vagrant-docker-certificates-manager 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 023a4ac2fc48aacbf0de2d60bfa2b91a8890318b623c2169538ea748db884367
-  data.tar.gz: 8b709c9e9c8a637e80df487b3ca0381e9ff1cd0c2334941024819a842050e4b6
+  metadata.gz: 1f64aa238bae8dbe7da5f4b4554bc04baa2d70c955384ff64811e03ef684c791
+  data.tar.gz: ac5625a4e633a4e487ff814307920171db797da2a87a7f384da04f616d91c7e8
 SHA512:
-  metadata.gz: 2cdba816ec1797ad404199e153bdb3e25b9b105bc62ea872d1068efbdaf0649e9e80ea8b1044c46f966b19e19cda29c85fb09c80af5632cf1acbe794e3152fc0
-  data.tar.gz: 8697e75304b157574141dc5b7ebeef2d81ffcc4c6bb27d23277f45f25418a40bb8c1e3de045f8b7bb418adfff601d3eb7058b2af15df97d4ecf16e92f324274e
+  metadata.gz: 4cb997ec0c8d99ed7f221a634b0a0ff0e88aab81516d496c4b541adde7a1e85a88a9ea4ed6c902fafa593a8be6357f5706113def410561cb2b8eb22461a25745
+  data.tar.gz: 638c3572ab9ffa1d6ce7a7c7c4605022c41f257ffc801b30ed7fc3ee7a4d30a118b7a8b1871cf27f93c7b24308f5aca6d0db49810431ba8074bc54de58b275be

data/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [0.3.0](https://github.com/julienpoirou/vagrant-docker-certificates-manager/compare/v0.2.0...v0.3.0) (2026-03-09)
+
+
+### Fonctionnalités ✨
+
+* **firefox:** Adding certificate management to Firefox ([6e067c3](https://github.com/julienpoirou/vagrant-docker-certificates-manager/commit/6e067c3a99f7963aa27b8cfc7b1e481a443af4ec))
+
+
+### Corrections 🐛
+
+* **rubocop:** Migrate rubocop-rspec from require to plugins ([9a22642](https://github.com/julienpoirou/vagrant-docker-certificates-manager/commit/9a226421d98aab0d781fd1ac3d0845e5b1c43ff4))
+* **rubocop:** Restore explicit *args for Ruby 3.1 compatibility ([595438d](https://github.com/julienpoirou/vagrant-docker-certificates-manager/commit/595438d061e2f1aafb7616b91110935ef4718a5c))
+
 ## [0.2.0](https://github.com/julienpoirou/vagrant-docker-certificates-manager/compare/v0.1.0...v0.2.0) (2025-08-20)
 
 

data/lib/vagrant-docker-certificates-manager/VERSION

@@ -1 +1 @@
-0.2.0
+0.3.0

data/lib/vagrant-docker-certificates-manager/actions/uninstall.rb

@@ -12,7 +12,7 @@ module VagrantDockerCertificatesManager
       def initialize(app, env); @app = app; @env = env; end
 
       def call(env)
-        cfg = env[:machine].config.docker_certs
+        cfg = env[:machine].config.docker_certificates
         UiHelpers.set_locale!(cfg.locale || "en")
         if cfg.remove_on_destroy
           Ui.say(env, :info, "uninstall.start", name: cfg.cert_name)

data/lib/vagrant-docker-certificates-manager/config.rb

@@ -19,7 +19,6 @@ module VagrantDockerCertificatesManager
     end
 
     def finalize!
-      @cert_path = @container_name unless @container_name.to_s.strip.empty?
       @install_on_up       = !!@install_on_up
       @remove_on_destroy   = !!@remove_on_destroy
       @manage_firefox      = !!@manage_firefox

data/lib/vagrant-docker-certificates-manager/helpers.rb

@@ -21,7 +21,8 @@ module VagrantDockerCertificatesManager
       error:    "❌",
       version:  "💾",
       broom:    "🧹",
-      question: "❓"
+      question: "❓",
+      bug:      "🐛"
     }.freeze
 
