fix tls insecure connection between agent and master

Author: Kbayero

agent-manager/main.go

@@ -2,9 +2,9 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"net"
 
-	"net/http"
 	_ "net/http/pprof"
 
 	pb "github.com/utmstack/UTMStack/agent-manager/agent"
@@ -14,17 +14,13 @@ import (
 	"github.com/utmstack/UTMStack/agent-manager/util"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/health"
 	"google.golang.org/grpc/health/grpc_health_v1"
 	"google.golang.org/grpc/status"
 )
 
 func main() {
-	go func() {
-		// http://localhost:6060/debug/pprof/
-		http.ListenAndServe("0.0.0.0:6060", nil)
-	}()
-
 	h := util.GetLogger()
 
 	defer func() {
@@ -38,20 +34,28 @@ func main() {
 	migration.MigrateDatabase(h)
 
 	s, err := pb.InitGrpc()
-
 	if err != nil {
 		h.Fatal("Failed to inititialize gRPC: %v", err)
 	}
 
-	lis, err := net.Listen("tcp", "0.0.0.0:50051")
+	cert, err := tls.LoadX509KeyPair("/cert/utm.crt", "/cert/utm.key")
 	if err != nil {
-		h.Fatal("Failed to listen: %v", err)
+		h.Fatal("failed to load server certificates: %v", err)
+	}
+
+	tlsConfig := &tls.Config{
+		MinVersion:   tls.VersionTLS13,
+		Certificates: []tls.Certificate{cert},
 	}
 
-	// Create a gRPC server with the authInterceptor.
-	grpcServer := grpc.NewServer(grpc.UnaryInterceptor(recoverInterceptor),
+	creds := credentials.NewTLS(tlsConfig)
+
+	grpcServer := grpc.NewServer(
+		grpc.Creds(creds),
+		grpc.UnaryInterceptor(recoverInterceptor),
 		grpc.ChainUnaryInterceptor(auth.UnaryInterceptor),
-		grpc.StreamInterceptor(auth.StreamInterceptor))
+		grpc.StreamInterceptor(auth.StreamInterceptor),
+	)
 
 	pb.RegisterAgentServiceServer(grpcServer, s)
 	pb.RegisterPanelServiceServer(grpcServer, s)
@@ -72,6 +76,11 @@ func main() {
 	s.InitPingSync()
 
 	// Start the gRPC server
+	lis, err := net.Listen("tcp", "0.0.0.0:50051")
+	if err != nil {
+		h.Fatal("Failed to listen: %v", err)
+	}
+
 	h.Info("Starting gRPC server on 0.0.0.0:50051")
 	if err := grpcServer.Serve(lis); err != nil {
 		h.Fatal("Failed to serve: %v", err)

agent/agent/configuration/const.go

@@ -109,16 +109,6 @@ var (
 	ProhibitedPortsChange = []LogType{LogTypeCiscoGeneric, LogTypeNetflow}
 )
 
-func GetCertPath() string {
-	path, _ := utils.GetMyPath()
-	return filepath.Join(path, "certs", "utm.crt")
-}
-
-func GetKeyPath() string {
-	path, _ := utils.GetMyPath()
-	return filepath.Join(path, "certs", "utm.key")
-}
-
 func GetCaPath() string {
 	path, _ := utils.GetMyPath()
 	return filepath.Join(path, "certs", "ca.crt")

agent/agent/conn/conn.go

@@ -1,14 +1,15 @@
 package conn
 
 import (
+	"crypto/tls"
 	"fmt"
 	"time"
 
 	"github.com/threatwinds/logger"
 	"github.com/utmstack/UTMStack/agent/agent/configuration"
 	"github.com/utmstack/UTMStack/agent/agent/utils"
 	grpc "google.golang.org/grpc"
-	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/credentials"
 )
 
 const (
@@ -33,29 +34,26 @@ func ConnectToServer(cnf *configuration.Config, h *logger.Logger, addrs, port st
 		}
 
