9f4007c409
* Remove StrictHostKeyChecking=no and implement proper host key verification This commit addresses security concerns from the OWASP audit by enforcing strict host key verification for all SSH and SCP commands. Key changes: - Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and pkg/devops. - Removed insecure host key verification from pkg/ansible SSH client. - Implemented a synchronous host key discovery mechanism during VM boot using ssh-keyscan to populate ~/.core/known_hosts. - Updated the devops Boot lifecycle to wait until the host key is verified. - Ensured pkg/ansible correctly handles missing known_hosts files. - Refactored hardcoded SSH port 2222 to a package constant DefaultSSHPort. - Added CORE_SKIP_SSH_SCAN environment variable for test environments. * Remove StrictHostKeyChecking=no and implement proper host key verification Addresses security concerns from OWASP audit by enforcing strict host key verification. Changes: - Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and devops. - Removed insecure host key verification from pkg/ansible. - Added synchronous host key discovery using ssh-keyscan during VM boot. - Updated Boot lifecycle to wait for host key verification. - Handled missing known_hosts file in pkg/ansible. - Refactored hardcoded SSH port to DefaultSSHPort constant. - Fixed formatting issues identified by QA check. * Secure SSH commands and fix auto-merge CI failure Addresses OWASP security audit by enforcing strict host key verification and fixes a CI failure in the auto-merge workflow. Key changes: - Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and pkg/devops. - Removed insecure host key verification from pkg/ansible. - Implemented synchronous host key discovery using ssh-keyscan during VM boot. - Handled missing known_hosts file in pkg/ansible. - Refactored hardcoded SSH port to DefaultSSHPort constant. - Added pkg/ansible/ssh_test.go to verify SSH client initialization. - Fixed formatting in pkg/io/local/client.go. - Fixed auto-merge.yml by inlining the script and providing repository context to 'gh' command, resolving the "not a git repository" error in CI. * Secure SSH, fix CI auto-merge, and resolve merge conflicts This commit addresses the OWASP security audit by enforcing strict host key verification and resolves persistent CI issues. Security Changes: - Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and devops. - Removed insecure host key verification from pkg/ansible. - Implemented synchronous host key discovery using ssh-keyscan during VM boot. - Updated Boot lifecycle to wait for host key verification. - Handled missing known_hosts file in pkg/ansible. - Refactored hardcoded SSH port to DefaultSSHPort constant. CI and Maintenance: - Fixed auto-merge.yml by inlining the script and adding repository context to 'gh' command, resolving the "not a git repository" error in CI. - Resolved merge conflicts in .github/workflows/auto-merge.yml with dev branch. - Added pkg/ansible/ssh_test.go for SSH client verification. - Fixed formatting in pkg/io/local/client.go to pass QA checks. * Secure SSH and TLS connections, and fix CI issues Addresses security concerns from OWASP audit and CodeQL by enforcing strict host key verification and TLS certificate verification. Security Changes: - Enforced strict SSH host key checking in pkg/container and devops. - Removed insecure SSH host key verification from pkg/ansible. - Added synchronous host key discovery during VM boot using ssh-keyscan. - Updated UniFi client to enforce TLS certificate verification by default. - Added --insecure flag and config option for UniFi to allow opt-in to skipping TLS verification for self-signed certificates. CI and Maintenance: - Fixed auto-merge workflow by providing repository context to 'gh' command. - Resolved merge conflicts in .github/workflows/auto-merge.yml. - Added unit tests for secured Ansible SSH client. - Fixed formatting issues identified by QA checks. * fix: gofmt alignment in cmd_config.go Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * Secure connections, fix CI auto-merge, and resolve formatting Addresses OWASP security audit and CodeQL security alerts by enforcing secure defaults for SSH and TLS connections. Key changes: - Enforced strict SSH host key checking (StrictHostKeyChecking=yes). - Implemented synchronous host key verification during VM boot using ssh-keyscan. - Updated UniFi client to enforce TLS certificate verification by default. - Added --insecure flag and config option for UniFi to allow opt-in to skipping TLS verification. - Fixed auto-merge workflow by providing repository context to 'gh' command. - Resolved merge conflicts in .github/workflows/auto-merge.yml. - Fixed formatting in internal/cmd/unifi/cmd_config.go and pkg/io/local/client.go. - Added unit tests for secured Ansible SSH client. --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Claude <developers@lethean.io>
151 lines
4 KiB
Go
151 lines
4 KiB
Go
package unifi
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/host-uk/core/pkg/cli"
|
|
uf "github.com/host-uk/core/pkg/unifi"
|
|
)
|
|
|
|
// Config command flags.
|
|
var (
|
|
configURL string
|
|
configUser string
|
|
configPass string
|
|
configAPIKey string
|
|
configInsecure bool
|
|
configTest bool
|
|
)
|
|
|
|
// addConfigCommand adds the 'config' subcommand for UniFi connection setup.
|
|
func addConfigCommand(parent *cli.Command) {
|
|
cmd := &cli.Command{
|
|
Use: "config",
|
|
Short: "Configure UniFi connection",
|
|
Long: "Set the UniFi controller URL and credentials, or test the current connection.",
|
|
RunE: func(cmd *cli.Command, args []string) error {
|
|
return runConfig(cmd)
|
|
},
|
|
}
|
|
|
|
cmd.Flags().StringVar(&configURL, "url", "", "UniFi controller URL")
|
|
cmd.Flags().StringVar(&configUser, "user", "", "UniFi username")
|
|
cmd.Flags().StringVar(&configPass, "pass", "", "UniFi password")
|
|
cmd.Flags().StringVar(&configAPIKey, "apikey", "", "UniFi API key")
|
|
cmd.Flags().BoolVar(&configInsecure, "insecure", false, "Allow insecure TLS connections (e.g. self-signed certs)")
|
|
cmd.Flags().BoolVar(&configTest, "test", false, "Test the current connection")
|
|
|
|
parent.AddCommand(cmd)
|
|
}
|
|
|
|
func runConfig(cmd *cli.Command) error {
|
|
var insecure *bool
|
|
if cmd.Flags().Changed("insecure") {
|
|
insecure = &configInsecure
|
|
}
|
|
|
|
// If setting values, save them first
|
|
if configURL != "" || configUser != "" || configPass != "" || configAPIKey != "" || insecure != nil {
|
|
if err := uf.SaveConfig(configURL, configUser, configPass, configAPIKey, insecure); err != nil {
|
|
return err
|
|
}
|
|
|
|
if configURL != "" {
|
|
cli.Success(fmt.Sprintf("UniFi URL set to %s", configURL))
|
|
}
|
|
if configUser != "" {
|
|
cli.Success("UniFi username saved")
|
|
}
|
|
if configPass != "" {
|
|
cli.Success("UniFi password saved")
|
|
}
|
|
if configAPIKey != "" {
|
|
cli.Success("UniFi API key saved")
|
|
}
|
|
if insecure != nil {
|
|
cli.Success(fmt.Sprintf("UniFi insecure mode set to %v", *insecure))
|
|
}
|
|
}
|
|
|
|
// If testing, verify the connection
|
|
if configTest {
|
|
return runConfigTest(cmd)
|
|
}
|
|
|
|
// If no flags, show current config
|
|
if configURL == "" && configUser == "" && configPass == "" && configAPIKey == "" && !configInsecure && !configTest {
|
|
return showConfig()
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func showConfig() error {
|
|
url, user, pass, apikey, insecure, err := uf.ResolveConfig("", "", "", "", nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
cli.Blank()
|
|
cli.Print(" %s %s\n", dimStyle.Render("URL:"), valueStyle.Render(url))
|
|
|
|
if user != "" {
|
|
cli.Print(" %s %s\n", dimStyle.Render("User:"), valueStyle.Render(user))
|
|
} else {
|
|
cli.Print(" %s %s\n", dimStyle.Render("User:"), warningStyle.Render("not set"))
|
|
}
|
|
|
|
if pass != "" {
|
|
cli.Print(" %s %s\n", dimStyle.Render("Pass:"), valueStyle.Render("****"))
|
|
} else {
|
|
cli.Print(" %s %s\n", dimStyle.Render("Pass:"), warningStyle.Render("not set"))
|
|
}
|
|
|
|
if apikey != "" {
|
|
masked := apikey
|
|
if len(apikey) >= 8 {
|
|
masked = apikey[:4] + "..." + apikey[len(apikey)-4:]
|
|
}
|
|
cli.Print(" %s %s\n", dimStyle.Render("API Key:"), valueStyle.Render(masked))
|
|
} else {
|
|
cli.Print(" %s %s\n", dimStyle.Render("API Key:"), warningStyle.Render("not set"))
|
|
}
|
|
|
|
if insecure {
|
|
cli.Print(" %s %s\n", dimStyle.Render("Insecure:"), warningStyle.Render("enabled"))
|
|
} else {
|
|
cli.Print(" %s %s\n", dimStyle.Render("Insecure:"), successStyle.Render("disabled"))
|
|
}
|
|
|
|
cli.Blank()
|
|
|
|
return nil
|
|
}
|
|
|
|
func runConfigTest(cmd *cli.Command) error {
|
|
var insecure *bool
|
|
if cmd.Flags().Changed("insecure") {
|
|
insecure = &configInsecure
|
|
}
|
|
|
|
client, err := uf.NewFromConfig(configURL, configUser, configPass, configAPIKey, insecure)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
sites, err := client.GetSites()
|
|
if err != nil {
|
|
cli.Error("Connection failed")
|
|
return cli.WrapVerb(err, "connect to", "UniFi controller")
|
|
}
|
|
|
|
cli.Blank()
|
|
cli.Success(fmt.Sprintf("Connected to %s", client.URL()))
|
|
cli.Print(" %s %s\n", dimStyle.Render("Sites:"), numberStyle.Render(fmt.Sprintf("%d", len(sites))))
|
|
for _, s := range sites {
|
|
cli.Print(" %s %s\n", valueStyle.Render(s.Name), dimStyle.Render(s.Desc))
|
|
}
|
|
cli.Blank()
|
|
|
|
return nil
|
|
}
|