Custom CA trust store with config option 'cafile' (#736)

Add support for local registries with TLS/SSL certificates issued by
private CAs certificates or self-signed certificates.

References #606, #631

Author: chlunde

Diff for: __tests__/__mocks__/request.js

@@ -49,11 +49,13 @@ const httpMock = {
   request(options: Object, callback?: ?Function): ClientRequest {
     const alias = getRequestAlias(options);
     const loc = path.join(CACHE_DIR, `${alias}.bin`);
+    // allow the client to bypass the local fs fixture cache by adding nocache to the query string
+    const allowCache = options.uri.href.indexOf('nocache') == -1;
 
     // TODO better way to do this
-    const httpModule = options.port === 443 ? https : http;
+    const httpModule = options.uri.href.startsWith('https:') ? https : http;
 
-    if (fs.existsSync(loc)) {
+    if (allowCache && fs.existsSync(loc)) {
       // cached
       options.agent = null;
       options.socketPath = null;

Diff for: __tests__/fixtures/certificates/cacerts.pem

@@ -0,0 +1,57 @@
+the first CA is a random CA not used in this test, to verify
+that multiple CAs work
+-----BEGIN CERTIFICATE-----
+MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
+WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
+NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
+89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
+Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
+Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
+uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
+AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
+BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
+FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
+SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
+LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
+BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
+AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
+VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
+ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
+A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
+UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
+DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
+eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
+OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
+p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
+2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
+ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
+PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
+rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
+-----END CERTIFICATE-----
+comments should be stripped
+-----BEGIN CERTIFICATE-----
+MIIDfzCCAmegAwIBAgIJAM4nWEf/MeHVMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
+BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
+Q29tcGFueSBMdGQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNjEwMTIwNTQ3NDla
+Fw0yNjEwMTAwNTQ3NDlaMFYxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0
+IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxEjAQBgNVBAMMCWxv
+Y2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALVCI5Ma6AR0
+oDv/OqactDMR4pA6CZJnNDYbjRIkjsXi3pXuAXbQ8J/lD7EKNhu8wxrM0PZvdE1s
+ERjgFmZlYYTJkoDQUr9HagwAhAHrUuAq6FsmogLOl1L4QmeddCxExLdTePJAvVxc
++fr3mk7I9Kt5FV1kDOZMyGqkLwKvcGXjx4ue+ZMgQZjWoU4Om7ktA57siAUkrxQg
+SonEnlSAlEQy6/wRSR2XQ85e+o1JHMIti4+h/Soo4BmHetec7zKvHjsL1kuT9s43
+YiVlj660cc/Rmqt61OqPrumeKeVLRLmOD71l0yjU8QEwvAvvzFwdTZQSPUVGb4Je
+9Apxn7MNnKMCAwEAAaNQME4wHQYDVR0OBBYEFFzPIkvacjl8MFC6eRCwSTyW5z9c
+MB8GA1UdIwQYMBaAFFzPIkvacjl8MFC6eRCwSTyW5z9cMAwGA1UdEwQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBAKN9RXWgMuEwhLYzG///duWTcIC7UfamGDVlezxa
+BkR+VGkRSlo4v+MaZKscG2D/NGh4PP5PQZr7okLQY6MIKmcFkIN1BDziEVfKICFs
+AIrcajDLyHaLcAmZv2VJe1sz12pmGZG7uTOncMAngZoNDNI0f4djzvmRd9nn4yGo
+o8vhLMzgdXhp3T7yaCjpbpZUd1bnggJXz9MO76EBcCkS3+HcRRr/0KMD/tk5tZUx
+s35hnRrJi9HvhFjZbJA/KGG8DJp4oyzEfbufmUJ7OdbMn++W3NtG1BrRhbKmH5og
+tpfAr88iJ6BFaXV/4JIxc4Fga8dvjJR3ueh5pT2om/rUzkQ=
+-----END CERTIFICATE-----
+another comment

Diff for: __tests__/fixtures/certificates/server-cert.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfzCCAmegAwIBAgIJAM4nWEf/MeHVMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
+BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
+Q29tcGFueSBMdGQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNjEwMTIwNTQ3NDla
+Fw0yNjEwMTAwNTQ3NDlaMFYxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0
+IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxEjAQBgNVBAMMCWxv
+Y2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALVCI5Ma6AR0
+oDv/OqactDMR4pA6CZJnNDYbjRIkjsXi3pXuAXbQ8J/lD7EKNhu8wxrM0PZvdE1s
+ERjgFmZlYYTJkoDQUr9HagwAhAHrUuAq6FsmogLOl1L4QmeddCxExLdTePJAvVxc
++fr3mk7I9Kt5FV1kDOZMyGqkLwKvcGXjx4ue+ZMgQZjWoU4Om7ktA57siAUkrxQg
+SonEnlSAlEQy6/wRSR2XQ85e+o1JHMIti4+h/Soo4BmHetec7zKvHjsL1kuT9s43
+YiVlj660cc/Rmqt61OqPrumeKeVLRLmOD71l0yjU8QEwvAvvzFwdTZQSPUVGb4Je
+9Apxn7MNnKMCAwEAAaNQME4wHQYDVR0OBBYEFFzPIkvacjl8MFC6eRCwSTyW5z9c
+MB8GA1UdIwQYMBaAFFzPIkvacjl8MFC6eRCwSTyW5z9cMAwGA1UdEwQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBAKN9RXWgMuEwhLYzG///duWTcIC7UfamGDVlezxa
+BkR+VGkRSlo4v+MaZKscG2D/NGh4PP5PQZr7okLQY6MIKmcFkIN1BDziEVfKICFs
+AIrcajDLyHaLcAmZv2VJe1sz12pmGZG7uTOncMAngZoNDNI0f4djzvmRd9nn4yGo
+o8vhLMzgdXhp3T7yaCjpbpZUd1bnggJXz9MO76EBcCkS3+HcRRr/0KMD/tk5tZUx
+s35hnRrJi9HvhFjZbJA/KGG8DJp4oyzEfbufmUJ7OdbMn++W3NtG1BrRhbKmH5og
+tpfAr88iJ6BFaXV/4JIxc4Fga8dvjJR3ueh5pT2om/rUzkQ=
+-----END CERTIFICATE-----

