v0.0.4: add homebrew openssl store

- skip installed certificates
- add homebrew openssl store

Author: geemus

trust/trust.go

@@ -109,6 +109,13 @@ func (c *Command) run(ctx context.Context, tty termenv.File) error {
 		SysFS:  rootFS,
 	}
 
+	brewStore := &truststore.Brew{
+		RootDir: "/",
+
+		DataFS: rootFS,
+		SysFS:  rootFS,
+	}
+
 	for _, cert := range *certs.Items {
 		blk, _ := pem.Decode([]byte(cert.TextualEncoding))
 
@@ -150,17 +157,48 @@ func (c *Command) run(ctx context.Context, tty termenv.File) error {
 			continue
 		}
 
-		if installed, err := systemStore.InstallCA(ca); installed {
-			fmt.Fprintf(tty, "  - installed in the system store.\n")
-		} else if err != nil {
+		if err := install(tty, ca, systemStore, "system"); err != nil {
+			return err
+		}
+		if err := install(tty, ca, nssStore, "Network Security Services (NSS)"); err != nil {
 			return err
 		}
-		if installed, err := nssStore.InstallCA(ca); installed {
-			fmt.Fprintf(tty, "  - installed in the Network Security Services (NSS) store.\n")
-		} else if err != nil {
+		if err := install(tty, ca, brewStore, "Homebrew OpenSSL (ca-certificates)"); err != nil {
 			return err
 		}
 	}
 
 	return nil
 }
+
+type trustStore interface {
+	Check() (bool, error)
+	CheckCA(*truststore.CA) (bool, error)
+	InstallCA(*truststore.CA) (bool, error)
+}
+
+func install(tty termenv.File, ca *truststore.CA, store trustStore, name string) error {
+	if ok, err := store.Check(); !ok {
+		if err != nil {
+			fmt.Fprintf(tty, "  - skipping the %s store: %s\n", name, err)
+		} else {
+			fmt.Fprintf(tty, "  - skipping the %s store\n", name)
+		}
+		return nil
+	}
+
+	if ok, err := store.CheckCA(ca); err != nil {
+		fmt.Fprintf(tty, "  - skipping the %s store: %s\n", name, err)
+		return nil
+	} else if ok {
+		fmt.Fprintf(tty, "  - already installed in the %s store.\n", name)
+		return nil
+	}
+
+	if installed, err := store.InstallCA(ca); err != nil {
+		return err
+	} else if installed {
+		fmt.Fprintf(tty, "  - installed in the %s store.\n", name)
+	}
+	return nil
+}

truststore/brew.go

@@ -0,0 +1,88 @@
+package truststore
+
+import (
+	"bytes"
+	"encoding/pem"
+	"path/filepath"
+	"strings"
+)
+
+const certPath = "etc/ca-certificates/cert.pem"
+
+type Brew struct {
+	RootDir string
+
+	DataFS DataFS
+	SysFS  CmdFS
+
+	brewPath   string
+	prefixPath string
+
+	certPath string
+}
+
+func (s *Brew) Check() (bool, error) {
+	if s.brewPath == "" {
+		var err error
+		if s.brewPath, err = s.SysFS.LookPath("brew"); err != nil {
+			return false, err
+		}
+	}
+
+	if s.prefixPath == "" {
+		path, err := s.SysFS.Exec(s.SysFS.Command(s.brewPath, "--prefix"))
+		if err != nil {
+			return false, err
+		}
+		s.prefixPath = strings.TrimPrefix(strings.TrimSpace(string(path)), s.RootDir)
+	}
+
+	if s.certPath == "" {
+		path := filepath.Join(s.prefixPath, certPath)
+		if _, err := s.SysFS.Stat(path); err != nil {
+			return false, err
+		}
+		s.certPath = path
+	}
+
+	return true, nil
+}
+
+func (s *Brew) CheckCA(ca *CA) (bool, error) {
+	if ok, err := s.Check(); !ok {
+		return ok, err
+	}
+
+	buf, err := s.DataFS.ReadFile(s.certPath)
+	if err != nil {
+		return false, err
+	}
+
+	var blk *pem.Block
+	for len(buf) > 0 {
+		if blk, buf = pem.Decode(buf); blk == nil {
+			return false, nil
+		}
+
+		if bytes.Equal(ca.Raw, blk.Bytes) {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func (s *Brew) InstallCA(ca *CA) (bool, error) {
+	if ok, err := s.Check(); !ok {
+		return ok, err
+	}
+
+	blk := &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: ca.Raw,
+	}
+
+	if err := s.DataFS.AppendToFile(s.certPath, pem.EncodeToMemory(blk)); err != nil {
+		return false, err
+	}
+	return true, nil
+}

