nodemailer/wildduck
1
1
Fork 0
mirror of https://github.com/nodemailer/wildduck.git synced 2025-09-16 18:14:32 +08:00
Code Issues Projects Releases Packages Wiki Activity
wildduck/lib/api/certs.js
NickOvt 905b463a63
fix(api-listings-pagination): ZMS-225 Encode page in next and previous cursor (#818) 
* implement a mongopaging wrapper to encode page in the cursor

* update mongopaging validation schema to properly use base64url encoding

* list messages endpoint use embedded page in cursor instead of explicit user-provided

* addresses, auth, certs for listing endpoints use mongopaging wrapper

* dkim, domainaliases, filters - listing endpoints use mongopaging wrapper

* messages, storage, users, webhooks - listing endpoints use mongopaging wrapper

* mongopaging wrapper - if page negative due to externally crafter cursor, default to page 1
2025-05-27 15:39:04 +03:00

637 lines
25 KiB
JavaScript
Raw Blame History

'use strict';
const config = require('wild-config');
const Joi = require('joi');
const ObjectId = require('mongodb').ObjectId;
const CertHandler = require('../cert-handler');
const TaskHandler = require('../task-handler');
const tools = require('../tools');
const roles = require('../roles');
const { nextPageCursorSchema, previousPageCursorSchema, sessSchema, sessIPSchema, booleanSchema } = require('../schemas');
const { successRes, totalRes, pageRes, previousCursorRes, nextCursorRes } = require('../schemas/response/general-schemas');
const { mongopagingFindWrapper } = require('../mongopaging-find-wrapper');
const certificateSchema = Joi.string()
.empty('')
.trim()
.regex(/^-+BEGIN CERTIFICATE-+\s/, 'Certificate format');
const privateKeySchema = Joi.string()
.empty('')
.trim()
.regex(/^-+BEGIN (RSA )?PRIVATE KEY-+\s/, 'Certificate key format');
module.exports = (db, server) => {
const certHandler = new CertHandler({
cipher: config.certs && config.certs.cipher,
secret: config.certs && config.certs.secret,
database: db.database,
redis: db.redis,
users: db.users,
acmeConfig: config.acme
});
const taskHandler = new TaskHandler({
database: db.database
});
server.get(
{
name: 'getTLSCertificates',
path: '/certs',
summary: 'List registered TLS certificates',
tags: ['Certs'],
validationObjs: {
requestBody: {},
queryParams: {
query: Joi.string().empty('').trim().max(255).example('example.com').description('Partial match of a server name'),
altNames: booleanSchema.default(false).description('Match `query` value against SAN as well (including wildcard names)').example('true'),
limit: Joi.number().default(20).min(1).max(250).description('How many records to return'),
next: nextPageCursorSchema,
previous: previousPageCursorSchema,
sess: sessSchema,
ip: sessIPSchema
},
pathParams: {},
response: {
200: {
description: 'Success',
model: Joi.object({
success: successRes,
query: Joi.string().description('Initial query'),
total: totalRes,
page: pageRes,
previousCursor: previousCursorRes,
nextCursor: nextCursorRes,
results: Joi.array()
.items(
Joi.object({
id: Joi.string().required().description('ID of the certificate').example('609d201236d1d936948f23b1'),
servername: Joi.string()
.required()
.description('The server name this certificate applies to')
.example('imap.example.com'),
acme: booleanSchema
.required()
.description('If true then private key and certificate are managed automatically by ACME'),
description: Joi.string().required().description('Key description').example('Some notes about this certificate'),
fingerprint: Joi.string()
.required()
.description('Key fingerprint (SHA1)')
.example('59:8b:ed:11:5b:4f:ce:b4:e5:1a:2f:35:b1:6f:7d:93:40:c8:2f:9c:38:3b:cd:f4:04:92:a1:0e:17:2c:3f:f3'),
created: Joi.date().required().description('Datestring').example('2024-03-13T20:06:46.179Z'),
expires: Joi.date().required().description('Certificate expiration time').example('2024-04-26T21:55:55.000Z'),
autogenerated: Joi.boolean().description('Was the certificate automatically generated on SNI request'),
altNames: Joi.array()
.items(Joi.string().required())
.required()
.description('SAN servernames listed in the certificate')
