From b94707af7df757db13f24b7b70dbd7956d1e1e1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Wed, 19 Jun 2024 15:09:17 +0100 Subject: [PATCH] Revert "chore: upgrade to reqwest 0.12.4 and rustls 0.22 (#24056)" (#24262) This reverts commit fb31eaa9ca59f6daaee0210d5cd206185c7041b9. Reverting because users reported spurious errors when downloading dependencies - https://github.com/denoland/deno/issues/24260. Closes https://github.com/denoland/deno/issues/24260 --- Cargo.lock | 167 ++++++-------- Cargo.toml | 23 +- cli/args/mod.rs | 18 +- cli/http_util.rs | 2 +- ext/fetch/Cargo.toml | 2 +- ext/fetch/fs_fetch_handler.rs | 2 +- ext/fetch/lib.rs | 13 +- ext/kv/Cargo.toml | 2 - ext/kv/remote.rs | 44 +--- ext/net/ops_tls.rs | 28 +-- ext/node/Cargo.toml | 4 +- ext/node/ops/http2.rs | 14 +- ext/tls/Cargo.toml | 4 +- ext/tls/lib.rs | 211 ++++++++---------- ext/tls/testdata/README | 4 - ext/tls/testdata/example1_cert.der | Bin 929 -> 0 bytes ext/tls/testdata/example1_prikey.der | Bin 1190 -> 0 bytes ext/tls/testdata/example2_cert.der | Bin 929 -> 0 bytes ext/tls/testdata/example2_prikey.der | Bin 1191 -> 0 bytes ext/tls/tls_key.rs | 46 ++-- ext/websocket/lib.rs | 11 +- tests/integration/run_tests.rs | 19 +- tests/node_compat/config.jsonc | 6 + tests/node_compat/runner/TODO.md | 6 - ...p-url.parse-auth-with-header-in-request.js | 59 +++++ .../test/parallel/test-http-url.parse-auth.js | 55 +++++ .../parallel/test-http-url.parse-basic.js | 65 ++++++ .../test/parallel/test-http-url.parse-path.js | 53 +++++ .../test/parallel/test-http-url.parse-post.js | 61 +++++ .../parallel/test-http-url.parse-search.js | 54 +++++ .../localhost_unsafe_ssl.ts.out | 2 +- tests/unit/fetch_test.ts | 8 +- tests/unit/http_test.ts | 4 +- tests/unit/serve_test.ts | 12 +- tests/util/server/src/https.rs | 53 +++-- 35 files changed, 656 insertions(+), 396 deletions(-) delete mode 100644 ext/tls/testdata/README delete mode 100644 ext/tls/testdata/example1_cert.der delete mode 100644 ext/tls/testdata/example1_prikey.der delete mode 100644 ext/tls/testdata/example2_cert.der delete mode 100644 ext/tls/testdata/example2_prikey.der create mode 100644 tests/node_compat/test/parallel/test-http-url.parse-auth-with-header-in-request.js create mode 100644 tests/node_compat/test/parallel/test-http-url.parse-auth.js create mode 100644 tests/node_compat/test/parallel/test-http-url.parse-basic.js create mode 100644 tests/node_compat/test/parallel/test-http-url.parse-path.js create mode 100644 tests/node_compat/test/parallel/test-http-url.parse-post.js create mode 100644 tests/node_compat/test/parallel/test-http-url.parse-search.js diff --git a/Cargo.lock b/Cargo.lock index 91f05a2d62..9c15f41ab2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -705,7 +705,7 @@ dependencies = [ "flaky_test", "http 1.1.0", "http-body-util", - "hyper 1.3.1", + "hyper 1.1.0", "hyper-util", "nix 0.26.2", "once_cell", @@ -1434,7 +1434,7 @@ dependencies = [ "deno_permissions", "deno_tls", "dyn-clone", - "http 1.1.0", + "http 0.2.12", "reqwest", "serde", "serde_json", @@ -1527,7 +1527,7 @@ dependencies = [ "http-body-util", "httparse", "hyper 0.14.28", - "hyper 1.3.1", + "hyper 1.1.0", "hyper-util", "itertools", "memmem", @@ -1570,7 +1570,6 @@ dependencies = [ "anyhow", "async-trait", "base64 0.21.7", - "bytes", "chrono", "deno_core", "deno_fetch", @@ -1581,7 +1580,6 @@ dependencies = [ "denokv_remote", "denokv_sqlite", "faster-hex", - "http 1.1.0", "log", "num-bigint", "prost", @@ -1642,9 +1640,9 @@ dependencies = [ [[package]] name = "deno_native_certs" -version = "0.3.0" +version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c867603d2a5dfea31f55cecebb572554caa395437786d058faa9a2814c8d6eb9" +checksum = "f4785d0bdc13819b665b71e4fb7e119d859568471e4c245ec5610857e70c9345" dependencies = [ "dlopen2", "dlopen2_derive", @@ -1694,10 +1692,10 @@ dependencies = [ "elliptic-curve", "errno 0.2.8", "faster-hex", - "h2 0.4.4", + "h2 0.3.26", "hkdf", "home", - "http 1.1.0", + "http 0.2.12", "idna 0.3.0", "indexmap", "ipnetwork", @@ -1826,7 +1824,7 @@ dependencies = [ "http 1.1.0", "http-body-util", "hyper 0.14.28", - "hyper 1.3.1", + "hyper 1.1.0", "hyper-util", "libc", "log", @@ -1980,7 +1978,7 @@ dependencies = [ "h2 0.4.4", "http 1.1.0", "http-body-util", - "hyper 1.3.1", + "hyper 1.1.0", "hyper-util", "once_cell", "rustls-tokio-stream", @@ -2009,9 +2007,9 @@ dependencies = [ [[package]] name = "denokv_proto" -version = "0.8.1" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "114538d2cacd2b219f05faa753d80950f95416e47c77904c7452d5f41e157059" +checksum = "bd644ad038e7b6e8453463e96c278ba378e8bdc9f557959d511ac830ea0ec969" dependencies = [ "anyhow", "async-trait", @@ -2019,15 +2017,16 @@ dependencies = [ "futures", "num-bigint", "prost", + "prost-build", "serde", "uuid", ] [[package]] name = "denokv_remote" -version = "0.8.1" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d57717b5123e8d1ec5f52973a67f98e3621274d362d18b245038967b402082df" +checksum = "23cfa4786f9c609711aab89ce173232ceda0617167881e58fd5e0b78868a6932" dependencies = [ "anyhow", "async-stream", @@ -2036,10 +2035,10 @@ dependencies = [ "chrono", "denokv_proto", "futures", - "http 1.1.0", "log", "prost", "rand", + "reqwest", "serde", "serde_json", "tokio", @@ -2050,9 +2049,9 @@ dependencies = [ [[package]] name = "denokv_sqlite" -version = "0.8.1" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "188b792af19082cbfc7b666e71979775300482877d8b80601f4a5a86a80098a3" +checksum = "f36c1c54cda2de93d0f4ded0392d0b6917bcd9b1d13c056dd7c309668aa43e17" dependencies = [ "anyhow", "async-stream", @@ -2621,7 +2620,7 @@ checksum = "f63dd7b57f9b33b1741fa631c9522eb35d43e96dcca4a6a91d5e4ca7c93acdc1" dependencies = [ "base64 0.21.7", "http-body-util", - "hyper 1.3.1", + "hyper 1.1.0", "hyper-util", "pin-project", "rand", @@ -3371,9 +3370,9 @@ dependencies = [ [[package]] name = "hyper" -version = "1.3.1" +version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fe575dd17d0862a9a33781c8c4696a55c320909004a67a00fb286ba8b1bc496d" +checksum = "fb5aa53871fc917b1a9ed87b683a5d86db645e23acb32c2e0785a353e522fb75" dependencies = [ "bytes", "futures-channel", @@ -3385,45 +3384,39 @@ dependencies = [ "httpdate", "itoa", "pin-project-lite", - "smallvec", "tokio", "want", ] [[package]] name = "hyper-rustls" -version = "0.26.0" +version = "0.24.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a0bea761b46ae2b24eb4aef630d8d1c398157b6fc29e6350ecf090a0b70c952c" +checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590" dependencies = [ "futures-util", - "http 1.1.0", - "hyper 1.3.1", - "hyper-util", + "http 0.2.12", + "hyper 0.14.28", "rustls", - "rustls-pki-types", "tokio", "tokio-rustls", - "tower-service", ] [[package]] name = "hyper-util" -version = "0.1.5" +version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b875924a60b96e5d7b9ae7b066540b1dd1cbd90d1828f54c92e02a283351c56" +checksum = "bdea9aac0dbe5a9240d68cfd9501e2db94222c6dc06843e06640b9e07f0fdc67" dependencies = [ "bytes", "futures-channel", "futures-util", "http 1.1.0", "http-body 1.0.0", - "hyper 1.3.1", + "hyper 1.1.0", "pin-project-lite", "socket2", "tokio", - "tower", - "tower-service", "tracing", ] @@ -3562,7 +3555,7 @@ dependencies = [ "socket2", "widestring", "windows-sys 0.48.0", - "winreg 0.50.0", + "winreg", ] [[package]] @@ -5247,22 +5240,21 @@ checksum = "e898588f33fdd5b9420719948f9f2a32c922a246964576f71ba7f24f80610fbc" [[package]] name = "reqwest" -version = "0.12.4" +version = "0.11.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "566cafdd92868e0939d3fb961bd0dc25fcfaaed179291093b3d43e6b3150ea10" +checksum = "3e9ad3fe7488d7e34558a2033d45a0c90b72d97b4f80705666fea71472e2e6a1" dependencies = [ "async-compression", - "base64 0.22.1", + "base64 0.21.7", "bytes", + "encoding_rs", "futures-core", "futures-util", - "h2 0.4.4", - "http 1.1.0", - "http-body 1.0.0", - "http-body-util", - "hyper 1.3.1", + "h2 0.3.26", + "http 0.2.12", + "http-body 0.4.6", + "hyper 0.14.28", "hyper-rustls", - "hyper-util", "ipnet", "js-sys", "log", @@ -5272,11 +5264,9 @@ dependencies = [ "pin-project-lite", "rustls", "rustls-pemfile", - "rustls-pki-types", "serde", "serde_json", "serde_urlencoded", - "sync_wrapper", "tokio", "tokio-rustls", "tokio-socks", @@ -5288,7 +5278,7 @@ dependencies = [ "wasm-streams", "web-sys", "webpki-roots", - "winreg 0.52.0", + "winreg", ] [[package]] @@ -5458,52 +5448,42 @@ dependencies = [ [[package]] name = "rustls" -version = "0.22.4" +version = "0.21.