Remove mac-ca usage since it was only in tests (#6043)

* Make injecting CAs injectable, remove mac-ca as dependency * Fix win-ca failing on electron renderer on windows * Fix the matcher under features/ for main Signed-off-by: Sebastian Malton <sebastian@malton.name>
lensapp · Oct 26, 2022 · d4209ee · d4209ee
1 parent 37eb236
commit d4209ee
Show file tree

Hide file tree

Showing 24 changed files with 263 additions and 272 deletions.
diff --git a/integration/__tests__/app-preferences.tests.ts b/integration/__tests__/app-preferences.tests.ts
@@ -24,9 +24,10 @@ describe("preferences page tests", () => {
 
     await app.evaluate(async ({ app }) => {
       await app.applicationMenu
-        .getMenuItemById(process.platform === "darwin" ? "mac" : "file")
-        .submenu.getMenuItemById("navigate-to-preferences")
-        .click();
+        ?.getMenuItemById(process.platform === "darwin" ? "mac" : "file")
+        ?.submenu
+        ?.getMenuItemById("navigate-to-preferences")
+        ?.click();
     });
   }, 10*60*1000);
 

diff --git a/integration/__tests__/cluster-pages.tests.ts b/integration/__tests__/cluster-pages.tests.ts
@@ -14,10 +14,11 @@ import { minikubeReady } from "../helpers/minikube";
 import type { Frame, Page } from "playwright";
 import { groupBy, toPairs } from "lodash/fp";
 import { pipeline } from "@ogre-tools/fp";
+import { describeIf } from "../../src/test-utils/skippers";
 
 const TEST_NAMESPACE = "integration-tests";
 
-utils.describeIf(minikubeReady(TEST_NAMESPACE))("Minikube based tests", () => {
+describeIf(minikubeReady(TEST_NAMESPACE))("Minikube based tests", () => {
   let window: Page;
   let cleanup: undefined | (() => Promise<void>);
   let frame: Frame;

diff --git a/integration/helpers/utils.ts b/integration/helpers/utils.ts
@@ -18,14 +18,6 @@ export const appPaths: Partial<Record<NodeJS.Platform, string>> = {
   "darwin": "./dist/mac/OpenLens.app/Contents/MacOS/OpenLens",
 };
 
-export function itIf(condition: boolean) {
-  return condition ? it : it.skip;
-}
-
-export function describeIf(condition: boolean) {
-  return condition ? describe : describe.skip;
-}
-
 async function getMainWindow(app: ElectronApplication, timeout = 50_000): Promise<Page> {
   return new Promise((resolve, reject) => {
     const cleanup = disposer();

diff --git a/package.json b/package.json
@@ -250,7 +250,6 @@
     "js-yaml": "^4.1.0",
     "jsdom": "^16.7.0",
     "lodash": "^4.17.15",
-    "mac-ca": "^1.0.6",
     "marked": "^4.1.1",
     "md5-file": "^5.0.0",
     "mobx": "^6.6.2",