.example(['example.com', 'www.example.com'])
})
.required()
.description('Certificate listing')
.$_setFlag('objectName', 'GetTLSCertResult')
)
.required()
}).$_setFlag('objectName', 'GetTLSCertsResponse')
}
}
}
},
tools.responseWrapper(async (req, res) => {
res.charSet('utf-8');
const { requestBody, queryParams, pathParams } = req.route.spec.validationObjs;
const schema = Joi.object({
...requestBody,
...queryParams,
...pathParams
});
const result = schema.validate(req.params, {
abortEarly: false,
convert: true,
allowUnknown: true
});
if (result.error) {
res.status(400);
return res.json({
error: result.error.message,
code: 'InputValidationError',
details: tools.validationErrors(result)
});
}
// permissions check
req.validate(roles.can(req.role).readAny('certs'));
let query = result.value.query;
let altNames = result.value.altNames;
let limit = result.value.limit;
let pageNext = result.value.next;
let pagePrevious = result.value.previous;
let filter = query
? {
servername: {
$regex: tools.escapeRegexStr(query),
$options: ''
}
}
: {};
if (query && altNames) {
filter = {
$or: [
filter,
{
altNames: {
$regex: tools.escapeRegexStr(query),
$options: ''
}
}
]
};
if (query.indexOf('.') >= 0) {
let wcMatch = '*' + query.substr(query.indexOf('.'));
filter.$or.push({ altNames: wcMatch });
}
}
let total = await db.database.collection('certs').countDocuments(filter);
let opts = {
limit,
query: filter,
paginatedField: 'servername',
sortAscending: true
};
if (pageNext) {
opts.next = pageNext;
}
if (pagePrevious) {
opts.previous = pagePrevious;
}
let listingWrapper;
try {
listingWrapper = await mongopagingFindWrapper(db.database.collection('certs'), opts);
} catch (err) {
res.status(500);
return res.json({
error: 'MongoDB Error: ' + err.message,
code: 'InternalDatabaseError'
});
}
let response = {
success: true,
query,
total,
page: listingWrapper.page,
previousCursor: listingWrapper.previousCursor,
nextCursor: listingWrapper.nextCursor,
results: (listingWrapper.listing.results || []).map(certData => ({
id: certData._id.toString(),
servername: certData.servername,
description: certData.description,
fingerprint: certData.fingerprint,
expires: certData.expires,
autogenerated: certData.autogenerated,
altNames: certData.altNames,
acme: !!certData.acme,
created: certData.created
}))
};
return res.json(response);
})
);
server.get(
{
path: '/certs/resolve/:servername',
summary: 'Resolve ID for a server name',
name: 'resolveTLSCertificate',
tags: ['Certs'],
validationObjs: {
requestBody: {},
queryParams: {
sess: sessSchema,
ip: sessIPSchema
},
pathParams: {
servername: Joi.string().hostname().description('Server name').required().example('example.com')
},
response: {
200: {
description: 'Success',
model: Joi.object({
success: successRes,
id: Joi.string().required().description('Unique ID of the cert (24 byte hex)').example('609d201236d1d936948f23b1')
}).$_setFlag('objectName', 'ResolveIdResponse')
}
}
}
},
tools.responseWrapper(async (req, res) => {
res.charSet('utf-8');
const { requestBody, queryParams, pathParams } = req.route.spec.validationObjs;
const schema = Joi.object({
...requestBody,
...queryParams,
...pathParams
});
const result = schema.validate(req.params, {
abortEarly: false,
convert: true
});
if (result.error) {
res.status(400);
return res.json({
error: result.error.message,
code: 'InputValidationError',
details: tools.validationErrors(result)
});
}
// permissions check
req.validate(roles.can(req.role).readAny('certs'));
let servername = tools.normalizeDomain(result.value.servername);
let certData;
try {
certData = await db.database.collection('certs').findOne(
{
servername
},
{
projection: { _id: 1 }
}
);
} catch (err) {
res.status(500);
return res.json({
error: 'MongoDB Error: ' + err.message,
code: 'InternalDatabaseError'
});
}
if (!certData) {
res.status(404);
return res.json({
error: 'This servername does not exist',
code: 'CertNotFound'
});
}
return res.json({
success: true,
id: certData._id.toString()
});
})
);
server.post(
{
path: '/certs',
summary: 'Create or update TLS certificate for server name',
tags: ['Certs'],
name: 'updateTLSCertificate',
