Rework cert detection a bit (#1532)

* This is a WIP... so there might be an error thrown when running on actual pro *(hopefully not)*... working on it now, so possible downtime expectation perhaps. Works on local pro so far. * Check for backup alternate keys * Ensure keys are in UTF-8 Auto-merge
OpenUserJS · Oct 28, 2018 · 586dfe9 · 586dfe9
1 parent 1f29b34
commit 586dfe9
Show file tree

Hide file tree

Showing 3 changed files with 109 additions and 64 deletions.
diff --git a/app.js b/app.js
@@ -1,10 +1,5 @@
 'use strict';
 
-// Define some pseudo module globals
-var isPro = require('./libs/debug').isPro;
-var isDev = require('./libs/debug').isDev;
-var isDbg = require('./libs/debug').isDbg;
-
 // Stamp a message for stdout...
 console.log('Starting application...');
 
@@ -13,6 +8,16 @@ if (isPro) {
   console.warn('Starting application...');
 }
 
+// Define some pseudo module globals
+var isPro = require('./libs/debug').isPro;
+var isDev = require('./libs/debug').isDev;
+var isDbg = require('./libs/debug').isDbg;
+
+var isSecured = require('./libs/debug').isSecured;
+var privkey = require('./libs/debug').privkey;
+var fullchain = require('./libs/debug').fullchain;
+var chain = require('./libs/debug').chain;
+
 //
 var path = require('path');
 var crypto = require('crypto');
@@ -80,10 +85,6 @@ var https = require('https');
 var sslOptions = null;
 var server = http.createServer(app);
 var secureServer = null;
-var privkey = './keys/private.key';
-var fullchain = './keys/cert.crt';
-var chain = './keys/intermediate.crt';
-var secured = null;
 
 app.set('port', process.env.PORT || 8080);
 app.set('securePort', process.env.SECURE_PORT || null);
@@ -268,20 +269,11 @@ app.use(function (aReq, aRes, aNext) {
 });
 
 // Force HTTPS
-secured = true;
-try {
-  fs.accessSync(privkey, fs.constants.F_OK);
-  fs.accessSync(fullchain, fs.constants.F_OK);
-  fs.accessSync(chain, fs.constants.F_OK);
-} catch (aE) {
-  secured = false;
-}
-
-if (app.get('securePort') && secured) {
+if (app.get('securePort') && isSecured) {
   sslOptions = {
-    key: fs.readFileSync(privkey),
-    cert: fs.readFileSync(fullchain),
-    ca: fs.readFileSync(chain),
+    key: fs.readFileSync(privkey, 'utf8'),
+    cert: fs.readFileSync(fullchain, 'utf8'),
+    ca: fs.readFileSync(chain, 'utf8'),
     ciphers: [
       'ECDHE-RSA-AES128-GCM-SHA256',
       'ECDHE-ECDSA-AES128-GCM-SHA256',
@@ -359,7 +351,7 @@ app.use(session({
   unset: 'destroy',
   cookie: {
     maxAge: 5 * 60 * 1000, // minutes in ms NOTE: Expanded after successful auth
-    secure: (isPro && secured ? true : false),
+    secure: (isPro && isSecured ? true : false),
     sameSite: 'lax' // NOTE: Current auth necessity
   },
   rolling: true,
@@ -508,7 +500,7 @@ function pingCert() {
   });
 };
 
-if (secured) {
+if (isSecured) {
   pingCertTimer = setInterval(pingCert, 60 * 60 * 1000); // NOTE: Check every hour
 }
 

diff --git a/controllers/scriptStorage.js b/controllers/scriptStorage.js
@@ -4,6 +4,7 @@
 var isPro = require('../libs/debug').isPro;
 var isDev = require('../libs/debug').isDev;
 var isDbg = require('../libs/debug').isDbg;
+var isSecured = require('../libs/debug').isSecured;
 var statusError = require('../libs/debug').statusError;
 
 //
@@ -249,54 +250,59 @@ var sourceMinBruteforce = new ExpressBrute(store, {
 });
 
 var githubHookAddresses = [];
-request({
-  url: 'https://api.github.com/meta',
-  headers: {
-    'User-Agent': 'OpenUserJS'
-  }
-}, function (aErr, aRes, aBody) {
-  var meta = null;
 
-  if (aErr
-    || aRes.statusCode !== 200
-      || !/^application\/json;/.test(aRes.headers['content-type'])) {
+if (isSecured) {
+  request({
+    url: 'https://api.github.com/meta',
+    headers: {
+      'User-Agent': 'OpenUserJS'
+    }
+  }, function (aErr, aRes, aBody) {
+    var meta = null;
 
