fix: cert expire refresh (#93)

Author: rentallect

src/channel/channel.js

@@ -377,7 +377,7 @@ module.exports = class ZitiChannel {
 
       case edge_protocol.content_type.StateClosed:
 
-        this._ctx.logger.warn("conn[%d] failed to connect", conn.getId());
+        this._ctx.logger.warn("conn[%d] failed to connect on ch[%d]", conn.getId(), this.getId());
         conn.setState(edge_protocol.conn_state.Closed);
         break;
 
@@ -1001,7 +1001,7 @@ module.exports = class ZitiChannel {
             if (len > 2000) {
               len = 2000;
             }
-            this._ctx.logger.debug("recv <- unencrypted_data (first 2000): %s", m1.substring(0, len));
+            this._ctx.logger.trace("recv <- unencrypted_data (first 2000): %s", m1.substring(0, len));
           } catch (e) { /* nop */ }
 
           bodyView = unencrypted_data.message;
@@ -1011,7 +1011,7 @@ module.exports = class ZitiChannel {
             len = 2000;
           }
           let dbgStr = String.fromCharCode.apply(null, bodyView).substring(0, len);
-          this._ctx.logger.debug("recv <- data (first 2000): %s", dbgStr);
+          this._ctx.logger.trace("recv <- data (first 2000): %s", dbgStr);
 
           //temp debugging
           // if (dbgStr.includes("var openMe = (window.parent")) {

src/client.js

@@ -548,7 +548,7 @@ zitiFetch = async ( url, opts ) => {
   });
 
   _internal_generateKeyPair();
-  _internal_isIdentityPresent();
+  let identyPresent = await _internal_isIdentityPresent();
 
   // We only want to intercept fetch requests that target the Ziti HTTP Agent
   var regex = new RegExp( zitiConfig.httpAgent.self.host, 'g' );
@@ -572,6 +572,12 @@ zitiFetch = async ( url, opts ) => {
             reject( err );
           });
         });
+
+        // Trigger a page reload now that we have a fresh identity
+        updb.relodingPage();
+        setTimeout(function(){ 
+          window.location.reload();
+        }, 500);
       }
 
     })
@@ -864,6 +870,14 @@ _internal_isIdentityPresent = async ( ) => {
       let cert = await ls.getWithExpiry(zitiConstants.get().ZITI_IDENTITY_CERT);
       if (!isNull( cert ) && !isUndefined( cert )) {
         identyPresent = true;
+      } else {
+        // If cert expired, purge any session data we might have
+        await ls.removeItem( zitiConstants.get().ZITI_API_SESSION_TOKEN );
+        await ls.removeItem( zitiConstants.get().ZITI_NETWORK_SESSIONS );
+        // and also reset the channels
+        if (!isUndefined(ziti._ctx)) {
+          ziti._ctx.closeAllChannels();
+        }
       }
     }
 
@@ -1026,11 +1040,18 @@ if (!zitiConfig.serviceWorker.active) {
     /**
      *  Service Worker registration
      */
-    navigator.serviceWorker.register('ziti-sw.js', {scope: './'} ).then( function() {
+    navigator.serviceWorker.register('ziti-sw.js', {scope: './'} ).then( function( reg ) {
 
         if (navigator.serviceWorker.controller) {
             // If .controller is set, then this page is being actively controlled by our service worker.
             console.log('The Ziti service worker is now registered.');
+
+            // (function checkForUpdatedServiceWorker() {
+            //   console.log('checking for updated service worker.');
+            //   reg.update();
+            //   setTimeout( checkForUpdatedServiceWorker, 1000 * 60 * 30 );
+            // })();
+
         } else {
             // If .controller isn't set, then prompt the user to reload the page so that the service worker can take
             // control. Until that happens, the service worker's fetch handler won't be used.

src/context/context.js

@@ -1028,7 +1028,7 @@ ZitiContext.prototype.getControllerChannel = function() {
 /**
  * Remain in lazy-sleepy loop until specified channel is connected.
  * 
- * @param {*} conn 
+ * @param {*} channel 
  */
 ZitiContext.prototype.awaitChannelConnectComplete = function(ch) {
   return new Promise((resolve) => {
@@ -1086,6 +1086,9 @@ ZitiContext.prototype.closeChannelByEdgeRouter = function( edgeRouter ) {
   this._channels.delete( edgeRouter );  
 }
 
+ZitiContext.prototype.closeAllChannels = function() {
+  this._channels = new Map();
+}
 
 ZitiContext.prototype.getServiceIdByDNSHostName = function(name) {
   let service_id = result(find(this._services, function(obj) {

src/enroll/enroller.js

@@ -388,6 +388,17 @@ ZitiEnroller.prototype.createEphemeralCert = async function() {
     let expiryTime = pkiUtil.getExpiryTimeFromCertificate(certificate);
     let expiryDate = new Date(expiryTime);
 
