#RI-3728 - Base BE implementation. Import certs by plain values

#RI-3684 - Base BE implementation. Import certs from files

Author: Artem

redisinsight/api/src/common/utils/certificate-import.util.ts

@@ -0,0 +1,7 @@
+import { parse } from 'path';
+import { readFileSync } from 'fs';
+
+export const isValidPemCertificate = (cert: string): boolean => cert.startsWith('-----BEGIN CERTIFICATE-----');
+export const isValidPemPrivateKey = (cert: string): boolean => cert.startsWith('-----BEGIN PRIVATE KEY-----');
+export const getPemBodyFromFileSync = (path: string): string => readFileSync(path).toString('utf8');
+export const getCertNameFromFilename = (path: string): string => parse(path).name;

redisinsight/api/src/common/utils/index.ts

@@ -0,0 +1 @@
+export * from './certificate-import.util';

redisinsight/api/src/constants/error-messages.ts

@@ -17,6 +17,10 @@ export default {
   INCORRECT_CREDENTIALS: (url) => `Could not connect to ${url}, please check the Username or Password.`,
 
   CA_CERT_EXIST: 'This ca certificate name is already in use.',
+  INVALID_CA_BODY: 'Invalid CA body',
+  INVALID_CERTIFICATE_BODY: 'Invalid certificate body',
+  INVALID_PRIVATE_KEY: 'Invalid private key',
+  CERTIFICATE_NAME_IS_NOT_DEFINED: 'Certificate name is not defined',
   CLIENT_CERT_EXIST: 'This client certificate name is already in use.',
   INVALID_CERTIFICATE_ID: 'Invalid certificate id.',
   SENTINEL_MASTER_NAME_REQUIRED: 'Sentinel master name must be specified.',

