nexpose 5.2.0 → 5.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 226804f061b34388cd0155b1df7baf53feadac6c
-  data.tar.gz: 9999ed21b40eb28c4486abb55e16fd9663f0ce83
+  metadata.gz: 66875e048dcb1dd081e1ccc2fb97b11820d21539
+  data.tar.gz: 3aa8c1daab1a48863388b39a19e5e59c42dbde4d
 SHA512:
-  metadata.gz: b24bf8a742c9faf2e1cd66c8b603cc41229ecf3fe7840b235c4c33fae6c23bcbc782c1152f8b8c860457ef64b8f526c71b8763c25dc6d6533a616ba0a77c40a1
-  data.tar.gz: 9c1c6b3418dd18d1627de2955a0cd1fe151d86c2ae972e0bc35488832af377f57ae71d52aad31861719ab8ba964f510a1cc500d75a8cdab2463d019c83648b57
+  metadata.gz: 9c5dc066cb954cb27640d9d95d571c584958f6645323e1f50473409a26a7d84ea6bdc864fb739a9ef6d75bd2c19c080f60ba4936fb7bce77d622cc28e327aba2
+  data.tar.gz: 17cb67e994f1d621feb14640a92b2c7418b40a37e288e72617483538be157982a04c5c7b683102a6e52f9d63b84838db20ebb04092613ce9a00caadeb38c4e79

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    nexpose (5.2.0)
+    nexpose (5.3.0)
 
 GEM
   remote: https://rubygems.org/

data/lib/nexpose/ajax.rb

@@ -135,7 +135,11 @@ module Nexpose
       http = Net::HTTP.new(nsc.host, nsc.port)
       http.read_timeout = timeout if timeout
       http.use_ssl = true
-      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      if nsc.trust_store.nil?
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      else
+        http.cert_store = nsc.trust_store
+      end
       http
     end
 

data/lib/nexpose/api_request.rb

@@ -17,11 +17,14 @@ module Nexpose
     attr_reader :raw_response
     attr_reader :raw_response_data
 
-    def initialize(req, url, api_version = '1.1')
+    attr_reader :trust_store
+
+    def initialize(req, url, api_version = '1.1', trust_store = nil)
       @url = url
       @req = req
       @api_version = api_version
       @url = @url.sub('API_VERSION', @api_version)
+      @trust_store = trust_store
       prepare_http_client
     end
 
@@ -34,7 +37,11 @@ module Nexpose
       #      a confirmation when the nexpose host is not localhost. In a perfect world, we would present
       #      the server signature before accepting it, but this requires either a direct callback inside
       #      of this module back to whatever UI, or opens a race condition between accept and attempt.
-      @http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      if @trust_store.nil?
+        @http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      else
+        @http.cert_store = @trust_store
+      end
       @headers = {'Content-Type' => 'text/xml'}
       @success = false
     end
@@ -93,7 +100,7 @@ module Nexpose
         # drops our HTTP connection before processing. We try 5 times to establish a
         # connection in these situations. The actual exception occurs in the Ruby
         # http library, which is why we use such generic error classes.
-      rescue OpenSSL::SSL::SSLError
+      rescue OpenSSL::SSL::SSLError => e
         if @conn_tries < 5
           @conn_tries += 1
           retry
@@ -133,8 +140,8 @@ module Nexpose
       @res.root.attributes(*args)
     end
 
-    def self.execute(url, req, api_version='1.1', options = {})
-      obj = self.new(req.to_s, url, api_version)
+    def self.execute(url, req, api_version = '1.1', options = {}, trust_store = nil)
+      obj = self.new(req.to_s, url, api_version, trust_store)
       obj.execute(options)
       raise APIError.new(obj, "Action failed: #{obj.error}") unless obj.success
       obj

