SecureController - Code Metrics - bjarn/jale - Measure and Improve Code Quality continuously with Scrutinizer

SecureController A
last analyzed 2022-01-21 20:55 UTC

↳ Parent: src/controllers/secureController.ts

Complexity

Total Complexity

Size/Duplication

Total Lines	142
Duplicated Lines	0 %

Importance

Changes

Metric	Value
eloc	102
dl	0
loc	142
rs	10
c	0
b	0
f	0
wmc	11

7 Functions

Rating	Name	Size	Complexity
A	unsecureNginxConfig	11	1
A	isSecure	2	1
A	createSslCertificate	17	1
A	executeSecure	12	2
A	unsecure	19	2
A	executeUnsecure	8	2
A	secureNginxConfig	16	2

import execa from 'execa'
import {existsSync, readFileSync, unlinkSync, writeFileSync} from 'fs'
import {Config} from '../models/config'
import Nginx from '../services/nginx'
import opensslConfig from '../templates/openssl'
import {info, success, url, warning} from '../utils/console'
import {ensureDirectoryExists} from '../utils/filesystem'
import {getConfig, jaleSitesPath, jaleSslPath} from '../utils/jale'
import {serverNamesRegex} from '../utils/regex'

class SecureController {

    config: Config
    project: string
    hostname: string

    keyPath: string
    csrPath: string
    crtPath: string
    configPath: string

    constructor(project?: string) {
        this.config = getConfig()
        this.project = project || process.cwd().substring(process.cwd().lastIndexOf('/') + 1)

        const vhostConfig = readFileSync(`${jaleSitesPath}/${this.project}.conf`, 'utf-8')
        const serverNames = serverNamesRegex.exec(vhostConfig)
        this.hostname = `${this.project}.${this.config.tld}`
        // TODO catch this issue
        if (serverNames) {
            this.hostname = serverNames[0].split(' ')[1]
        }

        this.keyPath = `${jaleSslPath}/${this.project}.key`
        this.csrPath = `${jaleSslPath}/${this.project}.csr`
        this.crtPath = `${jaleSslPath}/${this.project}.crt`
        this.configPath = `${jaleSslPath}/${this.project}.conf`
    }

    executeSecure = async (): Promise<void> => {
        info(`Securing ${this.hostname}...`)
        await ensureDirectoryExists(jaleSslPath)

        await this.unsecure()

        await this.createSslCertificate()
        this.secureNginxConfig()

        await (new Nginx()).restart()

        success(`${this.hostname} has been secured and is now reachable via ${url(`https://${this.hostname}`)}.`)
    }

    executeUnsecure = async (): Promise<void> => {
        if (await this.unsecure()) {
            success(`${this.hostname} has been unsecured and is no longer reachable over https.`)
            await (new Nginx()).restart()
        }

        warning(`The site ${this.hostname} is not secured.`)
        return
    }

    isSecure = (): boolean => {
        return existsSync(this.configPath)
    }

    /**
     * Unsecure the current hostname.
     */
    private unsecure = async (): Promise<boolean> => {
        if (existsSync(this.crtPath)) {
            unlinkSync(this.csrPath)
            unlinkSync(this.keyPath)
            unlinkSync(this.crtPath)
            unlinkSync(this.configPath)

            await execa(
                'sudo',
                ['security', 'find-certificate', '-c', this.hostname, '-a', '-Z', '|', 'sudo', 'awk', '\'/SHA-1/{system("sudo security delete-certificate -Z "$NF)}\''],
                {shell: true, stdio: 'inherit'}
            )

            this.unsecureNginxConfig()

            return true
        }

        return false
    }

    /**
     * Generate a certificate to secure a site.
     *
     * This will first generate an OpenSSL config which will be used for the CSR. Then we will create a private key and
     * generate a CSR. We will then request the certificate and trust it in our keychain.
     */
    private createSslCertificate = async (): Promise<void> => {
        // Write OpenSSL config for hostname
        await writeFileSync(this.configPath, opensslConfig(this.hostname))

        // Generate private key
        await execa('openssl', ['genrsa', '-out', this.keyPath, '2048'])

