shell: make require take a tag

This commit is contained in:
Girish Ramakrishnan
2024-10-14 19:10:31 +02:00
parent 02823c4158
commit a9e1d7641d
27 changed files with 162 additions and 156 deletions


@@ -58,7 +58,7 @@ const acme2 = require('./acme2.js'),
paths = require('./paths.js'),
safe = require('safetydance'),
settings = require('./settings.js'),
shell = require('./shell.js'),
shell = require('./shell.js')('reverseproxy'),
tasks = require('./tasks.js'),
validator = require('validator');
@@ -75,7 +75,7 @@ function nginxLocation(s) {
async function getCertificateDates(cert) {
assert.strictEqual(typeof cert, 'string');
const [error, result] = await safe(shell.exec('getCertificateDates', 'openssl x509 -startdate -enddate -subject -noout', { input: cert }));
const [error, result] = await safe(shell.exec('openssl x509 -startdate -enddate -subject -noout', { input: cert }));
if (error) return { startDate: null, endDate: null } ; // some error
const lines = result.trim().split('\n');
@@ -103,7 +103,7 @@ async function isOcspEnabled(certFilePath) {
// We used to check for the must-staple in the cert using openssl x509 -text -noout -in ${certFilePath} | grep -q status_request
// however, we cannot set the must-staple because first request to nginx fails because of it's OCSP caching behavior
const [error, result] = await safe(shell.exec('isOscpEnabled', `openssl x509 -in ${certFilePath} -noout -ocsp_uri`, {}));
const [error, result] = await safe(shell.exec(`openssl x509 -in ${certFilePath} -noout -ocsp_uri`, {}));
return !error && result.length > 0; // no error and has uri
}
@@ -112,7 +112,7 @@ async function providerMatches(domainObject, cert) {
assert.strictEqual(typeof domainObject, 'object');
assert.strictEqual(typeof cert, 'string');
const [error, subjectAndIssuer] = await safe(shell.exec('providerMatches', 'openssl x509 -noout -subject -issuer', { input: cert }));
const [error, subjectAndIssuer] = await safe(shell.exec('openssl x509 -noout -subject -issuer', { input: cert }));
if (error) return false; // something bad happenned
const subject = subjectAndIssuer.match(/^subject=(.*)$/m)[1];
@@ -153,20 +153,20 @@ async function validateCertificate(subdomain, domain, certificate) {
// -checkhost checks for SAN or CN exclusively. SAN takes precedence and if present, ignores the CN.
const fqdn = dns.fqdn(subdomain, domain);
const [checkHostError, checkHostOutput] = await safe(shell.exec('validateCertificate', `openssl x509 -noout -checkhost ${fqdn}`, { input: cert }));
const [checkHostError, checkHostOutput] = await safe(shell.exec(`openssl x509 -noout -checkhost ${fqdn}`, { input: cert }));
if (checkHostError) throw new BoxError(BoxError.BAD_FIELD, 'Could not validate certificate');
if (checkHostOutput.indexOf('does match certificate') === -1) throw new BoxError(BoxError.BAD_FIELD, `Certificate is not valid for this domain. Expecting ${fqdn}`);
// check if public key in the cert and private key matches. pkey below works for RSA and ECDSA keys
const [pubKeyError1, pubKeyFromCert] = await safe(shell.exec('validateCertificate', 'openssl x509 -noout -pubkey', { input: cert }));
const [pubKeyError1, pubKeyFromCert] = await safe(shell.exec('openssl x509 -noout -pubkey', { input: cert }));
if (pubKeyError1) throw new BoxError(BoxError.BAD_FIELD, 'Could not get public key from cert');
const [pubKeyError2, pubKeyFromKey] = await safe(shell.exec('validateCertificate', 'openssl pkey -pubout', { input: key }));
const [pubKeyError2, pubKeyFromKey] = await safe(shell.exec('openssl pkey -pubout', { input: key }));
if (pubKeyError2) throw new BoxError(BoxError.BAD_FIELD, 'Could not get public key from private key');
if (pubKeyFromCert !== pubKeyFromKey) throw new BoxError(BoxError.BAD_FIELD, 'Public key does not match the certificate.');
// check expiration
const [error] = await safe(shell.exec('validateCertificate', 'openssl x509 -checkend 0', { input: cert }));
const [error] = await safe(shell.exec('openssl x509 -checkend 0', { input: cert }));
if (error) throw new BoxError(BoxError.BAD_FIELD, 'Certificate has expired');
return null;
@@ -174,7 +174,7 @@ async function validateCertificate(subdomain, domain, certificate) {
async function notifyCertChange() {
await mailServer.checkCertificate();
await shell.promises.sudo('notifyCertChange', [ RESTART_SERVICE_CMD, 'box' ], {}); // directory server
await shell.promises.sudo([ RESTART_SERVICE_CMD, 'box' ], {}); // directory server
const allApps = (await apps.list()).filter(app => app.runState !== apps.RSTATE_STOPPED);
for (const app of allApps) {
if (app.manifest.addons?.tls) await setupTlsAddon(app);
@@ -184,7 +184,7 @@ async function notifyCertChange() {
async function reload() {
if (constants.TEST) return;
const [error] = await safe(shell.promises.sudo('reload', [ RESTART_SERVICE_CMD, 'nginx' ], {}));
const [error] = await safe(shell.promises.sudo([ RESTART_SERVICE_CMD, 'nginx' ], {}));
if (error) throw new BoxError(BoxError.NGINX_ERROR, `Error reloading nginx: ${error.message}`);
}
@@ -206,7 +206,7 @@ async function generateFallbackCertificate(domain) {
safe.fs.writeFileSync(configFile, opensslConfWithSan, 'utf8');
// the days field is chosen to be less than 825 days per apple requirement (https://support.apple.com/en-us/HT210176)
const certCommand = `openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 800 -subj /CN=*.${cn} -extensions SAN -config ${configFile} -nodes`;
await shell.exec('generateFallbackCertificate', certCommand, {});
await shell.exec(certCommand, {});
safe.fs.unlinkSync(configFile);
const cert = safe.fs.readFileSync(certFilePath, 'utf8');
@@ -740,7 +740,7 @@ async function writeDefaultConfig(options) {
const cn = 'cloudron-' + (new Date()).toISOString(); // randomize date a bit to keep firefox happy
// the days field is chosen to be less than 825 days per apple requirement (https://support.apple.com/en-us/HT210176)
await shell.exec('writeDefaultConfig', `openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 800 -subj /CN=${cn} -nodes`, {});
await shell.exec(`openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 800 -subj /CN=${cn} -nodes`, {});
}
const data = {