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf4ef73721ac7bcd79b2b315da7779d8fc09718c6b3d2d1b2d94850eb8c18432" +checksum = "7fecbfb7b1444f477b345853b1fce097a2c6fb637b2bfb87e6bc5db0f043fae4" dependencies = [ "log", "ring", - "rustls-pki-types", "rustls-webpki", - "subtle", - "zeroize", + "sct", ] [[package]] name = "rustls-native-certs" -version = "0.7.0" +version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f1fb85efa936c42c6d5fc28d2629bb51e4b2f4b8a5211e297d599cc5a093792" +checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" dependencies = [ "openssl-probe", "rustls-pemfile", - "rustls-pki-types", "schannel", "security-framework", ] [[package]] name = "rustls-pemfile" -version = "2.1.2" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "29993a25686778eb88d4189742cd713c9bce943bc54251a33509dc63cbacf73d" +checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" dependencies = [ - "base64 0.22.1", - "rustls-pki-types", + "base64 0.21.7", ] -[[package]] -name = "rustls-pki-types" -version = "1.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d" - [[package]] name = "rustls-tokio-stream" -version = "0.2.23" +version = "0.2.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c478c030dfd68498e6c59168d9eec4f8bead33152a5f3095ad4bdbdcea09d466" +checksum = "fd707225bb670bcd2876886bb571753d1ce03a9cedfa2e629a79984ca9a93cfb" dependencies = [ "futures", "rustls", @@ -5513,12 +5493,11 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.102.4" +version = "0.101.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ff448f7e92e913c4b7d4c6d8e4540a1724b319b4152b8aef6d4cf8339712b33e" +checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" dependencies = [ "ring", - "rustls-pki-types", "untrusted", ] @@ -5634,6 +5613,16 @@ dependencies = [ "sha2", ] +[[package]] +name = "sct" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "sec1" version = "0.7.3" @@ -6577,12 +6566,6 @@ dependencies = [ "unicode-ident", ] -[[package]] -name = "sync_wrapper" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160" - [[package]] name = "synstructure" version = "0.12.6" @@ -6699,7 +6682,7 @@ dependencies = [ "h2 0.4.4", "http 1.1.0", "http-body-util", - "hyper 1.3.1", + "hyper 1.1.0", "hyper-util", "jsonc-parser", "lazy-regex", @@ -6865,12 +6848,11 @@ dependencies = [ [[package]] name = "tokio-rustls" -version = "0.25.0" +version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f" +checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ "rustls", - "rustls-pki-types", "tokio", ] @@ -6907,10 +6889,7 @@ dependencies = [ "futures-core", "futures-io", "futures-sink", - "futures-util", - "hashbrown", "pin-project-lite", - "slab", "tokio", "tracing", ] @@ -6968,7 +6947,6 @@ dependencies = [ "futures-util", "pin-project", "pin-project-lite", - "tokio", "tower-layer", "tower-service", ] @@ -7542,9 +7520,9 @@ checksum = "af190c94f2773fdb3729c55b007a722abb5384da03bc0986df4c289bf5567e96" [[package]] name = "wasm-streams" -version = "0.4.0" +version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b65dc4c90b63b118468cf747d8bf3566c1913ef60be765b5730ead9e0a3ba129" +checksum = "b4609d447824375f43e1ffbc051b50ad8f4b3ae8219680c94452ea05eb240ac7" dependencies = [ "futures-util", "js-sys", @@ -7565,12 +7543,9 @@ dependencies = [ [[package]] name = "webpki-roots" -version = "0.26.1" +version = "0.25.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b3de34ae270483955a94f4b21bdaaeb83d508bb84a01435f393818edb0012009" -dependencies = [ - "rustls-pki-types", -] +checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1" [[package]] name = "wgpu-core" @@ -7907,16 +7882,6 @@ dependencies = [ "windows-sys 0.48.0", ] -[[package]] -name = "winreg" -version = "0.52.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a277a57398d4bfa075df44f501a17cfdf8542d224f0d36095a2adc7aee4ef0a5" -dependencies = [ - "cfg-if", - "windows-sys 0.48.0", -] - [[package]] name = "winres" version = "0.1.12" diff --git a/Cargo.toml b/Cargo.toml index bb48334dab..21976c7247 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -55,10 +55,10 @@ deno_terminal = "0.1.1" napi_sym = { version = "0.87.0", path = "./cli/napi/sym" } test_util = { package = "test_server", path = "./tests/util/server" } -denokv_proto = "0.8.1" -denokv_remote = "0.8.1" +denokv_proto = "0.7.0" +denokv_remote = "0.7.0" # denokv_sqlite brings in bundled sqlite if we don't disable the default features -denokv_sqlite = { default-features = false, version = "0.8.1" } +denokv_sqlite = { default-features = false, version = "0.7.0" } # exts deno_broadcast_channel = { version = "0.151.0", path = "./ext/broadcast_channel" } @@ -117,8 +117,8 @@ http = "1.0" http-body-util = "0.1" http_v02 = { package = "http", version = "0.2.9" } httparse = "1.8.0" -hyper = { version = "=1.3.1", features = ["full"] } -hyper-util = { version = "=0.1.5", features = ["tokio", "server", "server-auto"] } +hyper = { version = "=1.1.0", features = ["full"] } +hyper-util = { version = "=0.1.2", features = ["tokio", "server", "server-auto"] } hyper_v014 = { package = "hyper", version = "0.14.26", features = ["runtime", "http1"] } indexmap = { version = "2", features = ["serde"] } jsonc-parser = { version = "=0.23.0", features = ["serde"] } @@ -145,13 +145,14 @@ prost = "0.11" prost-build = "0.11" rand = "=0.8.5" regex = "^1.7.0" -reqwest = { version = "=0.12.4", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli", "socks", "json", "http2"] } # pinned because of https://github.com/seanmonstar/reqwest/pull/1955 +reqwest = { version = "=0.11.20", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli", "socks", "json"] } # pinned because of https://github.com/seanmonstar/reqwest/pull/1955 ring = "^0.17.0" rusqlite = { version = "=0.29.0", features = ["unlock_notify", "bundled"] } -rustls = "0.22.4" -rustls-pemfile = "2" -rustls-tokio-stream = "=0.2.23" -rustls-webpki = "0.102" +# pinned because it was causing issues on cargo publish +rustls = "=0.21.11" +rustls-pemfile = "1.0.0" +rustls-tokio-stream = "=0.2.24" +rustls-webpki = "0.101.4" rustyline = "=13.0.0" saffron = "=0.1.0" scopeguard = "1.2.0" @@ -177,7 +178,7 @@ twox-hash = "=1.6.3" # Upgrading past 2.4.1 may cause WPT failures url = { version = "< 2.5.0", features = ["serde", "expose_internals"] } uuid = { version = "1.3.0", features = ["v4"] } -webpki-roots = "0.26" +webpki-roots = "0.25.2" zeromq = { version = "=0.3.4", default-features = false, features = ["tcp-transport", "tokio-runtime"] } zstd = "=0.12.4" diff --git a/cli/args/mod.rs b/cli/args/mod.rs index c0172e80b2..7422498355 100644 --- a/cli/args/mod.rs +++ b/cli/args/mod.rs @@ -696,13 +696,21 @@ pub fn get_root_cert_store( for store in ca_stores.iter() { match store.as_str() { "mozilla" => { - root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.to_vec()); + root_cert_store.add_trust_anchors( + webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| { + rustls::OwnedTrustAnchor::from_subject_spki_name_constraints( + ta.subject, + ta.spki, + ta.name_constraints, + ) + }), + ); } "system" => { let roots = load_native_certs().expect("could not load platform certs"); for root in roots { root_cert_store - .add(rustls::pki_types::CertificateDer::from(root.0)) + .add(&rustls::Certificate(root.0)) .expect("Failed to add platform cert to root cert store"); } } @@ -726,17 +734,17 @@ pub fn get_root_cert_store( RootCertStoreLoadError::CaFileOpenError(err.to_string()) })?; let mut reader = BufReader::new(certfile); - rustls_pemfile::certs(&mut reader).collect::, _>>() + rustls_pemfile::certs(&mut reader) } CaData::Bytes(data) => { let mut reader = BufReader::new(Cursor::new(data)); - rustls_pemfile::certs(&mut reader).collect::, _>>() + rustls_pemfile::certs(&mut reader) } }; match result { Ok(certs) => { - root_cert_store.add_parsable_certificates(certs); + root_cert_store.add_parsable_certificates(&certs); } Err(e) => { return Err(RootCertStoreLoadError::FailedAddPemFile(e.to_string())); diff --git a/cli/http_util.rs b/cli/http_util.rs index 18c0687bdb..7fcce616b4 100644 --- a/cli/http_util.rs +++ b/cli/http_util.rs @@ -587,7 +587,7 @@ mod test { use std::collections::HashSet; use std::hash::RandomState; - use deno_runtime::deno_tls::rustls::RootCertStore; + use deno_runtime::deno_tls::RootCertStore; use crate::version; diff --git a/ext/fetch/Cargo.toml b/ext/fetch/Cargo.toml index 0fb9e0ed6d..8d8c2205e6 100644 --- a/ext/fetch/Cargo.toml +++ b/ext/fetch/Cargo.toml @@ -20,7 +20,7 @@ deno_core.workspace = true deno_permissions.workspace = true deno_tls.workspace = true dyn-clone = "1" -http.workspace = true +http_v02.workspace = true reqwest.workspace = true serde.workspace = true serde_json.workspace = true diff --git a/ext/fetch/fs_fetch_handler.rs b/ext/fetch/fs_fetch_handler.rs index 29bad5992b..8f83cef882 100644 --- a/ext/fetch/fs_fetch_handler.rs +++ b/ext/fetch/fs_fetch_handler.rs @@ -31,7 +31,7 @@ impl FetchHandler for FsFetchHandler { let file = tokio::fs::File::open(path).map_err(|_| ()).await?; let stream = ReaderStream::new(file); let body = reqwest::Body::wrap_stream(stream); - let response = http::Response::builder() + let response = http_v02::Response::builder() .status(StatusCode::OK) .body(body) .map_err(|_| ())? diff --git a/ext/fetch/lib.rs b/ext/fetch/lib.rs index 75ceb86d99..066f1685b0 100644 --- a/ext/fetch/lib.rs +++ b/ext/fetch/lib.rs @@ -47,8 +47,8 @@ use data_url::DataUrl; use deno_tls::TlsKey; use deno_tls::TlsKeys; use deno_tls::TlsKeysHolder; -use http::header::CONTENT_LENGTH; -use http::Uri; +use http_v02::header::CONTENT_LENGTH; +use http_v02::Uri; use reqwest::header::HeaderMap; use reqwest::header::HeaderName; use reqwest::header::HeaderValue; @@ -449,9 +449,12 @@ where .decode_to_vec() .map_err(|e| type_error(format!