add deps and fix certs (#23)

* [DP-1349] add yamllint to dependencies * [DP-1350] improve DLP certificate environment * [DP-1354] add wget dependency
ConsultingMD · Sep 26, 2022 · 7694112 · 7694112
1 parent 9ad1697
commit 7694112
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 8 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.1.7
+0.1.8
diff --git a/formula/ih-core.rb b/formula/ih-core.rb
@@ -1,5 +1,5 @@
 class IhCore < Formula
-  VERSION="0.1.7"
+  VERSION="0.1.8"
   desc "Brew formula for installing core tools used at Included Health engineering."
   homepage "https://github.com/ConsultingMD/homebrew-ih-public"
   license "CC BY-NC-ND 4.0"
@@ -18,6 +18,8 @@ class IhCore < Formula
   depends_on "envconsul"
   depends_on "openssl@3"
   depends_on "coreutils"
+  depends_on "yamllint"
+  depends_on "wget"
 
   def install
     lib.install Dir["lib/*"]

diff --git a/lib/core/certificates/certs/readme.md b/lib/core/certificates/certs/readme.md
@@ -3,3 +3,7 @@ These certificates are copied from https://github.com/ConsultingMD/paloaltonetwo
 They are used by the GlobalProtect VPN DLP MITM inspector.
 
 If these certs expire John Walsh is probably the person to talk to.
+
+The mozilla.pem file contains all the certs from https://curl.se/docs/caextract.html
+along with the DLP certs for the VPN, so it should be comprehensive
+enough to work as a CA bundle whether you're on the VPN or not.
diff --git a/lib/core/certificates/default/11_certificates.sh b/lib/core/certificates/default/11_certificates.sh
@@ -3,4 +3,14 @@
 # This script adds environment variables needed for
 # our DLP certificates to be respected
 
-export NODE_EXTRA_CA_CERTS="$HOME/.ih/certs/grand_rounds_chained_ca.pem"
+# Tell OpenSSL to use our cert bundle.
+export SSL_CERT_FILE="$HOME/.ih/certs/mozilla.pem"
+
+# Tell node and npm to use our cert bundle.
+export NODE_EXTRA_CA_CERTS="$SSL_CERT_FILE"
+
+# Tell Python requests library to use our cert bundle.
+export REQUESTS_CA_BUNDLE="$SSL_CERT_FILE"
+
+# Tell cURL to use our cert bundle.
+export CURL_CA_BUNDLE="$SSL_CERT_FILE"
diff --git a/lib/core/certificates/step.sh b/lib/core/certificates/step.sh
@@ -53,13 +53,12 @@ function ih::setup::core.certificates::install() {
 
   ih::log::info "Acquiring cert bundle from Mozilla"
   curl https://curl.se/ca/cacert.pem >"$MOZILLA_PATH"
-
-  curl https://curl.se/ca/cacert.pem >"$HOME/.ih/certs/mozilla.pem"
-  cat "$HOME/.ih/certs/grand_rounds_chained_ca.pem" >>"$HOME/.ih/certs/mozilla.pem"
-  npm config set cafile "$HOME/.ih/certs/mozilla.pem"
-
+  # Append our DLP certs to the mozilla bundle.
   cat "$CA_PATH" >>"$MOZILLA_PATH"
 
+  # Configure NPM to use the bundle.
+  npm config set cafile "$MOZILLA_PATH"
+
   local OPENSSL_PATH OPENSSL_FOUND REHASH_PATH
   OPENSSL_PATH=$(brew info openssl | grep -oE "/usr/local/etc/openssl.*")
   OPENSSL_FOUND=$?