From 04e1538ab962e707f54b5abad3bf2abe5f279757 Mon Sep 17 00:00:00 2001
From: Jurre Stender <jurrestender@gmail.com>
Date: Mon, 30 Aug 2021 17:55:24 +0200
Subject: [PATCH] Allow customers to specify custom CA image

In some cases a GHES instance might have custom CA certificates set up,
this is the case for our dev environments for example.

In order to support this, we need the proxy to be made aware of the
cert, otherwise it will refuse any requests made to the GHES instance.

This will look for a `CUSTOM_CA_PATH` environment variable (which should
be defined in the `runsvc.sh` file when running actions as a service),
and copy it into the proxy container and update its certificates.
---
 __tests__/proxy-integration.test.ts |  5 +++++
 src/proxy.ts                        | 22 ++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/__tests__/proxy-integration.test.ts b/__tests__/proxy-integration.test.ts
index 3c673ae..5d03748 100644
--- a/__tests__/proxy-integration.test.ts
+++ b/__tests__/proxy-integration.test.ts
@@ -53,6 +53,11 @@ describe('ProxyBuilder', () => {
     const containerInfo = await proxy.container.inspect()
     expect(containerInfo.Name).toBe('/job-1-proxy')
     expect(containerInfo.HostConfig.NetworkMode).toBe('job-1-network')
+    expect(containerInfo.Config.Cmd).toEqual([
+      'sh',
+      '-c',
+      '/usr/sbin/update-ca-certificates && /update-job-proxy'
+    ])
 
     const networkInfo = await proxy.network.inspect()
     expect(networkInfo.Name).toBe('job-1-network')
diff --git a/src/proxy.ts b/src/proxy.ts
index fe0a6bf..ea15ff9 100644
--- a/src/proxy.ts
+++ b/src/proxy.ts
@@ -1,3 +1,4 @@
+import fs from 'fs'
 import * as core from '@actions/core'
 import Docker, {Container, Network} from 'dockerode'
 import crypto from 'crypto'
@@ -15,6 +16,8 @@ const KEY_SIZE = 2048
 const KEY_EXPIRY_YEARS = 2
 const CONFIG_FILE_PATH = '/'
 const CONFIG_FILE_NAME = 'config.json'
+const CA_CERT_INPUT_PATH = '/usr/local/share/ca-certificates'
+const CUSTOM_CA_CERT_NAME = 'custom-ca-cert.crt'
 const CERT_SUBJECT = [
   {
     name: 'commonName',
@@ -74,6 +77,19 @@ export class ProxyBuilder {
       config
     )
 
+    if (process.env.CUSTOM_CA_PATH) {
+      // read the file defined at the CUSTOM_CA_PATH environment variable
+      const customCert = fs
+        .readFileSync(process.env.CUSTOM_CA_PATH, 'utf8')
+        .toString()
+      await ContainerService.storeCert(
+        CUSTOM_CA_CERT_NAME,
+        CA_CERT_INPUT_PATH,
+        container,
+        customCert
+      )
+    }
+
     const stream = await container.attach({
       stream: true,
       stdout: true,
@@ -161,6 +177,12 @@ export class ProxyBuilder {
       AttachStdout: true,
       AttachStderr: true,
       Env: [`JOB_ID=${jobID}`],
+      Cmd: [
+        'sh',
+        '-c',
+        '/usr/sbin/update-ca-certificates && /update-job-proxy'
+      ],
+
       HostConfig: {
         NetworkMode: networkName
       }