("{e:?}")))?; - let response = http::Response::builder() - .status(http::StatusCode::OK) - .header(http::header::CONTENT_TYPE, data_url.mime_type().to_string()) + let response = http_v02::Response::builder() + .status(http_v02::StatusCode::OK) + .header( + http_v02::header::CONTENT_TYPE, + data_url.mime_type().to_string(), + ) .body(reqwest::Body::from(body))?; let fut = async move { Ok(Ok(Response::from(response))) }; diff --git a/ext/kv/Cargo.toml b/ext/kv/Cargo.toml index 503900b2c4..47659f6e13 100644 --- a/ext/kv/Cargo.toml +++ b/ext/kv/Cargo.toml @@ -17,7 +17,6 @@ path = "lib.rs" anyhow.workspace = true async-trait.workspace = true base64.workspace = true -bytes.workspace = true chrono = { workspace = true, features = ["now"] } deno_core.workspace = true deno_fetch.workspace = true @@ -28,7 +27,6 @@ denokv_proto.workspace = true denokv_remote.workspace = true denokv_sqlite.workspace = true faster-hex.workspace = true -http.workspace = true log.workspace = true num-bigint.workspace = true prost.workspace = true diff --git a/ext/kv/remote.rs b/ext/kv/remote.rs index 7541b5a06a..a1273e78b8 100644 --- a/ext/kv/remote.rs +++ b/ext/kv/remote.rs @@ -8,14 +8,10 @@ use std::sync::Arc; use crate::DatabaseHandler; use anyhow::Context; use async_trait::async_trait; -use bytes::Bytes; use deno_core::error::type_error; use deno_core::error::AnyError; -use deno_core::futures::Stream; -use deno_core::futures::TryStreamExt as _; use deno_core::OpState; use deno_fetch::create_http_client; -use deno_fetch::reqwest; use deno_fetch::CreateHttpClientOptions; use deno_tls::rustls::RootCertStore; use deno_tls::Proxy; @@ -23,8 +19,6 @@ use deno_tls::RootCertStoreProvider; use deno_tls::TlsKeys; use denokv_remote::MetadataEndpoint; use denokv_remote::Remote; -use denokv_remote::RemoteResponse; -use denokv_remote::RemoteTransport; use url::Url; #[derive(Clone)] @@ -108,44 +102,11 @@ impl denokv_remote::RemotePermissions } } -#[derive(Clone)] -pub struct ReqwestClient(reqwest::Client); -pub struct ReqwestResponse(reqwest::Response); - -impl RemoteTransport for ReqwestClient { - type Response = ReqwestResponse; - async fn post( - &self, - url: Url, - headers: http::HeaderMap, - body: Bytes, - ) -> Result<(Url, http::StatusCode, Self::Response), anyhow::Error> { - let res = self.0.post(url).headers(headers).body(body).send().await?; - let url = res.url().clone(); - let status = res.status(); - Ok((url, status, ReqwestResponse(res))) - } -} - -impl RemoteResponse for ReqwestResponse { - async fn bytes(self) -> Result { - Ok(self.0.bytes().await?) - } - fn stream( - self, - ) -> impl Stream> + Send + Sync { - self.0.bytes_stream().map_err(|e| e.into()) - } - async fn text(self) -> Result { - Ok(self.0.text().await?) - } -} - #[async_trait(?Send)] impl DatabaseHandler for RemoteDbHandler

{ - type DB = Remote, ReqwestClient>; + type DB = Remote>; async fn open( &self, @@ -201,14 +162,13 @@ impl DatabaseHandler http2: true, }, )?; - let reqwest_client = ReqwestClient(client); let permissions = PermissionChecker { state: state.clone(), _permissions: PhantomData, }; - let remote = Remote::new(reqwest_client, permissions, metadata_endpoint); + let remote = Remote::new(client, permissions, metadata_endpoint); Ok(remote) } diff --git a/ext/net/ops_tls.rs b/ext/net/ops_tls.rs index ccea8eb758..c529859087 100644 --- a/ext/net/ops_tls.rs +++ b/ext/net/ops_tls.rs @@ -31,11 +31,11 @@ use deno_tls::create_client_config; use deno_tls::load_certs; use deno_tls::load_private_keys; use deno_tls::new_resolver; -use deno_tls::rustls::pki_types::ServerName; +use deno_tls::rustls::Certificate; use deno_tls::rustls::ClientConnection; +use deno_tls::rustls::PrivateKey; use deno_tls::rustls::ServerConfig; -use deno_tls::webpki::types::CertificateDer; -use deno_tls::webpki::types::PrivateKeyDer; +use deno_tls::rustls::ServerName; use deno_tls::ServerConfigProvider; use deno_tls::SocketUse; use deno_tls::TlsKey; @@ -48,6 +48,7 @@ use serde::Deserialize; use std::borrow::Cow; use std::cell::RefCell; use std::convert::From; +use std::convert::TryFrom; use std::fs::File; use std::io::BufReader; use std::io::ErrorKind; @@ -303,14 +304,14 @@ where { let rid = args.rid; let hostname = match &*args.hostname { - "" => "localhost".to_string(), - n => n.to_string(), + "" => "localhost", + n => n, }; { let mut s = state.borrow_mut(); let permissions = s.borrow_mut::(); - permissions.check_net(&(&hostname, Some(0)), "Deno.startTls()")?; + permissions.check_net(&(hostname, Some(0)), "Deno.startTls()")?; } let ca_certs = args @@ -319,8 +320,8 @@ where .map(|s| s.into_bytes()) .collect::>(); - let hostname_dns = ServerName::try_from(hostname.to_string()) - .map_err(|_| invalid_hostname(&hostname))?; + let hostname_dns = + ServerName::try_from(hostname).map_err(|_| invalid_hostname(hostname))?; let unsafely_ignore_certificate_errors = state .borrow() @@ -421,9 +422,9 @@ where .borrow::() .root_cert_store()?; let hostname_dns = if let Some(server_name) = args.server_name { - ServerName::try_from(server_name) + ServerName::try_from(server_name.as_str()) } else { - ServerName::try_from(addr.hostname.clone()) + ServerName::try_from(&*addr.hostname) } .map_err(|_| invalid_hostname(&addr.hostname))?; let connect_addr = resolve_addr(&addr.hostname, addr.port) @@ -465,9 +466,7 @@ where Ok((rid, IpAddr::from(local_addr), IpAddr::from(remote_addr))) } -fn load_certs_from_file( - path: &str, -) -> Result>, AnyError> { +fn load_certs_from_file(path: &str) -> Result, AnyError> { let cert_file = File::open(path)?; let reader = &mut BufReader::new(cert_file); load_certs(reader) @@ -475,7 +474,7 @@ fn load_certs_from_file( fn load_private_keys_from_file( path: &str, -) -> Result>, AnyError> { +) -> Result, AnyError> { let key_bytes = std::fs::read(path)?; load_private_keys(&key_bytes) } @@ -524,6 +523,7 @@ where TlsKeys::Null => Err(anyhow!("Deno.listenTls requires a key")), TlsKeys::Static(TlsKey(cert, key)) => { let mut tls_config = ServerConfig::builder() + .with_safe_defaults() .with_no_client_auth() .with_single_cert(cert, key) .map_err(|e| anyhow!