 		h.Info("trying to connect to Server...")
-
-		if cnf.SkipCertValidation {
-			conn, err = grpc.Dial(serverAddress, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(maxMessageSize)))
+		var opts grpc.DialOption
+		if !cnf.SkipCertValidation {
+			creds, err := credentials.NewClientTLSFromFile(configuration.GetCaPath(), "")
 			if err != nil {
-				connectionAttemps++
-				h.Info("error connecting to Server, trying again in %.0f seconds", reconnectDelay.Seconds())
-				time.Sleep(reconnectDelay)
-				reconnectDelay = utils.IncrementReconnectDelay(reconnectDelay, maxReconnectDelay)
-				continue
+				return nil, fmt.Errorf("failed to load CA trust certificate: %v", err)
 			}
+			opts = grpc.WithTransportCredentials(creds)
 		} else {
-			tlsCredentials, err := utils.LoadTLSCredentials(configuration.GetCertPath())
-			if err != nil {
-				return nil, fmt.Errorf("failed to load TLS credentials: %v", err)
-			}
-			conn, err = grpc.Dial(serverAddress, grpc.WithTransportCredentials(tlsCredentials), grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(maxMessageSize)))
-			if err != nil {
-				connectionAttemps++
-				h.Info("error connecting to Server, trying again in %.0f seconds", reconnectDelay.Seconds())
-				time.Sleep(reconnectDelay)
-				reconnectDelay = utils.IncrementReconnectDelay(reconnectDelay, maxReconnectDelay)
-				continue
-			}
+			tlsConfig := &tls.Config{InsecureSkipVerify: true}
+			creds := credentials.NewTLS(tlsConfig)
+			opts = grpc.WithTransportCredentials(creds)
+		}
+
+		conn, err = grpc.NewClient(serverAddress, opts, grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(maxMessageSize)))
+		if err != nil {
+			connectionAttemps++
+			h.Info("error connecting to Server, trying again in %.0f seconds", reconnectDelay.Seconds())
+			time.Sleep(reconnectDelay)
+			reconnectDelay = utils.IncrementReconnectDelay(reconnectDelay, maxReconnectDelay)
+			continue
 		}
 
 		break

agent/agent/utils/certs.go

@@ -82,6 +82,7 @@ func GenerateCerts(folder string) error {
 			Locality:     []string{"Coral Springs"},
 		},
 		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
+		DNSNames:     []string{"localhost"},
 		NotBefore:    time.Now(),
 		NotAfter:     time.Now().AddDate(10, 0, 0),
 		SubjectKeyId: []byte{1, 2, 3, 4, 6},

agent/agent/utils/tls.go

@@ -1,94 +1,104 @@
 package main
 
 import (
-	"fmt"
+	"crypto/tls"
 	"net"
-	"os"
-	"path/filepath"
+	"net/http"
 
 	"github.com/gin-gonic/gin"
-	"github.com/utmstack/UTMStack/log-auth-proxy/config"
 	"github.com/utmstack/UTMStack/log-auth-proxy/handlers"
 	"github.com/utmstack/UTMStack/log-auth-proxy/logservice"
 	"github.com/utmstack/UTMStack/log-auth-proxy/middleware"
 	"github.com/utmstack/UTMStack/log-auth-proxy/utils"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/health"
 	"google.golang.org/grpc/health/grpc_health_v1"
 )
 
 func main() {
-	h := utils.GetLogger()
 	autService := logservice.NewLogAuthService()
 	go autService.SyncAuth()
 	authInterceptor := middleware.NewLogAuthInterceptor(autService)
 
-	cert, key, err := loadCerts()
-	if err != nil {
-		h.Fatal("Failed to load certificates: %v", err)
-	}
-
 	logOutputService := logservice.NewLogOutputService()
 	go logOutputService.SyncOutputs()
 
-	go startHTTPServer(authInterceptor, logOutputService, cert, key)
+	go startHTTPServer(authInterceptor, logOutputService)
 	go startGRPCServer(authInterceptor, logOutputService)
 