        // Generate certificate request with private key
        const subject = `/C=/ST=/O=/localityName=/commonName=*.${this.hostname}/organizationalUnitName=/emailAddress=/`
        await execa('openssl', ['req', '-new', '-key', this.keyPath, '-out', this.csrPath, '-subj',
            subject, '-config', this.configPath, '-passin', 'pass:'])

        await execa('openssl', ['x509', '-req', '-days', '365', '-in', this.csrPath, '-signkey',
            this.keyPath, '-out', this.crtPath, '-extensions', 'v3_req', '-extfile', this.configPath])

        // TODO: Make this cross-platform compatible.
        await execa('sudo', ['security', 'add-trusted-cert', '-d', '-r', 'trustRoot', '-k', '/Library/Keychains/System.keychain', this.crtPath])
    }

    /**
     * Make sure the Nginx config works with SSL.
     */
    private secureNginxConfig = () => {
        let nginxConfig = readFileSync(`${jaleSitesPath}/${this.project}.conf`, 'utf-8')
        if (nginxConfig.includes('listen 443 ssl http2')) {
            // TODO: Implement a nicer check. This is just a rushed thing to prevent duplicate ssl entries. Maybe it's
            // fine, but I ain't so sure about that.
            return
        }

        nginxConfig = nginxConfig.replace('listen [::]:80;', `listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    
    ssl_certificate ${this.crtPath};
    ssl_certificate_key ${this.keyPath};\n`)

        writeFileSync(`${jaleSitesPath}/${this.project}.conf`, nginxConfig)
    }

    /**
     * Clean up the Nginx config by removing references to the key en cert and stop listening on port 443.
     */
    private unsecureNginxConfig = () => {
        let nginxConfig = readFileSync(`${jaleSitesPath}/${this.project}.conf`, 'utf-8')

        nginxConfig = nginxConfig.replace(`listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    
    ssl_certificate ${this.crtPath};
    ssl_certificate_key ${this.keyPath};\n`, 'listen [::]:80;')

