mirror of
https://github.com/immich-app/immich.git
synced 2025-01-16 16:56:46 +01:00
Feat #13555 add server cert field, similar to client cert
This commit is contained in:
parent
b9e98d2706
commit
5e498ecf84
5 changed files with 198 additions and 6 deletions
|
@ -163,6 +163,14 @@
|
||||||
"client_cert_remove_msg": "Client certificate is removed",
|
"client_cert_remove_msg": "Client certificate is removed",
|
||||||
"client_cert_subtitle": "Supports PKCS12 (.p12, .pfx) format only. Certificate Import/Remove is available only before login",
|
"client_cert_subtitle": "Supports PKCS12 (.p12, .pfx) format only. Certificate Import/Remove is available only before login",
|
||||||
"client_cert_title": "SSL Client Certificate",
|
"client_cert_title": "SSL Client Certificate",
|
||||||
|
"server_cert_dialog_msg_confirm": "OK",
|
||||||
|
"server_cert_import": "Import",
|
||||||
|
"server_cert_import_success_msg": "Server certificate is imported",
|
||||||
|
"server_cert_invalid_msg": "Invalid certificate file or wrong password",
|
||||||
|
"server_cert_remove": "Remove",
|
||||||
|
"server_cert_remove_msg": "Server certificate is removed",
|
||||||
|
"server_cert_subtitle": "Supports PKCS12 (.p12, .pfx) format only. Certificate Import/Remove is available only before login",
|
||||||
|
"server_cert_title": "SSL Server Certificate",
|
||||||
"common_add_to_album": "Add to album",
|
"common_add_to_album": "Add to album",
|
||||||
"common_change_password": "Change Password",
|
"common_change_password": "Change Password",
|
||||||
"common_create_new_album": "Create new album",
|
"common_create_new_album": "Create new album",
|
||||||
|
|
|
@ -173,6 +173,30 @@ class SSLClientCertStoreVal {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
class SSLServerCertStoreVal {
|
||||||
|
final Uint8List data;
|
||||||
|
|
||||||
|
SSLServerCertStoreVal(this.data);
|
||||||
|
|
||||||
|
void save() {
|
||||||
|
final b64Str = base64Encode(data);
|
||||||
|
Store.put(StoreKey.sslServerCertData, b64Str);
|
||||||
|
}
|
||||||
|
|
||||||
|
static SSLServerCertStoreVal? load() {
|
||||||
|
final b64Str = Store.tryGet<String>(StoreKey.sslServerCertData);
|
||||||
|
if (b64Str == null) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
final Uint8List certData = base64Decode(b64Str);
|
||||||
|
return SSLServerCertStoreVal(certData);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void delete() {
|
||||||
|
Store.delete(StoreKey.sslServerCertData);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
class StoreKeyNotFoundException implements Exception {
|
class StoreKeyNotFoundException implements Exception {
|
||||||
final StoreKey key;
|
final StoreKey key;
|
||||||
StoreKeyNotFoundException(this.key);
|
StoreKeyNotFoundException(this.key);
|
||||||
|
@ -199,6 +223,7 @@ enum StoreKey<T> {
|
||||||
backgroundBackup<bool>(14, type: bool),
|
backgroundBackup<bool>(14, type: bool),
|
||||||
sslClientCertData<String>(15, type: String),
|
sslClientCertData<String>(15, type: String),
|
||||||
sslClientPasswd<String>(16, type: String),
|
sslClientPasswd<String>(16, type: String),
|
||||||
|
sslServerCertData<String>(17, type: String),
|
||||||
// user settings from [AppSettingsEnum] below:
|
// user settings from [AppSettingsEnum] below:
|
||||||
loadPreview<bool>(100, type: bool),
|
loadPreview<bool>(100, type: bool),
|
||||||
loadOriginal<bool>(101, type: bool),
|
loadOriginal<bool>(101, type: bool),
|
||||||
|
|
|
@ -6,16 +6,26 @@ import 'package:logging/logging.dart';
|
||||||
class HttpSSLCertOverride extends HttpOverrides {
|
class HttpSSLCertOverride extends HttpOverrides {
|
||||||
static final Logger _log = Logger("HttpSSLCertOverride");
|
static final Logger _log = Logger("HttpSSLCertOverride");
|
||||||
final SSLClientCertStoreVal? _clientCert;
|
final SSLClientCertStoreVal? _clientCert;
|
||||||
|
final SSLServerCertStoreVal? _rootCert;
|
||||||
late final SecurityContext? _ctxWithCert;
|
late final SecurityContext? _ctxWithCert;
|
||||||
|
|
||||||
HttpSSLCertOverride() : _clientCert = SSLClientCertStoreVal.load() {
|
HttpSSLCertOverride() : _clientCert = SSLClientCertStoreVal.load(), _rootCert = SSLServerCertStoreVal.load() {
