navy 4.1.2-rc.2 → 5.0.0

package/lib/util/has-update.js

@@ -1,87 +1,37 @@
-'use strict';
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
 
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
+exports.default = hasUpdate;
 
-var _regenerator = require('babel-runtime/regenerator');
-
-var _regenerator2 = _interopRequireDefault(_regenerator);
-
-var _asyncToGenerator2 = require('babel-runtime/helpers/asyncToGenerator');
-
-var _asyncToGenerator3 = _interopRequireDefault(_asyncToGenerator2);
-
-var _simpleDockerRegistryClient = require('simple-docker-registry-client');
-
-var _registryClient = require('./registry-client');
-
-var _dockerClient = require('./docker-client');
-
-var _dockerClient2 = _interopRequireDefault(_dockerClient);
-
-function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
-
-exports.default = function () {
-  var _ref = (0, _asyncToGenerator3.default)( /*#__PURE__*/_regenerator2.default.mark(function _callee(imageWithTag, currentImageId, navyFile) {
-    var imageConfig, currentImageContainerId, image, client, manifest, lastLayer;
-    return _regenerator2.default.wrap(function _callee$(_context) {
-      while (1) {
-        switch (_context.prev = _context.next) {
-          case 0:
-            _context.next = 2;
-            return _dockerClient2.default.getImage(currentImageId).inspect();
-
-          case 2:
-            imageConfig = _context.sent;
-            currentImageContainerId = imageConfig.ContainerConfig.Image;
-            image = (0, _simpleDockerRegistryClient.imageFromImageWithTag)(imageWithTag);
-            _context.next = 7;
-            return (0, _registryClient.getRegistryClient)(image, navyFile);
-
-          case 7:
-            client = _context.sent;
-            manifest = void 0;
-            _context.prev = 9;
-            _context.next = 12;
-            return client.request((0, _simpleDockerRegistryClient.localImageFromImage)(image) + '/manifests/' + (0, _simpleDockerRegistryClient.tagFromImageWithTag)(imageWithTag));
-
-          case 12:
-            manifest = _context.sent;
-            _context.next = 20;
-            break;
-
-          case 15:
-            _context.prev = 15;
-            _context.t0 = _context['catch'](9);
-
-            if (!(_context.t0.body && _context.t0.body.errors[0].code === 'MANIFEST_UNKNOWN')) {
-              _context.next = 19;
-              break;
-            }
+var _simpleDockerRegistryClient = require("simple-docker-registry-client");
 
-            return _context.abrupt('return', 'UNKNOWN_REMOTE');
+var _registryClient = require("./registry-client");
 
-          case 19:
-            return _context.abrupt('return', 'UNKNOWN_ERROR');
+var _dockerClient = _interopRequireDefault(require("./docker-client"));
 
-          case 20:
-            lastLayer = JSON.parse(manifest.history[0].v1Compatibility);
-            return _context.abrupt('return', lastLayer.container_config.Image !== currentImageContainerId);
+async function hasUpdate(imageWithTag, currentImageId, navyFile) {
+  const imageConfig = await _dockerClient.default.getImage(currentImageId).inspect();
+  const currentImageContainerId = imageConfig.ContainerConfig.Image;
+  const image = (0, _simpleDockerRegistryClient.imageFromImageWithTag)(imageWithTag);
+  const client = await (0, _registryClient.getRegistryClient)(image, navyFile);
+  let manifest;
 
-          case 22:
-          case 'end':
-            return _context.stop();
-        }
-      }
-    }, _callee, this, [[9, 15]]);
-  }));
+  try {
+    manifest = await client.request((0, _simpleDockerRegistryClient.localImageFromImage)(image) + '/manifests/' + (0, _simpleDockerRegistryClient.tagFromImageWithTag)(imageWithTag));
+  } catch (ex) {
+    if (ex.body && ex.body.errors[0].code === 'MANIFEST_UNKNOWN') {
+      return 'UNKNOWN_REMOTE';
+    }
 
-  function hasUpdate(_x, _x2, _x3) {
-    return _ref.apply(this, arguments);
+    return 'UNKNOWN_ERROR';
   }
 
