Delegate HTTPS handling to Miniflare (#11449)

* Delegate HTTPS handling to Miniflare

* Create spotty-phones-pull.md

* fix lint

* fix test

* fix lint

* fix lint

Author: penalosa

.changeset/spotty-phones-pull.md

@@ -0,0 +1,5 @@
+---
+"wrangler": minor
+---
+
+Delegate generation of HTTPS certificates to Miniflare

packages/miniflare/src/http/cert.ts

@@ -34,21 +34,21 @@ mCWw+vbGTBwIr/9X1S4UL1/f3zDICC7YSA==
 // emailAddress            = optional
 
 // [ req_distinguished_name ]
-// countryName                     = US
+// countryName                     = Country Name
 // countryName_default             = US
 // countryName_min                 = 2
 // countryName_max                 = 2
-// stateOrProvinceName             = Texas
+// stateOrProvinceName             = State or Province Name
 // stateOrProvinceName_default     = Texas
-// localityName                    = Austin
-// localityName_default            = Austin ## This is the default value
-// 0.organizationName              = Cloudflare ## Print this message
-// 0.organizationName_default      = Cloudflare ## This is the default value
-// organizationalUnitName          = Workers ## Print this message
-// organizationalUnitName_default  = Workers## This is the default value
-// commonName                      = localhost
+// localityName                    = Locality
+// localityName_default            = Austin
+// 0.organizationName              = Organization Name
+// 0.organizationName_default      = Cloudflare
+// organizationalUnitName          = Organizational Unit Name
+// organizationalUnitName_default  = Workers
+// commonName                      = Common Name
 // commonName_max                  = 64
-// emailAddress                    = [email protected]
+// emailAddress                    = Email Address
 // emailAddress_max                = 64
 
 // [ v3_ca ]
@@ -58,21 +58,38 @@ mCWw+vbGTBwIr/9X1S4UL1/f3zDICC7YSA==
 // nsComment = "OpenSSL Generated Certificate"
 // keyUsage = keyCertSign,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 // extendedKeyUsage = serverAuth,clientAuth,codeSigning,timeStamping
+// subjectAltName = @alt_names
+
+// [alt_names]
+// DNS.0 = localhost
+// IP.1 = 127.0.0.1
+
+// Interactive answers:
+// Country Name [US]:
+// State or Province Name [Texas]:
+// Locality [Austin]:
+// Organization Name [Cloudflare]:
+// Organizational Unit Name [Workers]:
+// Common Name []:localhost
+// Email Address []:wrangler@cloudflare.com
 export const CERT = `
 -----BEGIN CERTIFICATE-----
-MIICcDCCAhegAwIBAgIUE97EcbEWw3YZMN/ucGBSzJ/5qA4wCgYIKoZIzj0EAwIw
-VTELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMQ8wDQYDVQQHDAZBdXN0aW4x
-EzARBgNVBAoMCkNsb3VkZmxhcmUxEDAOBgNVBAsMB1dvcmtlcnMwIBcNMjMwNjIy
-MTg1ODQ3WhgPMjEyMzA1MjkxODU4NDdaMFUxCzAJBgNVBAYTAlVTMQ4wDAYDVQQI
-DAVUZXhhczEPMA0GA1UEBwwGQXVzdGluMRMwEQYDVQQKDApDbG91ZGZsYXJlMRAw
-DgYDVQQLDAdXb3JrZXJzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtrIEgzog
-jrUHIvB4qgjg/cT7blhWuLUfSUp6H62NCo21NrVWgPtCmCWw+vbGTBwIr/9X1S4U
-L1/f3zDICC7YSKOBwjCBvzAdBgNVHQ4EFgQUSXahTksi00c6KhUECHIY4FLW7Sow
-HwYDVR0jBBgwFoAUSXahTksi00c6KhUECHIY4FLW7SowDwYDVR0TAQH/BAUwAwEB
-/zAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUw
-CwYDVR0PBAQDAgL0MDEGA1UdJQQqMCgGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYB
-BQUHAwMGCCsGAQUFBwMIMAoGCCqGSM49BAMCA0cAMEQCIE2qnXbKTHQ8wtwI+9XR
-h4ivDyz7w7iGxn3+ccmj/CQqAiApdX/Iz/jGRzi04xFlE4GoPVG/zaMi64ckmIpE
-ez/dHA==
+MIIDBzCCAq2gAwIBAgIUaEibZTawMcz6xQ/0rGNlEBKwkUowCgYIKoZIzj0EAwIw
+gZExCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEPMA0GA1UEBwwGQXVzdGlu
+MRMwEQYDVQQKDApDbG91ZGZsYXJlMRAwDgYDVQQLDAdXb3JrZXJzMRIwEAYDVQQD
+DAlsb2NhbGhvc3QxJjAkBgkqhkiG9w0BCQEWF3dyYW5nbGVyQGNsb3VkZmxhcmUu
+Y29tMCAXDTI1MTAwMjEzMzQ1MloYDzIxMjUwOTA4MTMzNDUyWjCBkTELMAkGA1UE
+BhMCVVMxDjAMBgNVBAgMBVRleGFzMQ8wDQYDVQQHDAZBdXN0aW4xEzARBgNVBAoM
+CkNsb3VkZmxhcmUxEDAOBgNVBAsMB1dvcmtlcnMxEjAQBgNVBAMMCWxvY2FsaG9z
+dDEmMCQGCSqGSIb3DQEJARYXd3JhbmdsZXJAY2xvdWRmbGFyZS5jb20wWTATBgcq
+hkjOPQIBBggqhkjOPQMBBwNCAAS2sgSDOiCOtQci8HiqCOD9xPtuWFa4tR9JSnof
+rY0KjbU2tVaA+0KYJbD69sZMHAiv/1fVLhQvX9/fMMgILthIo4HeMIHbMB0GA1Ud
+DgQWBBRJdqFOSyLTRzoqFQQIchjgUtbtKjAfBgNVHSMEGDAWgBRJdqFOSyLTRzoq
+FQQIchjgUtbtKjAPBgNVHRMBAf8EBTADAQH/MCwGCWCGSAGG+EIBDQQfFh1PcGVu
+U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTALBgNVHQ8EBAMCAvQwMQYDVR0lBCow
+KAYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwgwGgYDVR0R
+BBMwEYIJbG9jYWxob3N0hwR/AAABMAoGCCqGSM49BAMCA0gAMEUCIQDNxEiZc6Q6
+8hK0q3y/9lDWc+dHr74gAnBHVJZEo5uyRQIgW6eL31hH7qouqUi9+efWU1N85n0z
+X3kip4YDAFo8ozE=
 -----END CERTIFICATE-----
 `;

