1
0
Fork 0
mirror of https://github.com/immich-app/immich.git synced 2025-01-16 16:56:46 +01:00

Feat #13555 add server cert field, similar to client cert

This commit is contained in:
Cristóvão Gomes Ferreira (Personal) 2024-11-25 10:23:34 +00:00
parent b9e98d2706
commit 5e498ecf84
No known key found for this signature in database
5 changed files with 198 additions and 6 deletions

View file

@ -163,6 +163,14 @@
"client_cert_remove_msg": "Client certificate is removed", "client_cert_remove_msg": "Client certificate is removed",
"client_cert_subtitle": "Supports PKCS12 (.p12, .pfx) format only. Certificate Import/Remove is available only before login", "client_cert_subtitle": "Supports PKCS12 (.p12, .pfx) format only. Certificate Import/Remove is available only before login",
"client_cert_title": "SSL Client Certificate", "client_cert_title": "SSL Client Certificate",
"server_cert_dialog_msg_confirm": "OK",
"server_cert_import": "Import",
"server_cert_import_success_msg": "Server certificate is imported",
"server_cert_invalid_msg": "Invalid certificate file or wrong password",
"server_cert_remove": "Remove",
"server_cert_remove_msg": "Server certificate is removed",
"server_cert_subtitle": "Supports PKCS12 (.p12, .pfx) format only. Certificate Import/Remove is available only before login",
"server_cert_title": "SSL Server Certificate",
"common_add_to_album": "Add to album", "common_add_to_album": "Add to album",
"common_change_password": "Change Password", "common_change_password": "Change Password",
"common_create_new_album": "Create new album", "common_create_new_album": "Create new album",

View file

@ -173,6 +173,30 @@ class SSLClientCertStoreVal {
} }
} }
class SSLServerCertStoreVal {
final Uint8List data;
SSLServerCertStoreVal(this.data);
void save() {
final b64Str = base64Encode(data);
Store.put(StoreKey.sslServerCertData, b64Str);
}
static SSLServerCertStoreVal? load() {
final b64Str = Store.tryGet<String>(StoreKey.sslServerCertData);
if (b64Str == null) {
return null;
}
final Uint8List certData = base64Decode(b64Str);
return SSLServerCertStoreVal(certData);
}
static void delete() {
Store.delete(StoreKey.sslServerCertData);
}
}
class StoreKeyNotFoundException implements Exception { class StoreKeyNotFoundException implements Exception {
final StoreKey key; final StoreKey key;
StoreKeyNotFoundException(this.key); StoreKeyNotFoundException(this.key);
@ -199,6 +223,7 @@ enum StoreKey<T> {
backgroundBackup<bool>(14, type: bool), backgroundBackup<bool>(14, type: bool),
sslClientCertData<String>(15, type: String), sslClientCertData<String>(15, type: String),
sslClientPasswd<String>(16, type: String), sslClientPasswd<String>(16, type: String),
sslServerCertData<String>(17, type: String),
// user settings from [AppSettingsEnum] below: // user settings from [AppSettingsEnum] below:
loadPreview<bool>(100, type: bool), loadPreview<bool>(100, type: bool),
loadOriginal<bool>(101, type: bool), loadOriginal<bool>(101, type: bool),

View file

@ -6,16 +6,26 @@ import 'package:logging/logging.dart';
class HttpSSLCertOverride extends HttpOverrides { class HttpSSLCertOverride extends HttpOverrides {
static final Logger _log = Logger("HttpSSLCertOverride"); static final Logger _log = Logger("HttpSSLCertOverride");
final SSLClientCertStoreVal? _clientCert; final SSLClientCertStoreVal? _clientCert;
final SSLServerCertStoreVal? _rootCert;
late final SecurityContext? _ctxWithCert; late final SecurityContext? _ctxWithCert;
HttpSSLCertOverride() : _clientCert = SSLClientCertStoreVal.load() { HttpSSLCertOverride() : _clientCert = SSLClientCertStoreVal.load(), _rootCert = SSLServerCertStoreVal.load() {
if (_clientCert != null) { if (_clientCert != null || _rootCert != null) {
_ctxWithCert = SecurityContext(withTrustedRoots: true); _ctxWithCert = SecurityContext(withTrustedRoots: true);
if (_clientCert != null) {
if (_ctxWithCert != null) { if (_ctxWithCert != null) {
setClientCert(_ctxWithCert, _clientCert); setClientCert(_ctxWithCert, _clientCert);
} else { } else {
_log.severe("Failed to create security context with client cert!"); _log.severe("Failed to create security context with client cert!");
} }
}
if (_rootCert != null) {
if (_ctxWithCert != null) {
setRootCert(_ctxWithCert, _rootCert);
} else {
_log.severe("Failed to create security context with server cert!");
}
}
} else { } else {
_ctxWithCert = null; _ctxWithCert = null;
} }
@ -33,12 +43,26 @@ class HttpSSLCertOverride extends HttpOverrides {
return true; return true;
} }
static bool setRootCert(SecurityContext ctx, SSLServerCertStoreVal cert) {
try {
_log.info("Setting server certificate");
ctx.setTrustedCertificatesBytes(cert.data);
} catch (e) {
_log.severe("Failed to set SSL server cert: $e");
return false;
}
return true;
}
@override @override
HttpClient createHttpClient(SecurityContext? context) { HttpClient createHttpClient(SecurityContext? context) {
if (context != null) { if (context != null) {
if (_clientCert != null) { if (_clientCert != null) {
setClientCert(context, _clientCert); setClientCert(context, _clientCert);
} }
if (_rootCert != null) {
setRootCert(context, _rootCert);
}
} else { } else {
context = _ctxWithCert; context = _ctxWithCert;
} }

View file

@ -14,6 +14,7 @@ import 'package:immich_mobile/providers/user.provider.dart';
import 'package:immich_mobile/services/immich_logger.service.dart'; import 'package:immich_mobile/services/immich_logger.service.dart';
import 'package:immich_mobile/utils/http_ssl_cert_override.dart'; import 'package:immich_mobile/utils/http_ssl_cert_override.dart';
import 'package:immich_mobile/widgets/settings/ssl_client_cert_settings.dart'; import 'package:immich_mobile/widgets/settings/ssl_client_cert_settings.dart';
import 'package:immich_mobile/widgets/settings/ssl_server_cert_settings.dart';
import 'package:logging/logging.dart'; import 'package:logging/logging.dart';
class AdvancedSettings extends HookConsumerWidget { class AdvancedSettings extends HookConsumerWidget {
@ -66,6 +67,7 @@ class AdvancedSettings extends HookConsumerWidget {
), ),
const CustomeProxyHeaderSettings(), const CustomeProxyHeaderSettings(),
SslClientCertSettings(isLoggedIn: ref.read(currentUserProvider) != null), SslClientCertSettings(isLoggedIn: ref.read(currentUserProvider) != null),
SslServerCertSettings(isLoggedIn: ref.read(currentUserProvider) != null),
]; ];
return SettingsSubPageScaffold(settings: advancedSettings); return SettingsSubPageScaffold(settings: advancedSettings);

View file

@ -0,0 +1,133 @@
import 'dart:io';
import 'package:easy_localization/easy_localization.dart';
import 'package:file_picker/file_picker.dart';
import 'package:flutter/material.dart';
import 'package:flutter/services.dart';
import 'package:immich_mobile/entities/store.entity.dart';
import 'package:immich_mobile/extensions/build_context_extensions.dart';
import 'package:immich_mobile/extensions/theme_extensions.dart';
import 'package:immich_mobile/utils/http_ssl_cert_override.dart';
class SslServerCertSettings extends StatefulWidget {
const SslServerCertSettings({super.key, required this.isLoggedIn});
final bool isLoggedIn;
@override
State<StatefulWidget> createState() => _SslServerCertSettingsState();
}
class _SslServerCertSettingsState extends State<SslServerCertSettings> {
_SslServerCertSettingsState()
: isCertExist = SSLServerCertStoreVal.load() != null;
bool isCertExist;
@override
Widget build(BuildContext context) {
return ListTile(
contentPadding: const EdgeInsets.symmetric(horizontal: 20),
horizontalTitleGap: 20,
isThreeLine: true,
title: Text(
"server_cert_title".tr(),
style: context.textTheme.bodyLarge?.copyWith(
fontWeight: FontWeight.w500,
),
),
subtitle: Column(
crossAxisAlignment: CrossAxisAlignment.start,
children: [
Text(
"server_cert_subtitle".tr(),
style: context.textTheme.bodyMedium?.copyWith(
color: context.colorScheme.onSurfaceSecondary,
),
),
const SizedBox(
height: 6,
),
Row(
mainAxisSize: MainAxisSize.max,
mainAxisAlignment: MainAxisAlignment.center,
crossAxisAlignment: CrossAxisAlignment.center,
children: [
ElevatedButton(
onPressed: widget.isLoggedIn ? null : () => importCert(context),
child: Text("server_cert_import".tr()),
),
const SizedBox(
width: 15,
),
ElevatedButton(
onPressed: widget.isLoggedIn || !isCertExist
? null
: () => removeCert(context),
child: Text("server_cert_remove".tr()),
),
],
),
],
),
);
}
void showMessage(BuildContext context, String message) {
showDialog(
context: context,
builder: (ctx) => AlertDialog(
content: Text(message),
actions: [
TextButton(
onPressed: () => ctx.pop(),
child: Text("server_cert_dialog_msg_confirm".tr()),
),
],
),
);
}
void storeCert(BuildContext context, Uint8List data) {
final cert = SSLServerCertStoreVal(data);
// Test whether the certificate is valid
final isCertValid = HttpSSLCertOverride.setRootCert(
SecurityContext(withTrustedRoots: true),
cert,
);
if (!isCertValid) {
showMessage(context, "server_cert_invalid_msg".tr());
return;
}
cert.save();
HttpOverrides.global = HttpSSLCertOverride();
setState(
() => isCertExist = true,
);
showMessage(context, "client_cert_import_success_msg".tr());
}
Future<void> importCert(BuildContext ctx) async {
FilePickerResult? res = await FilePicker.platform.pickFiles(
type: FileType.custom,
allowedExtensions: [
'p12',
'pfx',
],
);
if (res != null) {
File file = File(res.files.single.path!);
final data = await file.readAsBytes();
storeCert(context, data);
}
}
void removeCert(BuildContext context) {
SSLServerCertStoreVal.delete();
HttpOverrides.global = HttpSSLCertOverride();
setState(
() => isCertExist = false,
);
showMessage(context, "server_cert_remove_msg".tr());
}
}