(e))?; diff --git a/ext/node/Cargo.toml b/ext/node/Cargo.toml index 906fe08b32..475ca21139 100644 --- a/ext/node/Cargo.toml +++ b/ext/node/Cargo.toml @@ -35,10 +35,10 @@ ecb.workspace = true elliptic-curve.workspace = true errno = "0.2.8" faster-hex.workspace = true -h2.workspace = true +h2 = { version = "0.3.26", features = ["unstable"] } hkdf.workspace = true home = "0.5.9" -http.workspace = true +http_v02.workspace = true idna = "0.3.0" indexmap.workspace = true ipnetwork = "0.20.0" diff --git a/ext/node/ops/http2.rs b/ext/node/ops/http2.rs index d12e108e66..abf7eae5d8 100644 --- a/ext/node/ops/http2.rs +++ b/ext/node/ops/http2.rs @@ -26,11 +26,11 @@ use deno_net::raw::NetworkStream; use h2; use h2::Reason; use h2::RecvStream; -use http; -use http::request::Parts; -use http::HeaderMap; -use http::Response; -use http::StatusCode; +use http_v02; +use http_v02::request::Parts; +use http_v02::HeaderMap; +use http_v02::Response; +use http_v02::StatusCode; use reqwest::header::HeaderName; use reqwest::header::HeaderValue; use url::Url; @@ -311,7 +311,7 @@ pub async fn op_http2_client_request( let url = url.join(&pseudo_path)?; - let mut req = http::Request::builder() + let mut req = http_v02::Request::builder() .uri(url.as_str()) .method(pseudo_method.as_str()); @@ -383,7 +383,7 @@ pub async fn op_http2_client_send_trailers( .get::(stream_rid)?; let mut stream = RcRef::map(&resource, |r| &r.stream).borrow_mut().await; - let mut trailers_map = http::HeaderMap::new(); + let mut trailers_map = http_v02::HeaderMap::new(); for (name, value) in trailers { trailers_map.insert( HeaderName::from_bytes(&name).unwrap(), diff --git a/ext/tls/Cargo.toml b/ext/tls/Cargo.toml index e9f4328482..65c407d1c7 100644 --- a/ext/tls/Cargo.toml +++ b/ext/tls/Cargo.toml @@ -15,8 +15,8 @@ path = "lib.rs" [dependencies] deno_core.workspace = true -deno_native_certs = "0.3.0" -rustls.workspace = true +deno_native_certs = "0.2.0" +rustls = { workspace = true, features = ["dangerous_configuration"] } rustls-pemfile.workspace = true rustls-tokio-stream.workspace = true rustls-webpki.workspace = true diff --git a/ext/tls/lib.rs b/ext/tls/lib.rs index c4d548ccf2..5122264bf1 100644 --- a/ext/tls/lib.rs +++ b/ext/tls/lib.rs @@ -1,9 +1,7 @@ // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license. + pub use deno_native_certs; pub use rustls; -use rustls::pki_types::CertificateDer; -use rustls::pki_types::PrivateKeyDer; -use rustls::pki_types::ServerName; pub use rustls_pemfile; pub use rustls_tokio_stream::*; pub use webpki; @@ -13,14 +11,14 @@ use deno_core::anyhow::anyhow; use deno_core::error::custom_error; use deno_core::error::AnyError; -use rustls::client::danger::HandshakeSignatureValid; -use rustls::client::danger::ServerCertVerified; -use rustls::client::danger::ServerCertVerifier; -use rustls::client::WebPkiServerVerifier; +use rustls::client::HandshakeSignatureValid; +use rustls::client::ServerCertVerified; +use rustls::client::ServerCertVerifier; +use rustls::client::WebPkiVerifier; use rustls::ClientConfig; use rustls::DigitallySignedStruct; use rustls::Error; -use rustls::RootCertStore; +use rustls::ServerName; use rustls_pemfile::certs; use rustls_pemfile::ec_private_keys; use rustls_pemfile::pkcs8_private_keys; @@ -29,12 +27,16 @@ use serde::Deserialize; use std::io::BufRead; use std::io::BufReader; use std::io::Cursor; -use std::net::IpAddr; use std::sync::Arc; +use std::time::SystemTime; mod tls_key; pub use tls_key::*; +pub type Certificate = rustls::Certificate; +pub type PrivateKey = rustls::PrivateKey; +pub type RootCertStore = rustls::RootCertStore; + /// Lazily resolves the root cert store. /// /// This was done because the root cert store is not needed in all cases @@ -46,59 +48,56 @@ pub trait RootCertStoreProvider: Send + Sync { // This extension has no runtime apis, it only exports some shared native functions. deno_core::extension!(deno_tls); -#[derive(Debug)] -pub struct NoCertificateVerification { - pub ic_allowlist: Vec, - default_verifier: Arc, -} - -impl NoCertificateVerification { - pub fn new(ic_allowlist: Vec) -> Self { - Self { - ic_allowlist, - default_verifier: WebPkiServerVerifier::builder( - create_default_root_cert_store().into(), - ) - .build() - .unwrap(), - } - } -} - -impl ServerCertVerifier for NoCertificateVerification { - fn supported_verify_schemes(&self) -> Vec { - self.default_verifier.supported_verify_schemes() - } +struct DefaultSignatureVerification; +impl ServerCertVerifier for DefaultSignatureVerification { fn verify_server_cert( &self, - end_entity: &rustls::pki_types::CertificateDer<'_>, - intermediates: &[rustls::pki_types::CertificateDer<'_>], - server_name: &rustls::pki_types::ServerName<'_>, - ocsp_response: &[u8], - now: rustls::pki_types::UnixTime, + _end_entity: &Certificate, + _intermediates: &[Certificate], + _server_name: &ServerName, + _scts: &mut dyn Iterator, + _ocsp_response: &[u8], + _now: SystemTime, ) -> Result { - if self.ic_allowlist.is_empty() { + Err(Error::General("Should not be used".to_string())) + } +} + +pub struct NoCertificateVerification(pub Vec); + +impl ServerCertVerifier for NoCertificateVerification { + fn verify_server_cert( + &self, + end_entity: &Certificate, + intermediates: &[Certificate], + server_name: &ServerName, + scts: &mut dyn Iterator, + ocsp_response: &[u8], + now: SystemTime, + ) -> Result { + if self.0.is_empty() { return Ok(ServerCertVerified::assertion()); } let dns_name_or_ip_address = match server_name { ServerName::DnsName(dns_name) => dns_name.as_ref().to_owned(), - ServerName::IpAddress(ip_address) => { - Into::::into(*ip_address).to_string() - } + ServerName::IpAddress(ip_address) => ip_address.to_string(), _ => { // NOTE(bartlomieju): `ServerName` is a non-exhaustive enum // so we have this catch all errors here. return Err(Error::General("Unknown `ServerName` variant".to_string())); } }; - if self.ic_allowlist.contains(&dns_name_or_ip_address) { + if self.0.contains(&dns_name_or_ip_address) { Ok(ServerCertVerified::assertion()) } else { - self.default_verifier.verify_server_cert( + let root_store = create_default_root_cert_store(); + let verifier = WebPkiVerifier::new(root_store, None); + verifier.verify_server_cert( end_entity, intermediates, server_name, + scts, ocsp_response, now, ) @@ -108,32 +107,28 @@ impl ServerCertVerifier for NoCertificateVerification { fn verify_tls12_signature( &self, message: &[u8], - cert: &rustls::pki_types::CertificateDer, + cert: &rustls::Certificate, dss: &DigitallySignedStruct, ) -> Result { - if self.ic_allowlist.is_empty() { + if self.0.is_empty() { return Ok(HandshakeSignatureValid::assertion()); } filter_invalid_encoding_err( - self - .default_verifier - .verify_tls12_signature(message, cert, dss), + DefaultSignatureVerification.verify_tls12_signature(message, cert, dss), ) } fn verify_tls13_signature( &self, message: &[u8], - cert: &rustls::pki_types::CertificateDer, + cert: &rustls::Certificate, dss: &DigitallySignedStruct, ) -> Result { - if self.ic_allowlist.is_empty() { + if self.0.is_empty() { return Ok(HandshakeSignatureValid::assertion()); } filter_invalid_encoding_err( - self - .default_verifier - .verify_tls13_signature(message, cert, dss), + DefaultSignatureVerification.verify_tls13_signature(message, cert, dss), ) } } @@ -154,10 +149,17 @@ pub struct BasicAuth { } pub fn create_default_root_cert_store() -> RootCertStore { - let root_cert_store = rustls::RootCertStore { - roots: webpki_roots::TLS_SERVER_ROOTS.to_vec(), - }; - debug_assert!(!root_cert_store.is_empty()); + let mut root_cert_store = RootCertStore::empty(); + // TODO(@justinmchase): Consider also loading the system keychain here + root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map( + |ta| { + rustls::OwnedTrustAnchor::from_subject_spki_name_constraints( + ta.subject, + ta.spki, + ta.name_constraints, + ) + }, + )); root_cert_store } @@ -181,10 +183,10 @@ pub fn create_client_config( ) -> Result { if let Some(ic_allowlist) = unsafely_ignore_certificate_errors { let client_config = ClientConfig::builder() - .dangerous() - .with_custom_certificate_verifier(Arc::new( - NoCertificateVerification::new(ic_allowlist), - )); + .with_safe_defaults() + .with_custom_certificate_verifier(Arc::new(NoCertificateVerification( + ic_allowlist, + ))); // NOTE(bartlomieju): this if/else is duplicated at the end of the body of this function. // However it's not really feasible to deduplicate it as the `client_config` instances @@ -192,7 +194,7 @@ pub fn create_client_config( // or client cert". let mut client = match maybe_cert_chain_and_key { TlsKeys::Static(TlsKey(cert_chain, private_key)) => client_config - .with_client_auth_cert(cert_chain, private_key.clone_key()) + .with_client_auth_cert(cert_chain, private_key) .expect("invalid client key or certificate"), TlsKeys::Null => client_config.with_no_client_auth(), TlsKeys::Resolver(_) => unimplemented!(), @@ -202,33 +204,33 @@ pub fn create_client_config( return Ok(client); } - let mut root_cert_store = - root_cert_store.unwrap_or_else(create_default_root_cert_store); - // If custom certs are specified, add them to the store - for cert in ca_certs { - let reader = &mut BufReader::new(Cursor::new(cert)); - // This function does not return specific errors, if it fails give a generic message. - for r in rustls_pemfile::certs(reader) { - match r { - Ok(cert) => { - root_cert_store.add(cert)?; - } - Err(e) => { - return Err(anyhow!