jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

shell: rework code to use shell.spawn

Browse Source 
spawn gives out streams and we have more control over the stdout/stderr
buffers. otherwise, we have to provide a max buffer capture size to exec
This commit is contained in:
Girish Ramakrishnan
2024-10-15 10:10:15 +02:00
parent 7b648cddfd
commit 6c3ca9c364
18 changed files with 101 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/reverseproxy.js
View File

@@ -75,7 +75,7 @@ function nginxLocation(s) {
async function getCertificateDates(cert) {
assert.strictEqual(typeof cert, 'string');
const [error, result] = await safe(shell.exec('openssl x509 -startdate -enddate -subject -noout', { input: cert }));
const [error, result] = await safe(shell.spawn('openssl', ['x509', '-startdate', '-enddate', '-subject', '-noout'], { encoding: 'utf8', input: cert }));
if (error) return { startDate: null, endDate: null } ; // some error
const lines = result.trim().split('\n');
@@ -103,7 +103,7 @@ async function isOcspEnabled(certFilePath) {
// We used to check for the must-staple in the cert using openssl x509 -text -noout -in ${certFilePath} | grep -q status_request
// however, we cannot set the must-staple because first request to nginx fails because of it's OCSP caching behavior
const [error, result] = await safe(shell.exec(`openssl x509 -in ${certFilePath} -noout -ocsp_uri`, {}));
const [error, result] = await safe(shell.spawn('openssl', ['x509', '-in', certFilePath, '-noout', '-ocsp_uri'], { encoding: 'utf8' }));
return !error && result.length > 0; // no error and has uri
}
@@ -112,7 +112,7 @@ async function providerMatches(domainObject, cert) {
assert.strictEqual(typeof domainObject, 'object');
assert.strictEqual(typeof cert, 'string');
const [error, subjectAndIssuer] = await safe(shell.exec('openssl x509 -noout -subject -issuer', { input: cert }));
const [error, subjectAndIssuer] = await safe(shell.spawn('openssl', ['x509', '-noout', '-subject', '-issuer'], { encoding: 'utf8', input: cert }));
if (error) return false; // something bad happenned
const subject = subjectAndIssuer.match(/^subject=(.*)$/m)[1];
@@ -153,20 +153,20 @@ async function validateCertificate(subdomain, domain, certificate) {
// -checkhost checks for SAN or CN exclusively. SAN takes precedence and if present, ignores the CN.
const fqdn = dns.fqdn(subdomain, domain);
const [checkHostError, checkHostOutput] = await safe(shell.exec(`openssl x509 -noout -checkhost ${fqdn}`, { input: cert }));
const [checkHostError, checkHostOutput] = await safe(shell.spawn('openssl', ['x509', '-noout', '-checkhost', fqdn], { encoding: 'utf8', input: cert }));
if (checkHostError) throw new BoxError(BoxError.BAD_FIELD, 'Could not validate certificate');
if (checkHostOutput.indexOf('does match certificate') === -1) throw new BoxError(BoxError.BAD_FIELD, `Certificate is not valid for this domain. Expecting ${fqdn}`);
// check if public key in the cert and private key matches. pkey below works for RSA and ECDSA keys
const [pubKeyError1, pubKeyFromCert] = await safe(shell.exec('openssl x509 -noout -pubkey', { input: cert }));
const [pubKeyError1, pubKeyFromCert] = await safe(shell.spawn('openssl', ['x509', '-noout', '-pubkey'], { encoding: 'utf8', input: cert }));
if (pubKeyError1) throw new BoxError(BoxError.BAD_FIELD, 'Could not get public key from cert');
const [pubKeyError2, pubKeyFromKey] = await safe(shell.exec('openssl pkey -pubout', { input: key }));
const [pubKeyError2, pubKeyFromKey] = await safe(shell.spawn('openssl', ['pkey', '-pubout'], { encoding: 'utf8', input: key }));
if (pubKeyError2) throw new BoxError(BoxError.BAD_FIELD, 'Could not get public key from private key');
if (pubKeyFromCert !== pubKeyFromKey) throw new BoxError(BoxError.BAD_FIELD, 'Public key does not match the certificate.');
// check expiration
const [error] = await safe(shell.exec('openssl x509 -checkend 0', { input: cert }));
const [error] = await safe(shell.spawn('openssl', ['x509', '-checkend', '0'], { input: cert }));
if (error) throw new BoxError(BoxError.BAD_FIELD, 'Certificate has expired');
return null;
@@ -205,8 +205,7 @@ async function generateFallbackCertificate(domain) {
const configFile = path.join(os.tmpdir(), 'openssl-' + crypto.randomBytes(4).readUInt32LE(0) + '.conf');
safe.fs.writeFileSync(configFile, opensslConfWithSan, 'utf8');
// the days field is chosen to be less than 825 days per apple requirement (https://support.apple.com/en-us/HT210176)
const certCommand = `openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 800 -subj /CN=*.${cn} -extensions SAN -config ${configFile} -nodes`;
await shell.exec(certCommand, {});
await shell.spawn('openssl', ['req', '-x509', '-newkey', 'rsa:2048', '-keyout', keyFilePath, '-out', certFilePath, '-days', '800', '-subj', `/CN=*.${cn}`, '-extensions', 'SAN', '-config', configFile, '-nodes'], { encoding: 'utf8 '});
safe.fs.unlinkSync(configFile);
const cert = safe.fs.readFileSync(certFilePath, 'utf8');
@@ -740,7 +739,7 @@ async function writeDefaultConfig(options) {
const cn = 'cloudron-' + (new Date()).toISOString(); // randomize date a bit to keep firefox happy
// the days field is chosen to be less than 825 days per apple requirement (https://support.apple.com/en-us/HT210176)
await shell.exec(`openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 800 -subj /CN=${cn} -nodes`, {});
await shell.spawn('openssl', ['req', '-x509', '-newkey', 'rsa:2048', '-keyout', keyFilePath, '-out', certFilePath, '-days', '800', '-subj', `/CN=${cn}`, '-nodes'], { encoding: 'utf8' });
}
const data = {