Parse certs to get only CA ones

Signed-off-by: Mykola Morhun <mmorhun@redhat.com>
che-incubator · Sep 18, 2020 · 2c1c9a8 · 2c1c9a8
1 parent 1d9a704
commit 2c1c9a8
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 4 deletions.
diff --git a/package.json b/package.json
@@ -37,6 +37,7 @@
     "listr-verbose-renderer": "^0.6.0",
     "lodash": "^4.17.19",
     "mkdirp": "^1.0.4",
+    "node-forge": "^0.10.0",
     "node-notifier": "^6.0.0",
     "tslib": "^1"
   },
@@ -50,6 +51,7 @@
     "@types/js-yaml": "^3.12.2",
     "@types/listr": "^0.14.2",
     "@types/node": "^12",
+    "@types/node-forge": "^0.9.5",
     "cpx": "^1.5.0",
     "globby": "^11",
     "jest": "^24.9.0",

diff --git a/src/api/che.ts b/src/api/che.ts
@@ -16,6 +16,7 @@ import * as commandExists from 'command-exists'
 import * as fs from 'fs-extra'
 import * as https from 'https'
 import * as yaml from 'js-yaml'
+import * as nodeforge from 'node-forge'
 import * as os from 'os'
 import * as path from 'path'
 
@@ -125,8 +126,23 @@ export class CheHelper {
       return
     }
 
-    const rootCertStartPos = cheCaSecretContent.lastIndexOf('-----BEGIN CERTIFICATE-----')
-    return cheCaSecretContent.substring(rootCertStartPos)
+    const pemBeginHeader = '-----BEGIN CERTIFICATE-----'
+    const pemEndHeader = '-----END CERTIFICATE-----'
+    const certRegExp = new RegExp(`(^${pemBeginHeader}$(?:(?!${pemBeginHeader}).)*^${pemEndHeader}$)`, 'mgs')
+    const certsPem = cheCaSecretContent.match(certRegExp)
+
+    const caCertsPem: string[] = []
+    if (certsPem) {
+      for (const certPem of certsPem) {
+        const cert = nodeforge.pki.certificateFromPem(certPem)
+        const basicConstraintsExt = cert.getExtension('basicConstraints')
+        if (basicConstraintsExt && (basicConstraintsExt as any).cA) {
+          caCertsPem.push(certPem)
+        }
+      }
+    }
+
+    return caCertsPem.join('\n')
   }
 
   /**

diff --git a/src/commands/cacert/export.ts b/src/commands/cacert/export.ts
@@ -43,7 +43,7 @@ export default class Export extends Command {
     const cheHelper = new CheHelper(flags)
 
     if (!await kube.hasReadPermissionsForNamespace(flags.chenamespace)) {
-      throw new Error('E_PERM_DENIED - Permission for Che server namespace are required')
+      throw new Error(`E_PERM_DENIED - Permission for Che server namespace "${flags.chenamespace}" are required`)
     }
     if (!await cheHelper.cheNamespaceExist(flags.chenamespace)) {
       throw new Error(`E_BAD_NS - Namespace ${flags.chenamespace} does not exist. Please specify it with --chenamespace flag`)
@@ -55,7 +55,7 @@ export default class Export extends Command {
         const targetFile = await cheHelper.saveCheCaCert(cheCaCert, this.getTargetFile(flags.destination))
         this.log(`Eclipse Che self-signed CA certificate is exported to ${targetFile}`)
       } else {
-        this.log('Seems commonly trusted certificate is used.')
+        this.log('Self signed certificate secret not found. Is commonly trusted certificate used?')
       }
     } catch (error) {
       this.error(error)