From 7d8e88643258f03ec92b53258b71ae8343e45c10 Mon Sep 17 00:00:00 2001
From: Jonathan Cobb
Date: Thu, 2 Jul 2020 05:30:56 -0400
Subject: [PATCH] re-add cert validation host
---
 .../src/main/java/bubble/server/BubbleConfiguration.java | 1 +
 .../resources/ansible/roles/bubble/files/bubble_role.json | 4 +++-
 .../resources/ansible/roles/bubble/templates/bubble.env.j2 | 2 ++
 .../ansible/roles/mitmproxy/files/bubble_role.json | 3 ++-
 .../ansible/roles/mitmproxy/templates/bubble_config.py.j2 | 1 +
 bubble-server/src/main/resources/bubble-config.yml | 2 ++
 .../packer/roles/mitmproxy/files/bubble_conn_check.py | 6 +++++-
 7 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/bubble-server/src/main/java/bubble/server/BubbleConfiguration.java b/bubble-server/src/main/java/bubble/server/BubbleConfiguration.java
index 312bb612..075822ae 100644
--- a/bubble-server/src/main/java/bubble/server/BubbleConfiguration.java
+++ b/bubble-server/src/main/java/bubble/server/BubbleConfiguration.java
@@ -215,6 +215,7 @@ public class BubbleConfiguration extends PgRestServerConfiguration
 @Getter @Setter private LegalInfo legal = new LegalInfo();
 @Getter @Setter private AppLinks appLinks = new AppLinks();
+ @Getter @Setter private String certificateValidationHost;
 @Override @JsonIgnore public Handlebars getHandlebars() { return BubbleHandlebars.instance.getHandlebars(); }
diff --git a/bubble-server/src/main/resources/ansible/roles/bubble/files/bubble_role.json b/bubble-server/src/main/resources/ansible/roles/bubble/files/bubble_role.json
index 98928312..71298cdf 100644
--- a/bubble-server/src/main/resources/ansible/roles/bubble/files/bubble_role.json
+++ b/bubble-server/src/main/resources/ansible/roles/bubble/files/bubble_role.json
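Review bot: The new `certificateValidationHost` field on BubbleConfiguration carries no comment saying what the value is for, and nothing in the class hunk hints at it; the only consumer visible in this patch is the mitmproxy connection check, where a single-FQDN connection whose name equals this value is never put into TLS passthrough. A reader of the configuration class should not have to trace ansible templates to learn that, so add a Javadoc above the field, e.g. `/** Hostname that bubble_conn_check.py never puts into TLS passthrough (see next_layer); exported to the ansible roles as cert_validation_host. */`. The field is left uninitialized, so its templated value is empty unless the deployment sets CERT_VALIDATION_HOST; noting that in the same comment would help operators.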
@@ -37,7 +37,9 @@
 {"name": "app_link_android", "value": "[[appLinks.android]]"},
 {"name": "app_link_windows", "value": "[[appLinks.windows]]"},
 {"name": "app_link_macosx", "value": "[[appLinks.macosx]]"},
- {"name": "app_link_linux", "value": "[[appLinks.linux]]"}
+ {"name": "app_link_linux", "value": "[[appLinks.linux]]"},
+
+ {"name": "cert_validation_host", "value": "[[configuration.certificateValidationHost]]"}
 ],
 "optionalConfigNames": ["restore_key", "restore_timeout", "error_url", "error_key", "error_env"]
 }
\ No newline at end of file
diff --git a/bubble-server/src/main/resources/ansible/roles/bubble/templates/bubble.env.j2 b/bubble-server/src/main/resources/ansible/roles/bubble/templates/bubble.env.j2
index c20748ca..f4a263b7 100644
--- a/bubble-server/src/main/resources/ansible/roles/bubble/templates/bubble.env.j2
+++ b/bubble-server/src/main/resources/ansible/roles/bubble/templates/bubble.env.j2
@@ -20,3 +20,5 @@ export APP_LINK_ANDROID={{ app_link_android }}
 export APP_LINK_WINDOWS={{ app_link_windows }}
 export APP_LINK_MACOSX={{ app_link_macosx }}
 export APP_LINK_LINUX={{ app_link_linux }}
+
+export CERT_VALIDATION_HOST={{ cert_validation_host }}
diff --git a/bubble-server/src/main/resources/ansible/roles/mitmproxy/files/bubble_role.json b/bubble-server/src/main/resources/ansible/roles/mitmproxy/files/bubble_role.json
index ef957b04..4c8f21c8 100644
--- a/bubble-server/src/main/resources/ansible/roles/mitmproxy/files/bubble_role.json
+++ b/bubble-server/src/main/resources/ansible/roles/mitmproxy/files/bubble_role.json
@@ -11,6 +11,7 @@
 {"name": "sage_ip6", "value": "[[sageNode.ip6]]"},
 {"name": "cert_name", "value": "bubble-[[network.shortId]]"},
 {"name": "cert_org", "value": "Bubble [[network.shortId]]"},
- {"name": "cert_cn", "value": "[[network.certCNAME]]"}
+ {"name": "cert_cn", "value": "[[network.certCNAME]]"},
+ {"name": "cert_validation_host", "value": "[[configuration.certificateValidationHost]]"}
 ]
 }
\ No newline at end of file
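Review bot: `cert_validation_host` is added to the bubble role's config list but not to the `optionalConfigNames` array two lines below it, even though its value comes from `[[configuration.certificateValidationHost]]`, a plain String field that the Java hunk leaves uninitialized. If the role loader treats a non-optional config whose value renders empty as an error, a node deployed without CERT_VALIDATION_HOST in its environment will fail to provision rather than simply run without the exemption; if that is not the intent, append it to `optionalConfigNames`, otherwise record it as a required setting next to the other config names. The mitmproxy role's bubble_role.json hunk below adds the same entry and that file shows no optional-names list at all, so the same decision applies there.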
diff --git a/bubble-server/src/main/resources/ansible/roles/mitmproxy/templates/bubble_config.py.j2 b/bubble-server/src/main/resources/ansible/roles/mitmproxy/templates/bubble_config.py.j2
index 9c6bb04f..0651a0d4 100644
--- a/bubble-server/src/main/resources/ansible/roles/mitmproxy/templates/bubble_config.py.j2
+++ b/bubble-server/src/main/resources/ansible/roles/mitmproxy/templates/bubble_config.py.j2
@@ -6,3 +6,4 @@ bubble_ssl_port = '{{ ssl_port }}'
 bubble_sage_host = '{{ sage_host }}'
 bubble_sage_ip4 = '{{ sage_ip4 }}'
 bubble_sage_ip6 = '{{ sage_ip6 }}'
+cert_validation_host = '{{ cert_validation_host }}'
\ No newline at end of file
diff --git a/bubble-server/src/main/resources/bubble-config.yml b/bubble-server/src/main/resources/bubble-config.yml
index 4f35fdcb..5c35b0d7 100644
--- a/bubble-server/src/main/resources/bubble-config.yml
+++ b/bubble-server/src/main/resources/bubble-config.yml
@@ -109,3 +109,5 @@ appLinks:
 windows: {{APP_LINK_WINDOWS}}
 macosx: {{APP_LINK_MACOSX}}
 linux: {{APP_LINK_LINUX}}
+
+certificateValidationHost: {{CERT_VALIDATION_HOST}}
diff --git a/bubble-server/src/main/resources/packer/roles/mitmproxy/files/bubble_conn_check.py b/bubble-server/src/main/resources/packer/roles/mitmproxy/files/bubble_conn_check.py
index d65b90fa..e6341b4b 100644
--- a/bubble-server/src/main/resources/packer/roles/mitmproxy/files/bubble_conn_check.py
+++ b/bubble-server/src/main/resources/packer/roles/mitmproxy/files/bubble_conn_check.py
@@ -28,7 +28,7 @@ from mitmproxy.exceptions import TlsProtocolException
 from mitmproxy.net import tls as net_tls
 from bubble_api import bubble_log, bubble_conn_check, bubble_activity_log, redis_set
-from bubble_config import bubble_sage_host, bubble_sage_ip4, bubble_sage_ip6
+from bubble_config import bubble_sage_host, bubble_sage_ip4, bubble_sage_ip6, cert_validation_host
 import redis
 import json
 import subprocess
@@ -210,6 +210,10 @@ def next_layer(next_layer):
 bubble_log('next_layer: enabling passthru for server='+server_addr+' because security_level='+security_level+' for client='+client_addr)
 check = FORCE_PASSTHRU
+ elif fqdns is not None and len(fqdns) == 1 and cert_validation_host == fqdns[0]:
+ bubble_log('next_layer: NOT enabling passthru for server='+server_addr+' because fqdn is cert_validation_host ('+cert_validation_host+') for client='+client_addr)
+ return
+
 elif security_level == SEC_STD and no_fqdns:
 bubble_log('next_layer: enabling passthru for server='+server_addr+' because no FQDN found and security_level='+security_level+' for client='+client_addr)
 check = FORCE_PASSTHRU
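Review bot: The new `elif` compares `cert_validation_host == fqdns[0]` byte-for-byte, but DNS names are case-insensitive, so a name that arrives as `Example.COM` silently misses this branch and falls through to the passthru checks below it, which defeats the exemption for the one host the log line says must never be passed through. Normalise both sides and skip the branch when the configured value is empty, so an unset `cert_validation_host` (the templated value is `''` when CERT_VALIDATION_HOST is absent) can never match an empty FQDN entry: `elif fqdns is not None and len(fqdns) == 1 and cert_validation_host and fqdns[0].lower() == cert_validation_host.lower():`. The branch also leaves `next_layer` with a bare `return` instead of leaving `check` unset and falling through like its siblings; the rest of the function lies outside this hunk, so confirm that nothing after the chain is required for an intercepted connection. A one-line comment above the `elif`, e.g. `# the cert validation host is always intercepted, regardless of security_level`, would record why this exception sits ahead of the security_level checks.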