-  return hasUpdate;
-}();
+  const lastLayer = JSON.parse(manifest.history[0].v1Compatibility);
+  return lastLayer.container_config.Image !== currentImageContainerId;
+}
 
 module.exports = exports.default;

package/lib/util/https.js

@@ -0,0 +1,213 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.createCert = createCert;
+exports.generateRootCa = generateRootCa;
+exports.getCertsPath = getCertsPath;
+exports.removeCert = removeCert;
+
+var _path = _interopRequireDefault(require("path"));
+
+var _config = require("../config");
+
+var _errors = require("../errors");
+
+var _chalk = _interopRequireDefault(require("chalk"));
+
+var _fs = _interopRequireDefault(require("fs"));
+
+var _nodeForge = require("node-forge");
+
+var _navy = require("../navy");
+
+const debug = require('debug')('navy:https');
+
+function getCertsPath(create = false) {
+  const certsPath = _path.default.join((0, _config.getConfigDir)(), 'tls-certs');
+
+  if (!_fs.default.existsSync(certsPath)) {
+    if (create) {
+      debug(`Create ${certsPath} dir`); // $FlowIgnore
+
+      _fs.default.mkdirSync(certsPath, {
+        recursive: true
+      });
+    } else {
+      return '';
+    }
+  }
+
+  return certsPath;
+}
+
+async function removeCert(opts) {
+  const certsPath = getCertsPath();
+  const navy = await (0, _navy.getNavy)(opts.navy);
+  const serviceUrl = await navy.url(opts.disable);
+  const baseName = serviceUrl.split('//')[1];
+  const extensions = ['crt', 'key'];
+
+  for (const ext of extensions) {
+    const file = `${certsPath}/${baseName}.${ext}`;
+
+    if (_fs.default.existsSync(file)) {
+      try {
+        await _fs.default.unlinkSync(file);
+        debug(`File ${file} removed.`);
+      } catch (err) {
+        throw new _errors.NavyError(err);
+      }
+    }
+  }
+}
+
+async function generateRootCa() {
+  const tlsRootCaDir = (0, _config.getConfig)().tlsRootCaDir || _config.DEFAULT_TLS_ROOT_CA_DIR;
+
+  if (!_fs.default.existsSync(tlsRootCaDir)) {
+    debug(`Creating ${tlsRootCaDir} Root CA dir`);
+
+    try {
+      // $FlowIgnore
+      _fs.default.mkdirSync(tlsRootCaDir, {
+        recursive: true
+      });
+    } catch (err) {
+      throw new _errors.NavyError(err);
+    }
+  }
+
+  if (_fs.default.existsSync(`${tlsRootCaDir}/ca.crt`) && _fs.default.existsSync(`${tlsRootCaDir}/ca.key`)) {
+    debug(`Root CA already exists, skipping generation`);
+    return;
+  }
+
+  debug('Generating Root CA');
+  debug('Generating 2048-bit key-pair...');
+
+  const keys = _nodeForge.pki.rsa.generateKeyPair(2048);
+
+  debug('Creating self-signed certificate...');
+
+  const cert = _nodeForge.pki.createCertificate();
+
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = '01';
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 5);
+  const attrs = [{
+    name: 'commonName',
+    value: 'navy-dev-ca.local'
+  }, {
+    name: 'organizationName',
+    value: 'navy-dev'
+  }];
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
+  cert.setExtensions([{
+    name: 'basicConstraints',
+    cA: true
+  }, {
+    name: 'subjectKeyIdentifier'
+  }, {
