Agent<->Landscape over TLS by default

Previously, if the Landscape server's SSL public key wasn't provided we'd default to insecure credentials for gRPC. That's not nice when the system trusts the server cert. A browser would happily render the page as safe, but the agent would fail to connect to the server's hostagent messenger. We should assume TLS by default. If the server cert path is not provided, load the system's cert pool and try to connect based on the system's chain of trust. To avoid complicating the existing tests, we preserve the use of insecure credentials via a context value. If set, we don't even check the cert path. Otherwise, TLS by default.
canonical · Dec 2, 2024 · 0c788ce · 0c788ce
1 parent 8404d08
commit 0c788ce
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 5 deletions.
diff --git a/windows-agent/internal/proservices/landscape/connection.go b/windows-agent/internal/proservices/landscape/connection.go
@@ -65,7 +65,7 @@ func newConnection(ctx context.Context, d serviceData) (conn *connection, err er
 		cancel:   cancel,
 	}
 
-	creds, err := transportCredentials(conn.settings.certificatePath)
+	creds, err := transportCredentials(ctx, conn.settings.certificatePath)
 	if err != nil {
 		return nil, err
 	}

diff --git a/windows-agent/internal/proservices/landscape/utils.go b/windows-agent/internal/proservices/landscape/utils.go
@@ -100,17 +100,37 @@ func newHostAgentInfo(ctx context.Context, c serviceData) (info *landscapeapi.Ho
 	return info, nil
 }
 
+type transportCredentialsType struct{}
+
+// InsecureCredentials is the key used in tests for insecure credentials.
+var InsecureCredentials = transportCredentialsType{}
+
 // transportCredentials reads the Landscape client config to check if a SSL public key is specified.
 //
-// If this credential is not specified, an insecure credential is returned.
-// If the credential is specified but erroneous, an error is returned.
-func transportCredentials(sslPublicKeyPath string) (cred credentials.TransportCredentials, err error) {
+// If this credential is not specified, credentials based on the system's certificate pool is returned.
+// If the SSL public key is specified but invalid, an error is returned.
+// If the context has the "InsecureCredentials" key, insecure credentials are returned (for testing purposes).
+func transportCredentials(ctx context.Context, sslPublicKeyPath string) (cred credentials.TransportCredentials, err error) {
 	defer decorate.OnError(&err, "Landscape credentials")
 
-	if sslPublicKeyPath == "" {
+	isInsecure := ctx.Value(InsecureCredentials)
+	if isInsecure == true {
+		log.Warningf(ctx, "Landscape: context requires insecure credentials, ignoring server's public key %s", sslPublicKeyPath)
 		return insecure.NewCredentials(), nil
 	}
 
+	if sslPublicKeyPath == "" {
+		certPool, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, fmt.Errorf("could not load system certificates: %v", err)
+		}
+
+		return credentials.NewTLS(&tls.Config{
+			RootCAs:    certPool,
+			MinVersion: tls.VersionTLS12,
+		}), nil
+	}
+
 	cert, err := os.ReadFile(sslPublicKeyPath)
 	if err != nil {
 		return nil, fmt.Errorf("could not load SSL public key file: %v", err)