Diff for: __tests__/fixtures/certificates/server-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC1QiOTGugEdKA7
+/zqmnLQzEeKQOgmSZzQ2G40SJI7F4t6V7gF20PCf5Q+xCjYbvMMazND2b3RNbBEY
+4BZmZWGEyZKA0FK/R2oMAIQB61LgKuhbJqICzpdS+EJnnXQsRMS3U3jyQL1cXPn6
+95pOyPSreRVdZAzmTMhqpC8Cr3Bl48eLnvmTIEGY1qFODpu5LQOe7IgFJK8UIEqJ
+xJ5UgJREMuv8EUkdl0POXvqNSRzCLYuPof0qKOAZh3rXnO8yrx47C9ZLk/bON2Il
+ZY+utHHP0ZqretTqj67pninlS0S5jg+9ZdMo1PEBMLwL78xcHU2UEj1FRm+CXvQK
+cZ+zDZyjAgMBAAECggEBAKRSKlgRG2f2ptDdaDlldMOboi6oPsc3wpCO14wsEjb5
+nlqDo1YowwvhqCESpcztil7AcWwHzILnxnQrqoL3w7mS17rpoSqBPnVU/leTE9Xf
+cDg6RMOQsITqRaETkB8V1NRx2wKbiE+0hndrgruL2KufIKxCqKMb1tE+uNORYq8q
+kFIBvUnhjLFzepZ749wYTx2Tkdrfe3Y3sW2a17LRr43s0Z41skX/9iz7GdIW8OLD
+Edfw7COvlxZQjtmLqwmoFd5YjOo8u6C6kr74H8OLplGN35cPc+L57kFqKvxV42Lq
+y+EirIZ3b8uItsuOPIf92snpfK9CmdwTCx5lrMmpqjkCgYEA8QKr8xmI3fhUxPD8
+9PYQlIa+pKMtX1sKgS3sA2ZD9bwRC9HmkXhYTYsrakbX2VaGe1dmc/7KMaNaVkrT
++BfMk9SACnoul7dXzV6amzM7AdrZYkJgejbmSJtYGz3YnHQTz4ipaffHfsKoWdvs
+LdvPgBBdfbYsvGxB5ya9kvcsLyUCgYEAwIgawo1mU5KC8BXOvzKSKJ6vTULtnF6d
+zf1OGv6atrS36Sg3ycqPL+kUy44bl1ckjh+VMp6rty/5Z/K1PKkyNniznxj9Epwu
+4O/aI/Q7SrKZmjH64gXWBmyj8doNHM3nFF9mSIjRromovuUeOcpFlATBCe0Pxpxt
+sGlhjnrMVicCgYBvIwlBv9uiaBpG+s3a9AEvTHdrGigZGbVdXlzAMI9UKNY/ehp1
+qGYn0+5AQszUVxcKl4ISKUL54tcMhdL7S5Y18T7eFfuYUJ53gJGQ0e366/1kVzGA
+CgLlJmVZoopZkxlzkRR2XiErbf4N+eEOQJeN+X3zM2ert8woGHBA7iP81QKBgBi0
+3oo8zvbGhFr+0WsjuDHSOzi07/zy/1khulYoef4cLsWSzaXtgnZpeKuubsf6/Mvo
+LaMzTWHSnDTEppFEPRdUYeh2snMi67kdzmZyvvEU/jUVWNaMXSyx4E/25Vve6Fpq
+65s/Q3kcXTUx/bD4zfjyqzr02uNny4Op4kUAaRxdAoGBAK0t4FVXTOWIf6xxgGMZ
+BBkNu6N1n/Io3pliCpYpZrBE/6NEOaEeniyaM0BbAatR+SemaYICnEj31ueonlIs
+PLUi9H177Cnu2DZwBMaWx78r260RIxF+bcdTBjQ51fXt7/44okFjHmCcRVA1q/Rc
+WdI83+niMywS/XVfLAMhnFWR
+-----END PRIVATE KEY-----

