Added Server Cert Caching to Updater Script
192
Update.ps1
192
Update.ps1
@@ -313,158 +313,29 @@ function Resolve-BorealisServerUrl {
|
|||||||
return $builder.Uri.AbsoluteUri.TrimEnd('/')
|
return $builder.Uri.AbsoluteUri.TrimEnd('/')
|
||||||
}
|
}
|
||||||
|
|
||||||
function Get-BorealisCertificateCandidates {
|
function Get-AgentCertificateCachePath {
|
||||||
param(
|
param(
|
||||||
[string]$AgentRoot
|
[string]$AgentRoot
|
||||||
)
|
)
|
||||||
|
|
||||||
$paths = @()
|
$settingsDir = Get-AgentSettingsDirectory -AgentRoot $AgentRoot
|
||||||
if ($env:BOREALIS_ROOT_CA_PATH) {
|
if (-not $settingsDir) { return '' }
|
||||||
$paths += $env:BOREALIS_ROOT_CA_PATH
|
return (Join-Path $settingsDir 'server_certificate.crt')
|
||||||
}
|
|
||||||
if ($AgentRoot) {
|
|
||||||
$paths += (Join-Path $AgentRoot 'Certificates\borealis-root-ca.pem')
|
|
||||||
$paths += (Join-Path $AgentRoot 'Certificates\engine-root-ca.pem')
|
|
||||||
$paths += (Join-Path $AgentRoot 'Certificates\borealis-server-bundle.pem')
|
|
||||||
$paths += (Join-Path $AgentRoot 'Certificates\Agent\Trusted_Server_Cert\server_certificate.pem')
|
|
||||||
$paths += (Join-Path $AgentRoot 'Certificates\Agent\Trusted_Server_Cert\server_bundle.pem')
|
|
||||||
$paths += (Join-Path $AgentRoot 'Settings\server_certificate.pem')
|
|
||||||
}
|
|
||||||
if ($AgentRoot) {
|
|
||||||
$paths += (Join-Path $AgentRoot 'Trusted_Server_Cert\server_certificate.pem')
|
|
||||||
$paths += (Join-Path $AgentRoot 'Trusted_Server_Cert\server_bundle.pem')
|
|
||||||
$agentParent = ''
|
|
||||||
try { $agentParent = Split-Path $AgentRoot -Parent } catch { $agentParent = '' }
|
|
||||||
if ($agentParent) {
|
|
||||||
$paths += (Join-Path $agentParent 'Certificates\Agent\Trusted_Server_Cert\server_certificate.pem')
|
|
||||||
$paths += (Join-Path $agentParent 'Certificates\Agent\Trusted_Server_Cert\server_bundle.pem')
|
|
||||||
}
|
|
||||||
}
|
|
||||||
$paths += (Join-Path $scriptDir 'Engine\Certificates\borealis-root-ca.pem')
|
|
||||||
$paths += (Join-Path $scriptDir 'Engine\Certificates\borealis-server-bundle.pem')
|
|
||||||
$paths += (Join-Path $scriptDir 'Certificates\borealis-root-ca.pem')
|
|
||||||
$paths += (Join-Path $scriptDir 'Certificates\Agent\Trusted_Server_Cert\server_certificate.pem')
|
|
||||||
$paths += (Join-Path $scriptDir 'Certificates\Agent\Trusted_Server_Cert\server_bundle.pem')
|
|
||||||
$paths += (Join-Path $scriptDir 'Agent\Certificates\Agent\Trusted_Server_Cert\server_certificate.pem')
|
|
||||||
$paths += (Join-Path $scriptDir 'Agent\Certificates\Agent\Trusted_Server_Cert\server_bundle.pem')
|
|
||||||
$paths += (Join-Path $scriptDir 'Agent\Borealis\Settings\server_certificate.pem')
|
|
||||||
$paths += (Join-Path $scriptDir 'Data\Agent\Certificates\Agent\Trusted_Server_Cert\server_certificate.pem')
|
|
||||||
$paths += (Join-Path $scriptDir 'Data\Agent\Certificates\Agent\Trusted_Server_Cert\server_bundle.pem')
|
|
||||||
$paths += (Join-Path $scriptDir 'Data\Engine\Certificates\borealis-root-ca.pem')
|
|
||||||
|
|
||||||
$programData = $env:ProgramData
|
|
||||||
if ($programData) {
|
|
||||||
$paths += (Join-Path $programData 'Borealis\Certificates\Agent\Trusted_Server_Cert\server_certificate.pem')
|
|
||||||
$paths += (Join-Path $programData 'Borealis\Certificates\Agent\Trusted_Server_Cert\server_bundle.pem')
|
|
||||||
}
|
|
||||||
$localApp = $env:LOCALAPPDATA
|
|
||||||
if ($localApp) {
|
|
||||||
$paths += (Join-Path $localApp 'Borealis\Certificates\Agent\Trusted_Server_Cert\server_certificate.pem')
|
|
||||||
$paths += (Join-Path $localApp 'Borealis\Certificates\Agent\Trusted_Server_Cert\server_bundle.pem')
|
|
||||||
}
|
|
||||||
$commonApp = $env:COMMONAPPDATA
|
|
||||||
if ($commonApp) {
|
|
||||||
$paths += (Join-Path $commonApp 'Borealis\Certificates\Agent\Trusted_Server_Cert\server_certificate.pem')
|
|
||||||
$paths += (Join-Path $commonApp 'Borealis\Certificates\Agent\Trusted_Server_Cert\server_bundle.pem')
|
|
||||||
}
|
|
||||||
|
|
||||||
return $paths | Where-Object { $_ } | Select-Object -Unique
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function Get-BorealisCertificatePaths {
|
function Get-ExistingServerCertificatePath {
|
||||||
param(
|
param(
|
||||||
[string]$AgentRoot
|
[string]$AgentRoot
|
||||||
)
|
)
|
||||||
|
|
||||||
$paths = @()
|
$path = Get-AgentCertificateCachePath -AgentRoot $AgentRoot
|
||||||
$existing = @()
|
if ($path -and (Test-Path $path -PathType Leaf)) {
|
||||||
foreach ($candidate in (Get-BorealisCertificateCandidates -AgentRoot $AgentRoot)) {
|
return $path
|
||||||
$exists = $false
|
|
||||||
try { $exists = Test-Path $candidate -PathType Leaf } catch {}
|
|
||||||
if ($exists) {
|
|
||||||
$existing += $candidate
|
|
||||||
$paths += $candidate
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($paths.Count -eq 0) {
|
|
||||||
$searchRoots = @()
|
|
||||||
if ($AgentRoot) { $searchRoots += $AgentRoot }
|
|
||||||
$searchRoots += $scriptDir
|
|
||||||
$searchRoots = $searchRoots | Where-Object { $_ } | Select-Object -Unique
|
|
||||||
foreach ($root in $searchRoots) {
|
|
||||||
try {
|
|
||||||
if (-not (Test-Path $root -PathType Container)) { continue }
|
|
||||||
Write-UpdateLog ("Scanning {0} for server certificate bundles." -f $root) 'DEBUG'
|
|
||||||
$filters = @('server_certificate.pem','server_bundle.pem','borealis-root-ca.pem','engine-root-ca.pem')
|
|
||||||
foreach ($filter in $filters) {
|
|
||||||
$foundCerts = Get-ChildItem -Path $root -Recurse -Filter $filter -ErrorAction SilentlyContinue -File
|
|
||||||
foreach ($item in $foundCerts) {
|
|
||||||
if ($item -and ($paths -notcontains $item.FullName)) {
|
|
||||||
$paths += $item.FullName
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if ($paths.Count -gt 0) { break }
|
|
||||||
}
|
|
||||||
if ($paths.Count -gt 0) { break }
|
|
||||||
} catch {}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
Write-UpdateLog ("Resolved {0} TLS certificate candidate(s)." -f ($paths.Count)) 'DEBUG'
|
|
||||||
return $paths
|
|
||||||
}
|
|
||||||
|
|
||||||
function Get-BorealisTrustBundlePath {
|
|
||||||
param(
|
|
||||||
[string]$AgentRoot
|
|
||||||
)
|
|
||||||
|
|
||||||
$paths = Get-BorealisCertificatePaths -AgentRoot $AgentRoot
|
|
||||||
if ($paths -and $paths.Count -gt 0) {
|
|
||||||
Write-UpdateLog ("Using TLS trust bundle: {0}" -f $paths[0]) 'DEBUG'
|
|
||||||
return $paths[0]
|
|
||||||
}
|
|
||||||
Write-UpdateLog "No TLS trust bundle located; HTTPS requests will rely on system store." 'WARN'
|
|
||||||
return ''
|
return ''
|
||||||
}
|
}
|
||||||
|
|
||||||
function Get-AgentCertificateDirectory {
|
function Save-ServerCertificateCache {
|
||||||
param(
|
|
||||||
[string]$AgentRoot
|
|
||||||
)
|
|
||||||
|
|
||||||
$envRoot = $env:BOREALIS_AGENT_CERT_ROOT
|
|
||||||
if ($envRoot) {
|
|
||||||
return $envRoot
|
|
||||||
}
|
|
||||||
|
|
||||||
$envCertRoot = $env:BOREALIS_CERTIFICATES_ROOT
|
|
||||||
if (-not $envCertRoot) { $envCertRoot = $env:BOREALIS_CERT_ROOT }
|
|
||||||
if ($envCertRoot) {
|
|
||||||
return (Join-Path $envCertRoot 'Agent')
|
|
||||||
}
|
|
||||||
|
|
||||||
$settingsDir = Get-AgentSettingsDirectory -AgentRoot $AgentRoot
|
|
||||||
$candidate = $settingsDir
|
|
||||||
for ($i = 0; $i -lt 3; $i++) {
|
|
||||||
if (-not $candidate) { break }
|
|
||||||
$parent = Split-Path -Path $candidate -Parent
|
|
||||||
if (-not $parent) { break }
|
|
||||||
$candidate = $parent
|
|
||||||
}
|
|
||||||
|
|
||||||
if (-not $candidate) {
|
|
||||||
$candidate = Split-Path -Path $settingsDir -Parent
|
|
||||||
}
|
|
||||||
if (-not $candidate) {
|
|
||||||
$candidate = $scriptDir
|
|
||||||
}
|
|
||||||
|
|
||||||
return (Join-Path $candidate 'Certificates\Agent')
|
|
||||||
}
|
|
||||||
|
|
||||||
function Save-BorealisServerCertificate {
|
|
||||||
param(
|
param(
|
||||||
[string]$AgentRoot,
|
[string]$AgentRoot,
|
||||||
[string]$CertificatePem
|
[string]$CertificatePem
|
||||||
@@ -474,28 +345,27 @@ function Save-BorealisServerCertificate {
|
|||||||
return ''
|
return ''
|
||||||
}
|
}
|
||||||
|
|
||||||
$baseDir = Get-AgentCertificateDirectory -AgentRoot $AgentRoot
|
$targetPath = Get-AgentCertificateCachePath -AgentRoot $AgentRoot
|
||||||
if (-not $baseDir) {
|
if (-not $targetPath) {
|
||||||
return ''
|
return ''
|
||||||
}
|
}
|
||||||
|
|
||||||
$targetDir = Join-Path $baseDir 'Trusted_Server_Cert'
|
$targetDir = Split-Path -Path $targetPath -Parent
|
||||||
try {
|
try {
|
||||||
if (-not (Test-Path $targetDir -PathType Container)) {
|
if (-not (Test-Path $targetDir -PathType Container)) {
|
||||||
New-Item -ItemType Directory -Force -Path $targetDir | Out-Null
|
New-Item -ItemType Directory -Force -Path $targetDir | Out-Null
|
||||||
}
|
}
|
||||||
} catch {
|
} catch {
|
||||||
Write-UpdateLog ("Failed to create TLS certificate directory {0}: {1}" -f $targetDir, $_.Exception.Message) 'WARN'
|
Write-UpdateLog ("Failed to create certificate cache directory {0}: {1}" -f $targetDir, $_.Exception.Message) 'WARN'
|
||||||
return ''
|
return ''
|
||||||
}
|
}
|
||||||
|
|
||||||
$targetPath = Join-Path $targetDir 'server_certificate.pem'
|
|
||||||
try {
|
try {
|
||||||
Set-Content -Path $targetPath -Value $CertificatePem -Encoding UTF8
|
Set-Content -Path $targetPath -Value $CertificatePem -Encoding UTF8
|
||||||
Write-UpdateLog ("Saved server certificate to {0}" -f $targetPath) 'INFO'
|
Write-UpdateLog ("Cached server certificate to {0}" -f $targetPath) 'INFO'
|
||||||
return $targetPath
|
return $targetPath
|
||||||
} catch {
|
} catch {
|
||||||
Write-UpdateLog ("Failed to save server certificate: {0}" -f $_.Exception.Message) 'WARN'
|
Write-UpdateLog ("Failed to cache server certificate: {0}" -f $_.Exception.Message) 'WARN'
|
||||||
return ''
|
return ''
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -675,19 +545,15 @@ function Initialize-BorealisTlsContext {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
$candidatePaths = Get-BorealisCertificateCandidates -AgentRoot $AgentRoot
|
|
||||||
|
|
||||||
$trusted = @()
|
$trusted = @()
|
||||||
foreach ($path in $candidatePaths) {
|
$cachedCertPath = Get-ExistingServerCertificatePath -AgentRoot $AgentRoot
|
||||||
$exists = $false
|
if ($cachedCertPath) {
|
||||||
try { $exists = Test-Path $path -PathType Leaf } catch {}
|
Write-UpdateLog ("Using cached TLS certificate: {0}" -f $cachedCertPath) 'INFO'
|
||||||
$existsText = if ($exists) { 'true' } else { 'false' }
|
|
||||||
Write-Verbose ("Evaluating Borealis TLS candidate: {0} (exists={1})" -f $path, $existsText)
|
|
||||||
Write-UpdateLog ("TLS candidate {0} exists={1}" -f $path, $existsText) 'DEBUG'
|
|
||||||
if (-not $exists) { continue }
|
|
||||||
try {
|
try {
|
||||||
$trusted += Get-CertificatesFromPem -Path $path
|
$trusted += Get-CertificatesFromPem -Path $cachedCertPath
|
||||||
} catch {}
|
} catch {
|
||||||
|
Write-UpdateLog ("Failed to load cached TLS certificate: {0}" -f $_.Exception.Message) 'WARN'
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($trusted.Count -gt 0) {
|
if ($trusted.Count -gt 0) {
|
||||||
@@ -960,8 +826,10 @@ function Invoke-AgentHttpRequest {
|
|||||||
return $null
|
return $null
|
||||||
}
|
}
|
||||||
|
|
||||||
$cafile = Get-BorealisTrustBundlePath -AgentRoot $AgentRoot
|
$cafile = Get-ExistingServerCertificatePath -AgentRoot $AgentRoot
|
||||||
if (-not $cafile) {
|
if ($cafile) {
|
||||||
|
Write-UpdateLog ("Using cached TLS certificate for helper: {0}" -f $cafile) 'DEBUG'
|
||||||
|
} else {
|
||||||
Write-UpdateLog "No TLS bundle available; helper will skip certificate validation for this request." 'WARN'
|
Write-UpdateLog "No TLS bundle available; helper will skip certificate validation for this request." 'WARN'
|
||||||
}
|
}
|
||||||
$payload = @{
|
$payload = @{
|
||||||
@@ -1029,8 +897,12 @@ function Invoke-AgentHttpRequest {
|
|||||||
return $null
|
return $null
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($json.certificate -and (-not $cafile)) {
|
if ($json.certificate) {
|
||||||
Save-BorealisServerCertificate -AgentRoot $AgentRoot -CertificatePem $json.certificate
|
$savedPath = Save-ServerCertificateCache -AgentRoot $AgentRoot -CertificatePem $json.certificate
|
||||||
|
if ($savedPath) {
|
||||||
|
$script:BorealisTlsInitialized = $false
|
||||||
|
Initialize-BorealisTlsContext -AgentRoot $AgentRoot -ServerBaseUrl $Uri
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Write-UpdateLog ("Python helper completed HTTP call with status {0}." -f $json.status) 'DEBUG'
|
Write-UpdateLog ("Python helper completed HTTP call with status {0}." -f $json.status) 'DEBUG'
|
||||||
|
|||||||
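Review bot: In the last hunk of Invoke-AgentHttpRequest the `-not $cafile` condition was dropped, so any response that carries a `certificate` field now overwrites the cached pin and forces a fresh Initialize-BorealisTlsContext, even when the request was just validated against that same cached file; this means a disk write and TLS context rebuild on every such request, and a silent replacement of the pinned certificate with no log line marking that it changed. Before calling Save-ServerCertificateCache, compare against what is already cached and only rewrite on a difference, e.g. `$current = if ($cafile) { Get-Content -Raw -Path $cafile -ErrorAction SilentlyContinue } else { '' }` followed by `if ($json.certificate -and ($json.certificate -ne $current)) {`, and when `$cafile` was non-empty log the replacement at `'WARN'` rather than `'INFO'` so a pin change is visible in the update log. Save-ServerCertificateCache (second hunk) also writes the PEM text as received; running it through the existing Get-CertificatesFromPem parser first, and refusing to overwrite a working cache when nothing parses, would avoid replacing a good pin with garbage that Initialize-BorealisTlsContext then fails to load. The skip-validation path when no cache exists (`helper will skip certificate validation`) is not introduced by this commit, but it is what makes the very first cached certificate unauthenticated, which is worth stating in a comment above Get-ExistingServerCertificatePath. Invoke-AgentHttpRequest and Save-ServerCertificateCache both begin outside their hunks, so the empty-string guard at the top of the save function is not visible here.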