truststore/brew_test.go

@@ -0,0 +1,76 @@
+package truststore
+
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"flag"
+	"testing"
+
+	"github.com/anchordotdev/cli/truststore/internal/must"
+)
+
+var (
+	_ = flag.Bool("prism-verbose", false, "ignored")
+	_ = flag.Bool("prism-proxy", false, "ignored")
+)
+
+func TestBrewCheck(t *testing.T) {
+	t.Skip("pending mock filesystem")
+
+	brew := &Brew{
+		RootDir: "/",
+		DataFS:  RootFS(),
+		SysFS:   RootFS(),
+	}
+
+	ok, err := brew.Check()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if want, got := true, ok; want != got {
+		t.Errorf("want check %t, got %t", want, got)
+	}
+
+	if ok, err = brew.CheckCA(ca); err != nil {
+		t.Fatal(err)
+	}
+	if want, got := false, ok; want != got {
+		t.Errorf("want check ca %t, got %t", want, got)
+	}
+
+	if ok, err = brew.InstallCA(ca); err != nil {
+		t.Fatal(err)
+	}
+	if want, got := true, ok; want != got {
+		t.Errorf("want install ca %t, got %t", want, got)
+	}
+
+	if ok, err = brew.CheckCA(ca); err != nil {
+		t.Fatal(err)
+	}
+	if want, got := true, ok; want != got {
+		t.Errorf("want check ca %t, got %t", want, got)
+	}
+}
+
+var (
+	ca = mustCA(must.CA(&x509.Certificate{
+		Subject: pkix.Name{
+			CommonName:   "Example CA",
+			Organization: []string{"Example, Inc"},
+		},
+		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+
+		ExtraExtensions: []pkix.Extension{},
+	}))
+)
+
+func mustCA(cert *must.Certificate) *CA {
+	uniqueName := cert.Leaf.SerialNumber.Text(16)
+
+	return &CA{
+		Certificate: cert.Leaf,
+		FilePath:    "example-ca-" + uniqueName + ".pem",
+		UniqueName:  uniqueName,
+	}
+}

truststore/fs.go

@@ -1,10 +1,15 @@
 package truststore
 
 import (
+	"errors"
 	"io/fs"
+	"io/ioutil"
 	"os"
 	"os/exec"
 	"os/user"
+	"path/filepath"
+	"reflect"
+	"strings"
 	"sync"
 )
 
@@ -17,15 +22,30 @@ type CmdFS interface {
 	LookPath(cmd string) (string, error)
 }
 
-func RootFS() CmdFS {
+type DataFS interface {
+	fs.StatFS
+	fs.ReadFileFS
+
+	AppendToFile(name string, p []byte) error
+}
+
+type FS interface {
+	CmdFS
+	DataFS
+}
+
+func RootFS() FS {
 	return &rootFS{
-		StatFS: os.DirFS("/").(fs.StatFS),
+		StatFS:   os.DirFS("/").(fs.StatFS),
+		rootPath: "/",
 	}
 }
 
 type rootFS struct {
 	fs.StatFS
 
+	rootPath string
+
 	sudoWarningOnce sync.Once
 }
 
@@ -68,3 +88,54 @@ func (r *rootFS) SudoExec(cmd *exec.Cmd) (out []byte, err error) {
 func (r *rootFS) LookPath(cmd string) (string, error) {
 	return exec.LookPath(cmd)
 }
+
+func (r *rootFS) AppendToFile(name string, p []byte) error {
+	if err := r.checkFile(name); err != nil {
+		return err
+	}
+
+	f, err := os.OpenFile(filepath.Join(r.rootPath, name), os.O_APPEND|os.O_WRONLY, 0644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	if _, err := f.Write(p); err != nil {
+		return err
+	}
+	return f.Close()
+}
+
+func (r *rootFS) ReadFile(name string) ([]byte, error) {
+	if err := r.checkFile(name); err != nil {
+		return nil, err
+	}
+
+	f, err := os.OpenFile(filepath.Join(r.rootPath, name), os.O_RDONLY, 0444)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	return ioutil.ReadAll(f)
+}
+
+func (r *rootFS) checkFile(name string) error {
+	infoFS, err := r.StatFS.Stat(strings.Trim(name, string(os.PathSeparator)))
+	if err != nil {
+		return err
+	}
+
+	infoOS, err := os.Stat(filepath.Join(r.rootPath, name))
+	if err != nil {
+		return err
+	}
+
+	if infoFS.Name() == infoOS.Name() && infoFS.Size() == infoOS.Size() &&
+		infoFS.Mode() == infoOS.Mode() && infoFS.ModTime().Equal(infoOS.ModTime()) &&
+		reflect.DeepEqual(infoFS.Sys(), infoOS.Sys()) {
+		return nil
+	}
+
+	return errors.New("file system setup is misconfigured or corrupt")
+}