+    name: 'authorityKeyIdentifier'
+  }]);
+
+  try {
+    // self-sign certificate
+    cert.sign(keys.privateKey, _nodeForge.md.sha256.create()); // PEM-format keys and cert
+
+    const pem = {
+      privateKey: _nodeForge.pki.privateKeyToPem(keys.privateKey),
+      publicKey: _nodeForge.pki.publicKeyToPem(keys.publicKey),
+      certificate: _nodeForge.pki.certificateToPem(cert)
+    };
+
+    _fs.default.writeFileSync(tlsRootCaDir + '/ca.key', pem.privateKey, {
+      mode: 0o400
+    });
+
+    _fs.default.writeFileSync(tlsRootCaDir + '/ca.pub.key', pem.publicKey, {
+      mode: 0o640
+    });
+
+    _fs.default.writeFileSync(tlsRootCaDir + '/ca.crt', pem.certificate, {
+      mode: 0o640
+    });
+
+    console.log(_chalk.default.green(`✅ CA Certificate created at ${tlsRootCaDir}/ca.crt`));
+    console.log(_chalk.default.yellow(`⚠️  Importing a self-signed CA into a browser/truststore/keychain is not advisable ⚠️`));
+  } catch (e) {
+    throw new _errors.NavyError(e);
+  }
+}
+
+async function createCert(opts) {
+  const tlsRootCaDir = (0, _config.getConfig)().tlsRootCaDir || _config.DEFAULT_TLS_ROOT_CA_DIR;
+
+  const certName = opts.hostName || opts.serviceUrl.split('//')[1];
+  const certsPath = getCertsPath(true);
+
+  if (_fs.default.existsSync(`${certsPath}/${certName}.crt`)) {
+    debug(`Certificate for ${certName} already exists, skipping generation`);
+    return;
+  }
+
+  await generateRootCa();
+
+  const caCertString = _fs.default.readFileSync(`${tlsRootCaDir}/ca.crt`, 'utf8');
+
+  const caKeyString = _fs.default.readFileSync(`${tlsRootCaDir}/ca.key`, 'utf8');
+
+  debug(`Generating cert for ${certName} in ${certsPath}`);
+
+  const privateCAKey = _nodeForge.pki.privateKeyFromPem(caKeyString);
+
+  const keys = _nodeForge.pki.rsa.generateKeyPair(2048);
+
+  const cert = _nodeForge.pki.createCertificate();
+
+  const caCert = _nodeForge.pki.certificateFromPem(caCertString);
+
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = Math.floor(Math.random() * (99 - 2) + 2).toString();
+  cert.validity.notBefore = new Date();
+  cert.validity.notBefore.setDate(cert.validity.notBefore.getDate() - 1);
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 2);
+  const attrs = [{
+    name: 'commonName',
+    value: certName
+  }, {
+    name: 'organizationName',
+    value: 'navy-dev'
+  }];
+
+  try {
+    cert.setSubject(attrs);
+    cert.setIssuer(caCert.subject.attributes);
+    cert.setExtensions([{
+      name: 'extKeyUsage',
+      serverAuth: true
+    }]);
+    cert.sign(privateCAKey, _nodeForge.md.sha256.create()); // PEM-format keys and cert
+
+    const pem = {
+      privateKey: _nodeForge.pki.privateKeyToPem(keys.privateKey),
+      certificate: _nodeForge.pki.certificateToPem(cert) // publicKey: pki.publicKeyToPem(keys.publicKey),
+
+    };
+
+    _fs.default.writeFileSync(`${certsPath}/${certName}.key`, pem.privateKey);
+
+    _fs.default.writeFileSync(`${certsPath}/${certName}.crt`, pem.certificate); // fs.writeFileSync(`${certsPath}/${certName}.pub.key`, pem.publicKey)
+
+  } catch (e) {
+    throw new _errors.NavyError(e);
+  }
+}

package/lib/util/navyrc.js

@@ -1,60 +1,22 @@
-'use strict';
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
 
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
+exports.default = getNavyRc;
 
-var _regenerator = require('babel-runtime/regenerator');
-
-var _regenerator2 = _interopRequireDefault(_regenerator);
-
-var _asyncToGenerator2 = require('babel-runtime/helpers/asyncToGenerator');
-
-var _asyncToGenerator3 = _interopRequireDefault(_asyncToGenerator2);
-
-var _path = require('path');
-
-var _path2 = _interopRequireDefault(_path);
-
-var _fs = require('./fs');
+var _path = _interopRequireDefault(require("path"));
 
-var _fs2 = _interopRequireDefault(_fs);
+var _fs = _interopRequireDefault(require("./fs"));
 
-function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
-
-exports.default = function () {
-  var _ref = (0, _asyncToGenerator3.default)( /*#__PURE__*/_regenerator2.default.mark(function _callee(dir) {
-    return _regenerator2.default.wrap(function _callee$(_context) {
-      while (1) {
-        switch (_context.prev = _context.next) {
-          case 0:
-            _context.prev = 0;
-            _context.t0 = JSON;
-            _context.next = 4;
-            return _fs2.default.readFileAsync(_path2.default.join(dir, '.navyrc'));
-
-          case 4:
-            _context.t1 = _context.sent;
-            return _context.abrupt('return', _context.t0.parse.call(_context.t0, _context.t1));
-
-          case 8:
-            _context.prev = 8;
-            _context.t2 = _context['catch'](0);
-            return _context.abrupt('return', null);
-
-          case 11:
-          case 'end':
-            return _context.stop();
-        }
-      }
-    }, _callee, this, [[0, 8]]);
-  }));
-
-  function getNavyRc(_x) {
-    return _ref.apply(this, arguments);
+async function getNavyRc(dir) {
+  try {
+    return JSON.parse(await _fs.default.readFileAsync(_path.default.join(dir, '.navyrc')));
+  } catch (ex) {
+    return null;
   }
-
-  return getNavyRc;
-}();
+}
 
 module.exports = exports.default;

package/lib/util/registry-client.js

@@ -1,122 +1,40 @@
-'use strict';
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
 
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.getRegistryClient = undefined;
-
-var _regenerator = require('babel-runtime/regenerator');
-
-var _regenerator2 = _interopRequireDefault(_regenerator);
-
-var _asyncToGenerator2 = require('babel-runtime/helpers/asyncToGenerator');
-
-var _asyncToGenerator3 = _interopRequireDefault(_asyncToGenerator2);
-
-// the url which docker stores in .docker/config.json for auth
-
-var getDockerUserConfig = function () {
-  var _ref = (0, _asyncToGenerator3.default)( /*#__PURE__*/_regenerator2.default.mark(function _callee() {
-    var rawConfig, config;
-    return _regenerator2.default.wrap(function _callee$(_context) {
-      while (1) {
-        switch (_context.prev = _context.next) {
-          case 0:
-            (0, _invariant2.default)(process.env.HOME, 'NO_HOME_DIRECTORY: No home directory available');
-
-            _context.prev = 1;
-            _context.next = 4;
-            return _fs2.default.readFileAsync(_path2.default.join(process.env.HOME, '.docker', 'config.json'));
-
-          case 4:
-            rawConfig = _context.sent;
-            config = JSON.parse(rawConfig);
-            return _context.abrupt('return', config);
-
-          case 9:
-            _context.prev = 9;
-            _context.t0 = _context['catch'](1);
-            return _context.abrupt('return', null);
-
-          case 12:
-          case 'end':
-            return _context.stop();
-        }
-      }
-    }, _callee, this, [[1, 9]]);
-  }));
-
-  return function getDockerUserConfig() {
-    return _ref.apply(this, arguments);
-  };
-}();
-
-var getRegistryClient = exports.getRegistryClient = function () {
-  var _ref2 = (0, _asyncToGenerator3.default)( /*#__PURE__*/_regenerator2.default.mark(function _callee2(image, navyFile) {
-    var registry, opts, auth;
-    return _regenerator2.default.wrap(function _callee2$(_context2) {
-      while (1) {
-        switch (_context2.prev = _context2.next) {
-          case 0:
-            registry = registryFromImage(image);
-            opts = {
-              registry: 'https://' + registry,
-              allowUnauthorized: navyFile && navyFile.ignoreUnauthorizedRequestsForRegistries && navyFile.ignoreUnauthorizedRequestsForRegistries.indexOf(registry) !== -1
-
-              // try and work out auth
-            };
-            _context2.t0 = getAuthForRegistry;
-            _context2.t1 = registry;
-            _context2.next = 6;
-            return getDockerUserConfig();
-
-          case 6:
-            _context2.t2 = _context2.sent;
-            auth = (0, _context2.t0)(_context2.t1, _context2.t2);
-
-            opts.credentials = credentialsFromAuth(auth);
-
-            return _context2.abrupt('return', {
-              request: function request(url) {
-                return (0, _simpleDockerRegistryClient.registryRequest)(url, opts);
-              }
-            });
-
-          case 10:
-          case 'end':
-            return _context2.stop();
-        }
-      }
-    }, _callee2, this);
-  }));
-
-  return function getRegistryClient(_x, _x2) {
-    return _ref2.apply(this, arguments);
-  };
-}();
-
+exports.credentialsFromAuth = credentialsFromAuth;
 exports.getAuthForRegistry = getAuthForRegistry;
+exports.getRegistryClient = getRegistryClient;
 exports.registryFromImage = registryFromImage;
-exports.credentialsFromAuth = credentialsFromAuth;
 
