Envd support for custom CA

Author: sitole

packages/envd/internal/api/api.gen.go

@@ -8,7 +8,9 @@ import (
 	"io"
 	"net/http"
 	"net/netip"
+	"os"
 	"os/exec"
+	"path/filepath"
 	"sync"
 	"time"
 
@@ -215,6 +217,10 @@ func (a *API) SetData(ctx context.Context, logger zerolog.Logger, data PostInitJ
 		a.defaults.Workdir = data.DefaultWorkdir
 	}
 
+	if data.CaCertificates != nil && len(*data.CaCertificates) > 0 {
+		go a.installCACerts(context.WithoutCancel(ctx), *data.CaCertificates)
+	}
+
 	if data.VolumeMounts != nil {
 		var wg sync.WaitGroup
 		for _, volume := range *data.VolumeMounts {
@@ -253,6 +259,33 @@ func (a *API) setupNfs(ctx context.Context, nfsTarget, path string) {
 	}
 }
 
+// installCACerts writes PEM-encoded CA certificates to the system trust store
+// and runs update-ca-certificates once to make them trusted by all TLS clients.
+func (a *API) installCACerts(ctx context.Context, certs []CACertificate) {
+	certDir := a.certDir
+
+	if err := os.MkdirAll(certDir, 0o755); err != nil {
+		a.logger.Error().Err(err).Msg("failed to create ca-certificates directory")
+
+		return
+	}
+
+	for _, c := range certs {
+		// Use filepath.Base to strip any directory components from the name.
+		certPath := certDir + "/" + filepath.Base(c.Name) + ".crt"
+		if err := os.WriteFile(certPath, []byte(c.Cert), 0o644); err != nil {
+			a.logger.Error().Err(err).Str("name", c.Name).Msg("failed to write CA certificate")
+
+			return
+		}
+	}
+
+	data, err := exec.CommandContext(ctx, "update-ca-certificates").CombinedOutput()
+
+	logFn := a.getLogger(err)
+	logFn.Str("output", string(data)).Msg("update-ca-certificates")
+}
+
 func (a *API) SetupHyperloop(address string) {
 	a.hyperloopLock.Lock()
 	defer a.hyperloopLock.Unlock()

packages/envd/internal/api/init.go

@@ -2,6 +2,13 @@ package api
 
 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
 	"os"
 	"path/filepath"
 	"strings"
@@ -18,6 +25,29 @@ import (
 	utilsShared "github.com/e2b-dev/infra/packages/shared/pkg/utils"
 )
 
