Support for custom certificate upload using plain text (#36)

Author: lucasdillmann

Makefile

@@ -5,7 +5,7 @@ SNAPSHOT_TAG_SUFFIX := $(if $(filter-out ,$(PR_ID)),$(if $(filter-out 0,$(PR_ID)
 
 .prerequisites:
 	go work sync
-	cd frontend/ && npm i
+	cd frontend/ && npm ci
 
 .frontend-check:
 	cd frontend/ && npm run check
@@ -85,6 +85,21 @@ format: .prerequisites
 	go tool gofumpt -w .
 	cd frontend/ && npx prettier --write .
 
+update-dependencies:
+	cd api && go get -u all
+	cd application && go get -u all
+	cd certificate/commons && go get -u all
+	cd certificate/custom && go get -u all
+	cd certificate/letsencrypt && go get -u all
+	cd certificate/selfsigned && go get -u all
+	cd core && go get -u all
+	cd database && go get -u all
+	cd integration/docker && go get -u all
+	cd integration/truenas && go get -u all
+	cd vpn/tailscale && go get -u all
+	go work sync
+	cd frontend && npm update
+
 .build-prerequisites: .prerequisites .build-frontend .build-backend
 
 build-release: .build-prerequisites .build-release-docker-image .build-distribution-files

api/go.mod

@@ -35,10 +35,10 @@ require (
 	github.com/ugorji/go/codec v1.3.1 // indirect
 	go.uber.org/mock v0.6.0 // indirect
 	golang.org/x/arch v0.23.0 // indirect
-	golang.org/x/crypto v0.43.0 // indirect
-	golang.org/x/net v0.46.0 // indirect
+	golang.org/x/crypto v0.44.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/text v0.30.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 )

certificate/custom/dynamic_fields.go

@@ -2,31 +2,106 @@ package custom
 
 import "dillmann.com.br/nginx-ignition/core/common/dynamicfields"
 
+const (
+	textFieldUploadModeID = "textField"
+	fileUploadModeID      = "fileUpload"
+)
+
 var (
-	publicKeyField = dynamicfields.DynamicField{
-		ID:          "publicKey",
+	uploadModeField = dynamicfields.DynamicField{
+		ID:          "uploadMode",
 		Priority:    0,
-		Description: "Certificate file (PEM encoded) with the public key",
+		Description: "Upload mode",
 		Required:    true,
 		Sensitive:   true,
-		Type:        dynamicfields.FileType,
+		Type:        dynamicfields.EnumType,
+		EnumOptions: &[]*dynamicfields.EnumOption{
+			{
+				ID:          textFieldUploadModeID,
+				Description: "PEM-encoded text",
+			},
+			{
+				ID:          fileUploadModeID,
+				Description: "PEM-encoded file",
+			},
+		},
+	}
+
+	publicKeyTextField = dynamicfields.DynamicField{
+		ID:          "publicKeyPem",
+		Priority:    1,
+		Description: "Public key",
+		Required:    true,
+		Sensitive:   true,
+		Type:        dynamicfields.MultiLineTextType,
+		Condition: &dynamicfields.Condition{
+			ParentField: uploadModeField.ID,
+			Value:       textFieldUploadModeID,
+		},
+	}
+
+	privateKeyTextField = dynamicfields.DynamicField{
+		ID:          "privateKeyPem",
+		Priority:    2,
+		Description: "Private key",
+		Required:    true,
+		Sensitive:   true,
+		Type:        dynamicfields.MultiLineTextType,
+		Condition: &dynamicfields.Condition{
+			ParentField: uploadModeField.ID,
+			Value:       textFieldUploadModeID,
+		},
+	}
+
+	certificationChainTextField = dynamicfields.DynamicField{
+		ID:          "certificationChainPem",
+		Priority:    3,
+		Description: "Certification chain",
+		Required:    false,
+		Sensitive:   true,
+		Type:        dynamicfields.MultiLineTextType,
+		Condition: &dynamicfields.Condition{
+			ParentField: uploadModeField.ID,
+			Value:       textFieldUploadModeID,
+		},
 	}
 
-	privateKeyField = dynamicfields.DynamicField{
-		ID:          "privateKey",
+	publicKeyFileField = dynamicfields.DynamicField{
+		ID:          "publicKeyFile",
 		Priority:    1,
-		Description: "Certificate file (PEM encoded) with the private key",
+		Description: "Public key",
 		Required:    true,
 		Sensitive:   true,
 		Type:        dynamicfields.FileType,
+		Condition: &dynamicfields.Condition{
+			ParentField: uploadModeField.ID,
+			Value:       fileUploadModeID,
+		},
 	}
 
-	certificationChainField = dynamicfields.DynamicField{
-		ID:          "certificationChain",
+	privateKeyFileField = dynamicfields.DynamicField{
+		ID:          "privateKeyFile",
 		Priority:    2,
-		Description: "Certification chain file (PEM encoded)",
+		Description: "Private key",
+		Required:    true,
+		Sensitive:   true,
+		Type:        dynamicfields.FileType,
+		Condition: &dynamicfields.Condition{
+			ParentField: uploadModeField.ID,
+			Value:       fileUploadModeID,
+		},
+	}
+
+	certificationChainFileField = dynamicfields.DynamicField{
+		ID:          "certificationChainFile",
+		Priority:    3,
+		Description: "Certification chain",
 		Required:    false,
 		Sensitive:   true,
 		Type:        dynamicfields.FileType,
+		Condition: &dynamicfields.Condition{
+			ParentField: uploadModeField.ID,
+			Value:       fileUploadModeID,
+		},
 	}
 )

certificate/custom/provider.go

@@ -32,9 +32,13 @@ func (p *Provider) Name() string {
 
 func (p *Provider) DynamicFields() []*dynamicfields.DynamicField {
 	return []*dynamicfields.DynamicField{
-		&publicKeyField,
-		&privateKeyField,
-		&certificationChainField,
+		&uploadModeField,
+		&publicKeyTextField,
+		&privateKeyTextField,
+		&certificationChainTextField,
+		&publicKeyFileField,
+		&privateKeyFileField,
+		&certificationChainFileField,
 	}
 }
 
@@ -48,24 +52,34 @@ func (p *Provider) Issue(_ context.Context, request *certificate.IssueRequest) (
 	}
 
 	params := request.Parameters
-	privateKeyStr, _ := params[privateKeyField.ID].(string)
-	publicKeyStr, _ := request.Parameters[publicKeyField.ID].(string)
-
-	chainStr, chainPresent := request.Parameters[certificationChainField.ID].(string)
+	fileUploadMode := params[uploadModeField.ID] == fileUploadModeID
+
+	var privateKeyStr, publicKeyStr, chainStr string
+	var chainPresent bool
+
+	if fileUploadMode {
+		privateKeyStr, _ = params[privateKeyFileField.ID].(string)
+		publicKeyStr, _ = params[publicKeyFileField.ID].(string)
+		chainStr, chainPresent = params[certificationChainFileField.ID].(string)
+	} else {
+		privateKeyStr, _ = params[privateKeyTextField.ID].(string)
+		publicKeyStr, _ = params[publicKeyTextField.ID].(string)
+		chainStr, chainPresent = params[certificationChainTextField.ID].(string)
+	}
 
-	privateKey, err := parsePrivateKey(privateKeyStr)
+	privateKey, err := parsePrivateKey(privateKeyStr, fileUploadMode)
 	if err != nil {
 		return nil, coreerror.New("Invalid private key", true)
 	}
 
-	publicKey, err := parseCertificate(publicKeyStr)
+	publicKey, err := parseCertificate(publicKeyStr, fileUploadMode)
 	if err != nil {
 		return nil, coreerror.New("Invalid public key", true)
 	}
 
 	var chain []*x509.Certificate
 	if chainPresent && chainStr != "" {
-		chain, err = parseCertificateChain(chainStr)
+		chain, err = parseCertificateChain(chainStr, fileUploadMode)
 		if err != nil {
 			return nil, coreerror.New("Invalid certification chain", true)
 		}
@@ -91,8 +105,8 @@ func (p *Provider) Renew(_ context.Context, cert *certificate.Certificate) (*cer
 	return cert, nil
 }
 
-func parsePrivateKey(key string) ([]byte, error) {
-	decodedKey, err := base64.StdEncoding.DecodeString(key)
+func parsePrivateKey(key string, base64Encoded bool) ([]byte, error) {
+	decodedKey, err := stringToByteArray(key, base64Encoded)
 	if err != nil {
 		return nil, coreerror.New("Failed to decode key", true)
 	}
@@ -105,8 +119,8 @@ func parsePrivateKey(key string) ([]byte, error) {
 	return block.Bytes, nil
 }
 
