Remove optional x509 dependency.

Didn't compile on Node 10,
and was probably not widely used anyway.

Author: RubenVerborgh

CHANGELOG.md

@@ -9,8 +9,6 @@
 - Fix the use of allow handler.
 - Misc. cleanups and improvements.
 - Add .well-known folder and set up with public access.
-- Node.js 8 is required, Node.js 10 will also work, except for the
-  x509 optional dependency, which is only needed in corner cases.
 
 ## 4.0.0
 - OIDC is now supported as authentication method in addition to WebID-TLS.

README.md

@@ -166,7 +166,6 @@ $ solid start --help
     --config-path [value]
     --db-path [value]
     --auth [value]                Pick an authentication strategy for WebID: `tls` or `oidc`
-    --certificate-header [value]
     --owner [value]               Set the owner of the storage (overwrites the root ACL file)
     --ssl-key [value]             Path to the SSL private key in PEM format
     --ssl-cert [value]            Path to the SSL certificate key in PEM format

bin/lib/options.js

@@ -81,12 +81,6 @@ module.exports = [
       return answers.webid
     }
   },
-  {
-    name: 'certificate-header',
-    question: 'Accept client certificates through this HTTP header (for reverse proxies)',
-    default: '',
-    prompt: false
-  },
   {
     name: 'useOwner',
     question: 'Do you already have a WebID?',

lib/api/authn/webid-tls.js

@@ -1,14 +1,8 @@
 const webid = require('webid/tls')
 const debug = require('../../debug').authentication
-let x509 // optional dependency, load lazily
-
-const CERTIFICATE_MATCHER = /^-----BEGIN CERTIFICATE-----\n(?:[A-Za-z0-9+/=]+\n)+-----END CERTIFICATE-----$/m
 
 function initialize (app, argv) {
   app.use('/', handler)
-  if (argv.certificateHeader) {
-    app.locals.certificateHeader = argv.certificateHeader.toLowerCase()
-  }
 }
 
 function handler (req, res, next) {
@@ -20,7 +14,7 @@ function handler (req, res, next) {
   }
 
   // No certificate? skip
-  const certificate = getCertificateViaTLS(req) || getCertificateViaHeader(req)
+  const certificate = getCertificateViaTLS(req)
   if (!certificate) {
     setEmptySession(req)
     return next()
@@ -50,47 +44,6 @@ function getCertificateViaTLS (req) {
   debug('No peer certificate received during TLS handshake.')
 }
 
-// Tries to obtain a client certificate retrieved through an HTTP header
-function getCertificateViaHeader (req) {
-  // Only allow header-based certificates if explicitly enabled
-  const headerName = req.app.locals.certificateHeader
-  if (!headerName) return
-
-  // Try to retrieve the certificate from the header
-  const header = req.headers[headerName]
-  if (!header) {
-    return debug(`No certificate received through the ${headerName} header.`)
-  }
-  // The certificate's newlines have been replaced by tabs
-  // in order to fit in an HTTP header (NGINX does this automatically)
-  const rawCertificate = header.replace(/\t/g, '\n')
-
-  // Ensure the header contains a valid certificate
-  // (x509 unsafely interprets it as a file path otherwise)
-  if (!CERTIFICATE_MATCHER.test(rawCertificate)) {
-    return debug(`Invalid value for the ${headerName} header.`)
-  }
-
-  // Parse and convert the certificate to the format the webid library expects
-  if (!x509) {
-    try {
-      x509 = require('x509')
-    } catch (e) {
-      x509 = { parseCert: () => { throw new Error() } }
-    }
-  }
-  try {
-    const { publicKey, extensions } = x509.parseCert(rawCertificate)
-    return {
-      modulus: publicKey.n,
-      exponent: '0x' + parseInt(publicKey.e, 10).toString(16),
-      subjectaltname: extensions && extensions.subjectAlternativeName
-    }
-  } catch (error) {
-    debug(`Invalid certificate received through the ${headerName} header.`)
-  }
-}
-
 function setEmptySession (req) {
   req.session.userId = ''
 }

