From 3d73c7e5b5bf18c0ed1b63abd2ef7e238bf6b251 Mon Sep 17 00:00:00 2001 From: Duncan Harvey Date: Tue, 9 Jul 2024 07:54:37 -0400 Subject: [PATCH 1/8] fall back to web pki certificates if unable to load platform certs --- Cargo.lock | 10 ++++++++++ ddcommon/Cargo.toml | 2 ++ ddcommon/src/connector/mod.rs | 13 +++++++++---- 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c676723c9c..5970ebeea6 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2368,6 +2368,7 @@ dependencies = [ "tokio", "tokio-rustls", "tower-service", + "webpki-roots", ] [[package]] @@ -5114,6 +5115,15 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "webpki-roots" +version = "0.26.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bd7c23921eeb1713a4e851530e9b9756e4fb0e89978582942612524cf09f01cd" +dependencies = [ + "rustls-pki-types", +] + [[package]] name = "which" version = "4.4.2" diff --git a/ddcommon/Cargo.toml b/ddcommon/Cargo.toml index ab640516de..ce955befb9 100644 --- a/ddcommon/Cargo.toml +++ b/ddcommon/Cargo.toml @@ -42,6 +42,7 @@ hyper-rustls = { version = "0.27", default-features = false, features = [ "http1", "tls12", "aws-lc-rs", + "webpki-roots", ] } [target.'cfg(not(unix))'.dependencies] @@ -50,6 +51,7 @@ hyper-rustls = { version = "0.27", default-features = false, features = [ "http1", "tls12", "ring", + "webpki-roots", ] } [dev-dependencies] diff --git a/ddcommon/src/connector/mod.rs b/ddcommon/src/connector/mod.rs index a0aedec478..276a12bd6b 100644 --- a/ddcommon/src/connector/mod.rs +++ b/ddcommon/src/connector/mod.rs @@ -4,6 +4,7 @@ use futures::future::BoxFuture; use futures::{future, FutureExt}; use hyper::client::HttpConnector; +use hyper_rustls::ConfigBuilderExt; use lazy_static::lazy_static; use rustls::pki_types::CertificateDer; @@ -72,10 +73,14 @@ impl Connector { fn build_https_connector( ) -> anyhow::Result> { - let certs = load_root_certs()?; - let client_config = ClientConfig::builder() - .with_root_certificates(certs) - .with_no_client_auth(); + let client_config = match load_root_certs() { + Ok(certs) => ClientConfig::builder() + .with_root_certificates(certs) + .with_no_client_auth(), + Err(_) => ClientConfig::builder() + .with_webpki_roots() + .with_no_client_auth(), + }; Ok(hyper_rustls::HttpsConnectorBuilder::new() .with_tls_config(client_config) .https_or_http() From 36e3ceb2b7e4412f0a9faa692d9ec6f2d94ea820 Mon Sep 17 00:00:00 2001 From: Duncan Harvey Date: Tue, 9 Jul 2024 08:43:56 -0400 Subject: [PATCH 2/8] add allow_fallback_to_webpki_certs parameter and unit tests --- ddcommon/src/connector/mod.rs | 52 +++++++++++++++++++++++++++----- trace-utils/src/send_data/mod.rs | 2 +- trace-utils/src/stats_utils.rs | 2 +- 3 files changed, 46 insertions(+), 10 deletions(-) diff --git a/ddcommon/src/connector/mod.rs b/ddcommon/src/connector/mod.rs index 276a12bd6b..cd5d998c9d 100644 --- a/ddcommon/src/connector/mod.rs +++ b/ddcommon/src/connector/mod.rs @@ -30,7 +30,7 @@ pub enum Connector { } lazy_static! { - static ref DEFAULT_CONNECTOR: Connector = Connector::new(); + static ref DEFAULT_CONNECTOR: Connector = Connector::new(false); } impl Default for Connector { @@ -40,8 +40,8 @@ impl Default for Connector { } impl Connector { - pub fn new() -> Self { - match build_https_connector() { + pub fn new(allow_fallback_to_webpki_certs: bool) -> Self { + match build_https_connector(allow_fallback_to_webpki_certs) { Ok(connector) => Connector::Https(connector), Err(_) => Connector::Http(HttpConnector::new()), } @@ -71,15 +71,24 @@ impl Connector { } fn build_https_connector( + allow_fallback_to_webpki_certs: bool, ) -> anyhow::Result> { let client_config = match load_root_certs() { Ok(certs) => ClientConfig::builder() .with_root_certificates(certs) .with_no_client_auth(), - Err(_) => ClientConfig::builder() - .with_webpki_roots() - .with_no_client_auth(), + Err(_) => { + if allow_fallback_to_webpki_certs { + ClientConfig::builder() + .with_webpki_roots() + .with_no_client_auth() + } else { + return Err(anyhow::anyhow!( + "Failed to load root certificates and allow_fallback_to_webpki_certs is false" + )); + } + } }; Ok(hyper_rustls::HttpsConnectorBuilder::new() .with_tls_config(client_config) @@ -141,7 +150,13 @@ mod tests { /// Verify that the Connector type implements the correct bound Connect + Clone /// to be able to use the hyper::Client fn test_hyper_client_from_connector() { - let _: hyper::Client = hyper::Client::builder().build(Connector::new()); + let _: hyper::Client = hyper::Client::builder().build(Connector::new(false)); + } + + #[test] + #[cfg_attr(miri, ignore)] + fn test_hyper_client_from_connector_with_webpki_fallback() { + let _: hyper::Client = hyper::Client::builder().build(Connector::new(true)); } #[tokio::test] @@ -153,7 +168,7 @@ mod tests { let old_value = env::var(ENV_SSL_CERT_FILE).unwrap_or_default(); env::set_var(ENV_SSL_CERT_FILE, "this/folder/does/not/exist"); - let mut connector = Connector::new(); + let mut connector = Connector::new(false); assert!(matches!(connector, Connector::Http(_))); let stream = connector @@ -168,4 +183,25 @@ mod tests { env::set_var(ENV_SSL_CERT_FILE, old_value); } + + #[tokio::test] + #[cfg_attr(miri, ignore)] + /// Verify that Connector will tls connections if root certificates + /// are not found but can fall back to webpki certificates + async fn test_missing_root_certificates_fallback_to_webpki_certificates() { + const ENV_SSL_CERT_FILE: &str = "SSL_CERT_FILE"; + let old_value = env::var(ENV_SSL_CERT_FILE).unwrap_or_default(); + + env::set_var(ENV_SSL_CERT_FILE, "this/folder/does/not/exist"); + let mut connector = Connector::new(true); + assert!(matches!(connector, Connector::Https(_))); + + let stream = connector + .call(hyper::Uri::from_static("https://example.com")) + .await; + + assert!(!stream.is_err(),); + + env::set_var(ENV_SSL_CERT_FILE, old_value); + } } diff --git a/trace-utils/src/send_data/mod.rs b/trace-utils/src/send_data/mod.rs index 9cb7272cb6..eff8ccad39 100644 --- a/trace-utils/src/send_data/mod.rs +++ b/trace-utils/src/send_data/mod.rs @@ -211,7 +211,7 @@ impl SendData { }; match Client::builder() - .build(connector::Connector::default()) + .build(connector::Connector::new(true)) .request(req) .await { diff --git a/trace-utils/src/stats_utils.rs b/trace-utils/src/stats_utils.rs index 10e238935a..25a07cf859 100644 --- a/trace-utils/src/stats_utils.rs +++ b/trace-utils/src/stats_utils.rs @@ -61,7 +61,7 @@ pub async fn send_stats_payload( .header("DD-API-KEY", api_key) .body(Body::from(data.clone()))?; - let client: Client<_, hyper::Body> = Client::builder().build(Connector::default()); + let client: Client<_, hyper::Body> = Client::builder().build(Connector::new(true)); match client.request(req).await { Ok(response) => { if response.status() != StatusCode::ACCEPTED { From 92322b2bc67602d3f2c072d975124a2e040eb03a Mon Sep 17 00:00:00 2001 From: Duncan Harvey Date: Tue, 9 Jul 2024 09:10:42 -0400 Subject: [PATCH 3/8] fix formatting and regenerate license --- LICENSE-3rdparty.yml | 32 ++++++++++++++++++++++++++++++-- ddcommon/src/connector/mod.rs | 2 +- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/LICENSE-3rdparty.yml b/LICENSE-3rdparty.yml index 7e6d63349b..1da6103019 100644 --- a/LICENSE-3rdparty.yml +++ b/LICENSE-3rdparty.yml @@ -19113,9 +19113,9 @@ third_party_libraries: - package_name: ring package_version: 0.17.8 repository: https://github.com/briansmith/ring - license: License specified in file ($CARGO_HOME/registry/src/github.com-1ecc6299db9ec823/ring-0.17.8/LICENSE) + license: License specified in file ($CARGO_HOME/registry/src/index.crates.io-6f17d22bba15001f/ring-0.17.8/LICENSE) licenses: - - license: License specified in file ($CARGO_HOME/registry/src/github.com-1ecc6299db9ec823/ring-0.17.8/LICENSE) + - license: License specified in file ($CARGO_HOME/registry/src/index.crates.io-6f17d22bba15001f/ring-0.17.8/LICENSE) text: "Note that it is easy for this file to get out of sync with the licenses in the\nsource code files. It's recommended to compare the licenses in the source code\nwith what's mentioned here.\n\n*ring* is derived from BoringSSL, so the licensing situation in *ring* is\nsimilar to BoringSSL.\n\n*ring* uses an ISC-style license like BoringSSL for code in new files,\nincluding in particular all the Rust code:\n\n Copyright 2015-2016 Brian Smith.