Addresses security concerns from OWASP audit and CodeQL by enforcing strict host key verification and TLS certificate verification. Security Changes: - Enforced strict SSH host key checking in pkg/container and devops. - Removed insecure SSH host key verification from pkg/ansible. - Added synchronous host key discovery during VM boot using ssh-keyscan. - Updated UniFi client to enforce TLS certificate verification by default. - Added --insecure flag and config option for UniFi to allow opt-in to skipping TLS verification for self-signed certificates. CI and Maintenance: - Fixed auto-merge workflow by providing repository context to 'gh' command. - Resolved merge conflicts in .github/workflows/auto-merge.yml. - Added unit tests for secured Ansible SSH client. - Fixed formatting issues identified by QA checks.
package unifi
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"net/http"
|
|
|
|
uf "github.com/unpoller/unifi/v5"
|
|
|
|
"github.com/host-uk/core/pkg/log"
|
|
)
|
|
|
|
// Client wraps the unpoller UniFi client with config-based auth.
|
|
type Client struct {
|
|
api *uf.Unifi
|
|
url string
|
|
}
|
|
|
|
// New creates a new UniFi API client for the given controller URL and credentials.
|
|
func New(url, user, pass, apikey string, insecure bool) (*Client, error) {
|
|
cfg := &uf.Config{
|
|
URL: url,
|
|
User: user,
|
|
Pass: pass,
|
|
APIKey: apikey,
|
|
}
|
|
|
|
// Setup HTTP client with optional TLS verification skip
|
|
httpClient := &http.Client{
|
|
Transport: &http.Transport{
|
|
TLSClientConfig: &tls.Config{
|
|
InsecureSkipVerify: insecure,
|
|
MinVersion: tls.VersionTLS12,
|
|
},
|
|
},
|
|
}
|
|
|
|
api, err := uf.NewUnifi(cfg)
|
|
if err != nil {
|
|
return nil, log.E("unifi.New", "failed to create client", err)
|
|
}
|
|
|
|
// Override the HTTP client to skip TLS verification
|
|
api.Client = httpClient
|
|
|
|
return &Client{api: api, url: url}, nil
|
|
}
|
|
|
|
// API exposes the underlying SDK client for direct access.
|
|
func (c *Client) API() *uf.Unifi { return c.api }
|
|
|
|
// URL returns the UniFi controller URL.
|
|
func (c *Client) URL() string { return c.url }
|
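Review bot: The verifying transport is installed only after `uf.NewUnifi(cfg)` has returned (`api.Client = httpClient` following the constructor call in `New`), so any request the SDK makes during construction — it appears to log in there, since the page checks its error as "failed to create client" — goes through the library's own default client rather than the hardened one, and swapping in a bare `&http.Client{...}` afterwards also drops whatever that default client carried (cookie jar for user/pass sessions, timeout). Prefer telling the SDK how to verify before construction — the SDK's `Config` exposes a `VerifySSL` field as far as I know, so `VerifySSL: !insecure` in the `cfg` literal would keep the default client, its jar and the "verify unless opted out" default in one place; if the SDK accepts a caller-supplied client, set it on `cfg` instead of on `api` — please confirm against the v5 API. Whichever client ends up in use, give it a `Timeout` (the replacement client has none) so a hung controller cannot block a caller indefinitely. The comment above the override is now the opposite of what the code does: replace `// Override the HTTP client to skip TLS verification` with `// Install a TLS 1.2+ transport that verifies the controller certificate unless insecure was explicitly set`.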