        writeFileSync(`${jaleSitesPath}/${this.project}.conf`, nginxConfig)
    }
}

export default SecureController

1			import execa from 'execa'
2			import {existsSync, readFileSync, unlinkSync, writeFileSync} from 'fs'
3			import {Config} from '../models/config'
4			import Nginx from '../services/nginx'
5			import opensslConfig from '../templates/openssl'
6			import {info, success, url, warning} from '../utils/console'
7			import {ensureDirectoryExists} from '../utils/filesystem'
8			import {getConfig, jaleSitesPath, jaleSslPath} from '../utils/jale'
9			import {serverNamesRegex} from '../utils/regex'
10
11			class SecureController {
12
13			config: Config
14			project: string
15			hostname: string
16
17			keyPath: string
18			csrPath: string
19			crtPath: string
20			configPath: string
21
22			constructor(project?: string) {
23			this.config = getConfig()
24			this.project = project \|\| process.cwd().substring(process.cwd().lastIndexOf('/') + 1)
25
26			const vhostConfig = readFileSync(`${jaleSitesPath}/${this.project}.conf`, 'utf-8')
27			const serverNames = serverNamesRegex.exec(vhostConfig)
28			this.hostname = `${this.project}.${this.config.tld}`
29			// TODO catch this issue
30			if (serverNames) {
31			this.hostname = serverNames[0].split(' ')[1]
32			}
33
34			this.keyPath = `${jaleSslPath}/${this.project}.key`
35			this.csrPath = `${jaleSslPath}/${this.project}.csr`
36			this.crtPath = `${jaleSslPath}/${this.project}.crt`
37			this.configPath = `${jaleSslPath}/${this.project}.conf`
38			}
39
40			executeSecure = async (): Promise<void> => {
41			info(`Securing ${this.hostname}...`)
42			await ensureDirectoryExists(jaleSslPath)
43
44			await this.unsecure()
45
46			await this.createSslCertificate()
47			this.secureNginxConfig()
48
49			await (new Nginx()).restart()
50
51			success(`${this.hostname} has been secured and is now reachable via ${url(`https://${this.hostname}`)}.`)
52			}
53
54			executeUnsecure = async (): Promise<void> => {
55			if (await this.unsecure()) {
56			success(`${this.hostname} has been unsecured and is no longer reachable over https.`)
57			await (new Nginx()).restart()
58			}
59
60			warning(`The site ${this.hostname} is not secured.`)
61			return
62			}
63
64			isSecure = (): boolean => {
65			return existsSync(this.configPath)
66			}
67
68			/**
69			* Unsecure the current hostname.
70			*/
71			private unsecure = async (): Promise<boolean> => {
72			if (existsSync(this.crtPath)) {
73			unlinkSync(this.csrPath)
74			unlinkSync(this.keyPath)
75			unlinkSync(this.crtPath)
76			unlinkSync(this.configPath)
77
78			await execa(
79			'sudo',
80			['security', 'find-certificate', '-c', this.hostname, '-a', '-Z', '\|', 'sudo', 'awk', '\'/SHA-1/{system("sudo security delete-certificate -Z "$NF)}\''],
81			{shell: true, stdio: 'inherit'}
82			)
83
84			this.unsecureNginxConfig()
85
86			return true
87			}
88
89			return false
90			}
91
92			/**
93			* Generate a certificate to secure a site.
94			*
95			* This will first generate an OpenSSL config which will be used for the CSR. Then we will create a private key and
96			* generate a CSR. We will then request the certificate and trust it in our keychain.
97			*/
98			private createSslCertificate = async (): Promise<void> => {
99			// Write OpenSSL config for hostname
100			await writeFileSync(this.configPath, opensslConfig(this.hostname))
101
102			// Generate private key
103			await execa('openssl', ['genrsa', '-out', this.keyPath, '2048'])
104
105			// Generate certificate request with private key
106			const subject = `/C=/ST=/O=/localityName=/commonName=*.${this.hostname}/organizationalUnitName=/emailAddress=/`
107			await execa('openssl', ['req', '-new', '-key', this.keyPath, '-out', this.csrPath, '-subj',
108			subject, '-config', this.configPath, '-passin', 'pass:'])
109
110			await execa('openssl', ['x509', '-req', '-days', '365', '-in', this.csrPath, '-signkey',
111			this.keyPath, '-out', this.crtPath, '-extensions', 'v3_req', '-extfile', this.configPath])
112
113			// TODO: Make this cross-platform compatible.
114			await execa('sudo', ['security', 'add-trusted-cert', '-d', '-r', 'trustRoot', '-k', '/Library/Keychains/System.keychain', this.crtPath])
115			}
116
117			/**
118			* Make sure the Nginx config works with SSL.
119			*/
120			private secureNginxConfig = () => {
121			let nginxConfig = readFileSync(`${jaleSitesPath}/${this.project}.conf`, 'utf-8')
122			if (nginxConfig.includes('listen 443 ssl http2')) {
123			// TODO: Implement a nicer check. This is just a rushed thing to prevent duplicate ssl entries. Maybe it's
124			// fine, but I ain't so sure about that.
125			return
126			}
127
128			nginxConfig = nginxConfig.replace('listen [::]:80;', `listen [::]:80;
129			listen 443 ssl http2;
130			listen [::]:443 ssl http2;
131
132			ssl_certificate ${this.crtPath};
133			ssl_certificate_key ${this.keyPath};\n`)
134
135			writeFileSync(`${jaleSitesPath}/${this.project}.conf`, nginxConfig)
136			}
137
138			/**
139			* Clean up the Nginx config by removing references to the key en cert and stop listening on port 443.
140			*/
141			private unsecureNginxConfig = () => {
142			let nginxConfig = readFileSync(`${jaleSitesPath}/${this.project}.conf`, 'utf-8')
143
144			nginxConfig = nginxConfig.replace(`listen [::]:80;
145			listen 443 ssl http2;
146			listen [::]:443 ssl http2;
147
148			ssl_certificate ${this.crtPath};
149			ssl_certificate_key ${this.keyPath};\n`, 'listen [::]:80;')
150
151			writeFileSync(`${jaleSitesPath}/${this.project}.conf`, nginxConfig)
152			}
153			}
154
155			export default SecureController

bjarn / jale

SecureController A last analyzed 2022-01-21 20:55 UTC

Complexity

Size/Duplication

Importance

7 Functions

Duplication Side-by-Side

Filter issues like

SecureController A
last analyzed 2022-01-21 20:55 UTC