\n\n Permission to use, copy, modify, and/or distribute this software for any\n purpose with or without fee is hereby granted, provided that the above\n copyright notice and this permission notice appear in all copies.\n\n THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHORS DISCLAIM ALL WARRANTIES\n WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY\n SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n\nBoringSSL is a fork of OpenSSL. As such, large parts of it fall under OpenSSL\nlicensing. Files that are completely new have a Google copyright and an ISC\nlicense. This license is reproduced at the bottom of this file.\n\nContributors to BoringSSL are required to follow the CLA rules for Chromium:\nhttps://cla.developers.google.com/clas\n\nFiles in third_party/ have their own licenses, as described therein. The MIT\nlicense, for third_party/fiat, which, unlike other third_party directories, is\ncompiled into non-test libraries, is included below.\n\nThe OpenSSL toolkit stays under a dual license, i.e. both the conditions of the\nOpenSSL License and the original SSLeay license apply to the toolkit. See below\nfor the actual license texts. Actually both licenses are BSD-style Open Source\nlicenses. In case of any license issues related to OpenSSL please contact\nopenssl-core@openssl.org.\n\nThe following are Google-internal bug numbers where explicit permission from\nsome authors is recorded for use of their work:\n 27287199\n 27287880\n 27287883\n\n OpenSSL License\n ---------------\n\n/* ====================================================================\n * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n *\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer. \n *\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in\n * the documentation and/or other materials provided with the\n * distribution.\n *\n * 3. All advertising materials mentioning features or use of this\n * software must display the following acknowledgment:\n * \"This product includes software developed by the OpenSSL Project\n * for use in the OpenSSL Toolkit. (http://www.openssl.org/)\"\n *\n * 4. The names \"OpenSSL Toolkit\" and \"OpenSSL Project\" must not be used to\n * endorse or promote products derived from this software without\n * prior written permission. For written permission, please contact\n * openssl-core@openssl.org.\n *\n * 5. Products derived from this software may not be called \"OpenSSL\"\n * nor may \"OpenSSL\" appear in their names without prior written\n * permission of the OpenSSL Project.\n *\n * 6. Redistributions of any form whatsoever must retain the following\n * acknowledgment:\n * \"This product includes software developed by the OpenSSL Project\n * for use in the OpenSSL Toolkit (http://www.openssl.org/)\"\n *\n * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY\n * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR\n * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\n * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\n * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\n * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,\n * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)\n * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED\n * OF THE POSSIBILITY OF SUCH DAMAGE.\n * ====================================================================\n *\n * This product includes cryptographic software written by Eric Young\n * (eay@cryptsoft.com). This product includes software written by Tim\n * Hudson (tjh@cryptsoft.com).\n *\n */\n\n Original SSLeay License\n -----------------------\n\n/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)\n * All rights reserved.\n *\n * This package is an SSL implementation written\n * by Eric Young (eay@cryptsoft.com).\n * The implementation was written so as to conform with Netscapes SSL.\n * \n * This library is free for commercial and non-commercial use as long as\n * the following conditions are aheared to. The following conditions\n * apply to all code found in this distribution, be it the RC4, RSA,\n * lhash, DES, etc., code; not just the SSL code. The SSL documentation\n * included with this distribution is covered by the same copyright terms\n * except that the holder is Tim Hudson (tjh@cryptsoft.com).