-    console.error([
-      colors.red('Error retrieving GitHub `hooks`'),
-      aRes.statusCode,
-      aRes.headers['content-type'],
-      aErr
-    ].join('\n'));
-    return;
-  }
+    if (aErr
+      || aRes.statusCode !== 200
+        || !/^application\/json;/.test(aRes.headers['content-type'])) {
 
-  try {
-    meta = JSON.parse(aBody);
-  } catch (aE) {
-    console.error(colors.red('Error retrieving GitHub `hooks`', aE));
-    return;
-  }
+      console.error([
+        colors.red('Error retrieving GitHub `hooks`'),
+        aRes.statusCode,
+        aRes.headers['content-type'],
+        aErr
+      ].join('\n'));
+      return;
+    }
+
+    try {
+      meta = JSON.parse(aBody);
+    } catch (aE) {
+      console.error(colors.red('Error retrieving GitHub `hooks`', aE));
+      return;
+    }
 
-  if (meta && meta.hooks && Array.isArray(meta.hooks)) {
-    meta.hooks.forEach(function (aEl, aIdx, aArr) {
-      if (typeof aEl === 'string' && /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2}$/.test(aEl)) {
-        githubHookAddresses.push(aEl);
+    if (meta && meta.hooks && Array.isArray(meta.hooks)) {
+      meta.hooks.forEach(function (aEl, aIdx, aArr) {
+        if (typeof aEl === 'string' && /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2}$/.test(aEl)) {
+          githubHookAddresses.push(aEl);
+        } else {
+          console.warn(
+            colors.yellow('GitHub `hooks` element', aEl, 'does not match IPv4 CIDR specification')
+          );
+        }
+      });
+      if (githubHookAddresses.length > 0) {
+        console.log(colors.green('Using GitHub `hooks` of'), githubHookAddresses);
       } else {
-        console.warn(
-          colors.yellow('GitHub `hooks` element', aEl, 'does not match IPv4 CIDR specification')
-        );
+        console.error(colors.red('Error retrieving GitHub `hooks`... no compatible elements found'));
       }
-    });
-    if (githubHookAddresses.length > 0) {
-      console.log(colors.green('Using GitHub `hooks` of'), githubHookAddresses);
+
     } else {
-      console.error(colors.red('Error retrieving GitHub `hooks`... no compatible elements found'));
+      console.error(colors.red('Error retrieving GitHub `hooks`'));
     }
-
-  } else {
-    console.error(colors.red('Error retrieving GitHub `hooks`'));
-  }
-});
+  });
+} else {
+  console.warn(colors.yellow('Disabling GitHub `hooks` in unsecure mode'));
+}
 
 //
 function getInstallNameBase(aReq, aOptions) {

diff --git a/libs/debug.js b/libs/debug.js
@@ -1,9 +1,56 @@
 'use strict';
 
+var fs = require('fs');
+
 var isPro = process.env.NODE_ENV === 'production';
 var isDev = !isPro;
 var isDbg = typeof v8debug === 'object';
 
+var isSecure = null;
+var privkey = null;
+var fullchain = null;
+var chain = null;
+
+try {
+  // Check for primary keys
+  privkey = './keys/private.key';
+  fullchain = './keys/cert.crt';
+  chain = './keys/intermediate.crt';
+
+  fs.accessSync(privkey, fs.constants.F_OK);
+  fs.accessSync(fullchain, fs.constants.F_OK);
+  fs.accessSync(chain, fs.constants.F_OK);
+
+  exports.privkey = privkey;
+  exports.fullchain = fullchain;
+  exports.chain = chain;
+  exports.isSecured = true;
+
+} catch (aE) {
+  // Check for backup alternate keys
+  try {
+    privkey = './keys/priv.pem';
+    fullchain = './keys/fullchain.pem';
+    chain = './keys/chain.pem';
+
+    fs.accessSync(privkey, fs.constants.F_OK);
+    fs.accessSync(fullchain, fs.constants.F_OK);
+    fs.accessSync(chain, fs.constants.F_OK);
+
+    exports.privkey = privkey;
+    exports.fullchain = fullchain;
+    exports.chain = chain;
+    exports.isSecured = true;
+
+  } catch (aE) {
+    // Ensure that all items are nulled or equivalent
+    exports.privkey = null;
+    exports.fullchain = null;
+    exports.chain = null;
+    exports.isSecured = false;
+  }
+}
+
 exports.isPro = isPro;
 exports.isDev = isDev;
 exports.isDbg = isDbg;