agent_ucs_bladecenter: Fix TLS certificate validation issue

Change-Id: Ia6ade9fa54bc55944a3add757f9db10f40c9e63a
Checkmk · Oct 22, 2024 · 42ee462 · 42ee462
1 parent 1cd390c
commit 42ee462
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 6 deletions.
diff --git a/cmk/plugins/ucs_bladecenter/server_side_calls/special_agent.py b/cmk/plugins/ucs_bladecenter/server_side_calls/special_agent.py
@@ -30,6 +30,8 @@ def agent_ucsbladecenter_arguments(
 
     if params.certificate_validation is False:
         command_arguments.append("--no-cert-check")
+    else:
+        command_arguments.extend(["--cert-server-name", host_config.name])
 
     command_arguments.append(host_config.primary_ip_config.address)
 

diff --git a/cmk/special_agents/agent_ucs_bladecenter.py b/cmk/special_agents/agent_ucs_bladecenter.py
@@ -30,6 +30,7 @@
 from cmk.utils.password_store import replace_passwords
 
 from cmk.special_agents.v0_unstable.misc import vcrtrace
+from cmk.special_agents.v0_unstable.request_helper import HostnameValidationAdapter
 
 ElementAttributes = dict[str, str]
 
@@ -367,14 +368,23 @@ class CommunicationException(MKException):
 
 
 class Server:
-    def __init__(self, hostname: str, username: str, password: str, verify_ssl: bool) -> None:
+    def __init__(
+        self,
+        hostname: str,
+        username: str,
+        password: str,
+        cert_check: bool | str,
+    ) -> None:
         self._url = "https://%s/nuova" % hostname
         self._username = username
         self._password = password
         self._session = requests.Session()
-        self._verify_ssl = verify_ssl
+        self._verify_ssl = bool(cert_check)
         self._cookie: str | None = None
 
+        if isinstance(cert_check, str):
+            self._session.mount(self._url, HostnameValidationAdapter(cert_check))
+
     def login(self) -> None:
         logging.debug("Server.login: Login")
         attributes: ElementAttributes = {
@@ -571,10 +581,13 @@ def parse_arguments(argv: Sequence[str]) -> argparse.Namespace:
         "--vcrtrace",
         action=vcrtrace(before_record_request=Server.filter_credentials),
     )
-    parser.add_argument(
-        "--no-cert-check",
-        action="store_true",
-        help="Disables the checking of the servers ssl certificate.",
+    cert_args = parser.add_mutually_exclusive_group()
+    cert_args.add_argument(
+        "--no-cert-check", action="store_true", help="Do not verify TLS certificate"
+    )
+    cert_args.add_argument(
+        "--cert-server-name",
+        help="Use this server name for TLS certificate validation.",
     )
     parser.add_argument("--debug", action="store_true", help="Raise Python exceptions.")
     parser.add_argument("-u", "--username", required=True, help="The username.")

diff --git a/tests/unit/cmk/plugins/ucs_bladecenter/server_side_calls/test_special_agent.py b/tests/unit/cmk/plugins/ucs_bladecenter/server_side_calls/test_special_agent.py
@@ -43,6 +43,8 @@
                     "username",
                     "-p",
                     Secret(23).unsafe(),
+                    "--cert-server-name",
+                    "hostname",
                     "address",
                 ]
             ),