diff --git a/src/common/__tests__/system-ca.test.ts b/src/common/__tests__/system-ca.test.ts
diff --git a/src/common/certificate-authorities/inject-system-cas.injectable.ts b/src/common/certificate-authorities/inject-system-cas.injectable.ts
@@ -0,0 +1,39 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+
+import { getInjectable } from "@ogre-tools/injectable";
+import { globalAgent } from "https";
+import { requestSystemCAsInjectionToken } from "./request-system-cas-token";
+
+// DST Root CA X3, which was expired on 9.30.2021
+const DSTRootCAX3 = "-----BEGIN CERTIFICATE-----\nMIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow\nPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD\nEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O\nrz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq\nOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b\nxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\n7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD\naeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV\nHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG\nSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69\nikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr\nAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz\nR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5\nJDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo\nOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n-----END CERTIFICATE-----\n";
+
+function isCertActive(cert: string) {
+  const isExpired = typeof cert !== "string" || cert.includes(DSTRootCAX3);
+
+  return !isExpired;
+}
+
+const injectSystemCAsInjectable = getInjectable({
+  id: "inject-system-cas",
+  instantiate: (di) => {
+    const requestSystemCAs = di.inject(requestSystemCAsInjectionToken);
+
+    return async () => {
+      for (const cert of await requestSystemCAs()) {
+        if (isCertActive(cert)) {
+          if (Array.isArray(globalAgent.options.ca) && !globalAgent.options.ca.includes(cert)) {
+            globalAgent.options.ca.push(cert);
+          } else {
+            globalAgent.options.ca = [cert];
+          }
+        }
+      }
+    };
+  },
+});
+
+export default injectSystemCAsInjectable;
+
diff --git a/src/common/certificate-authorities/request-system-cas-token.ts b/src/common/certificate-authorities/request-system-cas-token.ts
@@ -0,0 +1,10 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+
+import { getInjectionToken } from "@ogre-tools/injectable";
+
+export const requestSystemCAsInjectionToken = getInjectionToken<() => Promise<string[]>>({
+  id: "request-system-cas-token",
+});
diff --git a/src/common/certificate-authorities/request-system-cas.injectable.darwin.ts b/src/common/certificate-authorities/request-system-cas.injectable.darwin.ts
@@ -0,0 +1,44 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+import { getInjectable } from "@ogre-tools/injectable";
+import execFileInjectable from "../fs/exec-file.injectable";
+import loggerInjectable from "../logger.injectable";
+import { requestSystemCAsInjectionToken } from "./request-system-cas-token";
+
+// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Cheatsheet#other_assertions
+const certSplitPattern = /(?=-----BEGIN\sCERTIFICATE-----)/g;
+
+const requestSystemCAsInjectable = getInjectable({
+  id: "request-system-cas",
+  instantiate: (di) => {
+    const execFile = di.inject(execFileInjectable);
+    const logger = di.inject(loggerInjectable);
+
+    const execSecurity = async (...args: string[]) => {
+      const output = await execFile("/usr/bin/security", args);
+
+      return output.split(certSplitPattern);
+    };
+
+    return async () => {
+      try {
+        const [trusted, rootCA] = await Promise.all([
+          execSecurity("find-certificate", "-a", "-p"),
+          execSecurity("find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain"),
+        ]);
+
+        return [...new Set([...trusted, ...rootCA])];
+      } catch (error) {
+        logger.warn(`[INJECT-CAS]: Error injecting root CAs from MacOSX: ${error}`);
+      }
+
+      return [];
+    };
+  },
+  causesSideEffects: true,
+  injectionToken: requestSystemCAsInjectionToken,
+});
+
+export default requestSystemCAsInjectable;
diff --git a/src/common/certificate-authorities/request-system-cas.injectable.linux.ts b/src/common/certificate-authorities/request-system-cas.injectable.linux.ts
@@ -0,0 +1,14 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+import { getInjectable } from "@ogre-tools/injectable";
+import { requestSystemCAsInjectionToken } from "./request-system-cas-token";
+
+const requestSystemCAsInjectable = getInjectable({
+  id: "request-system-cas",
+  instantiate: () => async () => [],
+  injectionToken: requestSystemCAsInjectionToken,
+});
+
+export default requestSystemCAsInjectable;
diff --git a/src/common/certificate-authorities/request-system-cas.injectable.testing-env.ts b/src/common/certificate-authorities/request-system-cas.injectable.testing-env.ts
@@ -0,0 +1,14 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+import { getInjectable } from "@ogre-tools/injectable";
+import { requestSystemCAsInjectionToken } from "./request-system-cas-token";
+
+const requestSystemCAsInjectable = getInjectable({
+  id: "request-system-cas",
+  instantiate: () => async () => [],
+  injectionToken: requestSystemCAsInjectionToken,
+});
+
+export default requestSystemCAsInjectable;
diff --git a/src/common/certificate-authorities/request-system-cas.injectable.win32.ts b/src/common/certificate-authorities/request-system-cas.injectable.win32.ts
@@ -0,0 +1,45 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+import { getInjectable } from "@ogre-tools/injectable";
+import execFileInjectable from "../fs/exec-file.injectable";
+import { requestSystemCAsInjectionToken } from "./request-system-cas-token";
+
+const pemEncoding = (hexEncodedCert: String) => {
+  const certData = Buffer.from(hexEncodedCert, "hex").toString("base64");
+  const lines = ["-----BEGIN CERTIFICATE-----"];
+
+  for (let i = 0; i < certData.length; i += 64) {
+    lines.push(certData.substring(i, i + 64));
+  }
+
+  lines.push("-----END CERTIFICATE-----", "");
+
+  return lines.join("\r\n");
+};
+
+const requestSystemCAsInjectable = getInjectable({
+  id: "request-system-cas",
+  instantiate: (di) => {
+    const wincaRootsExePath: string = __non_webpack_require__.resolve("win-ca/lib/roots.exe");
+    const execFile = di.inject(execFileInjectable);
+
+    return async () => {
+      /**
+       * This needs to be done manually because for some reason calling the api from "win-ca"
+       * directly fails to load "child_process" correctly on renderer
+       */
+      const output = await execFile(wincaRootsExePath);
+
+      return output
+        .split("\r\n")
+        .filter(Boolean)
+        .map(pemEncoding);
+    };
+  },
+  causesSideEffects: true,
+  injectionToken: requestSystemCAsInjectionToken,
+});
+
+export default requestSystemCAsInjectable;
diff --git a/src/common/fs/exec-file.injectable.ts b/src/common/fs/exec-file.injectable.ts
@@ -8,30 +8,50 @@ import { execFile } from "child_process";
 import type { AsyncResult } from "../utils/async-result";
 
 export interface ExecFile {
+  (filePath: string): Promise<AsyncResult<string, { stderr: string; error: Error }>>;
+  (filePath: string, argsOrOptions: string[] | ExecFileOptions): Promise<AsyncResult<string, { stderr: string; error: Error }>>;
   (filePath: string, args: string[], options: ExecFileOptions): Promise<AsyncResult<string, { stderr: string; error: Error }>>;
 }
 
 const execFileInjectable = getInjectable({
   id: "exec-file",
 
-  instantiate: (): ExecFile => (filePath, args, options) => new Promise((resolve) => {
-    execFile(filePath, args, options, (error, stdout, stderr) => {
-      if (error) {
-        resolve({
-          callWasSuccessful: false,
-          error: {
-            error,
-            stderr,
-          },
-        });
-      } else {
-        resolve({
-          callWasSuccessful: true,
-          response: stdout,
+  instantiate: (): ExecFile => {
+    return (filePath: string, argsOrOptions?: string[] | ExecFileOptions, maybeOptions?: ExecFileOptions) => {
+      const { args, options } = (() => {
+        if (Array.isArray(argsOrOptions)) {
+          return {
+            args: argsOrOptions,
+            options: maybeOptions ?? {},
+          };
+        } else {
+          return {
+            args: [],
+            options: argsOrOptions ?? {},
+          };
+        }
+      })();
+
+      return new Promise((resolve) => {
+        execFile(filePath, args, options, (error, stdout, stderr) => {
+          if (error) {
+            resolve({
+              callWasSuccessful: false,
+              error: {
+                error,
+                stderr,
+              },
+            });
+          } else {
+            resolve({
+              callWasSuccessful: true,
+              response: stdout,
+            });
+          }
         });
-      }
-    });
-  }),
+      });
+    };
+  },
 
   causesSideEffects: true,
 });