Support for custom CA certificates (#14207)

Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com>
2022-06-01 11:14:27 +05:30 · 2022-06-01 11:14:27 +05:30 · 73e43fadbd
commit 73e43fadbd
parent 95e6b4fb98
4 changed files with 107 additions and 6 deletions
--- a/2
+++ b/2
@ -15,7 +15,7 @@ RUN apt-get update \
  && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
    supervisor curl cron certbot nginx gnupg wget netcat openssh-client \
    software-properties-common gettext openjdk-11-jre \
-    python3-pip python-setuptools git \
+    python3-pip python-setuptools git ca-certificates-java \
  && pip install --no-cache-dir git+https://github.com/coderanger/supervisor-stdout@973ba19967cdaf46d9c1634d1675fc65b9574f6e \
  && apt-get remove -y git python3-pip

--- a/app/server/appsmith-plugins/restApiPlugin/src/main/java/com/external/plugins/RestApiPlugin.java
+++ b/app/server/appsmith-plugins/restApiPlugin/src/main/java/com/external/plugins/RestApiPlugin.java
@ -322,6 +322,11 @@ public class RestApiPlugin extends BasePlugin {
                        sslContextSpec.sslContext(sslContextSpec1);
                    });

+            if ("true".equals(System.getProperty("java.net.useSystemProxies"))
+                    && (!System.getProperty("http.proxyHost", "").isEmpty() || !System.getProperty("https.proxyHost", "").isEmpty())) {
+                httpClient = httpClient.proxyWithSystemProperties();
+            }
+
            WebClient.Builder webClientBuilder = WebClient.builder().clientConnector(new ReactorClientHttpConnector(httpClient));

            // Adding headers from datasource
--- a/deploy/docker/entrypoint.sh
+++ b/deploy/docker/entrypoint.sh
@ -2,7 +2,9 @@

 set -e

-function get_maximum_heap(){ 
+stacks_path=/appsmith-stacks
+
+function get_maximum_heap() {
    resource=$(ulimit -u)
    echo "Resource : $resource"
    if [[ "$resource" -le 256 ]]; then
@ -12,7 +14,7 @@ function get_maximum_heap(){
    fi
 }

-function setup_backend_heap_arg(){
+function setup_backend_heap_arg() {
    if [[ ! -z ${maximum_heap} ]]; then
      export APPSMITH_JAVA_HEAP_ARG="-Xmx${maximum_heap}m"
    fi
@ -25,7 +27,7 @@ init_env_file() {

  # Build an env file with current env variables. We single-quote the values, as well as escaping any single-quote characters.
  printenv | grep -E '^APPSMITH_|^MONGO_' | sed "s/'/'\"'\"'/; s/=/='/; s/$/'/" > "$TEMPLATES_PATH/pre-define.env"
-  
+
  echo "Initialize .env file"
  if ! [[ -e "$ENV_PATH" ]]; then
    # Generate new docker.env file when initializing container for first time or in Heroku which does not have persistent volume
@ -59,6 +61,24 @@ init_env_file() {
  set +o allexport
 }

+setup_proxy_variables() {
+  export NO_PROXY="${NO_PROXY-localhost,127.0.0.1}"
+
+  # If one of HTTPS_PROXY or https_proxy are set, copy it to the other. If both are set, prefer HTTPS_PROXY.
+  if [[ -n ${HTTPS_PROXY-} ]]; then
+    export https_proxy="$HTTPS_PROXY"
+  elif [[ -n ${https_proxy-} ]]; then
+    export HTTPS_PROXY="$https_proxy"
+  fi
+
+  # If one of HTTP_PROXY or http_proxy are set, copy it to the other. If both are set, prefer HTTP_PROXY.
+  if [[ -n ${HTTP_PROXY-} ]]; then
+    export http_proxy="$HTTP_PROXY"
+  elif [[ -n ${http_proxy-} ]]; then
+    export HTTP_PROXY="$http_proxy"
+  fi
+}
+
 unset_unused_variables() {
  # Check for enviroment vairalbes
  echo "Checking environment configuration"
@ -172,6 +192,42 @@ mount_letsencrypt_directory() {
  ln -s /appsmith-stacks/letsencrypt /etc/letsencrypt
 }