( - "Unable to add pem file to certificate store: {}", - e - )); + let client_config = ClientConfig::builder() + .with_safe_defaults() + .with_root_certificates({ + let mut root_cert_store = + root_cert_store.unwrap_or_else(create_default_root_cert_store); + // If custom certs are specified, add them to the store + for cert in ca_certs { + let reader = &mut BufReader::new(Cursor::new(cert)); + // This function does not return specific errors, if it fails give a generic message. + match rustls_pemfile::certs(reader) { + Ok(certs) => { + root_cert_store.add_parsable_certificates(&certs); + } + Err(e) => { + return Err(anyhow!( + "Unable to add pem file to certificate store: {}", + e + )); + } } } - } - } - - let client_config = - ClientConfig::builder().with_root_certificates(root_cert_store); + root_cert_store + }); let mut client = match maybe_cert_chain_and_key { TlsKeys::Static(TlsKey(cert_chain, private_key)) => client_config - .with_client_auth_cert(cert_chain, private_key.clone_key()) + .with_client_auth_cert(cert_chain, private_key) .expect("invalid client key or certificate"), TlsKeys::Null => client_config.with_no_client_auth(), TlsKeys::Resolver(_) => unimplemented!(), @@ -255,17 +257,15 @@ fn add_alpn(client: &mut ClientConfig, socket_use: SocketUse) { pub fn load_certs( reader: &mut dyn BufRead, -) -> Result>, AnyError> { - let certs: Result, _> = certs(reader).collect(); - - let certs = certs +) -> Result, AnyError> { + let certs = certs(reader) .map_err(|_| custom_error("InvalidData", "Unable to decode certificate"))?; if certs.is_empty() { return Err(cert_not_found_err()); } - Ok(certs) + Ok(certs.into_iter().map(rustls::Certificate).collect()) } fn key_decode_err() -> AnyError { @@ -281,32 +281,21 @@ fn cert_not_found_err() -> AnyError { } /// Starts with -----BEGIN RSA PRIVATE KEY----- -fn load_rsa_keys( - mut bytes: &[u8], -) -> Result>, AnyError> { - let keys: Result, _> = rsa_private_keys(&mut bytes).collect(); - let keys = keys.map_err(|_| key_decode_err())?; - Ok(keys.into_iter().map(PrivateKeyDer::Pkcs1).collect()) +fn load_rsa_keys(mut bytes: &[u8]) -> Result, AnyError> { + let keys = rsa_private_keys(&mut bytes).map_err(|_| key_decode_err())?; + Ok(keys.into_iter().map(rustls::PrivateKey).collect()) } /// Starts with -----BEGIN EC PRIVATE KEY----- -fn load_ec_keys( - mut bytes: &[u8], -) -> Result>, AnyError> { - let keys: Result, std::io::Error> = - ec_private_keys(&mut bytes).collect(); - let keys2 = keys.map_err(|_| key_decode_err())?; - Ok(keys2.into_iter().map(PrivateKeyDer::Sec1).collect()) +fn load_ec_keys(mut bytes: &[u8]) -> Result, AnyError> { + let keys = ec_private_keys(&mut bytes).map_err(|_| key_decode_err())?; + Ok(keys.into_iter().map(rustls::PrivateKey).collect()) } /// Starts with -----BEGIN PRIVATE KEY----- -fn load_pkcs8_keys( - mut bytes: &[u8], -) -> Result>, AnyError> { - let keys: Result, std::io::Error> = - pkcs8_private_keys(&mut bytes).collect(); - let keys2 = keys.map_err(|_| key_decode_err())?; - Ok(keys2.into_iter().map(PrivateKeyDer::Pkcs8).collect()) +fn load_pkcs8_keys(mut bytes: &[u8]) -> Result, AnyError> { + let keys = pkcs8_private_keys(&mut bytes).map_err(|_| key_decode_err())?; + Ok(keys.into_iter().map(rustls::PrivateKey).collect()) } fn filter_invalid_encoding_err( @@ -320,9 +309,7 @@ fn filter_invalid_encoding_err( } } -pub fn load_private_keys( - bytes: &[u8], -) -> Result>, AnyError> { +pub fn load_private_keys(bytes: &[u8]) -> Result, AnyError> { let mut keys = load_rsa_keys(bytes)?; if keys.is_empty() { diff --git a/ext/tls/testdata/README b/ext/tls/testdata/README deleted file mode 100644 index 12046561c2..0000000000 --- a/ext/tls/testdata/README +++ /dev/null @@ -1,4 +0,0 @@ - -openssl req -x509 -newkey rsa:2048 -nodes -keyout example2_prikey.pem -out example2_cert.der -subj "/C=US/ST=State/L=Locality/O=Organization/CN=example2.com" -outform der - -openssl pkey -in example2_prikey.pem -out example2_prikey.der -outform der diff --git a/ext/tls/testdata/example1_cert.der b/ext/tls/testdata/example1_cert.der deleted file mode 100644 index fb1b2e64b2510fb1028bd4ecaeaebb29e3ac0ad8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 929 zcmXqLVxDWz#MHWgnTe5!NyM|i;{MjIT`H#6f4+I0cUj@=*ZGePc-c6$+C196^D;7W zvoaXO8FCwNvN4CUun9AT1{?Aj@PIfRJgmVbi6yCqf(HB`K06PGPkwS@PG(7^p{Ri{ zNQjGv$G<2&F)yW~+7mQHj6);z;T>7M|l8TGp=*={+13PVMfbAS6Cr_K2e=#Q^ z?9u|SuC^(xdOsJL$vyO0VmE)2MceX;yO#c5oxnN2o2%wjN63Q>-H!aL9a%nm^$A9{ z-O$cW*WR{d!$kjdsTyGn=9U{Cn3t;k z`Pl9)rKfY;ZX|~UI34|OxIe;v{(++Z%#(J8_ts3>{%BuNbyMRd$9reuLjMB}r8qtT7=ZPt9YU-6>-!Epn~U-T!H) zFXbC_{`lg@k;t-83Nz98e}HD)el?bKUa>o9|7RPiU$_^`@?+H`zturj$ z?6T>2PJpE7Qbq{TGX$0wWMo9;JOBA9==c?Q}; z_79M*=7#kPUZM{7R+^=r*JrEccMsCjyEXq`pcRwY!TKb$8FObSo<3WR1%7io?$ycs zp-l|bcL`VMGfvr-l9(9+0|5X50)hbmAPq@YhcIKeLtpoxg+E9VVw%hS@F74g9CT51 z@*buIa`|6zqN+;aB0Mk1*@YfHmpKyFGRC{~ouh=g&y(Le1h~#Wx7?eO?lSb;F*(;FXd_pm zohRl>jw$(9suxlie6X2Fu#VpD!o`u0)c@5?K%9Or@kYVCQkw3c};T-E3Pm<@w?JJ8|Lc5 z+@$1sR&-t%Sk(WBRQ;3T1}|k-`_hvby_?TCa#p_7iA)B|SN`OXA10@jz{F+hX1WGI zh&R&Ov&yMz0RdXG6$lx!ozsXfNM4P#8!{vSo!Ax#sm{0)c@5 z#PjG-oGzt%%fugCcq~m9l&$ZkzD^YC)uh~Ym= z^dMH3McLF~BKEqjsCqAdVlIDR&&V=KV8^fBg@`X}@|z-) zb}SpzP?^Y+##h4X68A_X5UbYqMRE6%^>89Wf*}@zJ-ct9%ALv$_JXubU5FNyu!gm( z8DV2B7nv2g?$?`0WFNQ#->OjXkykV&A#qM+=)nO9(T;59aKPR;er|&_0j?P5;on^X zfq-VMFNtqy9E3$;!-3t0#q;@Q0P5tR@cKBJ<3Xpusb5Du-IhL0Q7xolUhPq;EHN`0 z$bUX6r9|t4)I6xN73nOCq9Dr)bkL-TH&X~Nq(iWDMd*&VPnrxztElcnG1JF#tuP0x z1V|tEORR_~N#NtzBL0qQ-iHR)jy=a?c2NR>fJE<~2U)9YWPa1ARRkYgUcd zEjs3P$sz4CM*VNN!#j?F-exnB*PK{r9+tZVP&3%|7{X4Hjp!fz%XD;%d_H9e;WEu% zw#TyOE}5$fpDMeL6|x432Z}@LITLt{Z;d&DR38shQ#D;WT6lDVcI8JL?G`56qF7`d357#SH3a2DO+%B<4(rye=)n*2Hb?*B5IS2gSX zvioOtv}5axx|81Fp=Z4Q9of5UgoS*xYwx!HCaDL1AOApRjonoDv z$)=I)8@X@Qc>~VuM|;a%GE`>!F6v%7d4@PkpV)mjGe-m6nu$-NK3HTtNl(6`gvRtGKiJH}4^4Gqn<{ME|8D2p zPfH4QZvUIPsH;lnKv&yCflT)-Yh2-m|zB2}ceY$b+PnStJa^8n7z>B@|gwn=l8efF?v-n2{e@``zl4vW`& zZ{-xctmu$Qs-Dz>sknLW0_t>Ll&u{i$ YV&a~=g{Lg4egDjYk8hQ>c|QmO0O~1ZSO5S3 diff --git a/ext/tls/testdata/example2_prikey.der b/ext/tls/testdata/example2_prikey.der deleted file mode 100644 index 8bdef8df382c4577b4a9ed68410926cf15866533..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1191 zcmV;Y1X%kpf&`-i0RRGm0RaHO33A*DX?iIBCt04>AI=Yp{~WWbgD(0${x-#kwU~a% zOIKCQO8&&Xx~bU_C|=A-SS4bAc?t85BDQ3hz|XYL(%{ZI$_1Ti1}I}qS-z^zFbQko zy>~=tB%4j5i=~s87X*$L-$ph;FfDwMZnWBn%EWnD6;(B>M z4WTK$n(^0V&WhJd9E9xe^D{CX9*AG?@7-|S^t&z>%H_=iw&-rD#H99n_;Dm1#W(t8 zQTX#mu^pp`6tVwPK!s&nLhyLomLC21Ls=25NEW4&WL+urEEV2yk0TbY{@li_ZIpPXh zY{t|L)H?2W5kSl3X(-~oOVwOY%|{iR8F`=n$SOC}#t)s22ALJ_7wh87yqLt6$DCMSV~C&n3w?=;QW)nb zc;}~1XvcMnl<+}R;k+ZM^9$1uzMvn&0)c=tm1vH0?np`O(Zn}|44C7^X3V${g3-CZ z86BCUK#_TibH|yG2F_#7@RS?#&JTBZJw)%PE7C&Ql3t)rVeR_mS=R~!gw(*KCFe)= zgR-KNRZ`JoG|@1t?)%XlSwSRIAz>k!(rh3#ZKqHs&7`%2Q7Y!Hy1+18;E1uW;-_T- zfq)v*o|2j~sM*Q| zBo>iYTrpI#q`&`}B%L7lW&e5@+<-SXBp(8SfdI{1XoFy7BAIQA=`-tJr&L#tJ2W=% zKmPNjt%O4NTBoTsDkaF?d?d$iqt&QGLj*^2&J0FQ zQg-g6Ej2#E+!j~IKha4mGC=p~kqxg^$u601`cH)WP_JL#T^-N%(n$M`iXkswoY(MV Fq87UwR!jf@ diff --git a/ext/tls/tls_key.rs b/ext/tls/tls_key.rs index 1e60e7cf0a..18064a91a0 100644 --- a/ext/tls/tls_key.rs +++ b/ext/tls/tls_key.rs @@ -11,6 +11,8 @@ //! key lookup can handle closing one end of the pair, in which case they will just //! attempt to clean up the associated resources. +use crate::Certificate; +use crate::PrivateKey; use deno_core::anyhow::anyhow; use deno_core::error::AnyError; use deno_core::futures::future::poll_fn; @@ -30,21 +32,12 @@ use std::sync::Arc; use tokio::sync::broadcast; use tokio::sync::mpsc; use tokio::sync::oneshot; -use webpki::types::CertificateDer; -use webpki::types::PrivateKeyDer; type ErrorType = Rc; /// A TLS certificate/private key pair. -/// see https://docs.rs/rustls-pki-types/latest/rustls_pki_types/#cloning-private-keys -#[derive(Debug, PartialEq, Eq)] -pub struct TlsKey(pub Vec>, pub PrivateKeyDer<'static>); - -impl Clone for TlsKey { - fn clone(&self) -> Self { - Self(self.0.clone(), self.1.clone_key()) - } -} +#[derive(Clone, Debug, PartialEq, Eq)] +pub struct TlsKey(pub Vec, pub PrivateKey); #[derive(Clone, Debug, Default)] pub enum TlsKeys { @@ -116,8 +109,9 @@ impl TlsKeyResolver { let key = self.resolve(sni).await?; let mut tls_config = ServerConfig::builder() + .with_safe_defaults() .with_no_client_auth() - .with_single_cert(key.0, key.1.clone_key())?; + .with_single_cert(key.0, key.1)?; tls_config.alpn_protocols = alpn; Ok(tls_config.into()) } @@ -257,18 +251,14 @@ impl TlsKeyLookup { pub mod tests { use super::*; use deno_core::unsync::spawn; + use rustls::Certificate; + use rustls::PrivateKey; fn tls_key_for_test(sni: &str) -> TlsKey { - let manifest_dir = - std::path::PathBuf::from(std::env::var("CARGO_MANIFEST_DIR").unwrap()); - let sni = sni.replace(".com", ""); - let cert_file = manifest_dir.join(format!