mirror of
https://github.com/denoland/deno.git
synced 2025-01-26 17:02:20 -05:00
69ec45eac7
The way the standalone mode handles the `--cert` flag is different to all other modes. This is because `--cert` takes a path to the certificate file, which is directly added to the root cert store; except for compile mode, where its byte contents are stored in the standalone metadata, and they are added to the root cert store after the `ProcState` is created. This change instead changes `Flags::ca_file` (an `Option<String>`) into `Flags::ca_data`, which can represent a `String` file path or a `Vec<u8>` with the certificate contents. That way, standalone mode can create a `ProcState` whose root cert store alreay contains the certificate. This change also adds a tests for certificates in standalone mode, since there weren't any before. This refactor will help with implementing web workers in standalone mode in the future.
349 lines
11 KiB
Rust
349 lines
11 KiB
Rust
// Copyright 2018-2023 the Deno authors. All rights reserved. MIT license.
|
|
|
|
use deno_runtime::deno_net::ops_tls::TlsStream;
|
|
use deno_runtime::deno_tls::rustls;
|
|
use deno_runtime::deno_tls::rustls_pemfile;
|
|
use std::io::BufReader;
|
|
use std::io::Cursor;
|
|
use std::io::Read;
|
|
use std::process::Command;
|
|
use std::sync::Arc;
|
|
use test_util as util;
|
|
use test_util::TempDir;
|
|
use tokio::task::LocalSet;
|
|
|
|
itest_flaky!(cafile_url_imports {
|
|
args: "run --quiet --reload --cert tls/RootCA.pem cert/cafile_url_imports.ts",
|
|
output: "cert/cafile_url_imports.ts.out",
|
|
http_server: true,
|
|
});
|
|
|
|
itest_flaky!(cafile_ts_fetch {
|
|
args:
|
|
"run --quiet --reload --allow-net --cert tls/RootCA.pem cert/cafile_ts_fetch.ts",
|
|
output: "cert/cafile_ts_fetch.ts.out",
|
|
http_server: true,
|
|
});
|
|
|
|
itest_flaky!(cafile_eval {
|
|
args: "eval --cert tls/RootCA.pem fetch('https://localhost:5545/cert/cafile_ts_fetch.ts.out').then(r=>r.text()).then(t=>console.log(t.trimEnd()))",
|
|
output: "cert/cafile_ts_fetch.ts.out",
|
|
http_server: true,
|
|
});
|
|
|
|
itest_flaky!(cafile_info {
|
|
args:
|
|
"info --quiet --cert tls/RootCA.pem https://localhost:5545/cert/cafile_info.ts",
|
|
output: "cert/cafile_info.ts.out",
|
|
http_server: true,
|
|
});
|
|
|
|
itest_flaky!(cafile_url_imports_unsafe_ssl {
|
|
args: "run --quiet --reload --unsafely-ignore-certificate-errors=localhost cert/cafile_url_imports.ts",
|
|
output: "cert/cafile_url_imports_unsafe_ssl.ts.out",
|
|
http_server: true,
|
|
});
|
|
|
|
itest_flaky!(cafile_ts_fetch_unsafe_ssl {
|
|
args:
|
|
"run --quiet --reload --allow-net --unsafely-ignore-certificate-errors cert/cafile_ts_fetch.ts",
|
|
output: "cert/cafile_ts_fetch_unsafe_ssl.ts.out",
|
|
http_server: true,
|
|
});
|
|
|
|
itest!(deno_land_unsafe_ssl {
|
|
args:
|
|
"run --quiet --reload --allow-net --unsafely-ignore-certificate-errors=deno.land cert/deno_land_unsafe_ssl.ts",
|
|
output: "cert/deno_land_unsafe_ssl.ts.out",
|
|
});
|
|
|
|
itest!(ip_address_unsafe_ssl {
|
|
args:
|
|
"run --quiet --reload --allow-net --unsafely-ignore-certificate-errors=1.1.1.1 cert/ip_address_unsafe_ssl.ts",
|
|
output: "cert/ip_address_unsafe_ssl.ts.out",
|
|
});
|
|
|
|
itest!(localhost_unsafe_ssl {
|
|
args:
|
|
"run --quiet --reload --allow-net --unsafely-ignore-certificate-errors=deno.land cert/cafile_url_imports.ts",
|
|
output: "cert/localhost_unsafe_ssl.ts.out",
|
|
http_server: true,
|
|
exit_code: 1,
|
|
});
|
|
|
|
#[flaky_test::flaky_test]
|
|
fn cafile_env_fetch() {
|
|
use deno_core::url::Url;
|
|
let _g = util::http_server();
|
|
let deno_dir = TempDir::new();
|
|
let module_url =
|
|
Url::parse("https://localhost:5545/cert/cafile_url_imports.ts").unwrap();
|
|
let cafile = util::testdata_path().join("tls/RootCA.pem");
|
|
let output = Command::new(util::deno_exe_path())
|
|
.env("DENO_DIR", deno_dir.path())
|
|
.env("DENO_CERT", cafile)
|
|
.current_dir(util::testdata_path())
|
|
.arg("cache")
|
|
.arg(module_url.to_string())
|
|
.output()
|
|
.expect("Failed to spawn script");
|
|
assert!(output.status.success());
|
|
}
|
|
|
|
#[flaky_test::flaky_test]
|
|
fn cafile_fetch() {
|
|
use deno_core::url::Url;
|
|
let _g = util::http_server();
|
|
let deno_dir = TempDir::new();
|
|
let module_url =
|
|
Url::parse("http://localhost:4545/cert/cafile_url_imports.ts").unwrap();
|
|
let cafile = util::testdata_path().join("tls/RootCA.pem");
|
|
let output = Command::new(util::deno_exe_path())
|
|
.env("DENO_DIR", deno_dir.path())
|
|
.current_dir(util::testdata_path())
|
|
.arg("cache")
|
|
.arg("--cert")
|
|
.arg(cafile)
|
|
.arg(module_url.to_string())
|
|
.output()
|
|
.expect("Failed to spawn script");
|
|
assert!(output.status.success());
|
|
let out = std::str::from_utf8(&output.stdout).unwrap();
|
|
assert_eq!(out, "");
|
|
}
|
|
|
|
#[test]
|
|
fn cafile_compile() {
|
|
let _g = util::http_server();
|
|
let dir = TempDir::new();
|
|
let exe = if cfg!(windows) {
|
|
dir.path().join("cert.exe")
|
|
} else {
|
|
dir.path().join("cert")
|
|
};
|
|
let output = util::deno_cmd()
|
|
.current_dir(util::testdata_path())
|
|
.arg("compile")
|
|
.arg("--cert")
|
|
.arg("./tls/RootCA.pem")
|
|
.arg("--allow-net")
|
|
.arg("--output")
|
|
.arg(&exe)
|
|
.arg("./cert/cafile_ts_fetch.ts")
|
|
.stdout(std::process::Stdio::piped())
|
|
.spawn()
|
|
.unwrap()
|
|
.wait_with_output()
|
|
.unwrap();
|
|
assert!(output.status.success());
|
|
let output = Command::new(exe)
|
|
.stdout(std::process::Stdio::piped())
|
|
.spawn()
|
|
.unwrap()
|
|
.wait_with_output()
|
|
.unwrap();
|
|
assert!(output.status.success());
|
|
assert_eq!(output.stdout, b"[WILDCARD]\nHello\n")
|
|
}
|
|
|
|
#[flaky_test::flaky_test]
|
|
fn cafile_install_remote_module() {
|
|
let _g = util::http_server();
