Merge pull request #229 from github/mctofu/default-node-ca-cert

Default to NODE_EXTRA_CA_CERTS config for proxy cert
github · Jul 26, 2022 · 8b0699b · 8b0699b
2 parents 5086a77 + 509bd79
commit 8b0699b
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 9 deletions.
diff --git a/__tests__/proxy-integration.test.ts b/__tests__/proxy-integration.test.ts
@@ -100,6 +100,33 @@ integration('ProxyBuilder', () => {
     await proxy.shutdown()
   })
 
+  jest.setTimeout(20000)
+  it('copies in the default node custom root CA if configured', async () => {
+    // make a tmp dir at the repo root unless it already exists
+    const tmpDir = path.join(__dirname, '../tmp')
+    if (!fs.existsSync(tmpDir)) {
+      fs.mkdirSync(tmpDir)
+    }
+    const certPath = path.join(__dirname, '../tmp/custom-cert.crt')
+    fs.writeFileSync(certPath, 'ca-pem-contents')
+    process.env.NODE_EXTRA_CA_CERTS = certPath
+
+    const proxy = await builder.run(jobId, credentials)
+    await proxy.container.start()
+
+    const id = proxy.container.id
+    const proc = spawnSync('docker', [
+      'exec',
+      id,
+      'cat',
+      '/usr/local/share/ca-certificates/custom-ca-cert.crt'
+    ])
+    const stdout = proc.stdout.toString()
+    expect(stdout).toEqual('ca-pem-contents')
+
+    await proxy.shutdown()
+  })
+
   jest.setTimeout(20000)
   it('forwards custom proxy urls if configured', async () => {
     const url = 'http://example.com'

diff --git a/dist/main/index.js b/dist/main/index.js
diff --git a/dist/main/index.js.map b/dist/main/index.js.map
diff --git a/src/proxy.ts b/src/proxy.ts
@@ -86,12 +86,11 @@ export class ProxyBuilder {
       config
     )
 
-    if (process.env.CUSTOM_CA_PATH) {
+    const customCAPath = this.customCAPath()
+    if (customCAPath) {
       core.info('Detected custom CA certificate, adding to proxy')
 
-      const customCert = fs
-        .readFileSync(process.env.CUSTOM_CA_PATH, 'utf8')
-        .toString()
+      const customCert = fs.readFileSync(customCAPath, 'utf8').toString()
       await ContainerService.storeCert(
         CUSTOM_CA_CERT_NAME,
         CA_CERT_INPUT_PATH,
@@ -224,4 +223,12 @@ export class ProxyBuilder {
     core.info(`Created proxy container: ${container.id}`)
     return container
   }
+
+  private customCAPath(): string | undefined {
+    if ('CUSTOM_CA_PATH' in process.env) {
+      return process.env.CUSTOM_CA_PATH
+    }
+    // default to node.js configuration
+    return process.env.NODE_EXTRA_CA_CERTS
+  }
 }