|
||||||
if (_clientCert != null) {
|
if (_clientCert != null || _rootCert != null) {
|
||||||
_ctxWithCert = SecurityContext(withTrustedRoots: true);
|
_ctxWithCert = SecurityContext(withTrustedRoots: true);
|
||||||
|
if (_clientCert != null) {
|
||||||
if (_ctxWithCert != null) {
|
if (_ctxWithCert != null) {
|
||||||
setClientCert(_ctxWithCert, _clientCert);
|
setClientCert(_ctxWithCert, _clientCert);
|
||||||
} else {
|
} else {
|
||||||
_log.severe("Failed to create security context with client cert!");
|
_log.severe("Failed to create security context with client cert!");
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
if (_rootCert != null) {
|
||||||
|
if (_ctxWithCert != null) {
|
||||||
|
setRootCert(_ctxWithCert, _rootCert);
|
||||||
|
} else {
|
||||||
|
_log.severe("Failed to create security context with server cert!");
|
||||||
|
}
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
_ctxWithCert = null;
|
_ctxWithCert = null;
|
||||||
}
|
}
|
||||||
|
@ -33,12 +43,26 @@ class HttpSSLCertOverride extends HttpOverrides {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool setRootCert(SecurityContext ctx, SSLServerCertStoreVal cert) {
|
||||||
|
try {
|
||||||
|
_log.info("Setting server certificate");
|
||||||
|
ctx.setTrustedCertificatesBytes(cert.data);
|
||||||
|
} catch (e) {
|
||||||
|
_log.severe("Failed to set SSL server cert: $e");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
@override
|
@override
|
||||||
HttpClient createHttpClient(SecurityContext? context) {
|
HttpClient createHttpClient(SecurityContext? context) {
|
||||||
if (context != null) {
|
if (context != null) {
|
||||||
if (_clientCert != null) {
|
if (_clientCert != null) {
|
||||||
setClientCert(context, _clientCert);
|
setClientCert(context, _clientCert);
|
||||||
}
|
}
|
||||||
|
if (_rootCert != null) {
|
||||||
|
setRootCert(context, _rootCert);
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
context = _ctxWithCert;
|
context = _ctxWithCert;
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,6 +14,7 @@ import 'package:immich_mobile/providers/user.provider.dart';
|
||||||
import 'package:immich_mobile/services/immich_logger.service.dart';
|
import 'package:immich_mobile/services/immich_logger.service.dart';
|
||||||
import 'package:immich_mobile/utils/http_ssl_cert_override.dart';
|
import 'package:immich_mobile/utils/http_ssl_cert_override.dart';
|
||||||
import 'package:immich_mobile/widgets/settings/ssl_client_cert_settings.dart';
|
import 'package:immich_mobile/widgets/settings/ssl_client_cert_settings.dart';
|
||||||
|
import 'package:immich_mobile/widgets/settings/ssl_server_cert_settings.dart';
|
||||||
import 'package:logging/logging.dart';
|
import 'package:logging/logging.dart';
|
||||||
|
|
||||||
class AdvancedSettings extends HookConsumerWidget {
|
class AdvancedSettings extends HookConsumerWidget {
|
||||||
|
@ -66,6 +67,7 @@ class AdvancedSettings extends HookConsumerWidget {
|
||||||
),
|
),
|
||||||
const CustomeProxyHeaderSettings(),
|
const CustomeProxyHeaderSettings(),
|
||||||
SslClientCertSettings(isLoggedIn: ref.read(currentUserProvider) != null),
|
SslClientCertSettings(isLoggedIn: ref.read(currentUserProvider) != null),
|
||||||
|
SslServerCertSettings(isLoggedIn: ref.read(currentUserProvider) != null),
|
||||||
];
|
];
|
||||||
|
|
||||||
return SettingsSubPageScaffold(settings: advancedSettings);
|
return SettingsSubPageScaffold(settings: advancedSettings);
|
||||||
|
|
133
mobile/lib/widgets/settings/ssl_server_cert_settings.dart
Normal file
133
mobile/lib/widgets/settings/ssl_server_cert_settings.dart
Normal file
|
@ -0,0 +1,133 @@
|
||||||
|
import 'dart:io';
|
||||||
|
|
||||||
|
import 'package:easy_localization/easy_localization.dart';
|
||||||
|
import 'package:file_picker/file_picker.dart';
|
||||||
|
import 'package:flutter/material.dart';
|
||||||
|
import 'package:flutter/services.dart';
|
||||||
|
import 'package:immich_mobile/entities/store.entity.dart';
|
||||||
|
import 'package:immich_mobile/extensions/build_context_extensions.dart';
|
||||||
|
import 'package:immich_mobile/extensions/theme_extensions.dart';
|
||||||
|
import 'package:immich_mobile/utils/http_ssl_cert_override.dart';
|
||||||
|
|
||||||
|
class SslServerCertSettings extends StatefulWidget {
|
||||||
|
const SslServerCertSettings({super.key, required this.isLoggedIn});
|
||||||
|
|
||||||
|
final bool isLoggedIn;
|
||||||
|
|
||||||
|
@override
|
||||||
|
State<StatefulWidget> createState() => _SslServerCertSettingsState();
|
||||||
|
}
|
||||||
|
|
||||||
|
class _SslServerCertSettingsState extends State<SslServerCertSettings> {
|
||||||
|
_SslServerCertSettingsState()
|
||||||
|
: isCertExist = SSLServerCertStoreVal.load() != null;
|
||||||
|
|
||||||
|
bool isCertExist;
|
||||||
|
|
||||||
|
@override
|
||||||
|
Widget build(BuildContext context) {
|
||||||
|
return ListTile(
|
||||||
|
contentPadding: const EdgeInsets.symmetric(horizontal: 20),
|
||||||
|
horizontalTitleGap: 20,
|
||||||
|
isThreeLine: true,
|
||||||
|
title: Text(
|
||||||
|
"server_cert_title".tr(),
|
||||||
|
style: context.textTheme.bodyLarge?.copyWith(
|
||||||
|
fontWeight: FontWeight.w500,
|
||||||
|
),
|
||||||
|
),
|
||||||
|
subtitle: Column(
|
||||||
|
crossAxisAlignment: CrossAxisAlignment.start,
|
||||||
|
children: [
|
||||||
|
Text(
|
||||||
|
"server_cert_subtitle".tr(),
|
||||||
|
style: context.textTheme.bodyMedium?.copyWith(
|
||||||
|
color: context.colorScheme.onSurfaceSecondary,
|
||||||
|
),
|
||||||
|
),
|
||||||
|
const SizedBox(
|
||||||
|
height: 6,
|
||||||
|
),
|
||||||
|
Row(
|
||||||
|
mainAxisSize: MainAxisSize.max,
|
||||||
|
mainAxisAlignment: MainAxisAlignment.center,
|
||||||
|
crossAxisAlignment: CrossAxisAlignment.center,
|
||||||
|
children: [
|
||||||
|
ElevatedButton(
|
||||||
|
onPressed: widget.isLoggedIn ? null : () => importCert(context),
|
||||||
|
child: Text("server_cert_import".tr()),
|
||||||
|
),
|
||||||
|
const SizedBox(
|
||||||
|
width: 15,
|
||||||
|
),
|
||||||
|
ElevatedButton(
|
||||||
|
onPressed: widget.isLoggedIn || !isCertExist
|
||||||
|
? null
|
||||||
|
: () => removeCert(context),
|
||||||
|
child: Text("server_cert_remove".tr()),
|
||||||
|
),
|
||||||
|
],
|
||||||
|
),
|
||||||
|
],
|
||||||
|
),
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
void showMessage(BuildContext context, String message) {
|
||||||
|
showDialog(
|
||||||
|
context: context,
|
||||||
|
builder: (ctx) => AlertDialog(
|
||||||
|
content: Text(message),
|
||||||
|
actions: [
|
||||||
|
TextButton(
|
||||||
|
onPressed: () => ctx.pop(),
|
||||||
|
child: Text("server_cert_dialog_msg_confirm".tr()),
|
||||||
|
),
|
||||||
|
],
|
||||||
|
),
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
void storeCert(BuildContext context, Uint8List data) {
|
||||||
|
final cert = SSLServerCertStoreVal(data);
|
||||||
|
// Test whether the certificate is valid
|
||||||
|
final isCertValid = HttpSSLCertOverride.setRootCert(
|
||||||
|
SecurityContext(withTrustedRoots: true),
|
||||||
|
cert,
|
||||||
|
);
|
||||||
|
if (!isCertValid) {
|
||||||
|
showMessage(context, "server_cert_invalid_msg".tr());
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
cert.save();
|
||||||
|
HttpOverrides.global = HttpSSLCertOverride();
|
||||||
|
setState(
|
||||||
|
() => isCertExist = true,
|
||||||
|
);
|
||||||
|
showMessage(context, "client_cert_import_success_msg".tr());
|
||||||
|
}
|
||||||
|
|
||||||
|
Future<void> importCert(BuildContext ctx) async {
|
||||||
|
FilePickerResult? res = await FilePicker.platform.pickFiles(
|
||||||
|
type: FileType.custom,
|
||||||
|
allowedExtensions: [
|
||||||
|
'p12',
|
||||||
|
'pfx',
|
||||||
|
],
|
||||||
|
);
|
||||||
|
if (res != null) {
|
||||||
|
File file = File(res.files.single.path!);
|
||||||
|
final data = await file.readAsBytes();
|
||||||
|
storeCert(context, data);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void removeCert(BuildContext context) {
|
||||||
|
SSLServerCertStoreVal.delete();
|
||||||
|
HttpOverrides.global = HttpSSLCertOverride();
|
||||||
|
setState(
|
||||||
|
() => isCertExist = false,
|
||||||
|
);
|
||||||
|
showMessage(context, "server_cert_remove_msg".tr());
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue