https - error in capturing key/cert file path

[larryschirmer]

When opening an https connection I noticed that express-gateway/lib/gateway/server.js is having issues properly capturing the file path in the .yml.

I made some minor changes to createTlsServer() which seem to have resolved the issue that I would like to propose here:

function createTlsServer(httpsConfig, app) {
	let defaultCert = null;
	let sniCerts = [];

	let domainCount = httpsConfig.tls.length;
	let domains = [];
	httpsConfig.tls.forEach(domainObj => {
		domains = [...domains, Object.getOwnPropertyNames(domainObj)];
	});

	for (let i = 0; i < domainCount; i++) {
		let domain = domains[i].toString();

		let certPaths = httpsConfig.tls[i][domain];

		let cert;
		if (domain === 'default') {
			cert = defaultCert = {};
		} else {
			cert = {};
			sniCerts.push([domain, cert]);
		}

		cert.key = fs.readFileSync(path.resolve(certPaths.key), 'utf-8');
		cert.cert = fs.readFileSync(path.resolve(certPaths.cert), 'utf-8');
		if (certPaths.ca && certPaths.ca.length) {
			cert.ca = certPaths.ca.map(ca => fs.readFileSync(path.resolve(ca), 'utf-8'));
		}
	}

	// see possible options https://nodejs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener
	let options = Object.assign({}, httpsConfig.options);

	if (defaultCert) {
		options.key = defaultCert.key;
		options.cert = defaultCert.cert;
		options.ca = defaultCert.ca;
	}

	if (sniCerts.length > 0) {
		options.SNICallback = (servername, cb) => {
			for (let [domain, cert] of sniCerts) {
				if (minimatch(servername, domain)) {
					logger.debug(`sni: using cert for ${domain}`);
					cb(null, tls.createSecureContext(cert));
					return;
				}
			}
			if (defaultCert) {
				logger.debug('sni: using default cert');
				cb(null, tls.createSecureContext(defaultCert));
			} else {
				logger.error('sni: no cert!');
				cb(new Error('cannot start TLS SNI - no cert configured'));
			}
		};
	}

	return https.createServer(options, app);
}

[kevinswiber]

Thanks, @larryschirmer! Can you turn this into a Pull Request?

[larryschirmer]

@kevinswiber

TL;DR

I need to close the current pull request and open a new one addressing the configuration documentation for gateway.config.yml. The issue can be resolved by removing the dashes before the domain names i.e.

https:
  port: 9443
  tls:
    - "*.demo.io":
        key: example/keys/demo.io.key.pem
        cert: example/keys/demo.io.cert.pem
    - "api.acme.com":
        key: example/keys/acme.com.key.pem
        cert: example/keys/acme.com.cert.pem
    - "default":
        key: example/keys/eg.io.key.pem
        cert: example/keys/eg.io.cert.pem

source: https - Express Gateway

https:
  port: 9443
  tls:
    "*.demo.io":
        key: example/keys/demo.io.key.pem
        cert: example/keys/demo.io.cert.pem
    "api.acme.com":
        key: example/keys/acme.com.key.pem
        cert: example/keys/acme.com.cert.pem
    "default":
        key: example/keys/eg.io.key.pem
        cert: example/keys/eg.io.cert.pem

proposed change -> will make into a new pull request

---

Full Info

I reviewed the test that feeds dummy data into httpsConfig in express-gateway/test/config-https-sni.test.js and found that the gateway config object is defined as

config.gatewayConfig = {
      https: {
        port: 10441,
        options: {
          requestCert: true,
          rejectUnauthorized: false
        },
        tls: {
          'a.example.com': {
            key: './test/fixtures/agent1-key.pem',
            cert: './test/fixtures/agent1-cert.pem',
            ca: ['./test/fixtures/ca2-cert.pem']
          },
          'b.example.com': {
            key: './test/fixtures/agent3-key.pem',
            cert: './test/fixtures/agent3-cert.pem'
          }
        }
      },
      apiEndpoints: { test: {} },
      policies: ['test'],
      pipelines: {
        pipeline1: {
          apiEndpoint: 'test',
          policies: { test: {} }
        }
      }
    };

where tls is an object that for in in server.js can loop over (as defined currently in the code).

The issue is that, the way the documentation for the https option is defined for gateway.config.yml causes the js-yaml module to parse the file in a way that makes tls into an array of objects rather than an object with properties.
Correct Output for httpsConfig

{
    "port": 9443,
    "tls": {
        "a.example.com": {
            "key": "./test/fixtures/agent1-key.pem",
            "cert": "./test/fixtures/agent1-cert.pem"
        },
        "b.example.com": {
            "key": "./test/fixtures/agent3-key.pem",
            "cert": "./test/fixtures/agent3-cert.pem"
        }
    }
}

Output for httpsConfig as defined in current documentation

{
    "port": 9443,
    "tls": [
            {
                "a.example.com": {
                    "key": "./test/fixtures/agent1-key.pem",
                    "cert": "./test/fixtures/agent1-cert.pem"
                }
            },
            {
                "b.example.com": {
                    "key": "./test/fixtures/agent3-key.pem",
                    "cert": "./test/fixtures/agent3-cert.pem"
                }
            }
        ]
}

where the https property is defined like below in gateway.config.yml

https:
  port: 9443
  tls:
    - "a.example.com":
        key: ./test/fixtures/agent1-key.pem
        cert: ./test/fixtures/agent1-cert.pem
    - "b.example.com":
        key: ./test/fixtures/agent3-key.pem
        cert: ./test/fixtures/agent3-cert.pem

In order to get the gatewayConfig object to parse properly, the data in the yml file needs have the dashes removed

https:
  port: 9443
  tls:
    "a.example.com":
        key: ./test/fixtures/agent1-key.pem
        cert: ./test/fixtures/agent1-cert.pem
    "b.example.com":
        key: ./test/fixtures/agent3-key.pem
        cert: ./test/fixtures/agent3-cert.pem

This behavior can be demonstrated by copying in the gateway.config.yml into the js-yaml demo page (parser for JavaScript - JS-YAML)

---

Next Steps

Tomorrow, I'll close the pull request that I have open for changing the server.js file and open another pr for changing the documentation.

Thanks for your patience

[altsang]

@larryschirmer - are you close to having this pull request?

[larryschirmer]

@altsang pull request submitted. Thanks for the reminder