     module_function
@@ -32,31 +33,28 @@ module VagrantDockerCertificatesManager
       base  = File.expand_path("../../locales", __dir__)
       ::I18n.load_path |= Dir[File.join(base, "*.yml")]
       ::I18n.available_locales = SUPPORTED
-      default = ((ENV["VDCM_LANG"] || ENV["LANG"] || "en")[0,2] rescue "en").to_sym
+      default = ((ENV["VDCM_LANG"] || ENV["LANG"] || "en")[0, 2] rescue "en").to_sym
       ::I18n.default_locale = SUPPORTED.include?(default) ? default : :en
       ::I18n.backend.load_translations
       @i18n_setup = true
     end
 
     def set_locale!(lang, strict: false)
-        setup_i18n!
-
-        raw = (lang || ENV["VDCM_LANG"] || ENV["LANG"] || "en").to_s
-        sym = raw[0, 2].to_s.downcase.to_sym
-        sym = :en if sym.nil? || sym == :""
-
-        unless SUPPORTED.include?(sym)
-            if strict
-            raise UnsupportedLocaleError,
-                    "#{e(:error)} Unsupported language: #{sym}. Available: #{SUPPORTED.join(', ')}"
-            else
-            sym = :en
-            end
+      setup_i18n!
+      raw = (lang || ENV["VDCM_LANG"] || ENV["LANG"] || "en").to_s
+      sym = raw[0, 2].to_s.downcase.to_sym
+      sym = :en if sym.nil? || sym == :""
+      unless SUPPORTED.include?(sym)
+        if strict
+          raise UnsupportedLocaleError,
+                "#{e(:error)} Unsupported language: #{sym}. Available: #{SUPPORTED.join(', ')}"
+        else
+          sym = :en
         end
-
-    ::I18n.locale = sym
-    ::I18n.backend.load_translations
-    sym
+      end
+      ::I18n.locale = sym
+      ::I18n.backend.load_translations
+      sym
     end
 
     def e(key, no_emoji: false)
@@ -88,6 +86,20 @@ module VagrantDockerCertificatesManager
       v.is_a?(Hash) ? v : {}
     end
 
+    def exists?(key)
+      ::I18n.exists?(ns_key(key), ::I18n.locale)
+    end
+
+    def our_key?(k)
+      OUR_SPACES.any? { |ns| k.start_with?("#{NAMESPACE}.#{ns}") || k.start_with?(ns) }
+    end
+
+    def debug_enabled?
+      ENV["VDCM_DEBUG"].to_s == "1"
+    end
+
+    # ── display ───────────────────────────────────────────────────────────────
+
     def level_to_emoji(level)
       case level
       when :success then :success
@@ -114,10 +126,12 @@ module VagrantDockerCertificatesManager
     end
 
     def debug(env_or_ui, msg)
-      return unless ENV["VDCM_DEBUG"].to_s == "1"
-      say(env_or_ui, :info, nil, raw: "#{e(:question)} #{msg}")
+      return unless debug_enabled?
+      say(env_or_ui, :info, nil, raw: "#{e(:bug)} #{msg}")
     end
 
+    # ── help ──────────────────────────────────────────────────────────────────
+
     def print_general_help(no_emoji: false, ui: nil)
       setup_i18n!
       lines = []
@@ -142,7 +156,7 @@ module VagrantDockerCertificatesManager
       usage = t("#{base}.usage",       default: nil)
       desc  = t("#{base}.description", default: nil)
       opts  = t_hash("#{base}.options")
-      exs   = ::I18n.t("#{base}.examples", default: [])
+      exs   = ::I18n.t(ns_key("#{base}.examples"), default: [])
 
