alexa / alexa-skills-kit-sdk-for-nodejs

The Alexa Skills Kit SDK for Node.js helps you get a skill up and running quickly, letting you focus on skill logic instead of boilerplate code.
Apache License 2.0
3.12k stars 736 forks

ssl-root-cas cannot update certificates when file system is run in read only mode #648

Closed jdoof closed 3 years ago

jdoof commented 3 years ago

I'm submitting a...


[ ] Regression (a behavior that used to work and stopped working in a new release)
[X] Bug report  
[ ] Performance issue
[ ] Feature request
[ ] Documentation issue or request
[ ] Other... Please describe:

We run a node azure function to run our Alexa Skill. We depend on ask-sdk-express-adapter to provide validation of requests sent from Amazon. When deploying our code we utilise a feature of functions which is to deploy and run directly from a zip file. Outlined here. The side effect of this is that the file system is mounted as read-only. The package ssl-root-cas is configured to update the latest root CAs at run time, which in our case it cannot do.

Expected Behavior

That an exception is not thrown when certificates cannot be updated

Current Behavior

Certificates Root store from module ssl-root-cas in the ask-sdk-express-adapter are failing to update when the file system is run in read-only mode. This is causing an exception to be thrown and the application to crash.

2020-08-17T03:23:47.676 [Error] Executed 'Functions.AvsHttpTrigger' (Failed, Id=f5e07409-17b6-440b-9137-c0c62be0b3a5, Duration=6120ms)
node exited with code 1
LanguageWorkerConsoleLog[error] Worker c8caadeb-237d-4c9d-8a0e-732145f190bc uncaught exception (learn more: https://go.microsoft.com/fwlink/?linkid=2097909 ): Error: EPERM: operation not permitted, write
    at Object.writeSync (fs.js:569:3)
    at Object.writeFileSync (fs.js:1200:26)
    at D:\home\site\wwwroot\node_modules\ssl-root-cas\ca-store-generator.js:219:10
    at IncomingMessage.<anonymous> (D:\home\site\wwwroot\node_modules\@coolaj86\urequest\index.js:154:9)
    at IncomingMessage.emit (events.js:194:15)
    at IncomingMessage.EventEmitter.emit (domain.js:441:20)
    at endReadableNT (_stream_readable.js:1103:12)
    at process._tickCallback (internal/process/next_tick.js:63:19)
2020-08-17T03:23:47.707 [Error] Exceeded language worker restart retry count for runtime:node. Shutting down Functions Host

Possible Solution

Steps to Reproduce (for bugs)

import { HttpRequest } from '@azure/functions';
import { SkillRequestSignatureVerifier, TimestampVerifier } from 'ask-sdk-express-adapter';

export const verifier = {
  // Verifies an incoming Alexa request; rejects (throws) if a check fails.
  verify: async (req: HttpRequest, enforceVerifier: boolean): Promise<void> => {
    const environment = process.env.APPSETTING_NODE_ENV || process.env.NODE_ENV;
    // Verification is skipped in development or when the caller disables it.
    if (environment === 'development' || !enforceVerifier) {
      return;
    }
    const body = req?.body;
    const headers = req.headers;
    // The verifiers take the body as text, so the parsed body is re-serialized.
    const textBody = JSON.stringify(body);
    // Timestamp check first, then the signature and signing-certificate check.
    await new TimestampVerifier().verify(textBody);
    await new SkillRequestSignatureVerifier().verify(textBody, headers);
  },
};

Context

This issue was causing our application to crash at runtime upon receiving requests from amazon.

Your Environment

Node.js and NPM Info

ShenChen93 commented 3 years ago

Hi @jdoof ,

Thanks for using our SDK. ssl-root-cas will cache root CAs on the local file system under node_modules, thus it will fail when you use a read-only file system. I will log this issue in our backlog, and further investigate the best user experience for caching the root CAs.

For a quick fix, you could use ask-sdk-express-adapter@2.0.1, which doesn't have the feature to validate the certificates against root CAs (Thus without dependency on ssl-root-cas).

Thanks, Shen
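
The failure in this thread is a root-CA cache write under node_modules on a read-only mount, thrown from inside a response callback. As an added example (not code from the SDK or from ssl-root-cas), the sketch below treats the disk cache as best-effort and keeps the CA list usable in memory; the function names, candidate paths and the writer used for the demo are assumptions.

```javascript
// Added example, not code from the SDK or from ssl-root-cas.
const fs = require('fs');
const os = require('os');
const path = require('path');
const tls = require('tls');

// Error codes that mean "this location cannot be written", such as the EPERM
// raised on the read-only zip-deploy mount in the log above.
const NOT_WRITABLE = new Set(['EPERM', 'EACCES', 'EROFS']);

// Try each candidate path in order. Returns where the bundle was cached, or
// null when no location is writable. Unrelated errors still propagate.
function persistCaBundle(pem, candidates, writeFile = fs.writeFileSync) {
  const skipped = [];
  for (const file of candidates) {
    try {
      writeFile(file, pem, { mode: 0o600 });
      return { cachedAt: file, skipped };
    } catch (err) {
      if (!NOT_WRITABLE.has(err.code)) throw err;
      skipped.push({ file, code: err.code });
    }
  }
  return { cachedAt: null, skipped };
}

// `fetchedPems` is a freshly downloaded list of PEM roots (hypothetical input);
// with none, fall back to the roots bundled with Node. The returned `ca` array
// is usable for chain validation whatever happened on disk.
function refreshTrustStore(fetchedPems, candidates, writeFile) {
  const ca = fetchedPems && fetchedPems.length ? fetchedPems : [...tls.rootCertificates];
  return { ca, ...persistCaBundle(ca.join('\n'), candidates, writeFile) };
}

// Constructed demo writer: behaves like a read-only package directory.
function readOnlyNodeModules(file, data, opts) {
  if (file.includes('node_modules')) {
    throw Object.assign(new Error('EPERM: operation not permitted, write'), { code: 'EPERM' });
  }
  return fs.writeFileSync(file, data, opts);
}

// Hypothetical cache locations: the package directory first, then scratch space.
const demoCandidates = [
  path.join('node_modules', 'ca-cache', 'roots.pem'),
  path.join(os.tmpdir(), `roots-${process.pid}.pem`),
];
```

Signature verification keeps running against `ca` in every case; only the on-disk cache is optional.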

jdoof commented 3 years ago

Thanks, we will give downgrading a go and report back the results

jdoof commented 3 years ago

@ShenChen-Amazon Just confirming that the downgrade is working as expected.

ShenChen93 commented 3 years ago

@jdoof ,

Thanks for confirmation. We've logged this problem into our backlog, thus will close this GitHub issue for now. Will update here once a new version of the express-adapter pkg is released.

Thanks, Shen