
feat: trust system ca #320 #397

Draft. Wants to merge 8 commits into base: master

Conversation

@siipimutteri commented Feb 25, 2023

Changelog

Added an option in the AWS SSO integration for trusting system CAs. Fixes #320.

Bugfixes

Enhancements

Users can opt in to use the system's CA certificate store instead of Node's built-in one for trusting custom CAs when using the AWS SSO integration.

Notes

Screenshot of the new opt-in setting in the "Add new integration" and Edit screens: [image]

Built with:

nvm use
npm install
cd packages/core
npm install
npm run build
cd ../desktop-app
npm install ../core
npm run build-and-run-dev

Test environment:
Create a small AWS EC2 t3.nano Ubuntu instance in a public subnet; use/create a key pair so you can log in with ssh
Allow 51820/UDP and 22/TCP in from your public IP
Log in to the EC2 instance with SSH: ssh -i ~/.ssh/your-key.pem ubuntu@<ec2 public ip>
Install mitmproxy:

wget https://snapshots.mitmproxy.org/9.0.1/mitmproxy-9.0.1-linux.tar.gz
tar xzf mitmproxy-9.0.1-linux.tar.gz

Start mitmproxy in transparent WireGuard mode: ./mitmweb --mode wireguard

Install WireGuard on your machine
Copy the WireGuard configuration from the EC2 machine's mitmproxy output, e.g.:

[Interface]
PrivateKey = 4G..U=
Address = 10.0.0.1/32
DNS = 10.0.0.53

[Peer]
PublicKey = Pq..4=
AllowedIPs = 0.0.0.0/0
Endpoint = 10.0.15.79:51820

Replace DNS with e.g. 1.1.1.1 and the Endpoint's IP with the EC2 public IP.
Activate the WireGuard connection and test AWS SSO login with Leapp. It should fail with a cert error.
Open the magical http://mitm.it address in your browser and add mitmproxy's CA as trusted, following the provided instructions.
Opt in to "Trust system CA" and test AWS SSO login again. It should work.

The CLI doesn't work, at least with the mitmproxy+WireGuard combo, and fails with a connection refused error. It's yet to be tested whether the issue also exists in other use cases.

Tests aren't written yet.

@siipimutteri siipimutteri changed the title 320 trust system ca feat: trust system ca #320 Feb 25, 2023
@andreacavagna01 andreacavagna01 marked this pull request as draft April 7, 2023 09:03
@andreacavagna01 (Contributor) commented:

Moving this PR to draft because there is still work to do before it can be accepted

@sonarqubecloud commented:

Kudos, SonarCloud Quality Gate passed!

Bugs: A (0 Bugs)
Vulnerabilities: A (0 Vulnerabilities)
Security Hotspots: A (0 Security Hotspots)
Code Smells: A (2 Code Smells)

No Coverage information
No Duplication information

Successfully merging this pull request may close these issues.

Self Signed Certs preventing Login
3 participants