("testdata/{}_cert.der", sni)); - let prikey_file = manifest_dir.join(format!("testdata/{}_prikey.der", sni)); - let cert = std::fs::read(cert_file).unwrap(); - let prikey = std::fs::read(prikey_file).unwrap(); - let cert = CertificateDer::from(cert); - let prikey = PrivateKeyDer::try_from(prikey).unwrap(); - TlsKey(vec![cert], prikey) + TlsKey( + vec![Certificate(format!("{sni}-cert").into_bytes())], + PrivateKey(format!("{sni}-key").into_bytes()), + ) } #[tokio::test] @@ -280,8 +270,8 @@ pub mod tests { } }); - let key = resolver.resolve("example1.com".to_owned()).await.unwrap(); - assert_eq!(tls_key_for_test("example1.com"), key); + let key = resolver.resolve("example.com".to_owned()).await.unwrap(); + assert_eq!(tls_key_for_test("example.com"), key); drop(resolver); task.await.unwrap(); @@ -296,13 +286,13 @@ pub mod tests { } }); - let f1 = resolver.resolve("example1.com".to_owned()); - let f2 = resolver.resolve("example1.com".to_owned()); + let f1 = resolver.resolve("example.com".to_owned()); + let f2 = resolver.resolve("example.com".to_owned()); let key = f1.await.unwrap(); - assert_eq!(tls_key_for_test("example1.com"), key); + assert_eq!(tls_key_for_test("example.com"), key); let key = f2.await.unwrap(); - assert_eq!(tls_key_for_test("example1.com"), key); + assert_eq!(tls_key_for_test("example.com"), key); drop(resolver); task.await.unwrap(); diff --git a/ext/websocket/lib.rs b/ext/websocket/lib.rs index a8bb3415de..87503120bf 100644 --- a/ext/websocket/lib.rs +++ b/ext/websocket/lib.rs @@ -36,13 +36,14 @@ use http::Request; use http::StatusCode; use http::Uri; use once_cell::sync::Lazy; -use rustls_tokio_stream::rustls::pki_types::ServerName; use rustls_tokio_stream::rustls::RootCertStore; +use rustls_tokio_stream::rustls::ServerName; use rustls_tokio_stream::TlsStream; use serde::Serialize; use std::borrow::Cow; use std::cell::Cell; use std::cell::RefCell; +use std::convert::TryFrom; use std::fmt; use std::future::Future; use std::num::NonZeroUsize; @@ -244,8 +245,8 @@ async fn handshake_http1_wss( ) -> Result<(WebSocket, http::HeaderMap), AnyError> { let tcp_socket = TcpStream::connect(addr).await?; let tls_config = create_ws_client_config(state, SocketUse::Http1Only)?; - let dnsname = ServerName::try_from(domain.to_string()) - .map_err(|_| invalid_hostname(domain))?; + let dnsname = + ServerName::try_from(domain).map_err(|_| invalid_hostname(domain))?; let mut tls_connector = TlsStream::new_client_side( tcp_socket, ClientConnection::new(tls_config.into(), dnsname)?, @@ -269,8 +270,8 @@ async fn handshake_http2_wss( ) -> Result<(WebSocket, http::HeaderMap), AnyError> { let tcp_socket = TcpStream::connect(addr).await?; let tls_config = create_ws_client_config(state, SocketUse::Http2Only)?; - let dnsname = ServerName::try_from(domain.to_string()) - .map_err(|_| invalid_hostname(domain))?; + let dnsname = + ServerName::try_from(domain).map_err(|_| invalid_hostname(domain))?; // We need to better expose the underlying errors here let mut tls_connector = TlsStream::new_client_side( tcp_socket, diff --git a/tests/integration/run_tests.rs b/tests/integration/run_tests.rs index b8263be291..5bd0de60ce 100644 --- a/tests/integration/run_tests.rs +++ b/tests/integration/run_tests.rs @@ -5303,19 +5303,17 @@ async fn listen_tls_alpn() { let mut reader = &mut BufReader::new(Cursor::new(include_bytes!( "../testdata/tls/RootCA.crt" ))); - let certs = rustls_pemfile::certs(&mut reader) - .collect::, _>>() - .unwrap(); + let certs = rustls_pemfile::certs(&mut reader).unwrap(); let mut root_store = rustls::RootCertStore::empty(); - root_store.add_parsable_certificates(certs); + root_store.add_parsable_certificates(&certs); let mut cfg = rustls::ClientConfig::builder() + .with_safe_defaults() .with_root_certificates(root_store) .with_no_client_auth(); cfg.alpn_protocols.push(b"foobar".to_vec()); let cfg = Arc::new(cfg); - let hostname = - rustls::pki_types::ServerName::try_from("localhost".to_string()).unwrap(); + let hostname = rustls::ServerName::try_from("localhost").unwrap(); let tcp_stream = tokio::net::TcpStream::connect("localhost:4504") .await @@ -5357,18 +5355,17 @@ async fn listen_tls_alpn_fail() { let mut reader = &mut BufReader::new(Cursor::new(include_bytes!( "../testdata/tls/RootCA.crt" ))); - let certs = rustls_pemfile::certs(&mut reader) - .collect::, _>>() - .unwrap(); + let certs = rustls_pemfile::certs(&mut reader).unwrap(); let mut root_store = rustls::RootCertStore::empty(); - root_store.add_parsable_certificates(certs); + root_store.add_parsable_certificates(&certs); let mut cfg = rustls::ClientConfig::builder() + .with_safe_defaults() .with_root_certificates(root_store) .with_no_client_auth(); cfg.alpn_protocols.push(b"boofar".to_vec()); let cfg = Arc::new(cfg); - let hostname = rustls::pki_types::ServerName::try_from("localhost").unwrap(); + let hostname = rustls::ServerName::try_from("localhost").unwrap(); let tcp_stream = tokio::net::TcpStream::connect("localhost:4505") .await diff --git a/tests/node_compat/config.jsonc b/tests/node_compat/config.jsonc index 6a61c4e631..0a661c0a9a 100644 --- a/tests/node_compat/config.jsonc +++ b/tests/node_compat/config.jsonc @@ -392,8 +392,14 @@ // "test-http-outgoing-message-inheritance.js", "test-http-outgoing-renderHeaders.js", "test-http-outgoing-settimeout.js", + "test-http-url.parse-auth-with-header-in-request.js", + "test-http-url.parse-auth.js", + "test-http-url.parse-basic.js", "test-http-url.parse-https.request.js", "test-http-url.parse-only-support-http-https-protocol.js", + "test-http-url.parse-path.js", + "test-http-url.parse-post.js", + "test-http-url.parse-search.js", "test-net-access-byteswritten.js", "test-net-better-error-messages-listen-path.js", "test-net-better-error-messages-path.js", diff --git a/tests/node_compat/runner/TODO.md b/tests/node_compat/runner/TODO.md index 4f397cc21e..d5dd2fc7b6 100644 --- a/tests/node_compat/runner/TODO.md +++ b/tests/node_compat/runner/TODO.md @@ -1308,12 +1308,6 @@ NOTE: This file should not be manually edited. Please edit `tests/node_compat/co - [parallel/test-http-upgrade-reconsume-stream.js](https://github.com/nodejs/node/tree/v18.12.1/test/parallel/test-http-upgrade-reconsume-stream.js) - [parallel/test-http-upgrade-server.js](https://github.com/nodejs/node/tree/v18.12.1/test/parallel/test-http-upgrade-server.js) - [parallel/test-http-upgrade-server2.js](https://github.com/nodejs/node/tree/v18.12.1/test/parallel/test-http-upgrade-server2.js) -- [parallel/test-http-url.parse-auth-with-header-in-request.js](https://github.com/nodejs/node/tree/v18.12.1/test/parallel/test-http-url.parse-auth-with-header-in-request.js) -- [parallel/test-http-url.parse-auth.js](https://github.com/nodejs/node/tree/v18.12.1/test/parallel/test-http-url.parse-auth.js) -- [parallel/test-http-url.parse-basic.js](https://github.com/nodejs/node/tree/v18.12.1/test/parallel/test-http-url.parse-basic.js) -- [parallel/test-http-url.parse-path.js](https://github.com/nodejs/node/tree/v18.12.1/test/parallel/test-http-url.parse-path.js) -- [parallel/test-http-url.parse-post.js](https://github.com/nodejs/node/tree/v18.12.1/test/parallel/test-http-url.parse-post.js) -- [parallel/test-http-url.parse-search.js](https://github.com/nodejs/node/tree/v18.12.1/test/parallel/test-http-url.parse-search.js) - [parallel/test-http-wget.js](https://github.com/nodejs/node/tree/v18.12.1/test/parallel/test-http-wget.js) - [parallel/test-http-writable-true-after-close.js](https://github.com/nodejs/node/tree/v18.12.1/test/parallel/test-http-writable-true-after-close.js) - [parallel/test-http-write-callbacks.js](https://github.com/nodejs/node/tree/v18.12.1/test/parallel/test-http-write-callbacks.js) diff --git a/tests/node_compat/test/parallel/test-http-url.parse-auth-with-header-in-request.js b/tests/node_compat/test/parallel/test-http-url.parse-auth-with-header-in-request.js new file mode 100644 index 0000000000..eaa63bab73 --- /dev/null +++ b/tests/node_compat/test/parallel/test-http-url.parse-auth-with-header-in-request.js @@ -0,0 +1,59 @@ +// deno-fmt-ignore-file +// deno-lint-ignore-file + +// Copyright Joyent and Node contributors. All rights reserved. MIT license. +// Taken from Node 18.12.1 +// This file is automatically generated by `tests/node_compat/runner/setup.ts`. Do not modify this file manually. + +// Copyright