Make --use-system-ca per-env rather than per-process#60678
Make --use-system-ca per-env rather than per-process#60678Aditi-1400 wants to merge 1 commit intonodejs:mainfrom
Conversation
|
Review requested:
|
nodejs-github-bot
added
c++
Aditi-1400
force-pushed
the
ca-per-env
branch
2 times, most recently
from
d87558c to
23473b9
Compare
|
Hmm, I think this may need more work than just updating the options - the implication of being per-env is that each worker would then be able to toggle this independently. Say when the main thread does not enable it but a worker does, then the worker will have the system CA certs in their default store but the parent doesn't. Can you add a test for this, and the other way around (parent enables it, worker disables it)? My impression is that the default store initialisation code is not yet ready for this and it's still shared across the process (so if a worker enables it, suddenly the parent get it too, which would be unexpected). |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #60678 +/- ##
==========================================
- Coverage 89.78% 89.73% -0.05%
==========================================
Files 673 675 +2
Lines 203775 204587 +812
Branches 39166 39309 +143
==========================================
+ Hits 182956 183584 +628
- Misses 13139 13289 +150
- Partials 7680 7714 +34
🚀 New features to boost your workflow:
|
Aditi-1400
force-pushed
the
ca-per-env
branch
2 times, most recently
from
f22457c to
780c272
Compare
Aditi-1400
force-pushed
the
ca-per-env
branch
4 times, most recently
from
38913f9 to
d9fb49d
Compare
There was a problem hiding this comment.
Can you add some tests to test/parallel that checks this affects tls.getCACertificates('default') in a worker if tls.getCACertificates('system') returns non-empty in a parent? (if there are no system CAs in the testing machine, then the test can be skipped - that way it can run even without the mock certificates installed)
Aditi-1400
force-pushed
the
ca-per-env
branch
2 times, most recently
from
77856be to
d8281c4
Compare
test/parallel/test-tls-get-ca-certificates-worker-use-system-ca.js
Outdated
Show resolved
Hide resolved
test/parallel/test-tls-get-ca-certificates-worker-use-system-ca.js
Outdated
Show resolved
Hide resolved
Aditi-1400
force-pushed
the
ca-per-env
branch
from
d8281c4 to
5d7dc6b
Compare
Aditi-1400
force-pushed
the
ca-per-env
branch
2 times, most recently
from
00f4b51 to
aa9f038
Compare
src/quic/tlscontext.cc
Outdated
| TLSContext::TLSContext(Side side, const Options& options) | ||
| : side_(side), options_(options), ctx_(Initialize()) {} | ||
| TLSContext::TLSContext(Environment* env, Side side, const Options& options) | ||
| : side_(side), options_(options), env_(env), ctx_(Initialize()) {} |
There was a problem hiding this comment.
I think this initialization is buggy, env_ is declared after ctx_, and member initialization order follows declaration order, not the order in this list, so in Initialize(), env_ is not initialized - this can probably be fixed by just passing the env into Initialize instead (which I think is better because it's more explicit), or just switch the declaration order.
There was a problem hiding this comment.
Hmm, from what I see, the env_ is declared before the ctx_. Although, I guess std::string validation_error_ = ""; should be moved above ctx_. But if you prefer, I can change this to pass env into Initialise instead
There was a problem hiding this comment.
Oops sorry, I misread. Yeah I think it's still safer to pass in env to Initialize just in case it gets shuffled. (and move validation_error_ too while you are at it ;))
| return root_cert_store; | ||
| } | ||
| root_cert_store = NewRootCertStore(); | ||
| root_cert_store = NewRootCertStore(env); |
There was a problem hiding this comment.
I think this now leaks a X509_STORE for every worker upon shutdown. Previously this was okay because there's only ever one store in the process, but now they come and go with workers. Also while Node.js executable doesn't do this usually, embedders (including cctests) reuse a thread for different Environments, so the store may go stale when the thread gets reused by another Environment. This probably fixes it:
| root_cert_store = NewRootCertStore(env); | |
| root_cert_store = NewRootCertStore(env); | |
| env->AddCleanupHook([](void* arg) { | |
| if (root_cert_store != nullptr) { | |
| X509_STORE_free(root_cert_store); | |
| root_cert_store = nullptr; | |
| } | |
| }, nullptr); |
There was a problem hiding this comment.
This caused several tests to crash because of the assertion failure in CleanupQueue::Add as we were trying to add a cleanup hook for every GetOrCreateRootCertStore call.
Updated this to only add a cleanup hook once, if it didn't exist already, and also extended it to clean up root_certs_from_users as well.
Aditi-1400
force-pushed
the
ca-per-env
branch
from
aa9f038 to
0a77533
Compare
3 participants
Makes the
--use-system-caoption a per-environment option rather than a per-process option so that workers can enable/disable them individually