From 76941125b46aa3e7ed7f6d5797d30707b0393e8d Mon Sep 17 00:00:00 2001
From: Steve Ruble
Date: Mon, 26 Sep 2022 11:56:51 -0400
Subject: [PATCH] add deps and fix certs (#23)
* [DP-1349] add yamllint to dependencies
* [DP-1350] improve DLP certificate environment
* [DP-1354] add wget dependency
---
 VERSION | 2 +-
 formula/ih-core.rb | 4 +++-
 lib/core/certificates/certs/readme.md | 4 ++++
 lib/core/certificates/default/11_certificates.sh | 12 +++++++++++-
 lib/core/certificates/step.sh | 9 ++++-----
 5 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/VERSION b/VERSION
index 1180819..699c6c6 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.1.7
+0.1.8
diff --git a/formula/ih-core.rb b/formula/ih-core.rb
index c457fff..5304b0b 100644
--- a/formula/ih-core.rb
+++ b/formula/ih-core.rb
@@ -1,5 +1,5 @@
 class IhCore < Formula
- VERSION="0.1.7"
+ VERSION="0.1.8"
 desc "Brew formula for installing core tools used at Included Health engineering."
 homepage "https://github.com/ConsultingMD/homebrew-ih-public"
 license "CC BY-NC-ND 4.0"
@@ -18,6 +18,8 @@ class IhCore < Formula
 depends_on "envconsul"
 depends_on "openssl@3"
 depends_on "coreutils"
+ depends_on "yamllint"
+ depends_on "wget"
 def install
 lib.install Dir["lib/*"]
diff --git a/lib/core/certificates/certs/readme.md b/lib/core/certificates/certs/readme.md
index e5597b2..ffeb14f 100644
--- a/lib/core/certificates/certs/readme.md
+++ b/lib/core/certificates/certs/readme.md
@@ -3,3 +3,7 @@ These certificates are copied from https://github.com/ConsultingMD/paloaltonetwo
 They are used by the GlobalProtect VPN DLP MITM inspector. If these certs expire John Walsh is probably the person to talk to.
+
+The mozilla.pem file contains all the certs from https://curl.se/docs/caextract.html
+along with the DLP certs for the VPN, so it should be comprehensive
+enough to work as a CA bundle whether you're on the VPN or not.
diff --git a/lib/core/certificates/default/11_certificates.sh b/lib/core/certificates/default/11_certificates.sh
index 7b1614b..7c8dc39 100644
--- a/lib/core/certificates/default/11_certificates.sh
+++ b/lib/core/certificates/default/11_certificates.sh
@@ -3,4 +3,14 @@
 # This script adds environment variables needed for
 # our DLP certificates to be respected
-export NODE_EXTRA_CA_CERTS="$HOME/.ih/certs/grand_rounds_chained_ca.pem"
+# Tell OpenSSL to use our cert bundle.
+export SSL_CERT_FILE="$HOME/.ih/certs/mozilla.pem"
+
+# Tell node and npm to use our cert bundle.
+export NODE_EXTRA_CA_CERTS="$SSL_CERT_FILE"
+
+# Tell Python requests library to use our cert bundle.
+export REQUESTS_CA_BUNDLE="$SSL_CERT_FILE"
+
+# Tell cURL to use our cert bundle.
+export CURL_CA_BUNDLE="$SSL_CERT_FILE"
diff --git a/lib/core/certificates/step.sh b/lib/core/certificates/step.sh
index 3eb95d2..ce1ad33 100644
--- a/lib/core/certificates/step.sh
+++ b/lib/core/certificates/step.sh
@@ -53,13 +53,12 @@ function ih::setup::core.certificates::install() {
 ih::log::info "Acquiring cert bundle from Mozilla"
 curl https://curl.se/ca/cacert.pem >"$MOZILLA_PATH"
-
- curl https://curl.se/ca/cacert.pem >"$HOME/.ih/certs/mozilla.pem"
- cat "$HOME/.ih/certs/grand_rounds_chained_ca.pem" >>"$HOME/.ih/certs/mozilla.pem"
- npm config set cafile "$HOME/.ih/certs/mozilla.pem"
-
+ # Append our DLP certs to the mozilla bundle.
 cat "$CA_PATH" >>"$MOZILLA_PATH"
+ # Configure NPM to use the bundle.
+ npm config set cafile "$MOZILLA_PATH"
+
 local OPENSSL_PATH OPENSSL_FOUND REHASH_PATH
 OPENSSL_PATH=$(brew info openssl | grep -oE "/usr/local/etc/openssl.*")
 OPENSSL_FOUND=$?
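Review bot: The four exports in `11_certificates.sh` are unconditional, and `SSL_CERT_FILE`, `REQUESTS_CA_BUNDLE` and `CURL_CA_BUNDLE` replace each tool's default trust store rather than extend it. A missing or empty `$HOME/.ih/certs/mozilla.pem` (certificates step not yet run, or a failed download) would therefore make HTTPS verification fail for OpenSSL, requests and curl in every shell that loads this file. Wrapping the exports in `if [ -s "$HOME/.ih/certs/mozilla.pem" ]; then` … `fi` would keep the system defaults in that case. `NODE_EXTRA_CA_CERTS` behaves differently from the other three, which its comment should say, e.g. `# Node adds these to its built-in roots; the other variables replace the default store.`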
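Review bot: The unchanged `curl https://curl.se/ca/cacert.pem >"$MOZILLA_PATH"` line in the `step.sh` hunk truncates its target before curl starts, while this commit makes `CURL_CA_BUNDLE` point at `$HOME/.ih/certs/mozilla.pem`. If `MOZILLA_PATH` is that same file (it is defined outside the hunk), a re-run from an already configured shell would have curl verify TLS against an empty bundle and fail, leaving the trust store empty. The call also lacks `--fail`, so an HTTP error body or a partial download would land in the file that `npm config set cafile` and the exported variables then treat as the CA bundle. Building the bundle in a temporary file and moving it into place only after a successful download avoids both; the function body continues outside the hunk, so the `return 1` error path below is an assumption to check against the rest of it.

```shell
  ih::log::info "Acquiring cert bundle from Mozilla"
  local TMP_BUNDLE
  TMP_BUNDLE=$(mktemp) || return 1
  # Download to a temp file so the live bundle stays intact while curl verifies TLS.
  if ! curl --fail --silent --show-error https://curl.se/ca/cacert.pem >"$TMP_BUNDLE"; then
    rm -f "$TMP_BUNDLE"
    return 1
  fi
  # Append our DLP certs to the mozilla bundle.
  cat "$CA_PATH" >>"$TMP_BUNDLE"
  mv "$TMP_BUNDLE" "$MOZILLA_PATH"
  # … unchanged: npm config set cafile, OpenSSL path lookup …
```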