Joyent, Inc. and other Node contributors. +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the +// "Software"), to deal in the Software without restriction, including +// without limitation the rights to use, copy, modify, merge, publish, +// distribute, sublicense, and/or sell copies of the Software, and to permit +// persons to whom the Software is furnished to do so, subject to the +// following conditions: +// +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE +// USE OR OTHER DEALINGS IN THE SOFTWARE. + +'use strict'; +require('../common'); +const assert = require('assert'); +const http = require('http'); +const url = require('url'); + +function check(request) { + // The correct authorization header is be passed + assert.strictEqual(request.headers.authorization, 'NoAuthForYOU'); +} + +const server = http.createServer(function(request, response) { + // Run the check function + check(request); + response.writeHead(200, {}); + response.end('ok'); + server.close(); +}); + +server.listen(0, function() { + const testURL = + url.parse(`http://asdf:qwer@localhost:${this.address().port}`); + // The test here is if you set a specific authorization header in the + // request we should not override that with basic auth + testURL.headers = { + Authorization: 'NoAuthForYOU' + }; + + // make the request + http.request(testURL).end(); +}); diff --git a/tests/node_compat/test/parallel/test-http-url.parse-auth.js b/tests/node_compat/test/parallel/test-http-url.parse-auth.js new file mode 100644 index 0000000000..3bf3242c97 --- /dev/null +++ b/tests/node_compat/test/parallel/test-http-url.parse-auth.js @@ -0,0 +1,55 @@ +// deno-fmt-ignore-file +// deno-lint-ignore-file + +// Copyright Joyent and Node contributors. All rights reserved. MIT license. +// Taken from Node 18.12.1 +// This file is automatically generated by `tests/node_compat/runner/setup.ts`. Do not modify this file manually. + +// Copyright Joyent, Inc. and other Node contributors. +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the +// "Software"), to deal in the Software without restriction, including +// without limitation the rights to use, copy, modify, merge, publish, +// distribute, sublicense, and/or sell copies of the Software, and to permit +// persons to whom the Software is furnished to do so, subject to the +// following conditions: +// +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE +// USE OR OTHER DEALINGS IN THE SOFTWARE. + +'use strict'; +require('../common'); +const assert = require('assert'); +const http = require('http'); +const url = require('url'); + +function check(request) { + // The correct authorization header is be passed + assert.strictEqual(request.headers.authorization, 'Basic dXNlcjpwYXNzOg=='); +} + +const server = http.createServer(function(request, response) { + // Run the check function + check(request); + response.writeHead(200, {}); + response.end('ok'); + server.close(); +}); + +server.listen(0, function() { + const port = this.address().port; + // username = "user", password = "pass:" + const testURL = url.parse(`http://user:pass%3A@localhost:${port}`); + + // make the request + http.request(testURL).end(); +}); diff --git a/tests/node_compat/test/parallel/test-http-url.parse-basic.js b/tests/node_compat/test/parallel/test-http-url.parse-basic.js new file mode 100644 index 0000000000..7018cd4109 --- /dev/null +++ b/tests/node_compat/test/parallel/test-http-url.parse-basic.js @@ -0,0 +1,65 @@ +// deno-fmt-ignore-file +// deno-lint-ignore-file + +// Copyright Joyent and Node contributors. All rights reserved. MIT license. +// Taken from Node 18.12.1 +// This file is automatically generated by `tests/node_compat/runner/setup.ts`. Do not modify this file manually. + +// Copyright Joyent, Inc. and other Node contributors. +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the +// "Software"), to deal in the Software without restriction, including +// without limitation the rights to use, copy, modify, merge, publish, +// distribute, sublicense, and/or sell copies of the Software, and to permit +// persons to whom the Software is furnished to do so, subject to the +// following conditions: +// +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE +// USE OR OTHER DEALINGS IN THE SOFTWARE. + +'use strict'; +require('../common'); +const assert = require('assert'); +const http = require('http'); +const url = require('url'); + +let testURL; + +// Make sure the basics work +function check(request) { + // Default method should still be 'GET' + assert.strictEqual(request.method, 'GET'); + // There are no URL params, so you should not see any + assert.strictEqual(request.url, '/'); + // The host header should use the url.parse.hostname + assert.strictEqual(request.headers.host, + `${testURL.hostname}:${testURL.port}`); +} + +const server = http.createServer(function(request, response) { + // Run the check function + check(request); + response.writeHead(200, {}); + response.end('ok'); + server.close(); +}); + +server.listen(0, function() { + testURL = url.parse(`http://localhost:${this.address().port}`); + + // make the request + const clientRequest = http.request(testURL); + // Since there is a little magic with the agent + // make sure that an http request uses the http.Agent + assert.ok(clientRequest.agent instanceof http.Agent); + clientRequest.end(); +}); diff --git a/tests/node_compat/test/parallel/test-http-url.parse-path.js b/tests/node_compat/test/parallel/test-http-url.parse-path.js new file mode 100644 index 0000000000..f0c07887f2 --- /dev/null +++ b/tests/node_compat/test/parallel/test-http-url.parse-path.js @@ -0,0 +1,53 @@ +// deno-fmt-ignore-file +// deno-lint-ignore-file + +// Copyright Joyent and Node contributors. All rights reserved. MIT license. +// Taken from Node 18.12.1 +// This file is automatically generated by `tests/node_compat/runner/setup.ts`. Do not modify this file manually. + +// Copyright Joyent, Inc. and other Node contributors. +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the +// "Software"), to deal in the Software without restriction, including +// without limitation the rights to use, copy, modify, merge, publish, +// distribute, sublicense, and/or sell copies of the Software, and to permit +// persons to whom the Software is furnished to do so, subject to the +// following conditions: +// +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE +// USE OR OTHER DEALINGS IN THE SOFTWARE. + +'use strict'; +require('../common'); +const assert = require('assert'); +const http = require('http'); +const url = require('url'); + +function check(request) { + // A path should come over + assert.strictEqual(request.url, '/asdf'); +} + +const server = http.createServer(function(request, response) { + // Run the check function + check(request); + response.writeHead(200, {}); + response.end('ok'); + server.close(); +}); + +server.listen(0, function() { + const testURL = url.parse(`http://localhost:${this.address().port}/asdf`); + + // make the request + http.request(testURL).end(); +}); diff --git a/tests/node_compat/test/parallel/test-http-url.parse-post.js b/tests/node_compat/test/parallel/test-http-url.parse-post.js new file mode 100644 index 0000000000..c591146035 --- /dev/null +++ b/tests/node_compat/test/parallel/test-http-url.parse-post.js @@ -0,0 +1,61 @@ +// deno-fmt-ignore-file +// deno-lint-ignore-file + +// Copyright Joyent and Node contributors. All rights reserved. MIT license. +// Taken from Node 18.12.1 +// This file is automatically generated by `tests/node_compat/runner/setup.ts`. Do not modify this file manually. + +// Copyright Joyent, Inc. and other Node contributors. +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the +// "Software"), to deal in the Software without restriction, including +// without limitation the rights to use, copy, modify, merge, publish, +// distribute, sublicense, and/or sell copies of the Software, and to permit +// persons to whom the Software is furnished to do so, subject to the +// following conditions: +// +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE +// USE OR OTHER DEALINGS IN THE SOFTWARE. + +'use strict'; +require('../common'); +const assert = require('assert'); +const http = require('http'); +const url = require('url'); + +let testURL; + +function check(request) { + // url.parse should not mess with the method + assert.strictEqual(request.method, 'POST'); + // Everything else should be right + assert.strictEqual(request.url, '/asdf?qwer=zxcv'); + // The host header should use the url.parse.hostname + assert.strictEqual(request.headers.host, + `${testURL.hostname}:${testURL.port}`); +} + +const server = http.createServer(function(request, response) { + // Run the check function + check(request); + response.writeHead(200, {}); + response.end('ok'); + server.close(); +}); + +server.listen(0, function() { + testURL = url.parse(`http://localhost:${this.address().port}/asdf?qwer=zxcv`); + testURL.method = 'POST'; + + // make the request + http.request(testURL).end(); +}); diff --git a/tests/node_compat/test/parallel/test-http-url.parse-search.js b/tests/node_compat/test/parallel/test-http-url.parse-search.js new file mode 100644 index 0000000000..8725331618 --- /dev/null +++ b/tests/node_compat/test/parallel/test-http-url.parse-search.js @@ -0,0 +1,54 @@ +// deno-fmt-ignore-file +// deno-lint-ignore-file + +// Copyright Joyent and Node contributors. All rights reserved. MIT license. +// Taken from Node 18.12.1 +// This file is automatically generated by `tests/node_compat/runner/setup.ts`. Do not modify this file manually. + +// Copyright Joyent, Inc. and other Node contributors. +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the +// "Software"), to deal in the Software without restriction, including +// without limitation the rights to use, copy, modify, merge, publish, +// distribute, sublicense, and/or sell copies of the Software, and to permit +// persons to whom the Software is furnished to do so, subject to the +// following conditions: +// +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE +// USE OR OTHER DEALINGS IN THE SOFTWARE. + +'use strict'; +require('../common'); +const assert = require('assert'); +const http = require('http'); +const url = require('url'); + +function check(request) { + // A path should come over with params + assert.strictEqual(request.url, '/asdf?qwer=zxcv'); +} + +const server = http.createServer(function(request, response) { + // Run the check function + check(request); + response.writeHead(200, {}); + response.end('ok'); + server.close(); +}); + +server.listen(0, function() { + const port = this.address().port; + const testURL = url.parse(`http://localhost:${port}/asdf?qwer=zxcv`); + + // make the request + http.request(testURL).end(); +}); diff --git a/tests/specs/cert/localhost_unsafe_ssl/localhost_unsafe_ssl.ts.out b/tests/specs/cert/localhost_unsafe_ssl/localhost_unsafe_ssl.ts.out index 3067fffae2..81e490c1cd 100644 --- a/tests/specs/cert/localhost_unsafe_ssl/localhost_unsafe_ssl.ts.out +++ b/tests/specs/cert/localhost_unsafe_ssl/localhost_unsafe_ssl.ts.out @@ -1,3 +1,3 @@ DANGER: TLS certificate validation is disabled for: deno.land -error: Import 'https://localhost:5545/subdir/mod2.ts' failed: error sending request for url (https://localhost:5545/subdir/mod2.ts) +error: Import 'https://localhost:5545/subdir/mod2.ts' failed: error sending request for url (https://localhost:5545/subdir/mod2.ts): error trying to connect: invalid peer certificate: UnknownIssuer at file:///[WILDCARD]/cafile_url_imports.ts:[WILDCARD] diff --git a/tests/unit/fetch_test.ts b/tests/unit/fetch_test.ts index b549be9a43..4176f39ace 100644 --- a/tests/unit/fetch_test.ts +++ b/tests/unit/fetch_test.ts @@ -67,7 +67,7 @@ Deno.test( await fetch(`http://localhost:${port}`); }, TypeError, - "error sending request for url", + "error trying to connect", ); }, ); @@ -80,7 +80,7 @@ Deno.test( await fetch("http://nil/"); }, TypeError, - "error sending request for url", + "error trying to connect", ); }, ); @@ -1824,7 +1824,7 @@ Deno.test( await fetch(`http://${addr}/`); }, TypeError, - "error sending request", + "invalid content-length parsed", ); listener.close(); @@ -1880,7 +1880,7 @@ Deno.test( await response.arrayBuffer(); }, Error, - "error decoding response body", + "end of file before message length reached", ); listener.close(); diff --git a/tests/unit/http_test.ts b/tests/unit/http_test.ts index eddb1520b4..6968c6f880 100644 --- a/tests/unit/http_test.ts +++ b/tests/unit/http_test.ts @@ -2574,7 +2574,7 @@ for (const compression of [true, false]) { assertEquals(result.value, new Uint8Array([65])); const err = await assertRejects(() => reader.read()); assert(err instanceof TypeError); - assert(err.message.includes("error decoding response body")); + assert(err.message.includes("unexpected EOF")); const httpConn = await server; httpConn.close(); @@ -2610,7 +2610,7 @@ for (const compression of [true, false]) { assertEquals(result.value, new Uint8Array([65])); const err = await assertRejects(() => reader.read()); assert(err instanceof TypeError); - assert(err.message.includes("error decoding response body")); + assert(err.message.includes("unexpected internal error encountered")); const httpConn = await server; httpConn.close(); diff --git a/tests/unit/serve_test.ts b/tests/unit/serve_test.ts index 3636670661..ff77578e61 100644 --- a/tests/unit/serve_test.ts +++ b/tests/unit/serve_test.ts @@ -3522,7 +3522,11 @@ Deno.test( fail(); } catch (clientError) { assert(clientError instanceof TypeError); - assert(clientError.message.includes("error sending request for url")); + assert( + clientError.message.endsWith( + "connection closed before message completed", + ), + ); } finally { ac.abort(); await server.finished; @@ -3570,7 +3574,11 @@ Deno.test({ fail(); } catch (clientError) { assert(clientError instanceof TypeError); - assert(clientError.message.includes("error sending request for url")); + assert( + clientError.message.endsWith( + "connection closed before message completed", + ), + ); } finally { ac.abort(); await server.finished; diff --git a/tests/util/server/src/https.rs b/tests/util/server/src/https.rs index 617fd5cae2..8a2524dca9 100644 --- a/tests/util/server/src/https.rs +++ b/tests/util/server/src/https.rs @@ -2,9 +2,9 @@ use anyhow::anyhow; use futures::Stream; use futures::StreamExt; +use rustls::Certificate; +use rustls::PrivateKey; use rustls_tokio_stream::rustls; -use rustls_tokio_stream::rustls::pki_types::CertificateDer; -use rustls_tokio_stream::rustls::pki_types::PrivateKeyDer; use rustls_tokio_stream::TlsStream; use std::io; use std::num::NonZeroUsize; @@ -68,30 +68,30 @@ pub fn get_tls_config( let key_file = std::fs::File::open(key_path)?; let ca_file = std::fs::File::open(ca_path)?; - let certs_result: Result>, io::Error> = { + let certs: Vec = { let mut cert_reader = io::BufReader::new(cert_file); - rustls_pemfile::certs(&mut cert_reader).collect() + rustls_pemfile::certs(&mut cert_reader) + .unwrap() + .into_iter() + .map(Certificate) + .collect() }; - let certs = certs_result?; let mut ca_cert_reader = io::BufReader::new(ca_file); let ca_cert = rustls_pemfile::certs(&mut ca_cert_reader) - .collect::>() - .remove(0)?; + .expect("Cannot load CA certificate") + .remove(0); let mut key_reader = io::BufReader::new(key_file); let key = { - let pkcs8_keys = rustls_pemfile::pkcs8_private_keys(&mut key_reader) - .collect::, _>>()?; - let rsa_keys = rustls_pemfile::rsa_private_keys(&mut key_reader) - .collect::, _>>()?; - - if !pkcs8_keys.is_empty() { - let key = pkcs8_keys[0].clone_key(); - Some(PrivateKeyDer::from(key)) - } else if !rsa_keys.is_empty() { - let key = rsa_keys[0].clone_key(); - Some(PrivateKeyDer::from(key)) + let pkcs8_key = rustls_pemfile::pkcs8_private_keys(&mut key_reader) + .expect("Cannot load key file"); + let rsa_key = rustls_pemfile::rsa_private_keys(&mut key_reader) + .expect("Cannot load key file"); + if !pkcs8_key.is_empty() { + Some(pkcs8_key[0].clone()) + } else if !rsa_key.is_empty() { + Some(rsa_key[0].clone()) } else { None } @@ -100,19 +100,18 @@ pub fn get_tls_config( match key { Some(key) => { let mut root_cert_store = rustls::RootCertStore::empty(); - root_cert_store.add(ca_cert).unwrap(); + root_cert_store.add(&rustls::Certificate(ca_cert)).unwrap(); // Allow (but do not require) client authentication. - let client_verifier = rustls::server::WebPkiClientVerifier::builder( - Arc::new(root_cert_store), - ) - .allow_unauthenticated() - .build() - .unwrap(); let mut config = rustls::ServerConfig::builder() - .with_client_cert_verifier(client_verifier) - .with_single_cert(certs, key) + .with_safe_defaults() + .with_client_cert_verifier(Arc::new( + rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new( + root_cert_store, + ), + )) + .with_single_cert(certs, PrivateKey(key)) .map_err(|e| anyhow!("Error setting cert: {:?}", e)) .unwrap();