@aifabrix/builder 2.42.1 → 2.44.0

package/lib/utils/dev-ca-install.js

@@ -22,60 +22,210 @@ const SSL_UNTRUSTED_CODES = [
   'CERT_UNTRUSTED',
   'SELF_SIGNED_CERT_IN_CHAIN',
   'UNABLE_TO_GET_ISSUER_CERT',
-  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
+  'CERT_HAS_EXPIRED'
 ];
 
+const SSL_HOSTNAME_MISMATCH_CODES = ['ERR_TLS_CERT_ALTNAME_INVALID'];
+
+/**
+ * Walks err and nested err.cause (fetch wraps TLS failures).
+ * @param {Error|undefined|null} err - Error chain root
+ * @param {function(Error): void} fn - Visitor
+ * @param {number} [maxDepth=12]
+ */
+function walkErrorCauseChain(err, fn, maxDepth = 12) {
+  let e = err;
+  let depth = 0;
+  while (e && depth < maxDepth) {
+    fn(e);
+    e = e.cause;
+    depth++;
+  }
+}
+
 /**
  * Returns true if the error indicates an untrusted/self-signed server certificate.
  * @param {Error} err - Thrown error (e.g. from devApi.getHealth)
  * @returns {boolean}
  */
 function isSslUntrustedError(err) {
-  const code = err?.code || err?.cause?.code;
-  const msg = (err?.message || '').toUpperCase();
-  return SSL_UNTRUSTED_CODES.some(c => code === c || msg.includes(c));
+  if (!err) return false;
+  let untrusted = false;
+  walkErrorCauseChain(err, (e) => {
+    const code = e && e.code;
+    const msg = ((e && e.message) || '').toUpperCase();
+    if (SSL_UNTRUSTED_CODES.some(c => code === c || msg.includes(c))) {
+      untrusted = true;
+    }
+  });
+  return untrusted;
 }
 
 /**
- * Fetch CA PEM from Builder Server via GET {baseUrl}/install-ca.
- * Uses rejectUnauthorized: false only for this endpoint (dev setup).
- * @param {string} baseUrl - Builder Server base URL (no trailing slash)
- * @returns {Promise<Buffer>} CA certificate PEM
+ * True when the server cert is trusted enough to verify but the hostname does not match (wrong SAN).
+ * Installing the dev CA does not fix this.
+ * @param {Error} err - Thrown error
+ * @returns {boolean}
  */
-function fetchInstallCa(baseUrl) {
+function isSslHostnameMismatchError(err) {
+  if (!err) return false;
+  let mismatch = false;
+  walkErrorCauseChain(err, (e) => {
+    const code = e && e.code;
+    if (SSL_HOSTNAME_MISMATCH_CODES.includes(code)) {
+      mismatch = true;
+    }
+  });
+  return mismatch;
+}
+
+const MAX_INSTALL_CA_REDIRECTS = 5;
+const PEM_CERT_BLOCK_RE = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/;
+const JSON_CA_KEYS = [
+  'caCertificate', 'ca', 'certificate', 'pem', 'rootCa', 'rootCertificate', 'caPem', 'data'
+];
+
+/**
+ * One-line preview of a response body for errors (no PEM secrets expected in typical error HTML).
+ * @param {string} body
+ * @param {number} maxLen
+ * @returns {string}
+ */
+function truncateBodyForError(body, maxLen = 180) {
+  const oneLine = String(body || '').replace(/\s+/g, ' ').trim();
+  if (oneLine.length <= maxLen) return oneLine || '(empty)';
+  return `${oneLine.slice(0, maxLen)}…`;
+}
+
+/**
+ * @param {Object} j - Parsed JSON object
+ * @returns {string|null} PEM or null
+ */
+function pemFromJsonObject(j) {
+  if (!j || typeof j !== 'object' || Array.isArray(j)) return null;
+  for (const k of JSON_CA_KEYS) {
+    if (typeof j[k] !== 'string') continue;
+    const m = j[k].match(PEM_CERT_BLOCK_RE);
+    if (m) return m[0].trim();
+  }
+  return null;
+}
+
+/**
+ * Extract first PEM certificate from install-ca response: raw PEM, JSON field, or HTML/text wrapper.
+ * @param {string} raw - Response body as UTF-8
+ * @returns {string|null} PEM text or null
+ */
+function extractCaPemFromBody(raw) {
+  if (!raw || typeof raw !== 'string') return null;
+  const s = raw.trim();
+  try {
+    const fromJson = pemFromJsonObject(JSON.parse(s));
+    if (fromJson) return fromJson;
+  } catch {
+    /* not JSON */
+  }
+  const block = s.match(PEM_CERT_BLOCK_RE);
+  return block ? block[0].trim() : null;
+}
+
+/**
+ * Resolve install-ca response body to PEM buffer or reject with context.
+ * @param {import('http').IncomingMessage} res
+ * @param {string} absoluteUrl
+ * @param {Buffer[]} chunks
+ * @param {function(Buffer):void} resolve
+ * @param {function(Error):void} reject
+ */
+function finalizeInstallCaResponse(res, absoluteUrl, chunks, resolve, reject) {
+  const body = Buffer.concat(chunks).toString('utf8');
+  const status = res.statusCode || 0;
+  if (status < 200 || status >= 300) {
+    reject(
+      new Error(
+        `install-ca returned HTTP ${status}. ${truncateBodyForError(body)} — open ${absoluteUrl} in a browser or ask your admin to serve PEM at /install-ca.`
+      )
+    );
+    return;
+  }
+  const pem = extractCaPemFromBody(body);
+  if (!pem) {
+    const hint = body.trim().startsWith('<') ? 'Received HTML (SPA or error page). ' : '';
+    reject(
+      new Error(
+        `${hint}Invalid CA response: expected PEM certificate. ${truncateBodyForError(body)} — try: ${absoluteUrl}`
+      )
+    );
+    return;
+  }
+  resolve(Buffer.from(`${pem}\n`, 'utf8'));
+}
+
+/**
+ * GET absolute install-ca URL with insecure TLS; follow redirects (resolve relative Location).
+ * @param {string} absoluteUrl - Full https URL
+ * @param {number} redirectCount - Redirect depth
+ * @returns {Promise<Buffer>} CA PEM
+ */
+function fetchInstallCaAbsolute(absoluteUrl, redirectCount) {
   return new Promise((resolve, reject) => {
-    const url = `${baseUrl.replace(/\/+$/, '')}/install-ca`;
-    const urlObj = new URL(url);
+    if (redirectCount > MAX_INSTALL_CA_REDIRECTS) {
+      reject(new Error(`install-ca: too many redirects (max ${MAX_INSTALL_CA_REDIRECTS})`));
+      return;
+    }
+    const urlObj = new URL(absoluteUrl);
     if (urlObj.protocol !== 'https:') {
       reject(new Error('install-ca requires https URL'));
       return;
     }
     const agent = new https.Agent({ rejectUnauthorized: false });
     const req = https.get(
-      url,
+      absoluteUrl,
       { agent },
       (res) => {
         if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
-          req.destroy();
-          fetchInstallCa(res.headers.location).then(resolve).catch(reject);
+          res.destroy();
+          let nextUrl;
+          try {
+            nextUrl = new URL(res.headers.location, absoluteUrl).href;
+          } catch {
+            reject(new Error(`install-ca: invalid redirect Location: ${res.headers.location}`));
+            return;
+          }
+          fetchInstallCaAbsolute(nextUrl, redirectCount + 1).then(resolve).catch(reject);
           return;
         }
+
         const chunks = [];
         res.on('data', c => chunks.push(c));
-        res.on('end', () => {
-          const body = Buffer.concat(chunks).toString('utf8');
-          if (!body || !body.includes('-----BEGIN CERTIFICATE-----')) {
-            reject(new Error('Invalid CA response: expected PEM certificate'));
-            return;
-          }
-          resolve(Buffer.from(body, 'utf8'));
-        });
+        res.on('end', () => finalizeInstallCaResponse(res, absoluteUrl, chunks, resolve, reject));
       }
     );
     req.on('error', reject);
   });
 }
 
+/**
+ * Fetch CA PEM from Builder Server via GET {baseUrl}/install-ca.
+ * Uses rejectUnauthorized: false only for this endpoint (dev setup).
+ * @param {string} baseUrl - Builder Server base URL (no trailing slash)
+ * @returns {Promise<Buffer>} CA certificate PEM
+ */
+function fetchInstallCa(baseUrl) {
+  const url = `${baseUrl.replace(/\/+$/, '')}/install-ca`;
+  let urlObj;
+  try {
+    urlObj = new URL(url);
+  } catch {
+    return Promise.reject(new Error('install-ca: invalid server URL'));
+  }
+  if (urlObj.protocol !== 'https:') {
+    return Promise.reject(new Error('install-ca requires https URL'));
+  }
+  return fetchInstallCaAbsolute(urlObj.href, 0);
+}
+
 /**
  * Install CA PEM into OS trust store (platform-specific).
  * @param {Buffer|string} caPem - CA certificate PEM
@@ -131,9 +281,21 @@ function promptInstallCa() {
   });
 }
 
+/**
+ * True when installCaPlatform failed because Linux needs root to update the system CA store.
+ * @param {unknown} err - Caught error
+ * @returns {boolean}
+ */
+function isLinuxCaSudoRequiredError(err) {
+  const msg = err && typeof err.message === 'string' ? err.message : '';
+  return /Linux CA install requires sudo/i.test(msg);
+}
+
 module.exports = {
   isSslUntrustedError,
+  isSslHostnameMismatchError,
   fetchInstallCa,
   installCaPlatform,
-  promptInstallCa
+  promptInstallCa,
+  isLinuxCaSudoRequiredError
 };

package/lib/utils/dev-cert-helper.js

@@ -6,9 +6,163 @@
 
 const fs = require('fs');
 const path = require('path');
-const { execSync } = require('child_process');
+const { execFileSync } = require('child_process');
 const os = require('os');
 
+/**
+ * @param {string} dir
+ * @returns {string|null}
+ */
+function tryOpenSSLExe(dir) {
+  if (!dir) return null;
+  const trimmed = dir.trim();
+  if (!trimmed) return null;
+  const exe = path.join(trimmed, 'openssl.exe');
+  return fs.existsSync(exe) ? exe : null;
+}
+
+/**
+ * Git for Windows often adds ...\\Git\\cmd to PATH but not ...\\Git\\usr\\bin (so `where openssl` fails).
+ * @param {string} pathEnv
+ * @returns {string|null}
+ */
+function findOpenSSLViaGitCmdOnPath(pathEnv) {
+  if (!pathEnv || typeof pathEnv !== 'string') return null;
+  const needle = `${path.sep}git${path.sep}cmd`.toLowerCase();
+  for (const segment of pathEnv.split(path.delimiter)) {
+    const normalized = path.normalize(segment.trim());
+    if (!normalized) continue;
+    const lower = normalized.toLowerCase();
+    const cmdIdx = lower.lastIndexOf(needle);
+    if (cmdIdx === -1) continue;
+    const gitRoot = normalized.slice(0, cmdIdx + `${path.sep}git`.length);
+    const fromUsrBin = tryOpenSSLExe(path.join(gitRoot, 'usr', 'bin'));
+    if (fromUsrBin) return fromUsrBin;
+  }
+  return null;
+}
+
+/**
+ * First openssl.exe found in PATH directory entries.
+ * @param {string} pathEnv
+ * @returns {string|null}
+ */
+function findOpenSSLInPathDirs(pathEnv) {
+  if (!pathEnv || typeof pathEnv !== 'string') return null;
+  for (const segment of pathEnv.split(path.delimiter)) {
+    const found = tryOpenSSLExe(segment);
+    if (found) return found;
+  }
+  return null;
+}
+
+/**
+ * Windows: Git\\cmd on PATH without usr\\bin, per-user Git, standard install dirs.
+ * @returns {string}
+ */
+function resolveOpenSSLExecutableWin32() {
+  const pf = process.env.ProgramFiles || 'C:\\Program Files';
+  const pf86 = process.env['ProgramFiles(x86)'] || 'C:\\Program Files (x86)';
+  const pf64 = process.env.ProgramW6432 || pf;
+  const localAppData = process.env.LOCALAPPDATA || '';
+  const pathEnv = process.env.Path || process.env.PATH || '';
+
+  const fromGitPath = findOpenSSLViaGitCmdOnPath(pathEnv);
+  if (fromGitPath) return fromGitPath;
+
+  const fromPathDirs = findOpenSSLInPathDirs(pathEnv);
+  if (fromPathDirs) return fromPathDirs;
+
+  const candidates = [
+    path.join(pf64, 'Git', 'usr', 'bin', 'openssl.exe'),
+    path.join(pf, 'Git', 'usr', 'bin', 'openssl.exe'),
+    path.join(pf86, 'Git', 'usr', 'bin', 'openssl.exe'),
+    localAppData ? path.join(localAppData, 'Programs', 'Git', 'usr', 'bin', 'openssl.exe') : '',
+    path.join(pf64, 'OpenSSL-Win64', 'bin', 'openssl.exe'),
+    path.join(pf, 'OpenSSL-Win64', 'bin', 'openssl.exe'),
+    path.join(pf64, 'OpenSSL', 'bin', 'openssl.exe'),
+    path.join(pf, 'OpenSSL', 'bin', 'openssl.exe')
+  ];
+  for (const c of candidates) {
+    if (c && fs.existsSync(c)) return c;
+  }
+  return 'openssl.exe';
+}
+
+/**
+ * Executable used for OpenSSL (PATH name or absolute path). Admin Windows shells often
+ * omit Git usr\\bin; probe standard install locations when plain "openssl" is unavailable.
+ * @returns {string}
+ */
+function resolveOpenSSLExecutable() {
+  const fromEnv = process.env.AIFABRIX_OPENSSL;
+  if (fromEnv && typeof fromEnv === 'string' && fs.existsSync(fromEnv.trim())) {
+    return path.normalize(fromEnv.trim());
+  }
+  if (process.platform === 'win32') {
+    return resolveOpenSSLExecutableWin32();
+  }
+  return 'openssl';
+}
+
+/**
+ * Run OpenSSL with argv (no shell); works when openssl is only on disk, not on PATH.
+ * @param {string[]} args
+ * @param {Object} [opts] - Extra options for execFileSync (encoding utf8 applied by default)
+ * @returns {string|Buffer}
+ */
+function runOpenSSL(args, opts) {
+  const exe = resolveOpenSSLExecutable();
+  return execFileSync(exe, args, {
+    stdio: ['pipe', 'pipe', 'pipe'],
+    encoding: 'utf8',
+    ...opts
+  });
+}
+
+/**
+ * OpenSSL argv for CSR generation (CN is typically dev-01, dev-02, …).
+ * @param {string} cn - Distinguished name CN value
+ * @param {string} keyPath - Output key path
+ * @param {string} csrPath - Output CSR path
+ * @returns {string[]}
+ */
+function opensslCsrArgs(cn, keyPath, csrPath) {
+  return [
+    'req',
+    '-new',
+    '-newkey',
+    'rsa:2048',
+    '-keyout',
+    keyPath,
+    '-nodes',
+    '-subj',
+    `/CN=${cn}`,
+    '-out',
+    csrPath
+  ];
+}
+
+/**
+ * Map OpenSSL spawn/read failures to a clear Error for CSR generation.
+ * @param {Error & { code?: string }} err
+ * @returns {Error}
+ */
+function csrGenerationError(err) {
+  const code = err && err.code;
+  const msg = err && err.message ? String(err.message) : '';
+  if (code === 'ENOENT') {
+    return new Error(
+      'OpenSSL is required for certificate generation. Install OpenSSL or Git for Windows, add Git usr\\bin or openssl to PATH, or set AIFABRIX_OPENSSL to the full path of openssl.exe.'
+    );
+  }
+  const stderr = err && err.stderr ? String(err.stderr).trim() : '';
+  if (typeof err.status === 'number' && err.status !== 0 && stderr) {
+    return new Error(`OpenSSL failed: ${stderr}`);
+  }
+  return new Error(`CSR generation failed: ${msg}`);
+}
+
 /**
  * Generate a key pair and CSR for developer certificate. Uses OpenSSL when available.
  * CN in CSR is set to dev-<developerId> per Builder Server convention.
@@ -26,20 +180,14 @@ function generateCSR(developerId) {
   const keyPath = path.join(tmpDir, 'key.pem');
   const csrPath = path.join(tmpDir, 'csr.pem');
   try {
-    execSync(
-      `openssl req -new -newkey rsa:2048 -keyout "${keyPath}" -nodes -subj "/CN=${cn}" -out "${csrPath}"`,
-      { stdio: 'pipe', encoding: 'utf8' }
-    );
+    try {
+      runOpenSSL(opensslCsrArgs(cn, keyPath, csrPath));
+    } catch (sslErr) {
+      throw csrGenerationError(sslErr);
+    }
     const keyPem = fs.readFileSync(keyPath, 'utf8');
     const csrPem = fs.readFileSync(csrPath, 'utf8');
     return { csrPem, keyPem };
-  } catch (err) {
-    if (err.message && (err.message.includes('openssl') || err.message.includes('ENOENT'))) {
-      throw new Error(
-        'OpenSSL is required for certificate generation. Install OpenSSL and ensure it is on PATH, or use a system that provides it (e.g. Git for Windows).'
-      );
-    }
-    throw new Error(`CSR generation failed: ${err.message}`);
   } finally {
     try {
       fs.unlinkSync(keyPath);
@@ -91,6 +239,22 @@ function readClientKeyPem(certDir) {
   }
 }
 
+/**
+ * Read Builder Server root CA PEM (ca.pem) for TLS verification in Node.
+ * Node does not use the OS trust store the same way as browsers; this file is used with tls.rootCertificates.
+ * @param {string} certDir - Directory containing ca.pem
+ * @returns {string|null} PEM content or null if not found
+ */
+function readServerCaPem(certDir) {
+  const caPath = path.join(certDir, 'ca.pem');
+  try {
+    return fs.readFileSync(caPath, 'utf8');
+  } catch (e) {
+    if (e.code === 'ENOENT') return null;
+    throw e;
+  }
+}
+
 /**
  * Get certificate validity end (notAfter) from cert.pem in certDir using OpenSSL.
  * @param {string} certDir - Directory containing cert.pem
@@ -100,10 +264,7 @@ function getCertValidNotAfter(certDir) {
   const certPath = path.join(certDir, 'cert.pem');
   try {
     if (!fs.existsSync(certPath)) return null;
-    const out = execSync(
-      `openssl x509 -enddate -noout -in "${certPath}"`,
-      { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] }
-    );
+    const out = runOpenSSL(['x509', '-enddate', '-noout', '-in', certPath], { encoding: 'utf8' });
     const match = out.match(/notAfter=(.+)/);
     if (!match) return null;
     const date = new Date(match[1].trim());
@@ -113,10 +274,98 @@ function getCertValidNotAfter(certDir) {
   }
 }
 
+/**
+ * Parse developer-id digits from OpenSSL `x509 -subject -noout` output (subject=RDN… line).
+ * Expects CN in the form dev-<digits> per Builder client-cert convention.
+ *
+ * @param {string} subjectOutput - stdout from openssl x509 -subject
+ * @returns {string|null} Developer id as in the CN (e.g. "01"), or null if missing/invalid
+ */
+function parseDeveloperIdFromX509SubjectOutput(subjectOutput) {
+  if (!subjectOutput || typeof subjectOutput !== 'string') return null;
+  const upper = subjectOutput.replace(/\r\n/g, '\n');
+  const cnMatch = upper.match(/CN\s*=\s*dev-([0-9]+)/i);
+  if (!cnMatch) return null;
+  return cnMatch[1];
+}
+
+/**
+ * Whether two developer-id strings refer to the same non-negative integer (e.g. "2" vs "02").
+ * @param {string} configId - Id from config
+ * @param {string} certIdDigits - Id digits from certificate CN
+ * @returns {boolean}
+ */
+function developerIdsMatchNumeric(configId, certIdDigits) {
+  if (
+    configId === null ||
+    configId === undefined ||
+    certIdDigits === null ||
+    certIdDigits === undefined
+  ) {
+    return false;
+  }
+  const a = String(configId).trim();
+  const b = String(certIdDigits).trim();
+  if (!/^[0-9]+$/.test(a) || !/^[0-9]+$/.test(b)) return false;
+  return parseInt(a, 10) === parseInt(b, 10);
+}
+
+/**
+ * Read client certificate subject and return developer-id digits from CN=dev-<id>.
+ * @param {string} certDir - Directory containing cert.pem
+ * @returns {string|null} Id string from CN or null if cert missing/unreadable or CN invalid
+ */
+function getCertSubjectDeveloperId(certDir) {
+  const certPath = path.join(certDir, 'cert.pem');
+  try {
+    if (!certDir || typeof certDir !== 'string') return null;
+    if (!fs.existsSync(certPath)) return null;
+    const out = runOpenSSL(['x509', '-subject', '-noout', '-in', certPath], { encoding: 'utf8' });
+    return parseDeveloperIdFromX509SubjectOutput(out);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Normalize PEM: JSON-escaped \\n to real newlines (Docker/OpenSSL).
+ * @param {string} pem
+ * @returns {string}
+ */
+function normalizePemNewlines(pem) {
+  if (typeof pem !== 'string') return pem;
+  return pem.replace(/\\n/g, '\n');
+}
+
+/**
+ * Distinct PEM blocks joined for ca.pem (HTTPS root + issue-cert CA, deduped).
+ * @param {...(string|null|undefined)} pems
+ * @returns {string|null}
+ */
+function mergeCaPemBlocks(...pems) {
+  const blocks = [];
+  const seen = new Set();
+  for (const p of pems) {
+    if (!p || typeof p !== 'string') continue;
+    const normalized = normalizePemNewlines(p.trim());
+    if (!normalized) continue;
+    if (seen.has(normalized)) continue;
+    seen.add(normalized);
+    blocks.push(normalized);
+  }
+  return blocks.length ? blocks.join('\n\n') : null;
+}
+
 module.exports = {
   generateCSR,
   getCertDir,
   readClientCertPem,
   readClientKeyPem,
-  getCertValidNotAfter
+  readServerCaPem,
+  getCertValidNotAfter,
+  getCertSubjectDeveloperId,
+  parseDeveloperIdFromX509SubjectOutput,
+  developerIdsMatchNumeric,
+  normalizePemNewlines,
+  mergeCaPemBlocks
 };