-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(feature) Return CA Certificate path/data #41
Conversation
@zetlen hate to bother you, but would it be possible to get a review on this PR as well? It is also blocking a PR/issue @ gatsbyjs. It is a bit more involved, but the behavior is necessary; unless, of course, you have a better alternative. |
@Js-Brecht Thanks for your patience. I'm reviewing now. |
Thanks for taking the time 🙂 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your patience and for this excellent addition--it should add some flexibility for our use cases as well!
One small change request to the API. I know you want to expedite this, but I'm trying to get public API changes right so we don't have release churn.
Separates `returnCa` into `getCaPath` and `getCaBuffer` Co-Authored-By: James Zetlen <zetlen@gmail.com>
Co-Authored-By: James Zetlen <zetlen@gmail.com>
interface ICaBuffer { | ||
ca: Buffer; | ||
} | ||
interface ICaPath { | ||
caPath: string; | ||
} | ||
interface IDomainData { | ||
key: Buffer; | ||
cert: Buffer; | ||
} | ||
type IReturnCa<O extends Options> = O['getCaBuffer'] extends true ? ICaBuffer : false; | ||
type IReturnCaPath<O extends Options> = O['getCaPath'] extends true ? ICaPath : false; | ||
type IReturnData<O extends Options = {}> = (IDomainData) & (IReturnCa<O>) & (IReturnCaPath<O>); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@zetlen Because of the additional flexibility of the API, I wrote these types that will cause the return value to be more explicit, depending on what flags you set when you call certificateFor()
.
Let me know if you think this is too much/too complicated. The alternative is to limit it to two different return types, but then you wind up with Partial
properties:
type ReturnData = {
key: Buffer,
cert: Buffer
} | {
ca?: Buffer,
caPath?: string,
key: Buffer,
cert: Buffer
}
This probably wouldn't be an issue, ultimately. I just wanted it to be more clear what you're getting for what you give, and also get the benefits of strong types.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the self-documenting types!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I approve of the types; there are lot of ways to type this, but if it populates autosuggest correctly, then that's all that matters. Thanks for thinking about it carefully.
Just wanted to get those updates out, so I could get your opinion. Running tests now |
Tests are 💯 |
Bumps [configstore](https://github.com/yeoman/configstore) from 3.1.5 to 5.0.1. - [Release notes](https://github.com/yeoman/configstore/releases) - [Commits](yeoman/configstore@v3.1.5...v5.0.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This PR changes three things:
returnCa
option to receive the CA certificate path or data (as a buffer)The reason for this new feature is because node likes to throw errors when trying to fetch from a site that is using a self-signed (or private CA signed) certificate, since it maintains its own trust store. There are a couple of methods to fix this, which I will detail below, but in order to use them, the CA certificate must be readable. It just made sense to perform the read/return the path internally, since
devcert
already knows where everything is, instead of making the user do it.The error that is occurring is
unable to verify the first certificate
. In order to fix that, you have to add the CA to node's trusted store, or completely bypass by telling node not to reject unauthorized certificates (insecure).You can:
The issue with the last method is it replaces all of the predefined certs as well. Preferred method would be number 2, because node then reads and appends that cert to its trust store when it starts the server.
This is why we need to be able to retrieve the path to the CA cert, or the CA cert data itself.
How I achieve this on the receiving end is like this:
It's destructured like that so that the
ca
parameter isn't passed tohttps
, because that indicates peer authentication.Related
Issue gatsbyjs/gatsby#14990