redisinsight/api/src/modules/database-import/certificate-import.service.ts

@@ -0,0 +1,216 @@
+import { Injectable } from '@nestjs/common';
+import { CaCertificate } from 'src/modules/certificate/models/ca-certificate';
+import { InjectRepository } from '@nestjs/typeorm';
+import { CaCertificateEntity } from 'src/modules/certificate/entities/ca-certificate.entity';
+import { Repository } from 'typeorm';
+import { EncryptionService } from 'src/modules/encryption/encryption.service';
+import { ModelEncryptor } from 'src/modules/encryption/model.encryptor';
+import { ClientCertificate } from 'src/modules/certificate/models/client-certificate';
+import { ClientCertificateEntity } from 'src/modules/certificate/entities/client-certificate.entity';
+import { classToClass } from 'src/utils';
+import {
+  getCertNameFromFilename,
+  getPemBodyFromFileSync,
+  isValidPemCertificate,
+  isValidPemPrivateKey,
+} from 'src/common/utils';
+import {
+  InvalidCaCertificateBodyException, InvalidCertificateNameException,
+  InvalidClientCertificateBodyException, InvalidClientPrivateKeyException,
+} from 'src/modules/database-import/exceptions';
+
+@Injectable()
+export class CertificateImportService {
+  private caCertEncryptor: ModelEncryptor;
+
+  private clientCertEncryptor: ModelEncryptor;
+
+  constructor(
+    @InjectRepository(CaCertificateEntity)
+    private readonly caCertRepository: Repository<CaCertificateEntity>,
+    @InjectRepository(ClientCertificateEntity)
+    private readonly clientCertRepository: Repository<ClientCertificateEntity>,
+    private readonly encryptionService: EncryptionService,
+  ) {
+    this.caCertEncryptor = new ModelEncryptor(encryptionService, ['certificate']);
+    this.clientCertEncryptor = new ModelEncryptor(encryptionService, ['certificate', 'key']);
+  }
+
+  /**
+   * Validate data + prepare CA certificate to be imported along with new database
+   * @param cert
+   */
+  async processCaCertificate(cert: Partial<CaCertificate>): Promise<CaCertificate> {
+    let toImport: Partial<CaCertificate> = {
+      certificate: null,
+      name: cert.name,
+    };
+
+    if (isValidPemCertificate(cert.certificate)) {
+      toImport.certificate = cert.certificate;
+    } else {
+      try {
+        toImport.certificate = getPemBodyFromFileSync(cert.certificate);
+        toImport.name = getCertNameFromFilename(cert.certificate);
+      } catch (e) {
+        // ignore error
+        toImport = null;
+      }
+    }
+
+    if (!toImport?.certificate || !isValidPemCertificate(toImport.certificate)) {
+      throw new InvalidCaCertificateBodyException();
+    }
+
+    if (!toImport?.name) {
+      throw new InvalidCertificateNameException();
+    }
+
+    return this.prepareCaCertificateForImport(toImport);
+  }
+
+  /**
+   * Use existing certificate if found
+   * Generate unique name for new certificate
+   * @param cert
+   * @private
+   */
+  private async prepareCaCertificateForImport(cert: Partial<CaCertificate>): Promise<CaCertificate> {
+    const encryptedModel = await this.caCertEncryptor.encryptEntity(cert as CaCertificate);
+    const existing = await this.caCertRepository.createQueryBuilder('c')
+      .select('c.id')
+      .where({ certificate: cert.certificate })
+      .orWhere({ certificate: encryptedModel.certificate })
+      .getOne();
+
+    if (existing) {
+      return existing;
+    }
+
+    const name = await CertificateImportService.determineAvailableName(
+      cert.name,
+      this.caCertRepository,
+    );
+
+    return classToClass(CaCertificate, {
+      ...cert,
+      name,
+    });
+  }
+
+  /**
+   * Validate data + prepare CA certificate to be imported along with new database
+   * @param cert
+   */
+  async processClientCertificate(cert: Partial<ClientCertificateEntity>): Promise<ClientCertificate> {
+    const toImport: Partial<ClientCertificate> = {
+      certificate: null,
+      key: null,
+      name: cert.name,
+    };
+
+    if (isValidPemCertificate(cert.certificate)) {
+      toImport.certificate = cert.certificate;
+    } else {
+      try {
+        toImport.certificate = getPemBodyFromFileSync(cert.certificate);
+        toImport.name = getCertNameFromFilename(cert.certificate);
+      } catch (e) {
+        // ignore error
+        toImport.certificate = null;
+        toImport.name = null;
+      }
+    }
+
+    if (isValidPemPrivateKey(cert.key)) {
+      toImport.key = cert.key;
+    } else {
+      try {
+        toImport.key = getPemBodyFromFileSync(cert.key);
+      } catch (e) {
+        // ignore error
+        toImport.key = null;
+      }
+    }
+
+    if (!toImport?.certificate || !isValidPemCertificate(toImport.certificate)) {
+      throw new InvalidClientCertificateBodyException();
+    }
+
+    if (!toImport?.key || !isValidPemPrivateKey(toImport.key)) {
+      throw new InvalidClientPrivateKeyException();
+    }
+
+    if (!toImport?.name) {
+      throw new InvalidCertificateNameException();
+    }
+
+    return this.prepareClientCertificateForImport(toImport);
+  }
+
+  /**
+   * Use existing certificate if found
+   * Generate unique name for new certificate
+   * @param cert
+   * @private
+   */
+  private async prepareClientCertificateForImport(cert: Partial<ClientCertificate>): Promise<ClientCertificate> {
+    const encryptedModel = await this.clientCertEncryptor.encryptEntity(cert as ClientCertificate);
+    const existing = await this.clientCertRepository.createQueryBuilder('c')
+      .select('c.id')
+      .where({
+        certificate: cert.certificate,
+        key: cert.key,
+      })
+      .orWhere({
+        certificate: encryptedModel.certificate,
+        key: encryptedModel.key,
+      })
+      .getOne();
+
+    if (existing) {
+      return existing;
+    }
+
+    const name = await CertificateImportService.determineAvailableName(
+      cert.name,
+      this.clientCertRepository,
+    );
+
+    return classToClass(ClientCertificate, {
+      ...cert,
+      name,
+    });
+  }
+
+  /**
+   * Find available name for certificate using such pattern "{N}_{name}"
+   * @param originalName
+   * @param repository
+   */
+  static async determineAvailableName(originalName: string, repository: Repository<any>): Promise<string> {
+    let index = 0;
+
+    // temporary solution
+    // investigate how to make working "regexp" for sqlite
+    // https://github.com/kriasoft/node-sqlite/issues/55
+    // https://www.sqlite.org/c3ref/create_function.html
+    while (true) {
+      let name = originalName;
+
+      if (index) {
+        name = `${index}_${name}`;
+      }
+
+      if (!await repository
+        .createQueryBuilder('c')
+        .where({ name })
+        .select(['c.id'])
+        .getOne()) {
+        return name;
+      }
+
+      index += 1;
+    }
+  }
+}

redisinsight/api/src/modules/database-import/database-import.module.ts

@@ -2,11 +2,13 @@ import { Module } from '@nestjs/common';
 import { DatabaseImportController } from 'src/modules/database-import/database-import.controller';
 import { DatabaseImportService } from 'src/modules/database-import/database-import.service';
 import { DatabaseImportAnalytics } from 'src/modules/database-import/database-import.analytics';
+import { CertificateImportService } from 'src/modules/database-import/certificate-import.service';
 
 @Module({
   controllers: [DatabaseImportController],
   providers: [
     DatabaseImportService,
+    CertificateImportService,
     DatabaseImportAnalytics,
   ],
 })

redisinsight/api/src/modules/database-import/database-import.service.ts

@@ -21,6 +21,7 @@ import {
   UnableToParseDatabaseImportFileException,
 } from 'src/modules/database-import/exceptions';
 import { ValidationException } from 'src/common/exceptions';
+import { CertificateImportService } from 'src/modules/database-import/certificate-import.service';
 
