feat: trust system ca #320 #397

siipimutteri · 2023-02-25T23:02:40Z

Changelog

Added option in AWS SSO integration for trusting system CA's. Fixes #320.

Bugfixes

Enhancements

Users can opt-in to use system's CA certificate store instead of Node's built-in for trusting custom CA's when using AWS SSO integration.

Notes

Screenshot of new opt-in setting in "Add new integration" and Edit screens:

Built with:

nvm use
npm install
cd packages/core
npm install
npm run build
cd ../desktop-app
npm install ../core
npm run build-and-run-dev

Test environment:
Create small AWS EC2 t3.nano Ubuntu in public subnet, use/create key pair for being able to login with ssh
Allow 51820/UDP and 22/TCP in from your public ip
Login to EC2 with SSH: ssh -i ~/.ssh/your-key.pem ubuntu@<ec2 public ip>
Install mitmproxy:

get https://snapshots.mitmproxy.org/9.0.1/mitmproxy-9.0.1-linux.tar.gz
tar xzf mitmproxy-9.0.1-linux.tar.gz

Start mitmproxy in transparent wireguard mode: ./mitmweb --mode wireguard

Install Wireguard into your machine
Copy wireguard configuration from EC2 machine's mitmproxy output. Eg:

[Interface]
PrivateKey = 4G..U=
Address = 10.0.0.1/32
DNS = 10.0.0.53

[Peer]
PublicKey = Pq..4=
AllowedIPs = 0.0.0.0/0
Endpoint = 10.0.15.79:51820

Replace DNS with eg. 1.1.1.1 and Endpoint's IP with EC2 public IP.
Activate Wireguard connection and test AWS SSO login with Leapp. It should fail with cert error.
Open magical http://mitm.it address with your browser and add mitmproxy's CA as trusted with provided instructions.
Opt-in "Trust system CA" and test AWS SSO login again. It should work.

CLI doesn't work at least with mitmproxy+wireguard combo and fails with connection refused error. It's yet to be tested if the issue exists also with other use cases.

Tests aren't written yet.