packages/wrangler/package.json

@@ -148,7 +148,6 @@
 		"prompts": "^2.4.2",
 		"resolve": "^1.22.8",
 		"rimraf": "catalog:default",
-		"selfsigned": "^2.0.1",
 		"semiver": "^1.1.0",
 		"shell-quote": "^1.8.1",
 		"signal-exit": "^3.0.7",

packages/wrangler/src/__tests__/https-options.test.ts

@@ -1,179 +1,36 @@
 import * as fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { getGlobalWranglerConfigPath } from "@cloudflare/workers-utils";
-import { getHttpsOptions } from "../https-options";
-import { mockConsoleMethods } from "./helpers/mock-console";
+import { validateHttpsOptions } from "../https-options";
 import { runInTempDir } from "./helpers/run-in-tmp";
 
-vi.mock("node:fs", async (importOriginal) => {
-	// eslint-disable-next-line @typescript-eslint/consistent-type-imports
-	const fsOriginal = await importOriginal<typeof import("node:fs")>();
-	return { ...fsOriginal };
-});
-
-describe("getHttpsOptions()", () => {
+describe("validateHttpsOptions()", () => {
 	runInTempDir();
-	const std = mockConsoleMethods();
 
-	it("should use cached values if they have not expired", async () => {
-		fs.mkdirSync(path.resolve(getGlobalWranglerConfigPath(), "local-cert"), {
-			recursive: true,
-		});
-		fs.writeFileSync(
-			path.resolve(getGlobalWranglerConfigPath(), "local-cert/key.pem"),
-			"PRIVATE KEY"
-		);
-		fs.writeFileSync(
-			path.resolve(getGlobalWranglerConfigPath(), "local-cert/cert.pem"),
-			"PUBLIC KEY"
-		);
-		const result = await getHttpsOptions();
-		expect(result.key).toEqual("PRIVATE KEY");
-		expect(result.cert).toEqual("PUBLIC KEY");
-		expect(std.out).toMatchInlineSnapshot(`""`);
-		expect(std.warn).toMatchInlineSnapshot(`""`);
-		expect(std.err).toMatchInlineSnapshot(`""`);
-	});
-
-	it("should generate and cache new keys if none are cached", async () => {
-		const result = await getHttpsOptions();
-		const key = fs.readFileSync(
-			path.resolve(getGlobalWranglerConfigPath(), "local-cert/key.pem"),
-			"utf8"
-		);
-		const cert = fs.readFileSync(
-			path.resolve(getGlobalWranglerConfigPath(), "local-cert/cert.pem"),
-			"utf8"
-		);
-		expect(result.key).toEqual(key);
-		expect(result.cert).toEqual(cert);
-		expect(std.out).toMatchInlineSnapshot(
-			`"Generating new self-signed certificate..."`
-		);
-		expect(std.warn).toMatchInlineSnapshot(`""`);
-		expect(std.err).toMatchInlineSnapshot(`""`);
-	});
-
-	it("should generate and cache new keys if cached files have expired", async () => {
-		fs.mkdirSync(path.resolve(getGlobalWranglerConfigPath(), "local-cert"), {
-			recursive: true,
-		});
-		const ORIGINAL_KEY = "EXPIRED PRIVATE KEY";
-		const ORIGINAL_CERT = "EXPIRED PUBLIC KEY";
-
-		const old = new Date(2000);
-		fs.writeFileSync(
-			path.resolve(getGlobalWranglerConfigPath(), "local-cert/key.pem"),
-			ORIGINAL_KEY
-		);
-		fs.utimesSync(
-			path.resolve(getGlobalWranglerConfigPath(), "local-cert/key.pem"),
-			old,
-			old
-		);
-		fs.writeFileSync(
-			path.resolve(getGlobalWranglerConfigPath(), "local-cert/cert.pem"),
-			ORIGINAL_CERT
-		);
