diff --git a/main.go b/main.go index 644e0889a..7bc63abe3 100644 --- a/main.go +++ b/main.go @@ -148,7 +148,7 @@ func init() { if config.Alertmanager.HostPort != "" { var err error - alertmanagerClient, err = outputs.NewClient("AlertManager", config.Alertmanager.HostPort+outputs.AlertmanagerURI, config.Alertmanager.MutualTls, config, stats, promStats, statsdClient, dogstatsdClient) + alertmanagerClient, err = outputs.NewClient("AlertManager", config.Alertmanager.HostPort+outputs.AlertmanagerURI, config.Alertmanager.MutualTLS, config, stats, promStats, statsdClient, dogstatsdClient) if err != nil { config.Alertmanager.HostPort = "" } else { @@ -158,7 +158,7 @@ func init() { if config.Elasticsearch.HostPort != "" { var err error - elasticsearchClient, err = outputs.NewClient("Elasticsearch", config.Elasticsearch.HostPort+"/"+config.Elasticsearch.Index+"/"+config.Elasticsearch.Type, config.Elasticsearch.MutualTls, config, stats, promStats, statsdClient, dogstatsdClient) + elasticsearchClient, err = outputs.NewClient("Elasticsearch", config.Elasticsearch.HostPort+"/"+config.Elasticsearch.Index+"/"+config.Elasticsearch.Type, config.Elasticsearch.MutualTLS, config, stats, promStats, statsdClient, dogstatsdClient) if err != nil { config.Elasticsearch.HostPort = "" } else { @@ -178,7 +178,7 @@ func init() { if config.Nats.HostPort != "" { var err error - natsClient, err = outputs.NewClient("NATS", config.Nats.HostPort, config.Nats.MutualTls, config, stats, promStats, statsdClient, dogstatsdClient) + natsClient, err = outputs.NewClient("NATS", config.Nats.HostPort, config.Nats.MutualTLS, config, stats, promStats, statsdClient, dogstatsdClient) if err != nil { config.Nats.HostPort = "" } else { @@ -205,7 +205,7 @@ func init() { } var err error - influxdbClient, err = outputs.NewClient("Influxdb", config.Influxdb.HostPort+"/write?db="+config.Influxdb.Database+credentials, config.Influxdb.MutualTls, config, stats, promStats, statsdClient, dogstatsdClient) + influxdbClient, err = outputs.NewClient("Influxdb", config.Influxdb.HostPort+"/write?db="+config.Influxdb.Database+credentials, config.Influxdb.MutualTLS, config, stats, promStats, statsdClient, dogstatsdClient) if err != nil { config.Influxdb.HostPort = "" } else { @@ -272,7 +272,7 @@ func init() { if config.Webhook.Address != "" { var err error - webhookClient, err = outputs.NewClient("Webhook", config.Webhook.Address, config.Webhook.MutualTls, config, stats, promStats, statsdClient, dogstatsdClient) + webhookClient, err = outputs.NewClient("Webhook", config.Webhook.Address, config.Webhook.MutualTLS, config, stats, promStats, statsdClient, dogstatsdClient) if err != nil { config.Webhook.Address = "" } else { diff --git a/outputs/client.go b/outputs/client.go index 3c8e01d4a..5640d2985 100644 --- a/outputs/client.go +++ b/outputs/client.go @@ -52,16 +52,16 @@ var ErrClientCreation = errors.New("Client creation Error") // EnabledOutputs list all enabled outputs var EnabledOutputs []string -// Mutual TLS files names are static to work with helm and single docker modes -var MutualTlsClientCertFilename = "/client.crt" -var MutualTlsClientKeyFilename = "/client.key" -var MutualTlsCacertFilename = "/ca.crt" +// files names are static fo the shake of helm and single docker compatibility +const MutualTLSClientCertFilename = "/client.crt" +const MutualTLSClientKeyFilename = "/client.key" +const MutualTLSCacertFilename = "/ca.crt" // Client communicates with the different API. type Client struct { OutputType string EndpointURL *url.URL - MutualTlsEnabled bool + MutualTLSEnabled bool Config *types.Configuration Stats *types.Statistics PromStats *types.PromStatistics @@ -78,7 +78,7 @@ type Client struct { } // NewClient returns a new output.Client for accessing the different API. -func NewClient(outputType string, defaultEndpointURL string, mutualTlsEnabled bool, config *types.Configuration, stats *types.Statistics, promStats *types.PromStatistics, statsdClient, dogstatsdClient *statsd.Client) (*Client, error) { +func NewClient(outputType string, defaultEndpointURL string, mutualTLSEnabled bool, config *types.Configuration, stats *types.Statistics, promStats *types.PromStatistics, statsdClient, dogstatsdClient *statsd.Client) (*Client, error) { reg := regexp.MustCompile(`(http|nats)(s?)://.