fix(CustomSSL): validator and ssl proxy updater fixed (#1080)
* fix(CustomSSL): ssl key and cert validator

* feat(SSLProxyUpdate): add ssl proxy update queue to system

* fix(domain): update ssl status function
tanmoysrt authored Nov 9, 2024
1 parent f4ea505 commit b915425
Showing 4 changed files with 51 additions and 49 deletions.
56 changes: 50 additions & 6 deletions swiftwave_service/core/domain.operations.go
Expand Up @@ -5,8 +5,10 @@ import (
"crypto/x509"
"encoding/pem"
"errors"
"gorm.io/gorm"
"strings"
"time"

"gorm.io/gorm"
)

// This file contains the operations for the Domain model.
Expand All @@ -33,7 +35,7 @@ func (domain *Domain) FindById(_ context.Context, db gorm.DB, id uint) error {
}

func (domain *Domain) Create(_ context.Context, db gorm.DB) error {
err := domain.fillSSLInfo()
err := domain.validateAndFillSSLInfo()
if err != nil {
return err
}
Expand All @@ -42,7 +44,7 @@ func (domain *Domain) Create(_ context.Context, db gorm.DB) error {
}

func (domain *Domain) Update(_ context.Context, db gorm.DB) error {
err := domain.fillSSLInfo()
err := domain.validateAndFillSSLInfo()
if err != nil {
return err
}
Expand All @@ -66,16 +68,58 @@ func (domain *Domain) Delete(_ context.Context, db gorm.DB) error {

func (domain *Domain) UpdateSSLStatus(_ context.Context, db gorm.DB, status DomainSSLStatus) error {
domain.SSLStatus = status
tx := db.Where("id = ?", domain.ID).Update("ssl_status", status)
tx := db.Model(&domain).Where("id = ?", domain.ID).Update("ssl_status", status)
return tx.Error
}

func (domain *Domain) fillSSLInfo() error {
func (domain *Domain) validateAndFillSSLInfo() error {
if domain == nil || domain.SSLFullChain == "" {
return nil
}

// if ssl full chain or private key is missing \n at the end , add it
if !strings.HasSuffix(domain.SSLFullChain, "\n") {
domain.SSLFullChain = domain.SSLFullChain + "\n"
}
if !strings.HasSuffix(domain.SSLPrivateKey, "\n") {
domain.SSLPrivateKey = domain.SSLPrivateKey + "\n"
}

// validate private key
keyBytes := []byte(domain.SSLPrivateKey)
block, _ := pem.Decode(keyBytes)
if block == nil {
return errors.New("failed to decode SSL private key")
}
// Attempt parsing the key as any supported private key format
isValidated := false
_, err := x509.ParsePKCS8PrivateKey(block.Bytes)
if err == nil {
isValidated = true // Key is valid PKCS8
}

if !isValidated {

_, err = x509.ParsePKCS1PrivateKey(block.Bytes)
if err == nil {
isValidated = true // Key is valid PKCS1
}
}

if !isValidated {
_, err = x509.ParseECPrivateKey(block.Bytes)
if err == nil {
isValidated = true // Key is valid EC
}
}

if !isValidated {
return errors.New("provided private keys is not a valid private key (RSA, PKCS8, PKCS1, or EC)")
}

// validate full chain certificate
certBytes := []byte(domain.SSLFullChain)
block, _ := pem.Decode(certBytes)
block, _ = pem.Decode(certBytes)
if block == nil {
return errors.New("failed to decode SSL full chain certificate")
}
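Review bot: The new key check in validateAndFillSSLInfo only proves that the private key parses (PKCS#8, then PKCS#1, then EC) — it never verifies that the key belongs to the certificate held in SSLFullChain, so a mismatched cert/key pair is accepted at Create/Update and will only fail later when the proxy tries to serve it. `tls.X509KeyPair` performs exactly that pairing check, already accepts all three key encodings, and parses every certificate in the chain, so the manual three-way parse from `// validate private key` down to the `"provided private keys is not a valid private key ..."` return can collapse into one call (adding `"crypto/tls"` to the import block in the first hunk); the `pem.Decode` of the chain that follows can stay for whatever the remainder of the function extracts — it continues past this hunk, so I cannot see what is filled from the leaf. Two smaller things: that final error string reads "private keys is not", and `db.Model(&domain)` in UpdateSSLStatus passes a `**Domain` where `db.Model(domain)` is the intended receiver (gorm appears to unwrap the extra indirection, so this is a style nit rather than a bug).
```go
	// … unchanged: nil/empty guard and trailing-newline normalisation …

	// Parse chain and key together: X509KeyPair accepts PKCS#1, PKCS#8 and
	// SEC 1 (EC) keys, reads every certificate in the chain, and rejects a
	// private key that does not belong to the leaf certificate — the
	// parse-only checks it replaces never verified the pair.
	if _, err := tls.X509KeyPair([]byte(domain.SSLFullChain), []byte(domain.SSLPrivateKey)); err != nil {
		return errors.New("ssl full chain and private key do not form a valid pair: " + err.Error())
	}

	// … unchanged: pem.Decode of the full chain and the rest of the function below this hunk …
```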
10 changes: 0 additions & 10 deletions swiftwave_service/graphql/domain.resolvers.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

33 changes: 0 additions & 33 deletions swiftwave_service/graphql/helpers.go
Expand Up @@ -2,7 +2,6 @@ package graphql

import (
"context"
"encoding/pem"
"errors"
"fmt"
"log"
Expand All @@ -18,7 +17,6 @@ import (
"github.com/swiftwave-org/swiftwave/swiftwave_service/graphql/model"
"github.com/swiftwave-org/swiftwave/swiftwave_service/logger"
"github.com/swiftwave-org/swiftwave/swiftwave_service/manager"
"golang.org/x/crypto/ssh"
"gorm.io/gorm"
)

Expand Down Expand Up @@ -55,37 +53,6 @@ func sanitizeFileName(fileName string) string {
return fileName
}

func ValidateSSLFullChainCertificate(certString string) error {
// Parse the SSL public key (including certificates)
pubKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(certString))
if err != nil {
return fmt.Errorf("failed to parse SSL public key: %v", err)
}

// Check if it's an SSH certificate
_, ok := pubKey.(*ssh.Certificate)
if !ok {
return fmt.Errorf("provided file is not an SSL certificate")
}

return nil
}

func ValidateSSLPrivateKey(privateKeyString string) error {
// Decode the PEM block
block, _ := pem.Decode([]byte(privateKeyString))
if block == nil {
return fmt.Errorf("failed to decode PEM block from private key")
}

// Try to parse the key as an SSH private key
_, err := ssh.ParseRawPrivateKey(block.Bytes)
if err != nil {
return fmt.Errorf("failed to parse SSL private key: %v", err)
}
return nil
}

func FetchDockerManager(ctx context.Context, db *gorm.DB) (*containermanger.Manager, error) {
// Fetch a random swarm manager
swarmManagerServer, err := core.FetchSwarmManager(db)
1 change: 1 addition & 0 deletions swiftwave_service/worker/init.go
Expand Up @@ -62,6 +62,7 @@ func Queues() []string {
redirectRuleApplyQueueName,
redirectRuleDeleteQueueName,
sslGenerateQueueName,
sslProxyUpdateQueueName,
deletePersistentVolumeQueueName,
persistentVolumeBackupQueueName,
persistentVolumeRestoreQueueName,