-var _path = require('path');
+var _path = _interopRequireDefault(require("path"));
 
-var _path2 = _interopRequireDefault(_path);
+var _invariant = _interopRequireDefault(require("invariant"));
 
-var _invariant = require('invariant');
+var _simpleDockerRegistryClient = require("simple-docker-registry-client");
 
-var _invariant2 = _interopRequireDefault(_invariant);
+var _fs = _interopRequireDefault(require("./fs"));
 
-var _simpleDockerRegistryClient = require('simple-docker-registry-client');
+const DEFAULT_REGISTRY = 'registry-1.docker.io'; // docker v2 registry URL
 
-var _fs = require('./fs');
+const DEFAULT_REGISTRY_AUTH = 'https://index.docker.io/v1/'; // the url which docker stores in .docker/config.json for auth
 
-var _fs2 = _interopRequireDefault(_fs);
+async function getDockerUserConfig() {
+  (0, _invariant.default)(process.env.HOME, "NO_HOME_DIRECTORY: No home directory available");
 
-function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+  try {
+    const rawConfig = await _fs.default.readFileAsync(_path.default.join(process.env.HOME, '.docker', 'config.json'));
+    const config = JSON.parse(rawConfig);
+    return config;
+  } catch (ex) {
+    return null;
+  }
+}
 
-var DEFAULT_REGISTRY = 'registry-1.docker.io'; // docker v2 registry URL
-var DEFAULT_REGISTRY_AUTH = 'https://index.docker.io/v1/';function getAuthForRegistry(registry, dockerUserConfig) {
+function getAuthForRegistry(registry, dockerUserConfig) {
   if (registry === DEFAULT_REGISTRY) {
     registry = DEFAULT_REGISTRY_AUTH;
   }
@@ -129,19 +47,16 @@ var DEFAULT_REGISTRY_AUTH = 'https://index.docker.io/v1/';function getAuthForReg
 }
 
 function registryFromImage(image) {
-  var parsedRegistry = image.match(/([a-zA-Z0-9-.:]+)\/[a-zA-Z0-9-]+\/[a-zA-Z0-9-]+/);
-  var registry = parsedRegistry != null && parsedRegistry.length > 1 ? parsedRegistry[1] : DEFAULT_REGISTRY;
-
+  const parsedRegistry = image.match(/([a-zA-Z0-9-.:]+)\/[a-zA-Z0-9-]+\/[a-zA-Z0-9-]+/);
+  const registry = parsedRegistry != null && parsedRegistry.length > 1 ? parsedRegistry[1] : DEFAULT_REGISTRY;
   return registry;
 }
 
 function credentialsFromAuth(auth) {
   if (auth && auth.auth) {
-    (0, _invariant2.default)(auth.auth.match(/^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$/) != null, 'DOCKER_CONFIG_INVALID_AUTH_BASE64: Invalid base64 string in docker/config.json for registry authentication');
-
-    var decoded = Buffer.from(auth.auth, 'base64').toString();
-    var parts = decoded.split(':');
-
+    (0, _invariant.default)(auth.auth.match(/^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$/) != null, "DOCKER_CONFIG_INVALID_AUTH_BASE64: Invalid base64 string in docker/config.json for registry authentication");
+    const decoded = Buffer.from(auth.auth, 'base64').toString();
+    const parts = decoded.split(':');
     return {
       username: parts[0],
       password: parts[1]
@@ -149,4 +64,18 @@ function credentialsFromAuth(auth) {
   }
 
   return null;
+}
+
+async function getRegistryClient(image, navyFile) {
+  const registry = registryFromImage(image);
+  const opts = {
+    registry: `https://${registry}`,
+    allowUnauthorized: navyFile && navyFile.ignoreUnauthorizedRequestsForRegistries && navyFile.ignoreUnauthorizedRequestsForRegistries.indexOf(registry) !== -1
+  }; // try and work out auth
+
+  const auth = getAuthForRegistry(registry, await getDockerUserConfig());
+  opts.credentials = credentialsFromAuth(auth);
+  return {
+    request: url => (0, _simpleDockerRegistryClient.registryRequest)(url, opts)
+  };
 }