-func parseCertificate(cert string) (*x509.Certificate, error) {
-	decodedCert, err := base64.StdEncoding.DecodeString(cert)
+func parseCertificate(cert string, base64Encoded bool) (*x509.Certificate, error) {
+	decodedCert, err := stringToByteArray(cert, base64Encoded)
 	if err != nil {
 		return nil, coreerror.New("Failed to decode certificate", true)
 	}
@@ -119,8 +133,8 @@ func parseCertificate(cert string) (*x509.Certificate, error) {
 	return x509.ParseCertificate(block.Bytes)
 }
 
-func parseCertificateChain(chain string) ([]*x509.Certificate, error) {
-	decodedChain, err := base64.StdEncoding.DecodeString(chain)
+func parseCertificateChain(chain string, base64Encoded bool) ([]*x509.Certificate, error) {
+	decodedChain, err := stringToByteArray(chain, base64Encoded)
 	if err != nil {
 		return nil, coreerror.New("Failed to decode chain", true)
 	}
@@ -132,7 +146,7 @@ func parseCertificateChain(chain string) ([]*x509.Certificate, error) {
 		}
 
 		cert += "-----END CERTIFICATE-----"
-		parsedCert, err := parseCertificate(cert)
+		parsedCert, err := parseCertificate(cert, false)
 		if err != nil {
 			return nil, err
 		}
@@ -151,3 +165,11 @@ func encodeChain(chain []*x509.Certificate) []string {
 
 	return encodedChain
 }
+
+func stringToByteArray(value string, base64Encoded bool) ([]byte, error) {
+	if base64Encoded {
+		return base64.StdEncoding.DecodeString(value)
+	}
+
+	return []byte(value), nil
+}

core/host/validator.go

@@ -329,6 +329,8 @@ func (v *validator) validateExecuteCodeRoute(route *Route, index int) {
 }
 
 func (v *validator) validateVPNs(ctx context.Context, host *Host) error {
+	vpnNameUsage := make(map[uuid.UUID]map[string]int)
+
 	for index, value := range host.VPNs {
 		basePath := "vpns[" + strconv.Itoa(index) + "]"
 		vpnIdPath := basePath + ".vpnId"
@@ -343,6 +345,16 @@ func (v *validator) validateVPNs(ctx context.Context, host *Host) error {
 			continue
 		}
 
+		if vpnNameUsage[value.VPNID] == nil {
+			vpnNameUsage[value.VPNID] = make(map[string]int)
+		}
+
+		if vpnNameUsage[value.VPNID][value.Name] > 0 {
+			v.delegate.Add(namePath, "Name was already used before")
+		}
+
+		vpnNameUsage[value.VPNID][value.Name]++
+
 		vpnData, err := v.vpnCommands.Get(ctx, value.VPNID)
 		if err != nil {
 			return err

database/common/migrations/scripts/postgres/020_minor_fixes.up.sql

@@ -0,0 +1,2 @@
+alter table host_vpn drop constraint pk_host_vpn;
+alter table host_vpn add constraint pk_host_vpn primary key (host_id, vpn_id, name);

database/common/migrations/scripts/sqlite/020_minor_fixes.up.sql

@@ -0,0 +1,21 @@
+drop index idx_host_vpn_host_id;
+drop index idx_host_vpn_vpn_id;
+alter table host_vpn rename to host_vpn_old;
+
+create table host_vpn (
+    host_id uuid not null,
+    vpn_id  uuid not null,
+    name varchar(256) not null,
+    host varchar(256),
+    constraint pk_host_vpn primary key (host_id, vpn_id, name),
+    constraint fk_host_vpn_host foreign key (host_id) references host (id),
+    constraint fk_host_vpn_vpn foreign key (vpn_id) references vpn (id)
+);
+
+create index idx_host_vpn_host_id on host_vpn (host_id);
+create index idx_host_vpn_vpn_id on host_vpn (vpn_id);
+
+insert into host_vpn (host_id, vpn_id, name, host)
+    select host_id, vpn_id, name, host from host_vpn_old;
+
+drop table host_vpn_old;

database/go.mod

@@ -37,10 +37,10 @@ require (
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
-	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
+	golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 // indirect
 	golang.org/x/sync v0.18.0 // indirect
 	golang.org/x/sys v0.38.0 // indirect
-	modernc.org/libc v1.66.10 // indirect
+	modernc.org/libc v1.67.0 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 )