+// generateTestCACert creates a minimal self-signed CA certificate and returns
+// it as a PEM-encoded string. The cert is not written to disk.
+func generateTestCACert(t *testing.T) string {
+	t.Helper()
+
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	template := &x509.Certificate{
+		SerialNumber:          big.NewInt(1),
+		Subject:               pkix.Name{CommonName: "Test CA"},
+		NotBefore:             time.Now().Add(-time.Minute),
+		NotAfter:              time.Now().Add(time.Hour),
+		IsCA:                  true,
+		BasicConstraintsValid: true,
+	}
+
+	der, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
+	require.NoError(t, err)
+
+	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
+}
+
 func TestSimpleCases(t *testing.T) {
 	t.Parallel()
 	testCases := map[string]func(string) string{
@@ -585,3 +615,82 @@ func TestSetData(t *testing.T) {
 		assert.Equal(t, "value", val)
 	})
 }
+
+func TestInstallCACerts(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+
+	newAPIWithTempCertDir := func(t *testing.T) (*API, string) {
+		t.Helper()
+		api := newTestAPI(nil, &mockMMDSClient{})
+		api.certDir = t.TempDir()
+		return api, api.certDir
+	}
+
+	t.Run("writes single cert file with .crt extension", func(t *testing.T) {
+		t.Parallel()
+		api, certDir := newAPIWithTempCertDir(t)
+		certPEM := generateTestCACert(t)
+
+		api.installCACerts(ctx, []CACertificate{{Name: "my-proxy-ca", Cert: certPEM}})
+
+		content, err := os.ReadFile(filepath.Join(certDir, "my-proxy-ca.crt"))
+		require.NoError(t, err)
+		assert.Equal(t, certPEM, string(content))
+	})
+
+	t.Run("writes multiple cert files", func(t *testing.T) {
+		t.Parallel()
+		api, certDir := newAPIWithTempCertDir(t)
+		cert1 := generateTestCACert(t)
+		cert2 := generateTestCACert(t)
+
+		api.installCACerts(ctx, []CACertificate{
+			{Name: "ca-one", Cert: cert1},
+			{Name: "ca-two", Cert: cert2},
+		})
+
+		content, err := os.ReadFile(filepath.Join(certDir, "ca-one.crt"))
+		require.NoError(t, err)
+		assert.Equal(t, cert1, string(content))
+
+		content, err = os.ReadFile(filepath.Join(certDir, "ca-two.crt"))
+		require.NoError(t, err)
+		assert.Equal(t, cert2, string(content))
+	})
+
+	t.Run("strips directory traversal from name", func(t *testing.T) {
+		t.Parallel()
+		api, certDir := newAPIWithTempCertDir(t)
+		certPEM := generateTestCACert(t)
+
+		api.installCACerts(ctx, []CACertificate{{Name: "../../../etc/evil", Cert: certPEM}})
+
+		// filepath.Base("../../../etc/evil") == "evil", so the file lands inside certDir
+		content, err := os.ReadFile(filepath.Join(certDir, "evil.crt"))
+		require.NoError(t, err)
+		assert.Equal(t, certPEM, string(content))
+
+		// Nothing should have escaped the temp dir
+		_, err = os.ReadFile("/etc/evil.crt")
+		assert.True(t, os.IsNotExist(err))
+	})
+
+	t.Run("cert content is valid PEM", func(t *testing.T) {
+		t.Parallel()
+		api, certDir := newAPIWithTempCertDir(t)
+		certPEM := generateTestCACert(t)
+
+		api.installCACerts(ctx, []CACertificate{{Name: "valid-ca", Cert: certPEM}})
+
+		raw, err := os.ReadFile(filepath.Join(certDir, "valid-ca.crt"))
+		require.NoError(t, err)
+
+		block, _ := pem.Decode(raw)
+		require.NotNil(t, block, "expected valid PEM block in written file")
+		assert.Equal(t, "CERTIFICATE", block.Type)
+
+		_, err = x509.ParseCertificate(block.Bytes)
+		require.NoError(t, err, "expected parseable X.509 certificate")
+	})
+}

packages/envd/internal/api/init_test.go

@@ -37,8 +37,14 @@ type API struct {
 
 	lastSetTime *utils.AtomicMax
 	initLock    sync.Mutex
+
+	// certDir is the directory where CA certificates are written before
+	// update-ca-certificates is run. Overridable in tests.
+	certDir string
 }
 
+const systemCertDir = "/usr/local/share/ca-certificates"
+
 func New(l *zerolog.Logger, defaults *execcontext.Defaults, mmdsChan chan *host.MMDSOpts, isNotFC bool) *API {
 	return &API{
 		logger:      l,
@@ -48,6 +54,7 @@ func New(l *zerolog.Logger, defaults *execcontext.Defaults, mmdsChan chan *host.
 		mmdsClient:  &DefaultMMDSClient{},
 		lastSetTime: utils.NewAtomicMax(),
 		accessToken: &SecureToken{},
+		certDir:     systemCertDir,
 	}
 }
 

packages/envd/internal/api/store.go

@@ -1,3 +1,3 @@
 package pkg
 
-const Version = "0.5.8"
+const Version = "0.5.9"

packages/envd/pkg/version.go

@@ -64,6 +64,11 @@ paths:
                 defaultWorkdir:
                   type: string
                   description: The default working directory to use for operations
+                caCertificates:
+                  type: array
+                  description: CA certificates to install into the system trust store
+                  items:
+                    $ref: "#/components/schemas/CACertificate"
       responses:
         "204":
           description: Env vars set, the time and metadata is synced with the host
@@ -378,6 +383,20 @@ components:
         username:
           type: string
           description: User for setting ownership and resolving relative paths
+    CACertificate:
+      type: object
+      description: A CA certificate to install into the system trust store
+      additionalProperties: false
+      required:
+        - name
+        - cert
+      properties:
+        name:
+          type: string
+          description: Filename (without extension) for the certificate
+        cert:
+          type: string
+          description: PEM-encoded CA certificate
     VolumeMount:
       type: object
       description: Volume mount configuration