+is_empty_directory() {
+  [[ -d $1 && -z "$(ls -A "$1")" ]]
+}
+
+check_setup_custom_ca_certificates() {
+  local stacks_ca_certs_path
+  stacks_ca_certs_path="$stacks_path/ca-certs"
+
+  local container_ca_certs_path
+  container_ca_certs_path="/usr/local/share/ca-certificates"
+
+  if [[ -d $stacks_ca_certs_path ]]; then
+    if [[ ! -L $container_ca_certs_path ]]; then
+      if is_empty_directory "$container_ca_certs_path"; then
+        rmdir -v "$container_ca_certs_path"
+      else
+        echo "The 'ca-certificates' directory inside the container is not empty. Please clear it and restart to use certs from 'stacks/ca-certs' directory." >&2
+        return
+      fi
+    fi
+
+    ln --verbose --force --symbolic --no-target-directory "$stacks_ca_certs_path" "$container_ca_certs_path"
+
+  elif [[ ! -e $container_ca_certs_path ]]; then
+    rm -vf "$container_ca_certs_path"  # If it exists as a broken symlink, this will be needed.
+    mkdir -v "$container_ca_certs_path"
+
+  fi
+
+  if [[ -n "$(ls "$stacks_ca_certs_path"/*.pem 2>/dev/null)" ]]; then
+    echo "Looks like you have some '.pem' files in your 'ca-certs' folder. Please rename them to '.crt' to be picked up autatically.".
+  fi
+
+  update-ca-certificates --fresh
+}
+
 configure_supervisord() {
  SUPERVISORD_CONF_PATH="/opt/appsmith/templates/supervisord"
  if [[ -n "$(ls -A /etc/supervisor/conf.d)" ]]; then
@ -218,19 +274,25 @@ check_redis_compatible_page_size() {

 # Main Section
 init_env_file
+setup_proxy_variables
 unset_unused_variables
+
 check_mongodb_uri
 if [[ -z "${DYNO}" ]]; then
  # Don't run MongoDB if running in a Heroku dyno.
  init_mongodb
  init_replica_set
-else 
+else
  # These functions are used to limit heap size for Backend process when deployed on Heroku
  get_maximum_heap
  setup_backend_heap_arg
 fi
+
+check_setup_custom_ca_certificates
 mount_letsencrypt_directory
+
 check_redis_compatible_page_size
+
 configure_supervisord

 CREDENTIAL_PATH="/etc/nginx/passwords"
--- a/deploy/docker/scripts/run-java.sh
+++ b/deploy/docker/scripts/run-java.sh
@ -1,4 +1,38 @@
 #!/bin/bash

+set -o errexit
+set -o pipefail
+set -o nounset
+
+http_proxy_host=""
+http_proxy_port=""
+https_proxy_host=""
+https_proxy_port=""
+
+if [[ ${HTTP_PROXY-} =~ ^http://(.*):(.*)$ ]]; then
+  http_proxy_host="${BASH_REMATCH[1]}"
+  http_proxy_port="${BASH_REMATCH[2]}"
+fi
+
+if [[ ${HTTPS_PROXY-} =~ ^http://(.*):(.*)$ ]]; then
+  https_proxy_host="${BASH_REMATCH[1]}"
+  https_proxy_port="${BASH_REMATCH[2]}"
+fi
+
+if ! isset NO_PROXY; then
+  # A default for this value is set in entrypoint.sh script.
+  NO_PROXY=""
+fi
+
 # Ref -Dlog4j2.formatMsgNoLookups=true https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
-exec java ${APPSMITH_JAVA_ARGS:-} ${APPSMITH_JAVA_HEAP_ARG:-} -Dserver.port=8080 -Djava.security.egd=file:/dev/./urandom -Dlog4j2.formatMsgNoLookups=true -jar server.jar
+exec java ${APPSMITH_JAVA_ARGS:-} ${APPSMITH_JAVA_HEAP_ARG:-} \
+  -Dserver.port=8080 \
+  -Djava.security.egd=file:/dev/./urandom \
+  -Dlog4j2.formatMsgNoLookups=true \
+  -Djava.net.useSystemProxies=true \
+  -Dhttp.proxyHost="$http_proxy_host" \
+  -Dhttp.proxyPort="$http_proxy_port" \
+  -Dhttps.proxyHost="$https_proxy_host" \
+  -Dhttps.proxyPort="$https_proxy_port" \
+  -Dhttp.nonProxyHosts="${NO_PROXY/,/|}" \
+  -jar server.jar