From c338d03bd5e27f662115726c56fca9a35aca14b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9goire=20Seux?=
Date: Thu, 2 Sep 2021 19:20:59 +0200
Subject: [PATCH] Validate ssl peers

Before this patch, ssl peers where not validated unless custom certificate were provided. This led to less strict security and annoying warnings from em-http library. See https://github.com/igrigorik/em-http-request/issues/339.

Now we properly take tls_verify_peer option (defaults to true) in consideration. This should increase security.

Change-Id: I3620aa3de63e20976a204be45bce013d816acc52
---
 .rubocop.yml | 3 ++-
 lib/consul/async/consul_endpoint.rb | 3 ++-
 lib/consul/async/json_endpoint.rb | 1 +
 lib/consul/async/vault_endpoint.rb | 1 +
 4 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.rubocop.yml b/.rubocop.yml
index dfd157a..312cade 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -6,8 +6,9 @@ AllCops:
 Layout/LineLength:
 Max: 175
+# those metrics should be disabled
 Metrics/AbcSize:
- Max: 90
+ Max: 92
 Metrics/BlockLength:
 Max: 188
diff --git a/lib/consul/async/consul_endpoint.rb b/lib/consul/async/consul_endpoint.rb
index 4789aee..b20c01f 100644
--- a/lib/consul/async/consul_endpoint.rb
+++ b/lib/consul/async/consul_endpoint.rb
@@ -265,7 +265,8 @@ def _handle_error(http, consul_index)
 def fetch
 options = {
 connect_timeout: 5, # default connection setup timeout
- inactivity_timeout: conf.wait_duration + 1 + (conf.wait_duration / 16) # default connection inactivity (post-setup) timeout
+ inactivity_timeout: conf.wait_duration + 1 + (conf.wait_duration / 16), # default connection inactivity (post-setup) timeout
+ tls: { verify_peer: conf.tls_verify_peer }
 }
 unless conf.tls_cert_chain.nil?
 options[:tls] = {
diff --git a/lib/consul/async/json_endpoint.rb b/lib/consul/async/json_endpoint.rb
index 1c5f621..bdfd9d4 100644
--- a/lib/consul/async/json_endpoint.rb
+++ b/lib/consul/async/json_endpoint.rb
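Review bot: The comment added above `Metrics/AbcSize` says those metrics should be disabled, but the line right under it raises the limit from 90 to 92 instead, so the comment documents an intent the change does not carry out. If the cop is genuinely unwanted, say so with `Metrics/AbcSize:` / `  Enabled: false`; otherwise drop the comment, since a later reader cannot tell whether 92 is a deliberate ceiling or a placeholder. Presumably the bump exists to make room for the new `tls:` entry in `fetch`; moving the option hash into a small helper would keep the threshold where it was instead of hiding that the method keeps growing.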
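Review bot: The `options[:tls] = {` assignment inside `unless conf.tls_cert_chain.nil?` replaces the whole `:tls` hash, so the `verify_peer: conf.tls_verify_peer` entry added two lines earlier is discarded whenever a certificate chain is configured, unless the replacement hash (which continues past the end of the hunk) repeats it. Merging into the existing hash instead of reassigning it, e.g. `options[:tls].merge!(cert_chain_file: conf.tls_cert_chain)` with whatever keys that branch actually sets, makes `tls_verify_peer` apply on both paths and removes the need to keep two hashes in sync. Note also that `verify_peer: true` only helps if the em-http version pinned by this gem both checks the chain against a trusted store and verifies the hostname; as far as I recall releases before 1.1.6 skipped hostname verification, so that pin is worth confirming. The body of `fetch` and the `unless` branch continue outside the hunk.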
@@ -184,6 +184,7 @@ def _handle_error(http)
 def fetch
 options = {
+ tls: { verify_peer: conf.tls_verify_peer },
 connect_timeout: 5, # default connection setup timeout
 inactivity_timeout: 60 # default connection inactivity (post-setup) timeout
 }
diff --git a/lib/consul/async/vault_endpoint.rb b/lib/consul/async/vault_endpoint.rb
index 2046ca5..24f5d58 100644
--- a/lib/consul/async/vault_endpoint.rb
+++ b/lib/consul/async/vault_endpoint.rb
@@ -230,6 +230,7 @@ def _handle_error(http)
 def fetch
 options = {
+ tls: { verify_peer: conf.tls_verify_peer },
 connect_timeout: 5, # default connection setup timeout
 inactivity_timeout: 1 # default connection inactivity (post-setup) timeout
 }
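Review bot: When `conf.tls_verify_peer` is false the new `tls:` entry silently disables certificate checking, and nothing in `fetch` records that an unverified connection is being made, so an insecure deployment leaves no trace in the logs. A one-liner next to the options hash makes it visible, e.g. `warn 'TLS peer verification is disabled (tls_verify_peer=false)' unless conf.tls_verify_peer`, or the class logger if one exists outside the hunk. The other two entries in the hash carry an explanatory trailing comment while `tls:` has none; `# verify the server certificate chain and hostname unless tls_verify_peer is false` would match the style, with the hostname part hedged on the em-http version in use. The rest of `fetch` lies outside the hunk.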
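Review bot: This is the third copy of the same `tls: { verify_peer: conf.tls_verify_peer }` entry in three `fetch` methods, and it is placed first here and in json_endpoint.rb but last in consul_endpoint.rb, so the next TLS option (a CA file, a minimum protocol version) will again have to be added and ordered by hand in each file. A shared helper returning the base em-http options, something like `def tls_options = { verify_peer: conf.tls_verify_peer }` in the common base, would give one place to audit. For the Vault endpoint in particular it is worth confirming that no other code path in this file builds its own connection options, since only `fetch` is covered by the patch and anything else would still run without `verify_peer`; whether a `tls_cert_chain` override like the one in consul_endpoint.rb also exists here is not visible in the hunk. The body of `fetch` continues past the hunk.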