 @Injectable()
 export class DatabaseImportService {
@@ -36,9 +37,17 @@ export class DatabaseImportService {
     ['port', ['port']],
     ['db', ['db']],
     ['isCluster', ['cluster']],
+    ['tls', ['tls', 'ssl']],
+    ['tlsServername', ['tlsServername', 'sni_name', 'sni_server_name']],
+    ['tlsCaName', ['caCert.name']],
+    ['tlsCaCert', ['caCert.certificate', 'sslOptions.ca', 'ssl_ca_cert_path']],
+    ['tlsClientName', ['clientCert.name']],
+    ['tlsClientCert', ['clientCert.certificate', 'sslOptions.cert', 'ssl_local_cert_path']],
+    ['tlsClientKey', ['clientCert.key', 'sslOptions.key', 'ssl_private_key_path']],
   ];
 
   constructor(
+    private readonly certificateImportService: CertificateImportService,
     private readonly databaseRepository: DatabaseRepository,
     private readonly analytics: DatabaseImportAnalytics,
   ) {}
@@ -115,6 +124,8 @@ export class DatabaseImportService {
    */
   private async createDatabase(item: any, index: number): Promise<DatabaseImportResult> {
     try {
+      let status = DatabaseImportStatus.Success;
+      const errors = [];
       const data: any = {};
 
       this.fieldsMapSchema.forEach(([field, paths]) => {
@@ -140,6 +151,33 @@ export class DatabaseImportService {
         data.connectionType = ConnectionType.STANDALONE;
       }
 
+      if (data?.tlsCaCert) {
+        try {
+          data.tls = true;
+          data.caCert = await this.certificateImportService.processCaCertificate({
+            certificate: data.tlsCaCert,
+            name: data?.tlsCaName,
+          });
+        } catch (e) {
+          status = DatabaseImportStatus.Partial;
+          errors.push(e);
+        }
+      }
+
+      if (data?.tlsClientCert || data?.tlsClientKey) {
+        try {
+          data.tls = true;
+          data.clientCert = await this.certificateImportService.processClientCertificate({
+            certificate: data.tlsClientCert,
+            key: data.tlsClientKey,
+            name: data?.tlsClientName,
+          });
+        } catch (e) {
+          status = DatabaseImportStatus.Partial;
+          errors.push(e);
+        }
+      }
+
       const dto = plainToClass(
         ImportDatabaseDto,
         // additionally replace empty strings ("") with null
@@ -148,6 +186,9 @@ export class DatabaseImportService {
             acc[key] = data[key] === '' ? null : data[key];
             return acc;
           }, {}),
+        {
+          groups: ['security'],
+        },
       );
 
       await this.validator.validateOrReject(dto, {
@@ -160,9 +201,10 @@ export class DatabaseImportService {
 
       return {
         index,
-        status: DatabaseImportStatus.Success,
+        status,
         host: database.host,
         port: database.port,
+        errors: errors?.length ? errors : undefined,
       };
     } catch (e) {
       let errors = [e];

redisinsight/api/src/modules/database-import/dto/import.database.dto.ts

@@ -1,13 +1,19 @@
-import { PickType } from '@nestjs/swagger';
+import { ApiPropertyOptional, getSchemaPath, PickType } from '@nestjs/swagger';
 import { Database } from 'src/modules/database/models/database';
 import { Expose, Type } from 'class-transformer';
 import {
-  IsInt, IsNotEmpty, Max, Min,
+  IsInt, IsNotEmpty, IsNotEmptyObject, IsOptional, Max, Min, ValidateNested,
 } from 'class-validator';
+import { caCertTransformer } from 'src/modules/certificate/transformers/ca-cert.transformer';
+import { CreateCaCertificateDto } from 'src/modules/certificate/dto/create.ca-certificate.dto';
+import { UseCaCertificateDto } from 'src/modules/certificate/dto/use.ca-certificate.dto';
+import { CreateClientCertificateDto } from 'src/modules/certificate/dto/create.client-certificate.dto';
+import { clientCertTransformer } from 'src/modules/certificate/transformers/client-cert.transformer';
+import { UseClientCertificateDto } from 'src/modules/certificate/dto/use.client-certificate.dto';
 
 export class ImportDatabaseDto extends PickType(Database, [
   'host', 'port', 'name', 'db', 'username', 'password',
-  'connectionType',
+  'connectionType', 'tls', 'verifyServerCert',
 ] as const) {
   @Expose()
   @IsNotEmpty()
@@ -16,4 +22,26 @@ export class ImportDatabaseDto extends PickType(Database, [
   @Min(0)
   @Max(65535)
   port: number;
+
+  @Expose()
+  @IsOptional()
+  @IsNotEmptyObject()
+  @Type(caCertTransformer)
+  @ValidateNested()
+  caCert?: CreateCaCertificateDto | UseCaCertificateDto;
+
+  @ApiPropertyOptional({
+    description: 'Client Certificate',
+    oneOf: [
+      { $ref: getSchemaPath(CreateClientCertificateDto) },
+      { $ref: getSchemaPath(UseCaCertificateDto) },
+    ],
+  })
+  @Expose()
+  @IsOptional()
+  @IsNotEmptyObject()
+  @Type(clientCertTransformer)
+  @ValidateNested()
+  clientCert?: CreateClientCertificateDto | UseClientCertificateDto;
+
 }