Update scripts (#1771)

* use shared cert authority

* add comment

* fix path

* ignore certs

.gitignore

@@ -12,6 +12,7 @@ node_modules
 
 # production
 /build
+/data/certs
 
 # misc
 .DS_Store

package.json

@@ -58,7 +58,7 @@
     "lint:css": "stylelint 'src/**/*.tsx'",
     "lint:bash": "shellcheck $(find . -type f \\( -iname '*\\.sh' -or -iname '*\\.bash' \\) | grep -v 'node_modules' )",
     "prestart": "npm run-script build:css",
-    "start": "DISABLE_NEW_JSX_TRANSFORM=true HTTPS=${HTTPS:-true} craco start",
+    "start": "./script/start.bash",
     "start:static": "export REACT_APP_ENV=${REACT_APP_ENV:-test} && npm run-script build && npm run-script prerender:local && npm run-script server",
     "clean": "rm -rf ./build",
     "build": "export DISABLE_NEW_JSX_TRANSFORM=true && npm run-script build:css && npm run-script build:js",

script/make-certificate.bash

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# spell-checker: ignore pipefail newkey outform keyout extfile
+set -euo pipefail; if [ -n "${DEBUG-}" ]; then set -x; fi
+
+project_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." >/dev/null 2>&1 && pwd )"
+shared_certificate_dir=~/.openstax/certs
+
+mkdir -p "$project_dir/data/certs"
+mkdir -p "$shared_certificate_dir"
+cd "$project_dir/data/certs"
+
+host=${HOST:-localhost}
+
+# links about this logic
+#  - https://stackoverflow.com/questions/43929436/subject-alternative-name-missing-err-ssl-version-or-cipher-mismatch
+#  - https://stackoverflow.com/questions/64597721/neterr-cert-validity-too-long-the-server-certificate-has-a-validity-period-t
+#  - https://devopscube.com/create-self-signed-certificates-openssl/
+
+if [ ! -f "$shared_certificate_dir/CA.cer" ] || [ ! -f "$shared_certificate_dir/CA.pvk" ]; then
+  echo "creating self signed authority"
+  cat << EOF > "$shared_certificate_dir/cert.cfn"
+[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = root_ca
+
+[ req_distinguished_name ]
+commonName = openstax.local
+
+[ root_ca ]
+basicConstraints = critical, CA:true
+EOF
+  openssl req -x509 -sha256 -days 356 -nodes -newkey rsa:2048 -config "$shared_certificate_dir/cert.cfn" -subj "/CN=Openstax.local" \
+    -keyout "$shared_certificate_dir/CA.pvk" -out "$shared_certificate_dir/CA.cer" 
+fi
+
+if [ ! -f "$host.pvk" ] || [ ! -f "$host.cer" ]; then
+  cat << EOF > "$project_dir/data/certs/$host.ext"
+subjectAltName = @alt_names
+extendedKeyUsage = serverAuth
+
+[alt_names]
+DNS.1 = $host
+EOF
+  openssl req -newkey rsa:2048 -keyout "$host.pvk" -out "$host.req" -subj /CN="$host" -sha256 -nodes
+  openssl x509 -req -CA "$shared_certificate_dir"/CA.cer -CAkey "$shared_certificate_dir"/CA.pvk -in "$host.req" -out "$host.cer" -days 397 -extfile "$host.ext" -sha256 -set_serial 0x1111
+fi

script/start.bash

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+# spell-checker: ignore pipefail
+set -euo pipefail; if [ -n "${DEBUG-}" ]; then set -x; fi
+
+project_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." >/dev/null 2>&1 && pwd )"
+shared_certificate_dir=~/.openstax/certs
+
+mkdir -p "$project_dir/data"
+
+./script/make-certificate.bash
+
+cd "$project_dir"
+
+# nodejs does not use system certs by default
+# - https://github.com/nodejs/node/issues/39657
+export NODE_EXTRA_CA_CERTS="$shared_certificate_dir/CA.cer"
+export SSL_CRT_FILE="$project_dir/data/certs/${HOST:-localhost}.cer"
+export SSL_KEY_FILE="$project_dir/data/certs/${HOST:-localhost}.pvk"
+export HTTPS=${HTTPS:-true}
+export BROWSER=none
+export DISABLE_NEW_JSX_TRANSFORM=true
+
+yarn craco start

script/trust-localhost.bash

@@ -1,3 +1,7 @@
-#!/bin/bash
-openssl s_client -showcerts -connect localhost:3000 </dev/null 2>/dev/null|openssl x509 -outform PEM >/tmp/localhost.pem
-sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/localhost.pem 
+#!/usr/bin/env bash
+# spell-checker: ignore pipefail Keychains keychain
+set -euo pipefail; if [ -n "${DEBUG-}" ]; then set -x; fi
+
+shared_certificate_dir=~/.openstax/certs
+
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$shared_certificate_dir"/CA.cer