-		fs.utimesSync(
-			path.resolve(getGlobalWranglerConfigPath(), "local-cert/cert.pem"),
-			old,
-			old
-		);
-
-		const result = await getHttpsOptions();
-		const key = fs.readFileSync(
-			path.resolve(getGlobalWranglerConfigPath(), "local-cert/key.pem"),
-			"utf8"
-		);
-		const cert = fs.readFileSync(
-			path.resolve(getGlobalWranglerConfigPath(), "local-cert/cert.pem"),
-			"utf8"
-		);
-		expect(key).not.toEqual(ORIGINAL_KEY);
-		expect(cert).not.toEqual(ORIGINAL_CERT);
-		expect(result.key).toEqual(key);
-		expect(result.cert).toEqual(cert);
-		expect(std.out).toMatchInlineSnapshot(
-			`"Generating new self-signed certificate..."`
-		);
-		expect(std.warn).toMatchInlineSnapshot(`""`);
-		expect(std.err).toMatchInlineSnapshot(`""`);
-	});
-
-	it("should warn if not able to write to the cache (legacy config path)", async () => {
-		fs.mkdirSync(path.join(os.homedir(), ".wrangler"));
-		await mockWriteFileSyncThrow(/\.pem$/);
-		await getHttpsOptions();
-		expect(
-			fs.existsSync(
-				path.resolve(getGlobalWranglerConfigPath(), "local-cert/key.pem")
-			)
-		).toBe(false);
-		expect(
-			fs.existsSync(
-				path.resolve(getGlobalWranglerConfigPath(), "local-cert/cert.pem")
-			)
-		).toBe(false);
-		expect(std.out).toMatchInlineSnapshot(
-			`"Generating new self-signed certificate..."`
-		);
-		expect(std.warn).toMatchInlineSnapshot(`
-			"▲ [WARNING] Unable to cache generated self-signed certificate in home/.wrangler/local-cert.
-
-			  ERROR: Cannot write file
-
-			"
-		`);
-		expect(std.err).toMatchInlineSnapshot(`""`);
-		fs.rmSync(path.join(os.homedir(), ".wrangler"), { recursive: true });
-	});
-
-	it("should warn if not able to write to the cache", async () => {
-		await mockWriteFileSyncThrow(/\.pem$/);
-
-		await getHttpsOptions();
-		expect(
-			fs.existsSync(
-				path.resolve(getGlobalWranglerConfigPath(), "local-cert/key.pem")
-			)
-		).toBe(false);
-		expect(
-			fs.existsSync(
-				path.resolve(getGlobalWranglerConfigPath(), "local-cert/cert.pem")
-			)
-		).toBe(false);
-		expect(std.out).toMatchInlineSnapshot(
-			`"Generating new self-signed certificate..."`
-		);
-		expect(std.warn).toMatchInlineSnapshot(`
-			"▲ [WARNING] Unable to cache generated self-signed certificate in home/.config/.wrangler/local-cert.
-
-			  ERROR: Cannot write file
-
-			"
-		`);
-		expect(std.err).toMatchInlineSnapshot(`""`);
+	it("should return undefined if nothing is passed in", async () => {
+		const result = await validateHttpsOptions();
+		expect(result).toBeUndefined();
 	});
 
 	it("should read the certs from the paths if provided", async () => {
 		fs.mkdirSync("./certs");
 		await fs.promises.writeFile("./certs/test.key", "xxxxx");
 		await fs.promises.writeFile("./certs/test.pem", "yyyyy");
-		const options = getHttpsOptions("./certs/test.key", "./certs/test.pem");
+		const options = validateHttpsOptions(
+			"./certs/test.key",
+			"./certs/test.pem"
+		);
+		assert(options);
 		expect(options.key).toEqual("xxxxx");
 		expect(options.cert).toEqual("yyyyy");
 	});
 
