From d2c30346a03402d111dfa94ec502fc71471e1bc8 Mon Sep 17 00:00:00 2001
From: Aaron Jackson
Date: Fri, 23 Aug 2024 12:52:04 +0100
Subject: [PATCH 1/2] Install CA certificate on Firefox (Windows)
---
 modules/hic-tre-cert.ps1 | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/modules/hic-tre-cert.ps1 b/modules/hic-tre-cert.ps1
index 6ceb0e5..c2bcf63 100644
--- a/modules/hic-tre-cert.ps1
+++ b/modules/hic-tre-cert.ps1
@@ -39,7 +39,22 @@ zvyXRCnDutC2I48pjubDIKtp2crIOMdsmtBVCQq6gX1Sl/4z4E6BXEWkfVcSBk+O
 05i6skiAX2QQcqX+EC/9HQ8UEjKIGeXyR2SxAiACx+1ckj9MHG8nytRAJQ2glmLs
 ws7bgq7KAqJqvvPyVIeOW0hx4AX+5Q==
 -----END CERTIFICATE-----
-"@ | Out-File -FilePath C:\Tools\hic-tre.dundee.ac.uk.crt
+"@ | Out-File -Encoding ASCII -FilePath C:\Tools\hic-tre.dundee.ac.uk.crt
 
 Get-Item C:\Tools\hic-tre.dundee.ac.uk.crt | `
 Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
+
+
+# Firefox doesn't use the system certificates by default, but a policy
+# can be used to force the installation of the certificate at the next
+# run.
+New-Item -Path "C:\Program Files\Mozilla Firefox\" -Name distribution -ItemType Directory -Force
+@"
+{
+ "policies": {
+ "Certificates": {
+ "Install": ["C:\\Tools\\hic-tre.dundee.ac.uk.crt"]
+ }
+ }
+}
+"@ | Out-File -Encoding ASCII -FilePath "C:\Program Files\Mozilla Firefox\distribution\policies.json"
From 217f84d02466d875e1e2b9666f5e355e9e9c60a9 Mon Sep 17 00:00:00 2001
From: Aaron Jackson
Date: Wed, 13 Nov 2024 12:52:08 +0000
Subject: [PATCH 2/2] Add global env vars for ca chain
---
 modules/hic-tre-cert.ps1 | 16 ++++++++++++++++
 modules/hic-tre-cert.sh | 12 ++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/modules/hic-tre-cert.ps1 b/modules/hic-tre-cert.ps1
index c2bcf63..7fff012 100644
--- a/modules/hic-tre-cert.ps1
+++ b/modules/hic-tre-cert.ps1
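Review bot: The `Certificates.Install` policy written at the end of the PATCH 1/2 hunk (`@@ -39,7 +39,22 @@`) makes Firefox trust whatever file sits at `C:\Tools\hic-tre.dundee.ac.uk.crt` when it next runs, and nothing in the patch shows that `C:\Tools` is writable by administrators only. If standard users can modify that directory (not visible here), the file's contents, and therefore the browser's trusted roots, are under their control. Because the script already imports the certificate into `Cert:\LocalMachine\Root`, the policy could instead be `"Certificates": { "ImportEnterpriseRoots": true }`, which removes the dependency on the file path; failing that, restrict the ACL on the `.crt` file. Separately, `Out-File` replaces any existing `policies.json` outright, so a comment such as `# NOTE: overwrites any existing Firefox policies.json` would warn the next maintainer.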
@@ -58,3 +58,19 @@ New-Item -Path "C:\Program Files\Mozilla Firefox\" -Name distribution -ItemType
 }
 }
 "@ | Out-File -Encoding ASCII -FilePath "C:\Program Files\Mozilla Firefox\distribution\policies.json"
+
+# This covers both conda and CRAN, but it also overrides their own
+# provided CA chain files. That's probably ok given we don't allow
+# access to the internet.
+[Environment]::SetEnvironmentVariable(
+ "SSL_CERT_FILE",
+ "C:\Tools\hic-tre.dundee.ac.uk.crt",
+ [System.EnvironmentVariableTarget]::User)
+[Environment]::SetEnvironmentVariable(
+ "REQUESTS_CA_BUNDLE",
+ "C:\Tools\hic-tre.dundee.ac.uk.crt",
+ [System.EnvironmentVariableTarget]::User)
+[Environment]::SetEnvironmentVariable(
+ "CURL_CA_BUNDLE",
+ "C:\Tools\hic-tre.dundee.ac.uk.crt",
+ [System.EnvironmentVariableTarget]::User)
diff --git a/modules/hic-tre-cert.sh b/modules/hic-tre-cert.sh
index e495ea8..0cbf891 100644
--- a/modules/hic-tre-cert.sh
+++ b/modules/hic-tre-cert.sh
@@ -60,3 +60,15 @@ sudo tee /etc/firefox/policies/policies.json <
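Review bot: All three `SetEnvironmentVariable` calls in the `modules/hic-tre-cert.ps1` hunk of PATCH 2/2 pass `[System.EnvironmentVariableTarget]::User`, so the variables are stored only for the account that runs this script, although the subject line calls them global. If the module runs under a provisioning or service account (not visible in the patch), the accounts that later run conda or R will not inherit them. Using `[System.EnvironmentVariableTarget]::Machine` would apply the setting to every user and require administrator rights to change. These variables also make `C:\Tools\hic-tre.dundee.ac.uk.crt` the only trust anchor for the tools that honour them, so the comment should say the file must not be user-writable, for example `# C:\Tools\*.crt must be writable by administrators only`.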