data/lib/nexpose/connection.rb

@@ -8,6 +8,19 @@ module Nexpose
   #   # Create a new Nexpose::Connection from a URI or "URI" String
   #   nsc = Connection.from_uri('https://10.1.40.10:3780', 'nxadmin', 'password')
   #
+  #   # Create a new Nexpose::Connection with a specific port
+  #   nsc = Connection.new('10.1.40.10', 'nxadmin', 'password', 443)
+  #
+  #   # Create a new Nexpose::Connection with a silo identifier
+  #   nsc = Connection.new('10.1.40.10', 'nxadmin', 'password', 3780, 'default')
+  #
+  #   # Create a new Nexpose::Connection with a two-factor authentication (2FA) token
+  #   nsc = Connection.new('10.1.40.10', 'nxadmin', 'password', 3780, nil, '123456')
+  #
+  #   # Create a new Nexpose::Connection with an excplicitly trusted web certificate
+  #   trusted_cert = ::File.read('cert.pem')
+  #   nsc = Connection.new('10.1.40.10', 'nxadmin', 'password', 3780, nil, nil, trusted_cert)
+  #
   #   # Login to NSC and Establish a Session ID
   #   nsc.login
   #
@@ -44,20 +57,34 @@ module Nexpose
     # The last XML response received by this object, useful for debugging.
     attr_reader :response_xml
 
+    # The trust store to validate connections against if any
+    attr_reader :trust_store
+
     # A constructor to load a Connection object from a URI
-    def self.from_uri(uri, user, pass, silo_id = nil, token = nil)
+    def self.from_uri(uri, user, pass, silo_id = nil, token = nil, trust_cert = nil)
       uri = URI.parse(uri)
-      new(uri.host, user, pass, uri.port, silo_id, token)
+      new(uri.host, user, pass, uri.port, silo_id, token, trust_cert)
     end
 
     # A constructor for Connection
-    def initialize(ip, user, pass, port = 3780, silo_id = nil, token = nil)
+    #
+    # @param [String] ip The IP address or hostname/FQDN of the Nexpose console.
+    # @param [String] user The username for Nexpose sessions.
+    # @param [String] pass The password for Nexpose sessions.
+    # @param [Fixnum] port The port number of the Nexpose console.
+    # @param [String] silo_id The silo identifier for Nexpose sessions.
+    # @param [String] token The two-factor authentication (2FA) token for Nexpose sessions.
+    # @param [String] trust_cert The PEM-formatted web certificate of the Nexpose console. Used for SSL validation.
+    def initialize(ip, user, pass, port = 3780, silo_id = nil, token = nil, trust_cert = nil)
       @host = ip
       @port = port
       @username = user
       @password = pass
       @token = token
       @silo_id = silo_id
+      unless trust_cert.nil?
+        @trust_store = create_trust_store(trust_cert)
+      end
       @session_id = nil
       @url = "https://#{@host}:#{@port}/api/API_VERSION/xml"
     end
@@ -88,7 +115,7 @@ module Nexpose
     def execute(xml, version = '1.1', options = {})
       @request_xml = xml.to_s
       @api_version = version
-      response = APIRequest.execute(@url, @request_xml, @api_version, options)
+      response = APIRequest.execute(@url, @request_xml, @api_version, options, @trust_store)
       @response_xml = response.raw_response_data
       response
     end
@@ -104,7 +131,11 @@ module Nexpose
       uri = URI.parse(url)
       http = Net::HTTP.new(@host, @port)
       http.use_ssl = true
-      http.verify_mode = OpenSSL::SSL::VERIFY_NONE # XXX: security issue
+      if @trust_store.nil?
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE # XXX: security issue
+      else
+        http.cert_store = @trust_store
+      end
       headers = {'Cookie' => "nexposeCCSessionID=#{@session_id}"}
       resp = http.get(uri.to_s, headers)
 
@@ -114,5 +145,14 @@ module Nexpose
         resp.body
       end
     end
+
+    def create_trust_store(trust_cert)
+      store = OpenSSL::X509::Store.new
+      store.trust
+      store.add_cert(OpenSSL::X509::Certificate.new(trust_cert))
+      store
+    end
+
+    private :create_trust_store
   end
 end

data/lib/nexpose/version.rb

@@ -1,4 +1,4 @@
 module Nexpose
   # The latest version of the Nexpose gem
-  VERSION = '5.2.0'
+  VERSION = '5.3.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: nexpose
 version: !ruby/object:Gem::Version
-  version: 5.2.0
+  version: 5.3.0
 platform: ruby
 authors:
 - HD Moore
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-01-31 00:00:00.000000000 Z
+date: 2017-02-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler