memos-mcp 1.0.0

package/src/cert-manager.test.ts

@@ -0,0 +1,322 @@
+/**
+ * Tests for Certificate Manager
+ */
+
+import { describe, it, beforeEach, afterEach } from "node:test";
+import assert from "node:assert";
+import { existsSync, mkdirSync, writeFileSync, unlinkSync, readFileSync } from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import {
+  getAllIntermediateCerts,
+  getIntermediateCerts,
+  refreshAllCerts,
+  clearCache,
+  getCacheStatus,
+} from "./cert-manager.ts";
+
+// Test cache directory (same as in cert-manager.ts)
+const CERT_CACHE_DIR = path.join(os.homedir(), ".cache", "memos-mcp", "certs");
+const CACHE_FILE = path.join(CERT_CACHE_DIR, "cert-cache.json");
+
+describe("CertManager", () => {
+  // Store original cache if exists
+  let originalCache: string | null = null;
+
+  beforeEach(() => {
+    // Backup original cache if it exists (sync for beforeEach)
+    if (existsSync(CACHE_FILE)) {
+      originalCache = readFileSync(CACHE_FILE, "utf-8");
+    }
+  });
+
+  afterEach(async () => {
+    // Restore original cache
+    if (originalCache) {
+      writeFileSync(CACHE_FILE, originalCache);
+    } else if (existsSync(CACHE_FILE)) {
+      // If there was no original cache, remove the test one
+      unlinkSync(CACHE_FILE);
+    }
+    originalCache = null;
+  });
+
+  describe("clearCache", () => {
+    it("should remove the cache file", async () => {
+      // Ensure cache exists first
+      if (!existsSync(CERT_CACHE_DIR)) {
+        mkdirSync(CERT_CACHE_DIR, { recursive: true });
+      }
+      writeFileSync(CACHE_FILE, JSON.stringify({ version: 1, certs: {} }));
+
+      await clearCache();
+
+      assert.strictEqual(existsSync(CACHE_FILE), false);
+    });
+
+    it("should not throw if cache file does not exist", async () => {
+      // Ensure cache doesn't exist
+      if (existsSync(CACHE_FILE)) {
+        unlinkSync(CACHE_FILE);
+      }
+
+      await assert.doesNotReject(async () => await clearCache());
+    });
+  });
+
+  describe("getCacheStatus", () => {
+    it("should return empty object when cache is empty", async () => {
+      await clearCache();
+
+      const status = await getCacheStatus();
+
+      assert.deepStrictEqual(status, {});
+    });
+
+    it("should return status for cached certificates", async () => {
+      // Clear in-memory cache first so it reloads from file
+      await clearCache();
+
+      // Create a mock cache
+      const mockCache = {
+        version: 1,
+        certs: {
+          E8: {
+            pem: "-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----",
+            fetchedAt: Date.now(),
+            expiresAt: Date.now() + 365 * 24 * 60 * 60 * 1000, // 1 year from now
+          },
+        },
+      };
+
+      if (!existsSync(CERT_CACHE_DIR)) {
+        mkdirSync(CERT_CACHE_DIR, { recursive: true });
+      }
+      writeFileSync(CACHE_FILE, JSON.stringify(mockCache));
+
+      const status = await getCacheStatus();
+
+      assert.ok(status.E8);
+      assert.ok(status.E8.fetchedAt instanceof Date);
+      assert.ok(status.E8.expiresAt instanceof Date);
+      assert.strictEqual(typeof status.E8.needsRefresh, "boolean");
+    });
+
+    it("should indicate needsRefresh for old cache entries", async () => {
+      // Clear in-memory cache first so it reloads from file
+      await clearCache();
+
+      // Create an old cache entry (40 days ago)
+      const fortyDaysAgo = Date.now() - 40 * 24 * 60 * 60 * 1000;
+      const mockCache = {
+        version: 1,
+        certs: {
+          E8: {
+            pem: "-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----",
+            fetchedAt: fortyDaysAgo,
+            expiresAt: Date.now() + 365 * 24 * 60 * 60 * 1000,
+          },
+        },
+      };
+
+      if (!existsSync(CERT_CACHE_DIR)) {
+        mkdirSync(CERT_CACHE_DIR, { recursive: true });
+      }
+      writeFileSync(CACHE_FILE, JSON.stringify(mockCache));
+
+      const status = await getCacheStatus();
+
+      assert.strictEqual(status.E8.needsRefresh, true);
+    });
+
+    it("should indicate needsRefresh for soon-to-expire certificates", async () => {
+      // Clear in-memory cache first so it reloads from file
+      await clearCache();
+
+      // Create a cache entry that expires in 20 days
+      const twentyDaysFromNow = Date.now() + 20 * 24 * 60 * 60 * 1000;
+      const mockCache = {
+        version: 1,
+        certs: {
+          E8: {
+            pem: "-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----",
+            fetchedAt: Date.now(),
+            expiresAt: twentyDaysFromNow,
+          },
+        },
+      };
+
+      if (!existsSync(CERT_CACHE_DIR)) {
+        mkdirSync(CERT_CACHE_DIR, { recursive: true });
+      }
+      writeFileSync(CACHE_FILE, JSON.stringify(mockCache));
+
+      const status = await getCacheStatus();
+
+      assert.strictEqual(status.E8.needsRefresh, true);
+    });
+  });
+
+  describe("getIntermediateCerts", () => {
+    it("should return empty array for unknown certificate names", async () => {
+      const result = await getIntermediateCerts(["UNKNOWN_CERT"]);
+
+      assert.deepStrictEqual(result, []);
+    });
+
+    it("should return cached certificate if available and fresh", async () => {
+      // Clear in-memory cache first so it reloads from file
+      await clearCache();
+
+      // Create a fresh cache
+      const mockCache = {
+        version: 1,
+        certs: {
+          E8: {
+            pem: "-----BEGIN CERTIFICATE-----\nMOCK_E8_CERT\n-----END CERTIFICATE-----",
+            fetchedAt: Date.now(),
+            expiresAt: Date.now() + 365 * 24 * 60 * 60 * 1000,
+          },
+        },
+      };
+
+      if (!existsSync(CERT_CACHE_DIR)) {
+        mkdirSync(CERT_CACHE_DIR, { recursive: true });
+      }
+      writeFileSync(CACHE_FILE, JSON.stringify(mockCache));
+
+      const result = await getIntermediateCerts(["E8"]);
+
+      assert.ok(result.length === 1);
+      assert.ok(result[0].includes("MOCK_E8_CERT"));
+    });
+
+    it("should return multiple certificates when requested", async () => {
+      // Clear in-memory cache first so it reloads from file
+      await clearCache();
+
+      // Create cache with multiple certs
+      const mockCache = {
+        version: 1,
+        certs: {
+          E8: {
+            pem: "-----BEGIN CERTIFICATE-----\nMOCK_E8\n-----END CERTIFICATE-----",
+            fetchedAt: Date.now(),
+            expiresAt: Date.now() + 365 * 24 * 60 * 60 * 1000,
+          },
+          R3: {
+            pem: "-----BEGIN CERTIFICATE-----\nMOCK_R3\n-----END CERTIFICATE-----",
+            fetchedAt: Date.now(),
+            expiresAt: Date.now() + 365 * 24 * 60 * 60 * 1000,
+          },
+        },
+      };
+
+      if (!existsSync(CERT_CACHE_DIR)) {
+        mkdirSync(CERT_CACHE_DIR, { recursive: true });
+      }
+      writeFileSync(CACHE_FILE, JSON.stringify(mockCache));
+
+      const result = await getIntermediateCerts(["E8", "R3"]);
+
+      assert.strictEqual(result.length, 2);
+      assert.ok(result.some((c) => c.includes("MOCK_E8")));
+      assert.ok(result.some((c) => c.includes("MOCK_R3")));
+    });
+  });
+
+  describe("getAllIntermediateCerts (integration)", () => {
+    it("should fetch and cache certificates from Let's Encrypt", async () => {
+      // Clear cache first
+      await clearCache();
+
+      // This is an integration test - it actually fetches from the network
+      const certs = await getAllIntermediateCerts();
+
+      // Should have fetched at least some certificates
+      assert.ok(certs.length > 0, "Should have fetched certificates");
+      assert.ok(
+        certs.some((c) => c.includes("-----BEGIN CERTIFICATE-----")),
+        "Should contain PEM certificates",
+      );
+
+      // Check cache was populated
+      const status = await getCacheStatus();
+      const cachedCerts = Object.keys(status);
+      assert.ok(cachedCerts.length > 0, "Should have cached certificates");
+    });
+  });
+
+  describe("refreshAllCerts (integration)", () => {
+    it("should refresh all certificates", async () => {
+      // Clear cache first
+      await clearCache();
+
+      // Refresh all certs
+      await refreshAllCerts();
+
+      // Check cache was populated
+      const status = await getCacheStatus();
+      const cachedCerts = Object.keys(status);
+
+      // Should have cached multiple certificates
+      assert.ok(cachedCerts.length >= 5, `Expected at least 5 certs, got ${cachedCerts.length}`);
+
+      // All should have been recently fetched
+      const now = Date.now();
+      for (const [name, info] of Object.entries(status)) {
+        const fetchedAge = now - info.fetchedAt.getTime();
+        // Should have been fetched within the last minute
+        assert.ok(fetchedAge < 60000, `${name} should have been fetched recently, age: ${fetchedAge}ms`);
+      }
+    });
+  });
+
+  describe("cache persistence", () => {
+    it("should persist cache across calls", async () => {
+      // Clear in-memory cache first so it reloads from file
+      await clearCache();
+
+      // Create initial cache
+      const mockCache = {
+        version: 1,
+        certs: {
+          TEST: {
+            pem: "-----BEGIN CERTIFICATE-----\nTEST_PERSIST\n-----END CERTIFICATE-----",
+            fetchedAt: Date.now(),
+            expiresAt: Date.now() + 365 * 24 * 60 * 60 * 1000,
+          },
+        },
+      };
+
+      if (!existsSync(CERT_CACHE_DIR)) {
+        mkdirSync(CERT_CACHE_DIR, { recursive: true });
+      }
+      writeFileSync(CACHE_FILE, JSON.stringify(mockCache));
+
+      // Read status - this loads the cache
+      const status1 = await getCacheStatus();
+      assert.ok(status1.TEST);
+
+      // Read again - should still have the same data
+      const status2 = await getCacheStatus();
+      assert.ok(status2.TEST);
+      assert.strictEqual(status1.TEST.fetchedAt.getTime(), status2.TEST.fetchedAt.getTime());
+    });
+
+    it("should handle corrupted cache gracefully", async () => {
+      // Clear in-memory cache first so it reloads from file
+      await clearCache();
+
+      // Write corrupted cache
+      if (!existsSync(CERT_CACHE_DIR)) {
+        mkdirSync(CERT_CACHE_DIR, { recursive: true });
+      }
+      writeFileSync(CACHE_FILE, "not valid json {{{");
+
+      // Should not throw, should return empty
+      const status = await getCacheStatus();
+      assert.deepStrictEqual(status, {});
+    });
+  });
+});

package/src/cert-manager.ts

@@ -0,0 +1,346 @@
+/**
+ * Certificate Manager
+ * Automatically fetches, caches, and refreshes intermediate CA certificates
+ * for servers with incomplete certificate chains.
+ *
+ * Uses native Node.js APIs - no external dependencies like curl or openssl CLI.
+ */
+
+import fs from "node:fs/promises";
+import path from "node:path";
+import os from "node:os";
+import crypto from "node:crypto";
+import { Agent } from "undici";
+import tls from "node:tls";
+
+// Official Let's Encrypt certificate URLs (HTTPS - secure)
+// Source: https://letsencrypt.org/certificates/
+const INTERMEDIATE_CERT_URLS: Record<string, string> = {
+  // Let's Encrypt ECDSA intermediates (2024)
+  E5: "https://letsencrypt.org/certs/2024/e5.pem",
+  E6: "https://letsencrypt.org/certs/2024/e6.pem",
+  E7: "https://letsencrypt.org/certs/2024/e7.pem",
+  E8: "https://letsencrypt.org/certs/2024/e8.pem",
+  E9: "https://letsencrypt.org/certs/2024/e9.pem",
+  // Let's Encrypt RSA intermediates (2024)
+  R10: "https://letsencrypt.org/certs/2024/r10.pem",
+  R11: "https://letsencrypt.org/certs/2024/r11.pem",
+  // Legacy intermediates
+  R3: "https://letsencrypt.org/certs/2024/r3.pem",
+  R4: "https://letsencrypt.org/certs/2024/r4.pem",
+};
+
+// Cache directory for certificates
+const CERT_CACHE_DIR = path.join(os.homedir(), ".cache", "memos-mcp", "certs");
+
+// Refresh interval: 30 days in milliseconds
+const REFRESH_INTERVAL_MS = 30 * 24 * 60 * 60 * 1000;
+
+interface CertCacheEntry {
+  pem: string;
+  fetchedAt: number;
+  expiresAt: number;
+}
+
+interface CertCache {
+  version: number;
+  certs: Record<string, CertCacheEntry>;
+}
+
+// In-memory cache
+let memoryCache: CertCache | null = null;
+
+// Cached https agent
+let cachedAgent: Agent | null = null;
+
+/**
+ * Ensure cache directory exists
+ */
+async function ensureCacheDir(): Promise<void> {
+  try {
+    await fs.mkdir(CERT_CACHE_DIR, { recursive: true });
+  } catch {
+    // Directory may already exist
+  }
+}
+
+/**
+ * Get path to cache file
+ */
+function getCacheFilePath(): string {
+  return path.join(CERT_CACHE_DIR, "cert-cache.json");
+}
+
+/**
+ * Load certificate cache from disk
+ */
+async function loadCache(): Promise<CertCache> {
+  if (memoryCache) {
+    return memoryCache;
+  }
+
+  try {
+    const cacheFile = getCacheFilePath();
+    const data = await fs.readFile(cacheFile, "utf-8");
+    memoryCache = JSON.parse(data) as CertCache;
+    return memoryCache;
+  } catch {
+    // Cache corrupted or unreadable, start fresh
+  }
+  memoryCache = { version: 1, certs: {} };
+  return memoryCache;
+}
+
+/**
+ * Save certificate cache to disk
+ */
+async function saveCache(cache: CertCache): Promise<void> {
+  memoryCache = cache;
+  try {
+    await ensureCacheDir();
+    const cacheFile = getCacheFilePath();
+    await fs.writeFile(cacheFile, JSON.stringify(cache, null, 2));
+  } catch {
+    // Ignore cache write errors - not critical
+  }
+}
+
+/**
+ * Convert DER buffer to PEM string
+ */
+function derToPem(der: Buffer): string {
+  const base64 = der.toString("base64");
+  const lines: string[] = [];
+  for (let i = 0; i < base64.length; i += 64) {
+    lines.push(base64.slice(i, i + 64));
+  }
+  return `-----BEGIN CERTIFICATE-----\n${lines.join("\n")}\n-----END CERTIFICATE-----`;
+}
+
+/**
+ * Parse certificate expiration date from PEM using Node.js crypto
+ */
+function getCertExpirationDate(pem: string): Date | null {
+  try {
+    const cert = new crypto.X509Certificate(pem);
+    return new Date(cert.validTo);
+  } catch {
+    // Ignore parsing errors
+  }
+  return null;
+}
+
+/**
+ * Download certificate from URL (async) - returns DER buffer
+ */
+async function downloadCertAsync(url: string): Promise<Buffer | null> {
+  try {
+    const response = await fetch(url, {
+      signal: AbortSignal.timeout(10000),
+    });
+
+    if (!response.ok) {
+      return null;
+    }
+
+    const arrayBuffer = await response.arrayBuffer();
+    return Buffer.from(arrayBuffer);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Download certificate and return as PEM (async)
+ * Handles both PEM (from HTTPS URLs) and DER (legacy AIA URLs) formats
+ */
+async function downloadCert(url: string): Promise<string | null> {
+  const data = await downloadCertAsync(url);
+  if (!data || data.length === 0) {
+    return null;
+  }
+
+  try {
+    // Check if it's already PEM format (starts with "-----BEGIN")
+    const dataStr = data.toString("utf8");
+    if (dataStr.startsWith("-----BEGIN")) {
+      // Verify it's a valid certificate by parsing it
+      new crypto.X509Certificate(dataStr);
+      return dataStr.trim();
+    }
+
+    // Otherwise assume DER format and convert to PEM
+    const pem = derToPem(data);
+    // Verify it's a valid certificate by parsing it
+    new crypto.X509Certificate(pem);
+    return pem;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check if a cached certificate needs refresh
+ */
+function needsRefresh(entry: CertCacheEntry): boolean {
+  const now = Date.now();
+
+  // Refresh if:
+  // 1. Cache is older than REFRESH_INTERVAL_MS
+  // 2. Certificate expires within 30 days
+  const cacheAge = now - entry.fetchedAt;