 	it("should error if only one of the two paths is provided", async () => {
 		expect(() =>
-			getHttpsOptions("./certs/test.key", undefined)
+			validateHttpsOptions("./certs/test.key", undefined)
 		).toThrowErrorMatchingInlineSnapshot(
 			`[Error: Must specify both certificate path and key path to use a Custom Certificate.]`
 		);
 		expect(() =>
-			getHttpsOptions(undefined, "./certs/test.pem")
+			validateHttpsOptions(undefined, "./certs/test.pem")
 		).toThrowErrorMatchingInlineSnapshot(
 			`[Error: Must specify both certificate path and key path to use a Custom Certificate.]`
 		);
@@ -183,7 +40,7 @@ describe("getHttpsOptions()", () => {
 		fs.mkdirSync("./certs");
 		await fs.promises.writeFile("./certs/test.pem", "yyyyy");
 		expect(() =>
-			getHttpsOptions("./certs/test.key", "./certs/test.pem")
+			validateHttpsOptions("./certs/test.key", "./certs/test.pem")
 		).toThrowErrorMatchingInlineSnapshot(
 			`[Error: Missing Custom Certificate Key at ./certs/test.key]`
 		);
@@ -193,7 +50,7 @@ describe("getHttpsOptions()", () => {
 		fs.mkdirSync("./certs");
 		await fs.promises.writeFile("./certs/test.key", "xxxxx");
 		expect(() =>
-			getHttpsOptions("./certs/test.key", "./certs/test.pem")
+			validateHttpsOptions("./certs/test.key", "./certs/test.pem")
 		).toThrowErrorMatchingInlineSnapshot(
 			`[Error: Missing Custom Certificate File at ./certs/test.pem]`
 		);
@@ -205,7 +62,8 @@ describe("getHttpsOptions()", () => {
 		await fs.promises.writeFile("./certs/test.pem", "yyyyy");
 		vi.stubEnv("WRANGLER_HTTPS_KEY_PATH", "./certs/test.key");
 		vi.stubEnv("WRANGLER_HTTPS_CERT_PATH", "./certs/test.pem");
-		const options = getHttpsOptions();
+		const options = validateHttpsOptions();
+		assert(options);
 		expect(options.key).toEqual("xxxxx");
 		expect(options.cert).toEqual("yyyyy");
 	});
@@ -218,26 +76,12 @@ describe("getHttpsOptions()", () => {
 		await fs.promises.writeFile("./certs/test-env.pem", "yyyyy-env");
 		vi.stubEnv("WRANGLER_HTTPS_KEY_PATH", "./certs/test-env.key");
 		vi.stubEnv("WRANGLER_HTTPS_CERT_PATH", "./certs/test-env.pem");
-		const options = getHttpsOptions(
+		const options = validateHttpsOptions(
 			"./certs/test-param.key",
 			"./certs/test-param.pem"
 		);
+		assert(options);
 		expect(options.key).toEqual("xxxxx-param");
 		expect(options.cert).toEqual("yyyyy-param");
 	});
 });
-
-async function mockWriteFileSyncThrow(matcher: RegExp) {
-	const originalWriteFileSync =
-		// eslint-disable-next-line @typescript-eslint/consistent-type-imports
-		(await vi.importActual<typeof import("node:fs")>("node:fs")).writeFileSync;
-	vi.spyOn(fs, "writeFileSync").mockImplementation(
-		(filePath, data, options) => {
-			if (matcher.test(filePath.toString())) {
-				throw new Error("ERROR: Cannot write file");
-			} else {
-				return originalWriteFileSync(filePath, data, options);
-			}
-		}
-	);
-}

packages/wrangler/src/api/startDevWorker/ProxyController.ts

@@ -16,7 +16,7 @@ import {
 	handleStructuredLogs,
 	WranglerLog,
 } from "../../dev/miniflare";
-import { getHttpsOptions } from "../../https-options";
+import { validateHttpsOptions } from "../../https-options";
 import { logger } from "../../logger";
 import { getSourceMappedStack } from "../../sourcemap";
 import { Controller } from "./BaseController";
@@ -67,7 +67,7 @@ export class ProxyController extends Controller {
 			(this.inspectorEnabled &&
 				this.latestConfig.dev?.inspector &&
 				this.latestConfig.dev?.inspector?.secure)
-				? getHttpsOptions(
+				? validateHttpsOptions(
 						this.latestConfig.dev.server?.httpsKeyPath,
 						this.latestConfig.dev.server?.httpsCertPath
 					)