Merge pull request #190 from torresashjiancyber/VC-53768-logos-fix-c

security: CWE-295: TLS verification disabled — VC-53768

Author: stkomitov

examples/get_cert.py

@@ -42,12 +42,13 @@ def main():
         # Connection will be chosen automatically based on which arguments are passed.
         # If token is passed CyberArk Certificate Manager, SaaS connection will be used.
         # If user, password, and URL CyberArk Certificate Manager, Self-Hosted will be used.
-        conn = Connection(url=url, token=token, user=user, password=password,
-                          http_request_kwargs={'verify': False})
         # If your CyberArk Certificate Manager, Self-Hosted server certificate signed with your own CA, or available only via proxy, you can specify
         # a trust bundle using requests vars:
+        conn = Connection(url=url, token=token, user=user, password=password,
+                         http_request_kwargs={"verify": "/path-to/bundle.pem"})
+        # Lab/testing only — DO NOT use in production:
         # conn = Connection(url=url, token=token, user=user, password=password,
-        #                  http_request_kwargs={"verify": "/path-to/bundle.pem"})
+        #                   http_request_kwargs={'verify': False})
 
     request = CertificateRequest(common_name=f"{randomword(10)}.venafi.example.com")
     request.san_dns = ["www.client.venafi.example.com", "ww1.client.venafi.example.com"]

examples/ssh_certificates/get_cert_ssh.py

@@ -31,11 +31,12 @@ def main():
     user = environ.get('TPP_USER')
     password = environ.get('TPP_PASSWORD')
 
-    connector = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
     # If your CyberArk Certificate Manager, Self-Hosted server certificate is signed with your own CA, or available only via proxy,
     # you can specify a trust bundle using requests vars:
-    # connector = venafi_connection(url=url, api_key=api_key, access_token=access_token,
-    #                          http_request_kwargs={"verify": "/path-to/bundle.pem"})
+    connector = venafi_connection(url=url, user=user, password=password,
+                             http_request_kwargs={"verify": "/path-to/bundle.pem"})
+    # Lab/testing only — DO NOT use in production:
+    # connector = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
 
     # Create an Authentication object to request a token with the proper scope to manage SSH certificates
     auth = Authentication(user=user, password=password, scope=SCOPE_SSH)

examples/ssh_certificates/get_cert_ssh_service.py

@@ -31,11 +31,12 @@ def main():
     user = environ.get('TPP_USER')
     password = environ.get('TPP_PASSWORD')
 
-    connector = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
     # If your CyberArk Certificate Manager, Self-Hosted server certificate signed with your own CA, or available only via proxy,
     # you can specify a trust bundle using requests vars:
-    # connector = venafi_connection(url=url, api_key=api_key, access_token=access_token,
-    #                          http_request_kwargs={"verify": "/path-to/bundle.pem"})
+    connector = venafi_connection(url=url, user=user, password=password,
+                             http_request_kwargs={"verify": "/path-to/bundle.pem"})
+    # Lab/testing only — DO NOT use in production:
+    # connector = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
 
     # Create an Authentication object to request a token with the proper scope to manage SSH certificates
     auth = Authentication(user=user, password=password, scope=SCOPE_SSH)

examples/tpp/get_cert_tpp_token.py

@@ -41,11 +41,12 @@ def main():
         # If user and password are passed, you can get a new token from them.
         # If access_token and refresh_token are passed, there is no need for the username and password.
         # If only access_token is passed, the Connection will fail when token expires, as there is no way to refresh it.
-        conn = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
         # If your CyberArk Certificate Manager, Self-Hosted server certificate signed with your own CA, or available only via proxy, you can specify
         # a trust bundle using requests vars:
-        # conn = token_connection(url=url, user=user, password=password,
-        #                         http_request_kwargs={"verify": "/path-to/bundle.pem"})
+        conn = venafi_connection(url=url, user=user, password=password,
+                                http_request_kwargs={"verify": "/path-to/bundle.pem"})
+        # Lab/testing only — DO NOT use in production:
+        # conn = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
 
     request = CertificateRequest(common_name=f"{random_word(10)}.venafi.example.com")
     request.san_dns = ["www.client.venafi.example.com", "ww1.client.venafi.example.com"]

vcert/connection_cloud.py

@@ -155,6 +155,9 @@ def __init__(self, token, url=None, http_request_kwargs=None):
             http_request_kwargs['timeout'] = 180
         self._http_request_kwargs = http_request_kwargs
 
+        if self._http_request_kwargs.get('verify') is False:
+            log.warning("TLS certificate verification is DISABLED; credentials and private keys will be transmitted over unverified connections. This configuration is only appropriate for isolated test environments.")
+
     def __str__(self):
         return f"[Cloud] {self._base_url}"
 

vcert/connection_tpp.py

@@ -46,6 +46,9 @@ def __init__(self, user, password, url, http_request_kwargs=None):
             http_request_kwargs['timeout'] = 180
         self._http_request_kwargs = http_request_kwargs or {}
 
+        if self._http_request_kwargs.get('verify') is False:
+            log.warning("TLS certificate verification is DISABLED; credentials and private keys will be transmitted over unverified connections. This configuration is only appropriate for isolated test environments.")
+
     def __setattr__(self, key, value):
         if key == '_base_url':
             value = self._normalize_and_verify_base_url(value)

vcert/connection_tpp_token.py

@@ -52,6 +52,9 @@ def __init__(self, url, user=None, password=None, access_token=None, refresh_tok
             http_request_kwargs['timeout'] = 180
         self._http_request_kwargs = http_request_kwargs or {}
 
+        if self._http_request_kwargs.get('verify') is False:
+            log.warning("TLS certificate verification is DISABLED; credentials and private keys will be transmitted over unverified connections. This configuration is only appropriate for isolated test environments.")
+
     def __setattr__(self, key, value):
         if key == '_base_url':
             value = self._normalize_and_verify_base_url(value)