Add SNI_HOSTNAME override when certs do not match service (#345)

stackrox · Aug 10, 2020 · 685b738 · 685b738
1 parent 787ac41
commit 685b738
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 6 deletions.
diff --git a/collector/collector.cpp b/collector/collector.cpp
@@ -269,7 +269,7 @@ int main(int argc, char **argv) {
       }
     }
 
-    grpc_channel = collector::CreateChannel(args->GRPCServer(), creds);
+    grpc_channel = collector::CreateChannel(args->GRPCServer(), GetSNIHostname(), creds);
   }
 
   config.grpc_channel = std::move(grpc_channel);

diff --git a/collector/container/scripts/bootstrap.sh b/collector/container/scripts/bootstrap.sh
@@ -66,9 +66,29 @@ function download_kernel_object() {
     )
 
     if [[ ! -f "${filename_gz}" && -n "$GRPC_SERVER" ]]; then
-        local url="https://${GRPC_SERVER}/kernel-objects/${module_version}/${KERNEL_OBJECT}.gz"
+        local connect_to_opts=()
+        local server_port="${GRPC_SERVER##*:}"
+        if [[ "$server_port" == "$GRPC_SERVER" ]]; then
+            echo >&2 "GRPC_SERVER env var must specify the port"
+            exit 1
+        fi
+
+        local sni_port="${SNI_HOSTNAME##*:}"
+        if [[ "$sni_port" != "$SNI_HOSTNAME" ]]; then
+            echo >&2 "SNI_HOSTNAME env var must NOT specify the port"
+            exit 1
+        fi
+
+        local server_hostname="${GRPC_SERVER%:"$server_port"}"
+        if [[ "$SNI_HOSTNAME" != "$server_hostname" ]]; then
+            server_hostname="${SNI_HOSTNAME}"
+            connect_to_opts=(--connect-to "${SNI_HOSTNAME}:${server_port}:${GRPC_SERVER}")
+        fi
+
+        local url="https://${server_hostname}:${server_port}/kernel-objects/${module_version}/${KERNEL_OBJECT}.gz"
         log "Attempting to download from ${url}..."
-        curl "${curl_opts[@]}" \
+
+        curl "${curl_opts[@]}" "${connect_to_opts[@]}" \
             --cacert /run/secrets/stackrox.io/certs/ca.pem \
             --cert /run/secrets/stackrox.io/certs/cert.pem \
             --key /run/secrets/stackrox.io/certs/key.pem \
@@ -210,6 +230,9 @@ function main() {
     # and export because this env var is read by collector
     export NODE_HOSTNAME="$(cat /host/proc/sys/kernel/hostname)"
 
+    # Export SNI_HOSTNAME and default it to sensor.stackrox
+    export SNI_HOSTNAME="${SNI_HOSTNAME:-sensor.stackrox}"
+
     # Get the linux distribution and BUILD_ID and ID to identify kernel version (COS or RHEL)
     OS_DISTRO="$(get_distro)"
     OS_BUILD_ID="$(get_os_release_value 'BUILD_ID')"

diff --git a/collector/lib/GRPC.cpp b/collector/lib/GRPC.cpp
@@ -53,7 +53,7 @@ std::shared_ptr<grpc::ChannelCredentials> TLSCredentialsFromFiles(
   return grpc::SslCredentials(sslOptions);
 }
 
-std::shared_ptr<grpc::Channel> CreateChannel(const std::string& server_address, const std::shared_ptr<grpc::ChannelCredentials>& creds) {
+std::shared_ptr<grpc::Channel> CreateChannel(const std::string& server_address, const std::string& hostname_override, const std::shared_ptr<grpc::ChannelCredentials>& creds) {
   grpc::ChannelArguments chan_args;
   chan_args.SetInt("GRPC_ARG_KEEPALIVE_TIME_MS", 10000);
   chan_args.SetInt("GRPC_ARG_KEEPALIVE_TIMEOUT_MS", 10000);
@@ -62,7 +62,9 @@ std::shared_ptr<grpc::Channel> CreateChannel(const std::string& server_address,
   chan_args.SetInt("GRPC_ARG_HTTP2_MIN_RECV_PING_INTERVAL_WITHOUT_DATA_MS", 5000);
   chan_args.SetInt("GRPC_ARG_HTTP2_MIN_SENT_PING_INTERVAL_WITHOUT_DATA_MS", 10000);
   chan_args.SetInt("GRPC_ARG_HTTP2_MAX_PINGS_WITHOUT_DATA", 0);
-
+  if (!hostname_override.empty()) {
+    chan_args.SetSslTargetNameOverride(hostname_override);
+  }
   return grpc::CreateCustomChannel(server_address, creds, chan_args);
 }
 

diff --git a/collector/lib/GRPC.h b/collector/lib/GRPC.h
@@ -32,7 +32,7 @@ namespace collector {
 std::shared_ptr<grpc::ChannelCredentials> TLSCredentialsFromFiles(
     const std::string& ca_cert_path, const std::string& client_cert_path, const std::string& client_key_path);
 
-std::shared_ptr<grpc::Channel> CreateChannel(const std::string& server_address, const std::shared_ptr<grpc::ChannelCredentials>& creds);
+std::shared_ptr<grpc::Channel> CreateChannel(const std::string& server_address, const std::string& hostname_override, const std::shared_ptr<grpc::ChannelCredentials>& creds);
 
 }  // namespace collector
 

diff --git a/collector/lib/Utility.cpp b/collector/lib/Utility.cpp
@@ -154,6 +154,13 @@ std::string GetHostPath(const std::string& file) {
   return host_file;
 }
 
+const char* GetSNIHostname() {
+  const char* hostname = std::getenv("SNI_HOSTNAME");
+  if (hostname && *hostname) return hostname;
+
+  return "";
+}
+
 const char* GetHostname() {
   const char* hostname = std::getenv("NODE_HOSTNAME");
   if (hostname && *hostname) return hostname;

diff --git a/collector/lib/Utility.h b/collector/lib/Utility.h
@@ -55,6 +55,9 @@ std::string Base64Decode(std::string const& encoded_string);
 // Get path using host prefix from SYSDIG_HOST_ROOT env var
 std::string GetHostPath(const std::string& file);
 
+// Get SNI hostname from SNI_HOSTNAME env var
+const char* GetSNIHostname();
+
 // Get hostname from NODE_HOSTNAME env var
 const char* GetHostname();
-Original file line number
+Diff line change
@@ Expand Up / @@ -269,7 +269,7 @@ int main(int argc, char **argv) { @@
           }
         }
-        grpc_channel = collector::CreateChannel(args->GRPCServer(), creds);
+        grpc_channel = collector::CreateChannel(args->GRPCServer(), GetSNIHostname(), creds);
       }
       config.grpc_channel = std::move(grpc_channel);
@@ Expand Down @@