       if title.nil? && usage.nil? && desc.nil? && opts.empty? && exs.empty?
         return print_general_help(no_emoji: no_emoji, ui: ui)
@@ -171,9 +185,5 @@ module VagrantDockerCertificatesManager
         lines.each { |ln| puts ln }
       end
     end
-
-    def our_key?(k)
-      OUR_SPACES.any? { |ns| k.start_with?("#{NAMESPACE}.#{ns}") || k.start_with?(ns) }
-    end
   end
 end

data/lib/vagrant-docker-certificates-manager/util/os.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "open3"
+require "base64"
 require_relative "cert"
 
 module VagrantDockerCertificatesManager
@@ -9,50 +10,57 @@ module VagrantDockerCertificatesManager
 
     def detect
       if defined?(Vagrant) && Vagrant.const_defined?(:Util) && Vagrant::Util.const_defined?(:Platform)
-        return :mac if Vagrant::Util::Platform.darwin?
+        return :mac     if Vagrant::Util::Platform.darwin?
         return :windows if Vagrant::Util::Platform.windows?
-        return :linux if Vagrant::Util::Platform.linux?
+        return :linux   if Vagrant::Util::Platform.linux?
       else
         plat = RbConfig::CONFIG["host_os"].downcase
-        return :mac if plat.include?("darwin")
+        return :mac     if plat.include?("darwin")
         return :windows if plat =~ /mswin|mingw|windows/
-        return :linux if plat.include?("linux")
+        return :linux   if plat.include?("linux")
       end
       :unknown
     end
 
-    def run(cmd)
-      out, err, st = Open3.capture3(cmd)
+    # Runs an external command safely using the array form (no shell interpolation).
+    def run(*args)
+      out, err, st = Open3.capture3(*args)
       [st.success?, out, err]
     end
 
-    def mac_add_trusted_cert(path, name)
-      ok, *_ = run(%(sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "#{path}"))
-      ok
+    # ── macOS ─────────────────────────────────────────────────────────────────
+
+    def mac_add_trusted_cert(path, _name)
+      run("sudo", "security", "add-trusted-cert",
+          "-d", "-r", "trustRoot",
+          "-k", "/Library/Keychains/System.keychain",
+          path.to_s).first
     end
 
     def mac_has_cert_fingerprint?(fp)
-      ok, out, _ = run(%(security find-certificate -a -Z /Library/Keychains/System.keychain 2>/dev/null))
-      return false unless ok
-      out.include?(fp)
+      ok, out, = run("security", "find-certificate", "-a", "-Z",
+                     "/Library/Keychains/System.keychain")
+      ok && out.include?(fp.to_s)
     end
 
     def mac_remove_by_fp(fp)
-      ok, out, _ = run(%(security find-certificate -a -Z /Library/Keychains/System.keychain 2>/dev/null))
+      ok, out, = run("security", "find-certificate", "-a", "-Z",
+                     "/Library/Keychains/System.keychain")
       return true unless ok
-      hash = out.lines.find { |l| l =~ /SHA-1 hash:\s*#{fp}/i } ? fp : nil
+      hash = out.lines.find { |l| l =~ /SHA-1 hash:\s*#{Regexp.escape(fp)}/i } ? fp : nil
       return true unless hash
-      run(%(sudo security delete-certificate -Z #{hash} /Library/Keychains/System.keychain)).first
+      run("sudo", "security", "delete-certificate",
+          "-Z", hash.to_s, "/Library/Keychains/System.keychain").first
     end
 
+    # ── Linux ─────────────────────────────────────────────────────────────────
+
     def linux_install_cert(path, name, nss: true, firefox: false)
       dest = "/usr/local/share/ca-certificates/#{Cert::MARKER.downcase}-#{name}.crt"
-      ok1, = run(%(sudo cp "#{path}" "#{dest}"))
-      ok2, = run("sudo update-ca-certificates")
-      okn = true
-      okn &&= linux_nss_install(path, name) if nss
-      okf = true
-      okf &&= linux_firefox_install(path, name) if firefox
+      ok1, = run("sudo", "cp", path.to_s, dest)
+      ok2, = run("sudo", "update-ca-certificates")
+      okn = nss     ? linux_nss_install(path, name)     : true
+      okf = firefox ? linux_firefox_install(path, name) : true
       ok1 && ok2 && okn && okf
     end
 
@@ -62,71 +70,149 @@ module VagrantDockerCertificatesManager
 
     def linux_uninstall_cert(name, nss: true, firefox: false)
       dest = "/usr/local/share/ca-certificates/#{Cert::MARKER.downcase}-#{name}.crt"
-      run(%(sudo rm -f "#{dest}"))
-      run("sudo update-ca-certificates")
-      linux_nss_uninstall(name) if nss
+      run("sudo", "rm", "-f", dest)
+      run("sudo", "update-ca-certificates")
+      linux_nss_uninstall(name)     if nss
       linux_firefox_uninstall(name) if firefox
       true
     end
 
     def linux_nss_install(path, name)
-      db = %(sql:"$HOME/.pki/nssdb")
-      run(%(certutil -d #{db} -A -t "C,," -n "#{Cert.nickname_for(name)}" -i "#{path}")).first
+      db = "sql:#{File.join(Dir.home, '.pki', 'nssdb')}"
+      run("certutil", "-d", db, "-A", "-t", "C,,",
+          "-n", Cert.nickname_for(name), "-i", path.to_s).first
     end
 
     def linux_nss_uninstall(name)
-      db = %(sql:"$HOME/.pki/nssdb")
-      run(%(certutil -d #{db} -D -n "#{Cert.nickname_for(name)}"))
+      db = "sql:#{File.join(Dir.home, '.pki', 'nssdb')}"
+      run("certutil", "-d", db, "-D", "-n", Cert.nickname_for(name))
       true
     end
 
     def linux_firefox_profiles
-      home = ENV["HOME"]
+      home = Dir.home
       [
         "#{home}/.mozilla/firefox",
         "#{home}/.var/app/org.mozilla.firefox/.mozilla/firefox",
         "#{home}/snap/firefox/common/.mozilla/firefox"
-      ].select { |d| File.directory?(d) }.flat_map { |base| Dir.glob(File.join(base, "*.default*")) }
+      ].select { |d| File.directory?(d) }
+       .flat_map { |base| Dir.glob(File.join(base, "*.default*")) }
     end
 
     def linux_firefox_install(path, name)
-      profiles = linux_firefox_profiles
-      profiles.all? do |profile|
-        run(%(certutil -A -n "#{Cert.nickname_for(name)}" -t "C,," -i "#{path}" -d "sql:#{profile}")).first
+      linux_firefox_profiles.all? do |profile|
+        run("certutil", "-A",
+            "-n", Cert.nickname_for(name), "-t", "C,,",
+            "-i", path.to_s, "-d", "sql:#{profile}").first
       end
     end
 