description:
'Add a new TLS certificate for a server name or update existing one. You can add a single certificate for each server name but SAN names are supported as well. For example you can add a certificate for "mydomain.com" that includes "*.mydomain.com" in SAN and the same certificate would be used for requests that do not have it\'s own server name registered but match the SAN value.\n> NB! you must ensure yourself that the `servername` value is actually listed in certificate\'s common name or SAN as WildDuck is going to use this certificate regardless.',
validationObjs: {
pathParams: {},
queryParams: {},
requestBody: {
servername: Joi.string().empty('').hostname().required().label('ServerName').description('Server name this TLS certificate applies to'),
privateKey: Joi.string()
.when('acme', {
switch: [
{
is: false,
then: privateKeySchema.required()
},
{
is: true,
then: privateKeySchema.required().optional()
}
]
})
.description('PEM formatted TLS private key. Optional if certificate is managed by ACME')
.label('PrivateKey'),
cert: Joi.string()
.when('acme', {
switch: [
{
is: false,
then: certificateSchema.required()
},
{
is: true,
then: certificateSchema.optional()
}
]
})
.description(
'PEM formatted TLS certificate or a certificate bundle with concatenated certificate and CA chain. Optional if certificate is managed by ACME'
)
.label('Certificate'),
ca: Joi.array()
.items(certificateSchema.label('CACert'))
.label('CACertList')
.description('CA chain certificates. Not needed if `cert` value is a bundle'),
description: Joi.string().empty('').max(1024).trim().label('Description').description('Certificate description'),
acme: booleanSchema
.default(false)
.label('ACMEManaged')
.description('If true then private key and certificate are managed automatically by ACME'),
sess: sessSchema,
ip: sessIPSchema
},
response: {
200: {
description: 'Success',
model: Joi.object({
success: successRes,
id: Joi.string().required().description('ID of the certificate').example('609d201236d1d936948f23b1'),
servername: Joi.string().required().description('The server name this certificate applies to').example('imap.example.com'),
description: Joi.string().required().description('Key description').example('Some notes about this certificate'),
fingerprint: Joi.string()
.required()
.description('Key fingerprint (SHA1)')
.example('59:8b:ed:11:5b:4f:ce:b4:e5:1a:2f:35:b1:6f:7d:93:40:c8:2f:9c:38:3b:cd:f4:04:92:a1:0e:17:2c:3f:f3'),
expires: Joi.date().required().description('Certificate expiration time').example('2024-06-26T21:55:55.000Z'),
altNames: Joi.array()
.items(Joi.string().required())
.required()
.description('SAN servernames listed in the certificate')
.example(['example.com', 'www.example.com']),
acme: booleanSchema.required().description('If true then private key and certificate are managed automatically by ACME')
}).$_setFlag('objectName', 'UpdateTLSCertResponse')
}
}
}
},
tools.responseWrapper(async (req, res) => {
res.charSet('utf-8');
const { requestBody, queryParams, pathParams } = req.route.spec.validationObjs;
const schema = Joi.object({
...requestBody,
...queryParams,
...pathParams
});
const result = schema.validate(req.params, {
abortEarly: false,
convert: true
});
if (result.error) {
res.status(400);
return res.json({
error: result.error.message,
code: 'InputValidationError',
details: tools.validationErrors(result)
});
}
// permissions check
req.validate(roles.can(req.role).createAny('certs'));
let response;
try {
response = await certHandler.set(result.value);
} catch (err) {
switch (err.code) {
case 'InputValidationError':
res.status(400);
break;
case 'CertNotFound':
res.status(404);
break;
default:
res.status(500);
}
return res.json({
error: err.message,
code: err.code
});
}
if (response) {
response.success = true;
}
if (result.value.acme) {
await taskHandler.ensure('acme', { servername: result.value.servername }, { servername: result.value.servername });
}
return res.json(response);
})
);
server.get(
{
path: '/certs/:cert',
summary: 'Request TLS certificate information',
name: 'getTLSCertificate',
tags: ['Certs'],