|
|
let temp_dir = TempDir::new();
|
|
let bin_dir = temp_dir.path().join("bin");
|
|
std::fs::create_dir(&bin_dir).unwrap();
|
|
let deno_dir = TempDir::new();
|
|
let cafile = util::testdata_path().join("tls/RootCA.pem");
|
|
|
|
let install_output = Command::new(util::deno_exe_path())
|
|
.env("DENO_DIR", deno_dir.path())
|
|
.current_dir(util::testdata_path())
|
|
.arg("install")
|
|
.arg("--cert")
|
|
.arg(cafile)
|
|
.arg("--root")
|
|
.arg(temp_dir.path())
|
|
.arg("-n")
|
|
.arg("echo_test")
|
|
.arg("https://localhost:5545/echo.ts")
|
|
.output()
|
|
.expect("Failed to spawn script");
|
|
println!("{}", std::str::from_utf8(&install_output.stdout).unwrap());
|
|
eprintln!("{}", std::str::from_utf8(&install_output.stderr).unwrap());
|
|
assert!(install_output.status.success());
|
|
|
|
let mut echo_test_path = bin_dir.join("echo_test");
|
|
if cfg!(windows) {
|
|
echo_test_path = echo_test_path.with_extension("cmd");
|
|
}
|
|
assert!(echo_test_path.exists());
|
|
|
|
let output = Command::new(echo_test_path)
|
|
.current_dir(temp_dir.path())
|
|
.arg("foo")
|
|
.env("PATH", util::target_dir())
|
|
.output()
|
|
.expect("failed to spawn script");
|
|
let stdout = std::str::from_utf8(&output.stdout).unwrap().trim();
|
|
assert!(stdout.ends_with("foo"));
|
|
}
|
|
|
|
#[flaky_test::flaky_test]
|
|
fn cafile_bundle_remote_exports() {
|
|
let _g = util::http_server();
|
|
|
|
// First we have to generate a bundle of some remote module that has exports.
|
|
let mod1 = "https://localhost:5545/subdir/mod1.ts";
|
|
let cafile = util::testdata_path().join("tls/RootCA.pem");
|
|
let t = TempDir::new();
|
|
let bundle = t.path().join("mod1.bundle.js");
|
|
let mut deno = util::deno_cmd()
|
|
.current_dir(util::testdata_path())
|
|
.arg("bundle")
|
|
.arg("--cert")
|
|
.arg(cafile)
|
|
.arg(mod1)
|
|
.arg(&bundle)
|
|
.spawn()
|
|
.expect("failed to spawn script");
|
|
let status = deno.wait().expect("failed to wait for the child process");
|
|
assert!(status.success());
|
|
assert!(bundle.is_file());
|
|
|
|
// Now we try to use that bundle from another module.
|
|
let test = t.path().join("test.js");
|
|
std::fs::write(
|
|
&test,
|
|
"
|
|
import { printHello3 } from \"./mod1.bundle.js\";
|
|
printHello3(); ",
|
|
)
|
|
.expect("error writing file");
|
|
|
|
let output = util::deno_cmd()
|
|
.current_dir(util::testdata_path())
|
|
.arg("run")
|
|
.arg("--check")
|
|
.arg(&test)
|
|
.output()
|
|
.expect("failed to spawn script");
|
|
// check the output of the test.ts program.
|
|
assert!(std::str::from_utf8(&output.stdout)
|
|
.unwrap()
|
|
.trim()
|
|
.ends_with("Hello"));
|
|
assert_eq!(output.stderr, b"");
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn listen_tls_alpn() {
|
|
// TLS streams require the presence of an ambient local task set to gracefully
|
|
// close dropped connections in the background.
|
|
LocalSet::new()
|
|
.run_until(async {
|
|
let mut child = util::deno_cmd()
|
|
.current_dir(util::testdata_path())
|
|
.arg("run")
|
|
.arg("--unstable")
|
|
.arg("--quiet")
|
|
.arg("--allow-net")
|
|
.arg("--allow-read")
|
|
.arg("./cert/listen_tls_alpn.ts")
|
|
.arg("4504")
|
|
.stdout(std::process::Stdio::piped())
|
|
.spawn()
|
|
.unwrap();
|
|
let stdout = child.stdout.as_mut().unwrap();
|
|
let mut msg = [0; 5];
|
|
let read = stdout.read(&mut msg).unwrap();
|
|
assert_eq!(read, 5);
|
|
assert_eq!(&msg, b"READY");
|
|
|
|
let mut reader = &mut BufReader::new(Cursor::new(include_bytes!(
|
|
"../testdata/tls/RootCA.crt"
|
|
)));
|
|
let certs = rustls_pemfile::certs(&mut reader).unwrap();
|
|
let mut root_store = rustls::RootCertStore::empty();
|
|
root_store.add_parsable_certificates(&certs);
|
|
let mut cfg = rustls::ClientConfig::builder()
|
|
.with_safe_defaults()
|
|
.with_root_certificates(root_store)
|
|
.with_no_client_auth();
|
|
cfg.alpn_protocols.push(b"foobar".to_vec());
|
|
let cfg = Arc::new(cfg);
|
|
|
|
let hostname = rustls::ServerName::try_from("localhost").unwrap();
|
|
|
|
let tcp_stream = tokio::net::TcpStream::connect("localhost:4504")
|
|
.await
|
|
.unwrap();
|
|
let mut tls_stream =
|
|
TlsStream::new_client_side(tcp_stream, cfg, hostname);
|
|
|
|
tls_stream.handshake().await.unwrap();
|
|
|
|
let (_, rustls_connection) = tls_stream.get_ref();
|
|
let alpn = rustls_connection.alpn_protocol().unwrap();
|
|
assert_eq!(alpn, b"foobar");
|
|
|
|
let status = child.wait().unwrap();
|
|
assert!(status.success());
|
|
})
|
|
.await;
|
|
}
|
|
|
|
#[tokio::test]
|
|
async fn listen_tls_alpn_fail() {
|
|
// TLS streams require the presence of an ambient local task set to gracefully
|
|
// close dropped connections in the background.
|
|
LocalSet::new()
|
|
.run_until(async {
|
|
let mut child = util::deno_cmd()
|
|
.current_dir(util::testdata_path())
|
|
.arg("run")
|
|
.arg("--unstable")
|
|
.arg("--quiet")
|
|
.arg("--allow-net")
|
|
.arg("--allow-read")
|
|
.arg("./cert/listen_tls_alpn_fail.ts")
|
|
.arg("4505")
|
|
.stdout(std::process::Stdio::piped())
|
|
.spawn()
|
|
.unwrap();
|
|
let stdout = child.stdout.as_mut().unwrap();
|
|
let mut msg = [0; 5];
|
|
let read = stdout.read(&mut msg).unwrap();
|
|
assert_eq!(read, 5);
|
|
assert_eq!(&msg, b"READY");
|
|
|
|
let mut reader = &mut BufReader::new(Cursor::new(include_bytes!(
|
|
"../testdata/tls/RootCA.crt"
|
|
)));
|
|
let certs = rustls_pemfile::certs(&mut reader).unwrap();
|
|
let mut root_store = rustls::RootCertStore::empty();
|
|
root_store.add_parsable_certificates(&certs);
|
|
let mut cfg = rustls::ClientConfig::builder()
|
|
.with_safe_defaults()
|
|
.with_root_certificates(root_store)
|
|
.with_no_client_auth();
|
|
cfg.alpn_protocols.push(b"boofar".to_vec());
|
|
let cfg = Arc::new(cfg);
|
|
|
|
let hostname = rustls::ServerName::try_from("localhost").unwrap();
|
|
|
|
let tcp_stream = tokio::net::TcpStream::connect("localhost:4505")
|
|
.await
|
|
.unwrap();
|
|
let mut tls_stream =
|
|
TlsStream::new_client_side(tcp_stream, cfg, hostname);
|
|
|
|
tls_stream.handshake().await.unwrap_err();
|
|
|
|
let (_, rustls_connection) = tls_stream.get_ref();
|
|
assert!(rustls_connection.alpn_protocol().is_none());
|
|
|
|
let status = child.wait().unwrap();
|
|
assert!(status.success());
|
|
})
|
|
.await;
|
|
}
|