     def linux_firefox_uninstall(name)
       linux_firefox_profiles.each do |profile|
-        run(%(certutil -D -n "#{Cert.nickname_for(name)}" -d "sql:#{profile}"))
+        run("certutil", "-D", "-n", Cert.nickname_for(name), "-d", "sql:#{profile}")
+      end
+      true
+    end
+
+    # ── Windows ───────────────────────────────────────────────────────────────
+
+    # Firefox on Windows does not ship with NSS certutil, so we enable
+    # security.enterprise_roots.enabled in each profile's user.js instead.
+    # This makes Firefox delegate trust to the Windows system cert store,
+    # which already contains the CA installed by win_install_cert.
+
+    FIREFOX_ENTERPRISE_ROOTS_PREF = 'user_pref("security.enterprise_roots.enabled", true);'
+    FIREFOX_ENTERPRISE_ROOTS_KEY  = "security.enterprise_roots.enabled"
+
+    def win_firefox_profiles
+      appdata = (ENV["APPDATA"] || File.join(Dir.home, "AppData", "Roaming")).tr("\\", "/")
+      base    = "#{appdata}/Mozilla/Firefox/Profiles"
+      return [] unless File.directory?(base)
+      Dir.glob("#{base}/*").select { |d| File.directory?(d) }
+    end
+
+    def win_firefox_enable_enterprise_roots
+      win_firefox_profiles.each do |profile|
+        user_js = File.join(profile, "user.js")
+        content = File.exist?(user_js) ? File.read(user_js) : ""
+        next if content.include?(FIREFOX_ENTERPRISE_ROOTS_KEY)
+        File.open(user_js, "a") { |f| f.puts FIREFOX_ENTERPRISE_ROOTS_PREF }
+      end
+      true
+    rescue StandardError
+      false
+    end
+
+    def win_firefox_disable_enterprise_roots
+      win_firefox_profiles.each do |profile|
+        user_js = File.join(profile, "user.js")
+        next unless File.exist?(user_js)
+        updated = File.read(user_js)
+                      .lines
+                      .reject { |l| l.include?(FIREFOX_ENTERPRISE_ROOTS_KEY) }
+                      .join
+        File.write(user_js, updated)
       end
       true
+    rescue StandardError
+      false
     end
 
     def win_install_cert(path, name)
-      ok, out, err = run(%(certutil -addstore -f "ROOT" "#{path}"))
-      return false unless ok
-      fp = Cert.sha1(path)
-      ps = %(
-        $cert = Get-ChildItem Cert:\\LocalMachine\\Root | Where-Object { $_.Thumbprint -eq "#{fp}" };
-        if ($cert) { $cert.FriendlyName = "#{Cert.nickname_for(name)}"; }
-      ).strip
-      run(%(powershell -NoProfile -NonInteractive -Command "#{ps}"))
+      fp   = Cert.sha1(path)
+      nick = Cert.nickname_for(name).gsub("'", "''")
+      abs  = File.expand_path(path).tr("/", "\\").gsub("'", "''")
+
+      ps = <<~PS
+        $ErrorActionPreference = 'Stop'
+        Import-Certificate -FilePath '#{abs}' -CertStoreLocation Cert:\\LocalMachine\\Root | Out-Null
+        $cert = Get-ChildItem Cert:\\LocalMachine\\Root | Where-Object { $_.Thumbprint -eq '#{fp}' }
+        if ($cert) { $cert.FriendlyName = '#{nick}' }
+      PS
+      encoded = Base64.strict_encode64(ps.encode("UTF-16LE"))
+
+      # Try non-elevated first (works if already admin)
+      ok, = run("powershell", "-NoProfile", "-NonInteractive", "-EncodedCommand", encoded)
+
+      unless ok
+        # Elevate via UAC
+        elev = "Start-Process PowerShell -Verb RunAs -Wait " \
+               "-ArgumentList '-NonInteractive','-NoProfile','-EncodedCommand','#{encoded}'"
+        elev_encoded = Base64.strict_encode64(elev.encode("UTF-16LE"))
+        ok, = run("powershell", "-NoProfile", "-NonInteractive", "-EncodedCommand", elev_encoded)
+        return false unless ok
+      end
+
+      win_firefox_enable_enterprise_roots
       true
     end
 
     def win_has_cert_fingerprint?(fp)
-        ps = %q{
-            $c = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq "__FP__" };
-            if ($c) { "YES" } else { "NO" }
-        }.strip.gsub("__FP__", fp.to_s)
-
-        ok, out, _ = run(%(powershell -NoProfile -NonInteractive -Command "#{ps}"))
-        ok && out.to_s.strip == "YES"
+      ps = "if (Get-ChildItem Cert:\\LocalMachine\\Root | " \
+           "Where-Object { $_.Thumbprint -eq '#{fp}' }) { 'YES' } else { 'NO' }"
+      ok, out, = run("powershell", "-NoProfile", "-NonInteractive",
+                     "-EncodedCommand", Base64.strict_encode64(ps.encode("UTF-16LE")))
+      ok && out.to_s.strip == "YES"
     end
 
     def win_remove_by_fp(fp)
-      run(%(certutil -delstore "ROOT" #{fp})).first
+      ps = <<~PS
+        $ErrorActionPreference = 'Stop'
+        Get-ChildItem Cert:\\LocalMachine\\Root |
+          Where-Object { $_.Thumbprint -eq '#{fp}' } |
+          Remove-Item
+      PS
+      encoded = Base64.strict_encode64(ps.encode("UTF-16LE"))
+
+      ok, = run("powershell", "-NoProfile", "-NonInteractive", "-EncodedCommand", encoded)
+      return true if ok
+
+      elev = "Start-Process PowerShell -Verb RunAs -Wait " \
+             "-ArgumentList '-NonInteractive','-NoProfile','-EncodedCommand','#{encoded}'"
+      elev_encoded = Base64.strict_encode64(elev.encode("UTF-16LE"))
+      ok = run("powershell", "-NoProfile", "-NonInteractive", "-EncodedCommand", elev_encoded).first
+      win_firefox_disable_enterprise_roots if ok
+      ok
     end
   end
 end

data/lib/vagrant-docker-certificates-manager/util/registry.rb

@@ -19,7 +19,7 @@ module VagrantDockerCertificatesManager
       ensure_dir!
       return {} unless File.exist?(db_path)
       JSON.parse(File.read(db_path))
-    rescue
+    rescue StandardError
       {}
     end
 

data/lib/vagrant-docker-certificates-manager/version.rb

@@ -1,10 +1,12 @@
 # frozen_string_literal: true
 
 module VagrantDockerCertificatesManager
-  VERSION = begin
-    path = File.expand_path("VERSION", __dir__)
-    File.exist?(path) ? File.read(path).strip : "0.1.0"
-  rescue
-    "0.1.0"
+  unless defined?(VERSION)
+    VERSION = begin
+      path = File.expand_path("VERSION", __dir__)
+      File.exist?(path) ? File.read(path).strip : "0.1.0"
+    rescue StandardError
+      "0.1.0"
+    end
   end
 end

data/locales/en.yml

@@ -80,14 +80,3 @@ en:
       success: "Certificate %{name} removed."
       fail: "Failed to remove certificate %{name}."
       skip: "Remove on destroy disabled; skipping."
-
-    errors:
-      invalid_path: "Invalid certificate path: %{path}"
-      missing_path_remove: "You must provide a path for removal."
-      not_found_for_remove: "No tracked certificate found for path: %{path}"
-      already_present: "The certificate %{name} already exists."
-      install_failed: "Certificate installation failed."
-      uninstall_failed: "Certificate removal failed."
-      remove_failed: "Remove failed."
-      os_unsupported: "Unsupported OS for this action."
-      unknown_command: "Unknown command: %{cmd}"

data/locales/fr.yml

@@ -80,14 +80,3 @@ fr:
       success: "Certificat %{name} supprimé."
       fail: "Échec de la suppression du certificat %{name}."
       skip: "Suppression à la destruction désactivée ; on ignore."
-
-    errors:
-      invalid_path: "Chemin de certificat invalide : %{path}"
-      missing_path_remove: "Vous devez fournir un chemin à supprimer."
-      not_found_for_remove: "Aucun certificat suivi pour le chemin : %{path}"
-      already_present: "Le certificat %{name} existe déjà."
-      install_failed: "Échec de l'installation du certificat."
-      uninstall_failed: "Échec de la suppression du certificat."
-      remove_failed: "Échec de la suppression."
-      os_unsupported: "Système non pris en charge pour cette action."
-      unknown_command: "Commande inconnue : %{cmd}"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vagrant-docker-certificates-manager
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Julien Poirou
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-08-20 00:00:00.000000000 Z
+date: 2026-03-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: i18n