+  const timeUntilExpiry = entry.expiresAt - now;
+  const thirtyDays = 30 * 24 * 60 * 60 * 1000;
+
+  return cacheAge > REFRESH_INTERVAL_MS || timeUntilExpiry < thirtyDays;
+}
+
+/**
+ * Get a certificate by name, fetching/refreshing as needed (async)
+ */
+async function getCertificate(name: string): Promise<string | null> {
+  const url = INTERMEDIATE_CERT_URLS[name];
+  if (!url) {
+    return null;
+  }
+
+  const cache = await loadCache();
+  const cached = cache.certs[name];
+
+  // Return cached cert if valid and fresh
+  if (cached && !needsRefresh(cached)) {
+    return cached.pem;
+  }
+
+  // Try to fetch fresh certificate
+  const pem = await downloadCert(url);
+  if (pem) {
+    const expirationDate = getCertExpirationDate(pem);
+    cache.certs[name] = {
+      pem,
+      fetchedAt: Date.now(),
+      expiresAt: expirationDate?.getTime() ?? Date.now() + 365 * 24 * 60 * 60 * 1000,
+    };
+    await saveCache(cache);
+    return pem;
+  }
+
+  // Fall back to cached cert if fetch failed
+  if (cached) {
+    return cached.pem;
+  }
+
+  return null;
+}
+
+/**
+ * Get all intermediate certificates (fetches/refreshes as needed)
+ * Returns array of PEM strings
+ */
+export async function getAllIntermediateCerts(): Promise<string[]> {
+  const certs: string[] = [];
+
+  const results = await Promise.all(Object.keys(INTERMEDIATE_CERT_URLS).map((name) => getCertificate(name)));
+
+  for (const cert of results) {
+    if (cert) {
+      certs.push(cert);
+    }
+  }
+
+  return certs;
+}
+
+/**
+ * Get specific intermediate certificates by name
+ */
+export async function getIntermediateCerts(names: string[]): Promise<string[]> {
+  const results = await Promise.all(names.map((name) => getCertificate(name)));
+  return results.filter((cert): cert is string => cert !== null);
+}
+
+/**
+ * Force refresh all certificates
+ */
+export async function refreshAllCerts(): Promise<void> {
+  // Clear memory cache to force fresh fetch
+  memoryCache = null;
+  cachedAgent = null;
+
+  const cache: CertCache = { version: 1, certs: {} };
+
+  const entries = Object.entries(INTERMEDIATE_CERT_URLS);
+  const results = await Promise.all(
+    entries.map(async ([name, url]) => {
+      const pem = await downloadCert(url);
+      return { name, pem };
+    }),
+  );
+
+  for (const { name, pem } of results) {
+    if (pem) {
+      const expirationDate = getCertExpirationDate(pem);
+      cache.certs[name] = {
+        pem,
+        fetchedAt: Date.now(),
+        expiresAt: expirationDate?.getTime() ?? Date.now() + 365 * 24 * 60 * 60 * 1000,
+      };
+    }
+  }
+
+  await saveCache(cache);
+}
+
+/**
+ * Clear the certificate cache
+ */
+export async function clearCache(): Promise<void> {
+  memoryCache = null;
+  cachedAgent = null;
+  try {
+    const cacheFile = getCacheFilePath();
+    await fs.unlink(cacheFile);
+  } catch {
+    // Ignore errors - file may not exist
+  }
+}
+
+/**
+ * Get cache status for debugging
+ */
+export async function getCacheStatus(): Promise<
+  Record<string, { fetchedAt: Date; expiresAt: Date; needsRefresh: boolean }>
+> {
+  const cache = await loadCache();
+  const status: Record<string, { fetchedAt: Date; expiresAt: Date; needsRefresh: boolean }> = {};
+
+  for (const [name, entry] of Object.entries(cache.certs)) {
+    status[name] = {
+      fetchedAt: new Date(entry.fetchedAt),
+      expiresAt: new Date(entry.expiresAt),
+      needsRefresh: needsRefresh(entry),
+    };
+  }
+
+  return status;
+}
+
+/**
+ * Get an HTTPS agent configured with intermediate certificates
+ * Creates agent lazily and caches it
+ */
+export async function getHttpsAgent(): Promise<Agent> {
+  if (cachedAgent) {
+    return cachedAgent;
+  }
+
+  const intermediateCerts = await getAllIntermediateCerts();
+
+  cachedAgent = new Agent({
+    connect: {
+      ca: [...tls.rootCertificates, ...intermediateCerts],
+    },
+  });
+
+  return cachedAgent;
+}