Remove mac-ca usage since it was only in tests (#6043)
* Make injecting CAs injectable, remove mac-ca as dependency * Fix win-ca failing on electron renderer on windows * Fix the matcher under features/ for main Signed-off-by: Sebastian Malton <sebastian@malton.name>
Showing
24 changed files
with
263 additions
and
272 deletions.
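--- a/src/common/certificate-authorities/inject-system-cas.injectable.ts
+++ b/src/common/certificate-authorities/inject-system-cas.injectable.ts
@@ -0,0 +1,39 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+
+import { getInjectable } from "@ogre-tools/injectable";
+import { globalAgent } from "https";
+import { requestSystemCAsInjectionToken } from "./request-system-cas-token";
+
+// DST Root CA X3, which was expired on 9.30.2021
+const DSTRootCAX3 = "-----BEGIN CERTIFICATE-----\nMIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow\nPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD\nEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O\nrz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq\nOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b\nxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\n7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD\naeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV\nHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG\nSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69\nikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr\nAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz\nR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5\nJDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo\nOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n-----END CERTIFICATE-----\n";
+
+function isCertActive(cert: string) {
+  const isExpired = typeof cert !== "string" || cert.includes(DSTRootCAX3);
+
+  return !isExpired;
+}
+
+const injectSystemCAsInjectable = getInjectable({
+  id: "inject-system-cas",
+  instantiate: (di) => {
+    const requestSystemCAs = di.inject(requestSystemCAsInjectionToken);
+
+    return async () => {
+      for (const cert of await requestSystemCAs()) {
+        if (isCertActive(cert)) {
+          if (Array.isArray(globalAgent.options.ca) && !globalAgent.options.ca.includes(cert)) {
+            globalAgent.options.ca.push(cert);
+          } else {
+            globalAgent.options.ca = [cert];
+          }
+        }
+      }
+    };
+  },
+});
+
+export default injectSystemCAsInjectable;
+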
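Review bot: The `else` branch inside the loop also runs when `globalAgent.options.ca` is already an array that contains `cert`, because the condition above it folds the array check and the duplicate check into one expression; a duplicate entry (the win32 provider in this commit does not dedupe its output) or a second call of the returned function then replaces the whole accumulated list with `[cert]`. Creating the array and appending to it should be separate steps, and a pre-set single `ca` value should be kept rather than discarded, as in the rewrite below. Whenever `ca` starts out unset, both the original and the rewrite leave only the system certificates in `ca`; Node documents that an explicit `ca` replaces its bundled roots, so if the intent is to extend the default trust store rather than replace it, the array should be seeded from `tls.rootCertificates` first. Also note that `isCertActive` is an exact substring match against a `\n`-joined PEM, while `request-system-cas.injectable.win32.ts` in this commit joins PEM lines with `\r\n`, so the expired DST root would pass the filter on Windows.
```typescript
    return async () => {
      const existing = globalAgent.options.ca;
      // Keep whatever was configured before; only ever append to it.
      const ca: (string | Buffer)[] = Array.isArray(existing)
        ? existing
        : existing == null ? [] : [existing];

      globalAgent.options.ca = ca;

      for (const cert of await requestSystemCAs()) {
        if (isCertActive(cert) && !ca.includes(cert)) {
          ca.push(cert);
        }
      }
    };
```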
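--- a/src/common/certificate-authorities/request-system-cas-token.ts
+++ b/src/common/certificate-authorities/request-system-cas-token.ts
@@ -0,0 +1,10 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+
+import { getInjectionToken } from "@ogre-tools/injectable";
+
+export const requestSystemCAsInjectionToken = getInjectionToken<() => Promise<string[]>>({
+  id: "request-system-cas-token",
+});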
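Review bot: The exported token has no doc comment, yet it is the contract every platform provider in this commit implements and the one the injector relies on. A TSDoc block above `export const requestSystemCAsInjectionToken` stating the contract the implementations follow would help the next provider author, for example `/** Resolves to the PEM-encoded certificates of the host trust store; implementations resolve to [] when none can be read rather than rejecting. */` (the darwin implementation catches its own errors and returns `[]`, and the linux and testing-env ones return `[]` unconditionally).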
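--- a/src/common/certificate-authorities/request-system-cas.injectable.darwin.ts
+++ b/src/common/certificate-authorities/request-system-cas.injectable.darwin.ts
@@ -0,0 +1,44 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+import { getInjectable } from "@ogre-tools/injectable";
+import execFileInjectable from "../fs/exec-file.injectable";
+import loggerInjectable from "../logger.injectable";
+import { requestSystemCAsInjectionToken } from "./request-system-cas-token";
+
+// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Cheatsheet#other_assertions
+const certSplitPattern = /(?=-----BEGIN\sCERTIFICATE-----)/g;
+
+const requestSystemCAsInjectable = getInjectable({
+  id: "request-system-cas",
+  instantiate: (di) => {
+    const execFile = di.inject(execFileInjectable);
+    const logger = di.inject(loggerInjectable);
+
+    const execSecurity = async (...args: string[]) => {
+      const output = await execFile("/usr/bin/security", args);
+
+      return output.split(certSplitPattern);
+    };
+
+    return async () => {
+      try {
+        const [trusted, rootCA] = await Promise.all([
+          execSecurity("find-certificate", "-a", "-p"),
+          execSecurity("find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain"),
+        ]);
+
+        return [...new Set([...trusted, ...rootCA])];
+      } catch (error) {
+        logger.warn(`[INJECT-CAS]: Error injecting root CAs from MacOSX: ${error}`);
+      }
+
+      return [];
+    };
+  },
+  causesSideEffects: true,
+  injectionToken: requestSystemCAsInjectionToken,
+});
+
+export default requestSystemCAsInjectable;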
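Review bot: `execSecurity` returns `output.split(certSplitPattern)` unfiltered, so when `security` prints nothing the result is `[""]`, and any text printed before the first `-----BEGIN CERTIFICATE-----` becomes an element of its own; neither is a certificate, but both satisfy `isCertActive` in inject-system-cas and would be pushed into the agent's CA list. Appending `.filter((segment) => segment.startsWith("-----BEGIN CERTIFICATE-----"))` to the split keeps only PEM blocks (the win32 provider in this commit already drops empty lines with `.filter(Boolean)`). Invoking `/usr/bin/security` by absolute path rather than through PATH is the right choice for code that feeds the trust store and deserves a one-line comment, e.g. `// absolute path on purpose: do not let PATH decide which binary supplies trust anchors`.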
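--- a/src/common/certificate-authorities/request-system-cas.injectable.linux.ts
+++ b/src/common/certificate-authorities/request-system-cas.injectable.linux.ts
@@ -0,0 +1,14 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+import { getInjectable } from "@ogre-tools/injectable";
+import { requestSystemCAsInjectionToken } from "./request-system-cas-token";
+
+const requestSystemCAsInjectable = getInjectable({
+  id: "request-system-cas",
+  instantiate: () => async () => [],
+  injectionToken: requestSystemCAsInjectionToken,
+});
+
+export default requestSystemCAsInjectable;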
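Review bot: The linux provider's `instantiate: () => async () => []` is indistinguishable from the testing-env stub in this commit, and nothing says whether returning no certificates on Linux is deliberate or a placeholder. A one-line comment above `instantiate`, such as `// intentionally empty: no system trust-store integration on Linux; Node's bundled roots remain in effect`, would record the decision for whoever next wonders why Linux users' locally installed CAs are not picked up.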
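--- a/src/common/certificate-authorities/request-system-cas.injectable.testing-env.ts
+++ b/src/common/certificate-authorities/request-system-cas.injectable.testing-env.ts
@@ -0,0 +1,14 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+import { getInjectable } from "@ogre-tools/injectable";
+import { requestSystemCAsInjectionToken } from "./request-system-cas-token";
+
+const requestSystemCAsInjectable = getInjectable({
+  id: "request-system-cas",
+  instantiate: () => async () => [],
+  injectionToken: requestSystemCAsInjectionToken,
+});
+
+export default requestSystemCAsInjectable;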
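--- a/src/common/certificate-authorities/request-system-cas.injectable.win32.ts
+++ b/src/common/certificate-authorities/request-system-cas.injectable.win32.ts
@@ -0,0 +1,45 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+import { getInjectable } from "@ogre-tools/injectable";
+import execFileInjectable from "../fs/exec-file.injectable";
+import { requestSystemCAsInjectionToken } from "./request-system-cas-token";
+
+const pemEncoding = (hexEncodedCert: String) => {
+  const certData = Buffer.from(hexEncodedCert, "hex").toString("base64");
+  const lines = ["-----BEGIN CERTIFICATE-----"];
+
+  for (let i = 0; i < certData.length; i += 64) {
+    lines.push(certData.substring(i, i + 64));
+  }
+
+  lines.push("-----END CERTIFICATE-----", "");
+
+  return lines.join("\r\n");
+};
+
+const requestSystemCAsInjectable = getInjectable({
+  id: "request-system-cas",
+  instantiate: (di) => {
+    const wincaRootsExePath: string = __non_webpack_require__.resolve("win-ca/lib/roots.exe");
+    const execFile = di.inject(execFileInjectable);
+
+    return async () => {
+      /**
+       * This needs to be done manually because for some reason calling the api from "win-ca"
+       * directly fails to load "child_process" correctly on renderer
+       */
+      const output = await execFile(wincaRootsExePath);
+
+      return output
+        .split("\r\n")
+        .filter(Boolean)
+        .map(pemEncoding);
+    };
+  },
+  causesSideEffects: true,
+  injectionToken: requestSystemCAsInjectionToken,
+});
+
+export default requestSystemCAsInjectable;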
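Review bot: `pemEncoding` declares its parameter with the boxed wrapper type `String`; the values it receives are plain strings from `split`, so the signature should read `const pemEncoding = (hexEncodedCert: string) => {`. `Buffer.from(hexEncodedCert, "hex")` stops silently at the first character that is not a hex digit, so a non-hex line from `roots.exe` becomes a truncated DER blob wrapped in valid-looking PEM delimiters instead of an error; a guard such as `if (!/^[0-9a-fA-F]+$/.test(hexEncodedCert)) { throw new Error("unexpected non-hex line from win-ca roots.exe"); }` (or filtering such lines out before `map`) keeps a malformed entry away from the TLS context, where what Node does with it is not something this code should rely on. The comment explaining why the exe is invoked manually is good; it would be worth extending it with the observation that `roots.exe` prints one hex-encoded DER certificate per CRLF line, since that format assumption is what the `split`/`map` chain encodes.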