lib/create-server.js

@@ -34,8 +34,7 @@ function createServer (argv, app) {
   }
 
   let server
-  const needsTLS = argv.sslKey || argv.sslCert ||
-                 (ldp.webid || ldp.multiuser) && !argv.certificateHeader
+  const needsTLS = argv.sslKey || argv.sslCert
   if (!needsTLS) {
     server = http.createServer(app)
   } else {

package-lock.json

@@ -73,9 +73,6 @@
     "vhost": "^3.0.2",
     "webid": "^0.3.10"
   },
-  "optionalDependencies": {
-    "x509": "^0.3.2"
-  },
   "devDependencies": {
     "@trust/oidc-op": "^0.3.0",
     "chai": "^3.5.0",

package.json

@@ -936,107 +936,3 @@ describe('ACL with WebID+TLS', function () {
     })
   })
 })
-
-describe('ACL with WebID through X-SSL-Cert', function () {
-  let hasX509
-  try {
-    require('x509')
-    hasX509 = true
-  } catch (error) {
-    hasX509 = false
-  }
-
-  var ldpHttpsServer
-  before(function (done) {
-    const ldp = ldnode.createServer({
-      mount: '/test',
-      root: rootPath,
-      webid: true,
-      auth: 'tls',
-      certificateHeader: 'X-SSL-Cert'
-    })
-    ldpHttpsServer = ldp.listen(3456, done)
-  })
-
-  after(function () {
-    if (ldpHttpsServer) ldpHttpsServer.close()
-    fs.removeSync(path.join(rootPath, 'index.html'))
-    fs.removeSync(path.join(rootPath, 'index.html.acl'))
-  })
-
-  function prepareRequest (certHeader, setResponse) {
-    return done => {
-      const options = {
-        url: address.replace('https', 'http') + '/acl-tls/write-acl/.acl',
-        headers: { 'X-SSL-Cert': certHeader }
-      }
-      request(options, function (error, response) {
-        setResponse(response)
-        done(error)
-      })
-    }
-  }
-
-  describe('without certificate', function () {
-    var response
-    before(prepareRequest('', res => { response = res }))
-
-    it('should return 401', function () {
-      assert.propertyVal(response, 'statusCode', 401)
-    })
-  })
-
-  describe('with a valid certificate', function () {
-    // Escape certificate for usage in HTTP header
-    const escapedCert = userCredentials.user1.cert.toString()
-                        .replace(/\n/g, '\t')
-
-    var response
-    before(prepareRequest(escapedCert, res => { response = res }))
-
-    it('should return 200', function () {
-      hasX509 || this.skip()
-      assert.propertyVal(response, 'statusCode', 200)
-    })
-
-    it('should set the User header', function () {
-      hasX509 || this.skip()
-      assert.propertyVal(response.headers, 'user', 'https://user1.databox.me/profile/card#me')
-    })
-  })
-
-  describe('with a local filename as certificate', function () {
-    const certFile = path.join(__dirname, '../keys/user1-cert.pem')
-
-    var response
-    before(prepareRequest(certFile, res => { response = res }))
-
-    it('should return 401', function () {
-      assert.propertyVal(response, 'statusCode', 401)
-    })
-  })
-
-  describe('with an invalid certificate value', function () {
-    var response
-    before(prepareRequest('xyz', res => { response = res }))
-
-    it('should return 401', function () {
-      assert.propertyVal(response, 'statusCode', 401)
-    })
-  })
-
-  describe('with an invalid certificate', function () {
-    const invalidCert =
-`-----BEGIN CERTIFICATE-----
-ABCDEF
------END CERTIFICATE-----`
-    .replace(/\n/g, '\t')
-
-    var response
-    before(prepareRequest(invalidCert, res => { response = res }))
-
-    it('should return 401', function () {
-      assert.propertyVal(response, 'statusCode', 401)
-    })
-  })
-})