Diff for: __tests__/util/request-manager.js

@@ -0,0 +1,36 @@
+/* @flow */
+/* eslint max-len: 0 */
+
+import {NoopReporter} from '../../src/reporters/index.js';
+import Config from '../../src/config.js';
+import type {ConfigOptions} from '../../src/config.js';
+import * as fs from '../../src/util/fs.js';
+
+jasmine.DEFAULT_TIMEOUT_INTERVAL = 60000;
+
+const https = require('https');
+const path = require('path');
+
+async function createConfig(opts: ConfigOptions = {}): Promise<Config> {
+  const config = new Config(new NoopReporter());
+  await config.init(opts);
+  return config;
+}
+
+test('RequestManager.request with cafile', async () => {
+  let body;
+  const options = {
+    key: await fs.readFile(path.join(__dirname, '..', 'fixtures', 'certificates', 'server-key.pem')),
+    cert: await fs.readFile(path.join(__dirname, '..', 'fixtures', 'certificates', 'server-cert.pem')),
+  };
+  const server = https.createServer(options, (req, res) => { res.end('ok'); });
+  try {
+    server.listen(0);
+    const config = await createConfig({'cafile': path.join(__dirname, '..', 'fixtures', 'certificates', 'cacerts.pem')});
+    const port = server.address().port;
+    body = await config.requestManager.request({url: `https://localhost:${port}/?nocache`, headers: {Connection: 'close'}});
+  } finally {
+    server.close();
+  }
+  expect(body).toBe('ok');
+});

Diff for: src/config.js

@@ -17,7 +17,7 @@ const invariant = require('invariant');
 const path = require('path');
 const url = require('url');
 
-type ConfigOptions = {
+export type ConfigOptions = {
   cwd?: ?string,
   cacheFolder?: ?string,
   tempFolder?: ?string,
@@ -29,6 +29,7 @@ type ConfigOptions = {
   captureHar?: boolean,
   ignorePlatform?: boolean,
   ignoreEngines?: boolean,
+  cafile?: ?string,
 
   // Loosely compare semver for invalid cases like "0.01.0"
   looseSemver?: ?boolean,
@@ -178,6 +179,7 @@ export default class Config {
       httpProxy: String(this.getOption('proxy') || ''),
       httpsProxy: String(this.getOption('https-proxy') || ''),
       strictSSL: Boolean(this.getOption('strict-ssl')),
+      cafile: String(opts.cafile || this.getOption('cafile') || ''),
     });
   }
 

Diff for: src/util/request-manager.js

@@ -13,6 +13,7 @@ import type RequestT from 'request';
 const RequestCaptureHar = require('request-capture-har');
 const invariant = require('invariant');
 const url = require('url');
+const fs = require('fs');
 
 const successHosts = map();
 const controlOffline = network.isOffline();
@@ -39,6 +40,7 @@ type RequestParams<T> = {
   body?: mixed,
   proxy?: string,
   encoding?: ?string,
+  ca?: Array<string>,
   forever?: boolean,
   strictSSL?: boolean,
   headers?: {
@@ -67,6 +69,7 @@ export default class RequestManager {
     this.offlineQueue = [];
     this.captureHar = false;
     this.httpsProxy = null;
+    this.ca = null;
     this.httpProxy = null;
     this.strictSSL = true;
     this.userAgent = '';
@@ -85,6 +88,7 @@ export default class RequestManager {
   httpsProxy: ?string;
   httpProxy: ?string;
   strictSSL: boolean;
+  ca: ?Array<string>;
   offlineQueue: Array<RequestOptions>;
   queue: Array<Object>;
   max: number;
@@ -102,6 +106,7 @@ export default class RequestManager {
     httpProxy?: string,
     httpsProxy?: string,
     strictSSL?: boolean,
+    cafile?: string,
   }) {
     if (opts.userAgent != null) {
       this.userAgent = opts.userAgent;
@@ -126,6 +131,19 @@ export default class RequestManager {
     if (opts.strictSSL !== null && typeof opts.strictSSL !== 'undefined') {
       this.strictSSL = opts.strictSSL;
     }
+
+    if (opts.cafile != null && opts.cafile != '') {
+      // The CA bundle file can contain one or more certificates with comments/text between each PEM block.
+      // tls.connect wants an array of certificates without any comments/text, so we need to split the string
+      // and strip out any text in between the certificates
+      try {
+        const bundle = fs.readFileSync(opts.cafile).toString();
+        const hasPemPrefix = (block) => block.startsWith('-----BEGIN ');
+        this.ca = bundle.split(/(-----BEGIN .*\r?\n[^-]+\r?\n--.*)/).filter(hasPemPrefix);
+      } catch (err) {
+        this.reporter.error(`Could not open cafile: ${err.message}`);
+      }
+    }
   }
 
   /**
@@ -340,6 +358,10 @@ export default class RequestManager {
       params.proxy = proxy;
     }
 
+    if (this.ca != null) {
+      params.ca = this.ca;
+    }
+
     const request = this._getRequestModule();
     const req = request(params);