Support only HTTPS for remote upgrade PGP (#2268)

Support only HTTPS for remote upgrade PGP (#2268)

Author: michalpristas

_meta/config/common.p2.yml.tmpl

@@ -114,9 +114,6 @@ inputs:
 #   target_directory: "${path.data}/downloads"
 #   # timeout for downloading package
 #   timeout: 120s
-#   # file path to a public key used for verifying downloaded artifacts
-#   # if not file is present agent will try to load public key from elastic.co website.
-#   pgpfile: "${path.data}/elastic.pgp"
 #   # install_path describes the location of installed packages/programs. It is also used
 #   # for reading program specifications.
 #   install_path: "${path.data}/install"

_meta/config/common.reference.p2.yml.tmpl

@@ -65,9 +65,6 @@ inputs:
 #   target_directory: "${path.data}/downloads"
 #   # timeout for downloading package
 #   timeout: 120s
-#   # file path to a public key used for verifying downloaded artifacts
-#   # if not file is present agent will try to load public key from elastic.co website.
-#   pgpfile: "${path.data}/elastic.pgp"
 #   # install_path describes the location of installed packages/programs. It is also used
 #   # for reading program specifications.
 #   install_path: "${path.data}/install"

_meta/config/elastic-agent.docker.yml.tmpl

@@ -64,9 +64,6 @@ inputs:
 #   target_directory: "${path.data}/downloads"
 #   # timeout for downloading package
 #   timeout: 120s
-#   # file path to a public key used for verifying downloaded artifacts
-#   # if not file is present agent will try to load public key from elastic.co website.
-#   pgpfile: "${path.data}/elastic.pgp"
 #   # install_path describes the location of installed packages/programs. It is also used
 #   # for reading program specifications.
 #   install_path: "${path.data}/install"

_meta/elastic-agent.fleet.yml

@@ -13,9 +13,6 @@ fleet:
 #   target_directory: "${path.data}/downloads"
 #   # timeout for downloading package
 #   timeout: 120s
-#   # file path to a public key used for verifying downloaded artifacts
-#   # if not file is present Elastic Agent will try to load public key from elastic.co website.
-#   pgpfile: "${path.data}/elastic.pgp"
 #   # install_path describes the location of installed packages/programs. It is also used
 #   # for reading program specifications.
 #   install_path: "${path.data}/install"

_meta/elastic-agent.yml

@@ -64,9 +64,6 @@ inputs:
 #   target_directory: "${path.data}/downloads"
 #   # timeout for downloading package
 #   timeout: 120s
-#   # file path to a public key used for verifying downloaded artifacts
-#   # if not file is present agent will try to load public key from elastic.co website.
-#   pgpfile: "${path.data}/elastic.pgp"
 #   # install_path describes the location of installed packages/programs. It is also used
 #   # for reading program specifications.
 #   install_path: "${path.data}/install"

elastic-agent.docker.yml

@@ -64,9 +64,6 @@ inputs:
 #   target_directory: "${path.data}/downloads"
 #   # timeout for downloading package
 #   timeout: 120s
-#   # file path to a public key used for verifying downloaded artifacts
-#   # if not file is present agent will try to load public key from elastic.co website.
-#   pgpfile: "${path.data}/elastic.pgp"
 #   # install_path describes the location of installed packages/programs. It is also used
 #   # for reading program specifications.
 #   install_path: "${path.data}/install"

elastic-agent.reference.yml

@@ -71,9 +71,6 @@ inputs:
 #   target_directory: "${path.data}/downloads"
 #   # timeout for downloading package
 #   timeout: 120s
-#   # file path to a public key used for verifying downloaded artifacts
-#   # if not file is present agent will try to load public key from elastic.co website.
-#   pgpfile: "${path.data}/elastic.pgp"
 #   # install_path describes the location of installed packages/programs. It is also used
 #   # for reading program specifications.
 #   install_path: "${path.data}/install"

elastic-agent.yml

@@ -120,9 +120,6 @@ inputs:
 #   target_directory: "${path.data}/downloads"
 #   # timeout for downloading package
 #   timeout: 120s
-#   # file path to a public key used for verifying downloaded artifacts
-#   # if not file is present agent will try to load public key from elastic.co website.
-#   pgpfile: "${path.data}/elastic.pgp"
 #   # install_path describes the location of installed packages/programs. It is also used
 #   # for reading program specifications.
 #   install_path: "${path.data}/install"

internal/pkg/agent/application/upgrade/artifact/download/verifier.go

@@ -13,6 +13,7 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
@@ -176,7 +177,24 @@ func PgpBytesFromSource(source string, client http.Client) ([]byte, error) {
 	return nil, errors.New("unknown pgp source")
 }
 
+func CheckValidDownloadUri(rawURI string) error {
+	uri, err := url.Parse(rawURI)
+	if err != nil {
+		return err
+	}
+
+	if !strings.EqualFold(uri.Scheme, "https") {
+		return fmt.Errorf("failed to check URI %q: HTTPS is required", rawURI)
+	}
+
+	return nil
+}
+
 func fetchPgpFromURI(uri string, client http.Client) ([]byte, error) {
+	if err := CheckValidDownloadUri(uri); err != nil {
+		return nil, err
+	}
+
 	resp, err := client.Get(uri)
 	if err != nil {
 		return nil, err

internal/pkg/agent/cmd/upgrade.go

@@ -82,6 +82,10 @@ func upgradeCmd(streams *cli.IOStreams, cmd *cobra.Command, args []string) error
 
 		pgpUri, _ := cmd.Flags().GetString(flagPGPBytesURI)
 		if len(pgpUri) > 0 {
+			if uriErr := download.CheckValidDownloadUri(pgpUri); uriErr != nil {
+				return uriErr
+			}
+
 			// URI is parsed later with proper TLS and Proxy config within downloader
 			pgpChecks = append(pgpChecks, download.PgpSourceURIPrefix+pgpUri)
 		}