-	// Block the main thread until an interrupt is received
 	select {}
 }
 
-func startHTTPServer(interceptor *middleware.LogAuthInterceptor, logOutputService *logservice.LogOutputService, cert string, key string) {
+func startHTTPServer(interceptor *middleware.LogAuthInterceptor, logOutputService *logservice.LogOutputService) {
 	h := utils.GetLogger()
+
 	gin.SetMode(gin.ReleaseMode)
 	router := gin.Default()
 	router.POST("/v1/log", interceptor.HTTPAuthInterceptor(), handlers.HttpLog(logOutputService))
 	router.POST("/v1/logs", interceptor.HTTPAuthInterceptor(), handlers.HttpBulkLog(logOutputService))
 	router.POST("/v1/github-webhook", interceptor.HTTPGitHubAuthInterceptor(), handlers.HttpGitHubHandler(logOutputService))
 	router.GET("/v1/ping", handlers.HttpPing)
-	err := router.RunTLS(":8080", cert, key)
-	h.Info("Starting HTTP server on 0.0.0.0:8080")
+
+	cert, err := tls.LoadX509KeyPair("/cert/utm.crt", "/cert/utm.key")
 	if err != nil {
-		h.ErrorF("Failed to start HTTP server: %v", err)
-		return
+		h.Fatal("failed to load server certificates: %v", err)
 	}
-}
 
-func loadCerts() (string, string, error) {
-	certsLocation := os.Getenv(config.UTMCertsLocationEnv)
-	certPath := filepath.Join(certsLocation, config.UTMCertFileName)
-	keyPath := filepath.Join(certsLocation, config.UTMCertFileKey)
+	tlsConfig := &tls.Config{
+		MinVersion:   tls.VersionTLS13,
+		Certificates: []tls.Certificate{cert},
+	}
 
-	if _, err := os.Stat(certPath); os.IsNotExist(err) {
-		return "", "", fmt.Errorf("certificate file does not exist: %s", certPath)
+	server := &http.Server{
+		Addr:      ":8080",
+		Handler:   router,
+		TLSConfig: tlsConfig,
 	}
-	if _, err := os.Stat(keyPath); os.IsNotExist(err) {
-		return "", "", fmt.Errorf("key file does not exist: %s", keyPath)
+
+	h.Info("Starting HTTP server on 0.0.0.0:8080")
+	err = server.ListenAndServeTLS("", "")
+	if err != nil {
+		h.Fatal("Failed to start HTTP server: %v", err)
 	}
-	return certPath, keyPath, nil
 }
 
 func startGRPCServer(interceptor *middleware.LogAuthInterceptor, logOutputService *logservice.LogOutputService) {
 	h := utils.GetLogger()
-	lis, err := net.Listen("tcp", "0.0.0.0:50051")
+
+	cert, err := tls.LoadX509KeyPair("/cert/utm.crt", "/cert/utm.key")
 	if err != nil {
-		h.Fatal("failed to listen grpc server: %v", err)
+		h.Fatal("failed to load server certificates: %v", err)
 	}
 
+	tlsConfig := &tls.Config{
+		MinVersion:   tls.VersionTLS13,
+		Certificates: []tls.Certificate{cert},
+	}
+
+	creds := credentials.NewTLS(tlsConfig)
+
 	s := &logservice.Grpc{
 		OutputService: logOutputService,
 	}
 
-	grpcServer := grpc.NewServer(grpc.UnaryInterceptor(interceptor.GrpcRecoverInterceptor),
-		grpc.ChainUnaryInterceptor(interceptor.GrpcAuthInterceptor))
+	grpcServer := grpc.NewServer(
+		grpc.Creds(creds),
+		grpc.UnaryInterceptor(interceptor.GrpcRecoverInterceptor),
+		grpc.ChainUnaryInterceptor(interceptor.GrpcAuthInterceptor),
+	)
+
 	logservice.RegisterLogServiceServer(grpcServer, s)
 
-	// Register the health check service
 	healthServer := health.NewServer()
 	grpc_health_v1.RegisterHealthServer(grpcServer, healthServer)
 	healthServer.SetServingStatus("", grpc_health_v1.HealthCheckResponse_SERVING)
 
-	// Start the gRPC server
+	lis, err := net.Listen("tcp", "0.0.0.0:50051")
+	if err != nil {
+		h.Fatal("failed to listen grpc server: %v", err)
+	}
+
 	h.Info("Starting gRPC server on 0.0.0.0:50051")
 	if err := grpcServer.Serve(lis); err != nil {
 		h.Fatal("Failed to serve grpc: %v", err)