+    //
+    let becomesUsableTime = pkiUtil.getBecomesUsableTimeFromCertificate(certificate);
+    let becomesUsableTimeString = pkiUtil.getBecomesUsableStringFromCertificate(certificate);
+    let now = new Date();
+    let nowTime = now.getTime();
+    self.logger.info('controllerClient.createCurrentApiSessionCertificate returned cert with NotBefore time [%o][%o], it is now [%o][%o], difference of [%o]', becomesUsableTime, becomesUsableTimeString, nowTime, now, (nowTime-becomesUsableTime));
+    if (nowTime < becomesUsableTime) {
+      self.logger.error('controllerClient.createCurrentApiSessionCertificate returned cert with NotBefore IN THE FUTURE', becomesUsableTimeString);
+    }
+    //
+
     self.logger.debug('controllerClient.createCurrentApiSessionCertificate returned cert with expiryTime: [%o] expiryDate:[%o]', expiryTime, expiryDate);
 
     await ls.setWithExpiry(zitiConstants.get().ZITI_IDENTITY_CERT, certPEM, expiryTime);

src/ui/identity_modal/reloading_page_html.js

@@ -0,0 +1,60 @@
+/*
+Copyright 2019-2020 Netfoundry, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+const MicroModal = require('micromodal');
+const isNull                = require('lodash.isnull');
+const isUndefined           = require('lodash.isundefined');
+
+/**
+ *	Inject HTML needed for the 'Reloading Page' Modal.
+ *
+ */  
+exports.inject = () => {
+
+    let self = this;
+
+    htmlString = `
+        <div class="modal micromodal-slide" id="ziti-reloadingpage-modal" aria-hidden="true">
+            <div class="wrapper">
+                <form class="form-signin" name="zitireloadingpage" id="ziti-reloadingpage-form">
+                    <header class="modal__header">
+                        <h2 class="modal__title" id="modal-1-title">
+                            <img src="https://ziti-logo.s3.amazonaws.com/ziti-logo_avatar.png" width=25 >
+                            <span>
+                                Now Reloading App
+                            </span>
+                        </h2>
+                    </header>
+                    <div style="text-align: center; padding-top: 15px;">
+                        <span id="ziti-keypair-error" style="color: #e80853; font-weight: 800; font-size: 0.9em;"></span> 
+                    </div>    
+                    <div style="text-align: center; padding-top: 15px;">
+                        <span id="ziti-keypair-progress" style="color: #145fe9; font-weight: 800; font-size: 0.9em;">Please Stand By</span> 
+                    </div>
+                </form>
+            </div>
+        </div>
+    `;
+       
+    if (isNull(document.body) || isUndefined(document.body)) {
+        var body = document.createElement("body");
+        document.documentElement.appendChild(body);
+    }
+
+    document.body.insertAdjacentHTML('afterbegin', htmlString);        
+}
+  

src/updb/updb.js

@@ -43,6 +43,7 @@ let updbModalHTML;
 if (typeof window !== 'undefined') {
 identityModalCSS      = require('../ui/identity_modal/css');
 updbModalHTML     = require('../ui/identity_modal/updb_prompt_html');
+reloadingpageModalHTML = require('../ui/identity_modal/reloading_page_html');
 }
 
 
@@ -197,6 +198,39 @@ ZitiUPDB.prototype.promptForCreds = async function() {
 }
 
 
+/**
+ * Display 'Reloading Page'
+ * 
+ * @params  {nothing}   
+ * @returns {nothing}   
+ */
+ ZitiUPDB.prototype.relodingPage = function() {
+
+  let self = this;
+
+  if (typeof window !== 'undefined') {
+
+    identityModalCSS.inject();
+    reloadingpageModalHTML.inject();
+  
+    MicroModal.init({
+      onShow: modal => console.info(`${modal.id} is shown`), // [1]
+      onClose: modal => console.info(`${modal.id} is hidden`), // [2]
+      openTrigger: 'ziti-data-micromodal-trigger', // [3]
+      closeTrigger: 'data-custom-close', // [4]
+      openClass: 'is-open', // [5]
+      disableScroll: true, // [6]
+      disableFocus: false, // [7]
+      awaitOpenAnimation: false, // [8]
+      awaitCloseAnimation: true, // [9]
+      debugMode: false // [10]
+    });
+  
+    MicroModal.show('ziti-reloadingpage-modal');
+  }
+}
+
+
 /**
  * Prompt the user for their creds
  * 

src/utils/pki.js

@@ -123,3 +123,23 @@ exports.getExpiryTimeFromCertificate = (certificate) => {
 exports.getExpiryStringFromCertificate = (certificate) => {
     return certificate.notAfter.toSchema().toDate().toString();
 }
+
+
+/**
+ *	Return time (in millis) for when Certificate becomes usable
+ *
+ * @param {Buffer} certificateBuffer
+ */  
+ exports.getBecomesUsableTimeFromCertificate = (certificate) => {
+    return certificate.notBefore.toSchema().toDate().getTime();
+}
+
+
+/**
+ *	Return time (human-readable) for when Certificate becomes usable
+ *
+ * @param {Buffer} certificateBuffer
+ */  
+exports.getBecomesUsableStringFromCertificate = (certificate) => {
+    return certificate.notBefore.toSchema().toDate().toString();
+}