*`) if !reg.MatchString(defaultEndpointURL) { log.Printf("[ERROR] : %v - %v\n", outputType, "Bad Endpoint") @@ -93,7 +93,7 @@ func NewClient(outputType string, defaultEndpointURL string, mutualTlsEnabled bo log.Printf("[ERROR] : %v - %v\n", outputType, err.Error()) return nil, ErrClientCreation } - return &Client{OutputType: outputType, EndpointURL: endpointURL, MutualTlsEnabled: mutualTlsEnabled, Config: config, Stats: stats, PromStats: promStats, StatsdClient: statsdClient, DogstatsdClient: dogstatsdClient}, nil + return &Client{OutputType: outputType, EndpointURL: endpointURL, MutualTLSEnabled: mutualTLSEnabled, Config: config, Stats: stats, PromStats: promStats, StatsdClient: statsdClient, DogstatsdClient: dogstatsdClient}, nil } // Post sends event (payload) to Output. @@ -120,15 +120,15 @@ func (c *Client) Post(payload interface{}) error { customTransport := http.DefaultTransport.(*http.Transport).Clone() - if c.MutualTlsEnabled { + if c.MutualTLSEnabled { // Load client cert - cert, err := tls.LoadX509KeyPair(c.Config.MutualTlsFilesPath + MutualTlsClientCertFilename, c.Config.MutualTlsFilesPath + MutualTlsClientKeyFilename) + cert, err := tls.LoadX509KeyPair(c.Config.MutualTLSFilesPath+MutualTLSClientCertFilename, c.Config.MutualTLSFilesPath+MutualTLSClientKeyFilename) if err != nil { log.Printf("[ERROR] : %v - %v\n", c.OutputType, err.Error()) } // Load CA cert - caCert, err := ioutil.ReadFile(c.Config.MutualTlsFilesPath + MutualTlsCacertFilename) + caCert, err := ioutil.ReadFile(c.Config.MutualTLSFilesPath + MutualTLSCacertFilename) if err != nil { log.Printf("[ERROR] : %v - %v\n", c.OutputType, err.Error()) } @@ -137,6 +137,7 @@ func (c *Client) Post(payload interface{}) error { customTransport.TLSClientConfig = &tls.Config{ Certificates: []tls.Certificate{cert}, RootCAs: caCertPool, + MinVersion: tls.VersionTLS12, } } else { // With MutualTLS enabled, the check cert flag is ignored diff --git a/outputs/client_test.go b/outputs/client_test.go index c5b9d01ec..dcab38428 100644 --- a/outputs/client_test.go +++ b/outputs/client_test.go @@ -33,7 +33,7 @@ func TestNewClient(t *testing.T) { stats := &types.Statistics{} promStats := &types.PromStatistics{} - testClientOutput := Client{OutputType: "test", EndpointURL: u, MutualTlsEnabled: false, Config: config, Stats: stats, PromStats: promStats} + testClientOutput := Client{OutputType: "test", EndpointURL: u, MutualTLSEnabled: false, Config: config, Stats: stats, PromStats: promStats} _, err := NewClient("test", "localhost/%*$ยจ^!/:;", false, config, stats, promStats, nil, nil) require.NotNil(t, err) @@ -87,16 +87,16 @@ func TestPost(t *testing.T) { func TestMutualTlsPost(t *testing.T) { config := &types.Configuration{} - config.MutualTlsFilesPath = "/tmp/falcosidekicktests" + config.MutualTLSFilesPath = "/tmp/falcosidekicktests" // delete folder to avoid makedir failure - os.RemoveAll(config.MutualTlsFilesPath) + os.RemoveAll(config.MutualTLSFilesPath) serverTLSConf, err := certsetup(config) if err != nil { - require.Nil(t, err) - } + require.Nil(t, err) + } - tls_url := "127.0.0.1:5443" + tlsURL := "127.0.0.1:5443" // set up the httptest.Server using our certificate signed by our CA server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { @@ -109,13 +109,13 @@ func TestMutualTlsPost(t *testing.T) { })) // This Listen config is required since server.URL generates a "Server already started" Panic error // Check https://golang.org/src/net/http/httptest/server.go#:~:text=s.URL - l, _ := net.Listen("tcp", tls_url) - server.Listener = l + l, _ := net.Listen("tcp", tlsURL) + server.Listener = l server.TLS = serverTLSConf server.StartTLS() defer server.Close() - nc, err := NewClient("", server.URL + "/200", true, config, &types.Statistics{}, &types.PromStatistics{}, nil, nil) + nc, err := NewClient("", server.URL+"/200", true, config, &types.Statistics{}, &types.PromStatistics{}, nil, nil) require.Nil(t, err) require.NotEmpty(t, nc) @@ -125,10 +125,10 @@ func TestMutualTlsPost(t *testing.T) { } func certsetup(config *types.Configuration) (serverTLSConf *tls.Config, err error) { - err = os.Mkdir(config.MutualTlsFilesPath, 0755) - if err != nil { - return nil, err - } + err = os.Mkdir(config.MutualTLSFilesPath, 0755) + if err != nil { + return nil, err + } // set up our CA certificate ca := &x509.Certificate{ @@ -169,7 +169,7 @@ func certsetup(config *types.Configuration) (serverTLSConf *tls.Config, err erro }) // save ca to ca.crt file (it will be used by Client) - err = ioutil.WriteFile(config.MutualTlsFilesPath + "/ca.crt", caPEM.Bytes(), 0644) + err = ioutil.WriteFile(config.MutualTLSFilesPath+"/ca.crt", caPEM.Bytes(), 0600) if err != nil { return nil, err } @@ -220,15 +220,16 @@ func certsetup(config *types.Configuration) (serverTLSConf *tls.Config, err erro if err != nil { return nil, err } - + // create server TLS config caCertPool := x509.NewCertPool() caCertPool.AppendCertsFromPEM(caPEM.Bytes()) serverTLSConf = &tls.Config{ Certificates: []tls.Certificate{serverCert}, - ClientCAs: caCertPool, - RootCAs: caCertPool, - ClientAuth: tls.RequireAndVerifyClientCert, + ClientCAs: caCertPool, + RootCAs: caCertPool, + ClientAuth: tls.RequireAndVerifyClientCert, + MinVersion: tls.VersionTLS12, } // create client certificate @@ -268,7 +269,7 @@ func certsetup(config *types.Configuration) (serverTLSConf *tls.Config, err erro }) // save client cert and key to client.crt and client.key - err = ioutil.WriteFile(config.MutualTlsFilesPath + "/client.crt", clientCertPEM.Bytes(), 0644) + err = ioutil.WriteFile(config.MutualTLSFilesPath+"/client.crt", clientCertPEM.Bytes(), 0600) if err != nil { return nil, err } @@ -277,9 +278,9 @@ func certsetup(config *types.Configuration) (serverTLSConf *tls.Config, err erro Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(clientCertPrivKey), }) - err = ioutil.WriteFile(config.MutualTlsFilesPath + "/client.key", clientCertPrivKeyPEM.Bytes(), 0644) + err = ioutil.WriteFile(config.MutualTLSFilesPath+"/client.key", clientCertPrivKeyPEM.Bytes(), 0600) if err != nil { return nil, err } - return + return serverTLSConf, nil } diff --git a/types/types.go b/types/types.go index a1ee74219..d9d766d42 100644 --- a/types/types.go +++ b/types/types.go @@ -20,8 +20,8 @@ type FalcoPayload struct { // Configuration is a struct to store configuration type Configuration struct { + MutualTLSFilesPath string CheckCert bool - MutualTlsFilesPath string Debug bool ListenAddress string ListenPort int @@ -115,7 +115,7 @@ type DiscordOutputConfig struct { type alertmanagerOutputConfig struct { HostPort string MinimumPriority string - MutualTls bool + MutualTLS bool } type elasticsearchOutputConfig struct { @@ -124,7 +124,7 @@ type elasticsearchOutputConfig struct { Type string MinimumPriority string Suffix string - MutualTls bool + MutualTLS bool } type influxdbOutputConfig struct { @@ -133,7 +133,7 @@ type influxdbOutputConfig struct { User string Password string MinimumPriority string - MutualTls bool + MutualTLS bool } type lokiOutputConfig struct { @@ -144,7 +144,7 @@ type lokiOutputConfig struct { type natsOutputConfig struct { HostPort string MinimumPriority string - MutualTls bool + MutualTLS bool } type stanOutputConfig struct { @@ -216,7 +216,7 @@ type WebhookOutputConfig struct { Address string CustomHeaders map[string]string MinimumPriority string - MutualTls bool + MutualTLS bool } // CloudEventsOutputConfig represents parameters for CloudEvents