validationObjs: {
requestBody: {},
queryParams: {
sess: sessSchema,
ip: sessIPSchema
},
pathParams: {
cert: Joi.string().hex().lowercase().length(24).required().description('ID of the TLS certificate').example('609d201236d1d936948f23b1')
},
response: {
200: {
description: 'Success',
model: Joi.object({
success: successRes,
id: Joi.string().required().description('ID of the certificate').example('609d201236d1d936948f23b1'),
servername: Joi.string().required().description('The server name this certificate applies to').example('imap.example.com'),
description: Joi.string().required().description('Key description').example('Some notes about this certificate'),
fingerprint: Joi.string()
.required()
.description('Key fingerprint (SHA1)')
.example('59:8b:ed:11:5b:4f:ce:b4:e5:1a:2f:35:b1:6f:7d:93:40:c8:2f:9c:38:3b:cd:f4:04:92:a1:0e:17:2c:3f:f3'),
expires: Joi.date().required().description('Certificate expiration time').example('2024-06-26T21:55:55.000Z'),
created: Joi.date().required().description('Created datestring').example('2024-05-13T20:06:46.179Z'),
autogenerated: Joi.boolean().description('Was the certificate automatically generated on SNI request'),
altNames: Joi.array()
.items(Joi.string().required())
.required()
.description('SAN servernames listed in the certificate')
.example(['example.com', 'www.example.com']),
acme: booleanSchema.required().description('If true then private key and certificate are managed automatically by ACME'),
hasCert: booleanSchema.required().description('True if certificate actually has the certificate or private key')
}).$_setFlag('objectName', 'GetTLSCertResponse')
}
}
}
},
tools.responseWrapper(async (req, res) => {
res.charSet('utf-8');
const { requestBody, queryParams, pathParams } = req.route.spec.validationObjs;
const schema = Joi.object({
...requestBody,
...queryParams,
...pathParams
});
const result = schema.validate(req.params, {
abortEarly: false,
convert: true
});
if (result.error) {
res.status(400);
return res.json({
error: result.error.message,
code: 'InputValidationError',
details: tools.validationErrors(result)
});
}
// permissions check
req.validate(roles.can(req.role).readAny('certs'));
let cert = new ObjectId(result.value.cert);
let response;
try {
response = await certHandler.get({ _id: cert }, false);
} catch (err) {
switch (err.code) {
case 'InputValidationError':
res.status(400);
break;
case 'CertNotFound':
res.status(404);
break;
default:
res.status(500);
}
return res.json({
error: err.message,
code: err.code
});
}
if (response) {
response.success = true;
} else {
response.success = false;
}
return res.json(response);
})
);
server.del(
{
path: '/certs/:cert',
summary: 'Delete a TLS certificate',
name: 'deleteTLSCert',
tags: ['Certs'],
validationObjs: {
requestBody: {},
queryParams: {
sess: sessSchema,
ip: sessIPSchema
},
pathParams: {
cert: Joi.string().hex().lowercase().length(24).required().description('ID of the TLS certificate').example('609d201236d1d936948f23b1')
},
response: {
200: {
description: 'Success',
model: Joi.object({
success: successRes
}).$_setFlag('objectName', 'SuccessResponse')
}
}
}
},
tools.responseWrapper(async (req, res) => {
res.charSet('utf-8');
const { requestBody, queryParams, pathParams } = req.route.spec.validationObjs;
const schema = Joi.object({
...requestBody,
...queryParams,
...pathParams
});
const result = schema.validate(req.params, {
abortEarly: false,
convert: true
});
if (result.error) {
res.status(400);
return res.json({
error: result.error.message,
code: 'InputValidationError',
details: tools.validationErrors(result)
});
}
// permissions check
req.validate(roles.can(req.role).deleteAny('certs'));
let cert = new ObjectId(result.value.cert);
let response;
try {
response = await certHandler.del({ _id: cert });
} catch (err) {
switch (err.code) {
case 'InputValidationError':
res.status(400);
break;
case 'CertNotFound':
res.status(404);
break;
default:
res.status(500);
}
return res.json({
error: err.message,
code: err.code
});
}
return res.json({
success: response
});
})
);
};
Reference in a new issue View git blame Copy permalink