Validate rsa private key and certificate content format

src/lib/deploy/deploy-support.js

@@ -1,14 +1,15 @@
 'use strict';
 
 const fs = require('fs-extra');
+const path = require('path');
 const ram = require('../ram');
 const debug = require('debug')('fun:deploy');
 const promiseRetry = require('../retry');
 const getProfile = require('../profile').getProfile;
 
-const { green, red } = require('colors');
-const { processApiParameters } = require('./deploy-support-api');
-const { getCloudApiClient, getSlsClient, getMnsClient } = require('../client');
+const {green, red} = require('colors');
+const {processApiParameters} = require('./deploy-support-api');
+const {getCloudApiClient, getSlsClient, getMnsClient} = require('../client');
 
 const {
   getOtsClient,
@@ -75,7 +76,9 @@ async function makeLogstore({
         console.log(red(`\t\tretry ${times} times`));
 
         retry(ex);
-      } else { exists = false; }
+      } else {
+        exists = false;
+      }
     }
   });
 
@@ -153,7 +156,9 @@ async function slsProjectExist(slsClient, projectName) {
 
         console.log(red(`\tretry ${times} times`));
         retry(ex);
-      } else { projectExist = false; }
+      } else {
+        projectExist = false;
+      }
     }
   });
   return projectExist;
@@ -250,12 +255,50 @@ async function makeCustomDomain({
     let privateKey = certConfig.PrivateKey;
     let certificate = certConfig.Certificate;
 
-    if (privateKey && privateKey.endsWith('.pem')) {
-      certConfig.PrivateKey = await fs.readFile(privateKey, 'utf-8');
-    }
-    if (certificate && certificate.endsWith('.pem')) {
-      certConfig.Certificate = await fs.readFile(certificate, 'utf-8');
-    }
+    if (privateKey) {
+      //region resolve RSA private key content
+      let p = path.resolve(__dirname, privateKey);
+      // private key is provided by local file
+      if (fs.pathExistsSync(p)) {
+        certConfig.PrivateKey = fs.readFileSync(p, 'utf-8');
+      } // or it is hardcoded
+      //endregion
+
+      //region validate RSA private key content
+      let expectedPrefix = '-----BEGIN RSA PRIVATE KEY-----', expectedSuffix = '-----END RSA PRIVATE KEY-----';
+      if (!certConfig.PrivateKey.startsWith(expectedPrefix) || !certConfig.PrivateKey.endsWith(expectedSuffix)) {
+        throw new Error(red(`
+        Please provide a valid PEM encoded RSA private key for ${domainName}.
+        It's content MUST start with "${expectedPrefix}" AND end with "${expectedSuffix}".
+
+        See:
+        http://fileformats.archiveteam.org/wiki/PEM_encoded_RSA_private_key`));
+      }
+      //endregion
+    } // private key is not provided
+
+    if (certificate) {
+      //region resolve certificate content
+      let p = path.resolve(__dirname, certificate);
+      // certificate is provided by local file
+      if (fs.pathExistsSync(p)) {
+        certConfig.Certificate = fs.readFileSync(p, 'utf-8');
+      } // or it is hardcoded
+      //endregion
+
+      //region validate certificate content
+      let expectedPrefix = '-----BEGIN CERTIFICATE-----', expectedSuffix = '-----END CERTIFICATE-----';
+      if (!certConfig.Certificate.startsWith(expectedPrefix) || !certConfig.Certificate.endsWith(expectedSuffix)) {
+        throw new Error(red(`
+        Please provide a valid PEM encoded certificate for ${domainName}.
+        It's content MUST start with "${expectedPrefix}" AND end with "${expectedSuffix}".
+
+        See:
+        http://fileformats.archiveteam.org/wiki/PEM_encoded_certificate`));
+      }
+      //endregion
+    } // certificate is not provided
+
     Object.assign(options, {
       certConfig
     });
@@ -373,9 +416,11 @@ async function makeApi(group, {
         'requestPath': requestPath
       }, requestConfig);
 
-      const { apiRequestParameters,
+      const {
+        apiRequestParameters,
         apiServiceParameters,
-        apiServiceParametersMap } = processApiParameters(requestParameters, serviceParameters, serviceParametersMap);
+        apiServiceParametersMap
+      } = processApiParameters(requestParameters, serviceParameters, serviceParametersMap);
 
       const profile = await getProfile();
 
@@ -676,4 +721,4 @@ module.exports = {
   makeApiTrigger, makeSlsProject, makeOtsInstance,
   makeCustomDomain, makeLogstoreIndex, makeSlsAuto,
   listCustomDomains
-};
+};

test/fs-extra.test.js

@@ -0,0 +1,17 @@
+let fs = require('fs-extra');
+let path = require('path');
+const expect = require('expect.js');
+
+describe('fs-extra module Tests', function () {
+
+  it('should exists', function () {
+    let p = path.resolve(__dirname, '../LICENSE');
+    expect(fs.pathExistsSync(p)).to.be(true);
+    console.log(fs.readFileSync(p, 'utf-8'));
+  });
+
+  it('should not exists', function () {
+    let p = path.resolve(__dirname, '-----BEGIN RSA PRIVATE KEY-----');
+    expect(fs.pathExistsSync(p)).to.be(false);
+  });
+});