0][1]['name']
@@ -1989,4 +1986,72 @@
       end
     end
   end
+
+  context 'CA Fingerprinting' do
+    context 'when setting a ca_fingerprint' do
+      let(:subject) { "/C=BE/O=Test/OU=Test/CN=Test" }
+
+      let(:certificate) do
+        OpenSSL::X509::Certificate.new.tap do |cert|
+          cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
+          cert.not_before = Time.now
+          cert.not_after = Time.now + 365 * 24 * 60 * 60
+          cert.public_key = OpenSSL::PKey::RSA.new(1024).public_key
+          cert.serial = 0x0
+          cert.version = 2
+        end
+      end
+
+      let(:client) do
+        Elasticsearch::Transport::Client.new(
+          host: 'https://elastic:changeme@localhost:9200',
+          ca_fingerprint: OpenSSL::Digest::SHA256.hexdigest(certificate.to_der)
+        )
+      end
+
+      it 'validates CA fingerprints on perform request' do
+        expect(client.transport.connections.connections.map(&:verified).uniq).to eq [false]
+        allow(client.transport).to receive(:perform_request) { 'Hello' }
+
+        server = double('server').as_null_object
+        allow(TCPSocket).to receive(:new) { server }
+        allow_any_instance_of(OpenSSL::SSL::SSLSocket).to receive(:connect) { nil }
+        allow_any_instance_of(OpenSSL::SSL::SSLSocket).to receive(:peer_cert_chain) { [certificate] }
+        response = client.perform_request('GET', '/')
+        expect(client.transport.connections.connections.map(&:verified).uniq).to eq [true]
+        expect(response).to eq 'Hello'
+      end
+    end
+
+    context 'when using an http host' do
+      let(:client) do
+        Elasticsearch::Transport::Client.new(
+          host: 'http://elastic:changeme@localhost:9200',
+          ca_fingerprint: 'test'
+        )
+      end
+
+      it 'raises an error' do
+        expect do
+          client.perform_request('GET', '/')
+        end.to raise_exception(Elasticsearch::Transport::Transport::Error)
+      end
+    end
+
+    context 'when not setting a ca_fingerprint' do
+      let(:client) do
+        Elasticsearch::Transport::Client.new(
+          host: 'http://elastic:changeme@localhost:9200'
+        )
+      end
+
+      it 'has unvalidated connections' do
+        allow(client).to receive(:validate_ca_fingerprints) { nil }
+        allow(client.transport).to receive(:perform_request) { nil }
+
+        client.perform_request('GET', '/')
+        expect(client).to_not have_received(:validate_ca_fingerprints)
+      end
+    end
+  end
 end