\n * \n * Copyright remains Eric Young's, and as such any Copyright notices in\n * the code are not to be removed.\n * If this package is used in a product, Eric Young should be given attribution\n * as the author of the parts of the library used.\n * This can be in the form of a textual message at program startup or\n * in documentation (online or textual) provided with the package.\n * \n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. All advertising materials mentioning features or use of this software\n * must display the following acknowledgement:\n * \"This product includes cryptographic software written by\n * Eric Young (eay@cryptsoft.com)\"\n * The word 'cryptographic' can be left out if the rouines from the library\n * being used are not cryptographic related :-).\n * 4. If you include any Windows specific code (or a derivative thereof) from \n * the apps directory (application code) you must include an acknowledgement:\n * \"This product includes software written by Tim Hudson (tjh@cryptsoft.com)\"\n * \n * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND\n * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE\n * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\n * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS\n * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\n * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\n * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\n * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF\n * SUCH DAMAGE.\n * \n * The licence and distribution terms for any publically available version or\n * derivative of this code cannot be changed. i.e. this code cannot simply be\n * copied and put under another distribution licence\n * [including the GNU Public Licence.]\n */\n\n\nISC license used for completely new code in BoringSSL:\n\n/* Copyright (c) 2015, Google Inc.\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n\nThe code in third_party/fiat carries the MIT license:\n\nCopyright (c) 2015-2016 the fiat-crypto authors (see\nhttps://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS).\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n" - package_name: rmp package_version: 0.8.14 @@ -27109,6 +27109,34 @@ third_party_libraries: DEALINGS IN THE SOFTWARE. - license: Apache-2.0 text: " Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\nTERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\nEND OF TERMS AND CONDITIONS\n\nAPPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"[]\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\nCopyright [yyyy] [name of copyright owner]\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n\thttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n" +- package_name: webpki-roots + package_version: 0.26.3 + repository: https://github.com/rustls/webpki-roots + license: MPL-2.0 + licenses: + - license: MPL-2.0 + text: | + This packge contains a modified version of ca-bundle.crt: + + ca-bundle.crt -- Bundle of CA Root Certificates + + Certificate data from Mozilla as of: Thu Nov 3 19:04:19 2011# + This is a bundle of X.509 certificates of public Certificate Authorities + (CA). These were automatically extracted from Mozilla's root certificates + file (certdata.txt). This file can be found in the mozilla source tree: + http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1# + It contains the certificates in PEM format and therefore + can be directly used with curl / libcurl / php_curl, or with + an Apache+mod_ssl webserver for SSL client authentication. + Just configure this file as the SSLCACertificateFile.# + + ***** BEGIN LICENSE BLOCK ***** + This Source Code Form is subject to the terms of the Mozilla Public License, + v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain + one at http://mozilla.org/MPL/2.0/. + + ***** END LICENSE BLOCK ***** + @(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $ - package_name: winapi package_version: 0.2.8 repository: https://github.com/retep998/winapi-rs diff --git a/ddcommon/src/connector/mod.rs b/ddcommon/src/connector/mod.rs index cd5d998c9d..b2d05bedc8 100644 --- a/ddcommon/src/connector/mod.rs +++ b/ddcommon/src/connector/mod.rs @@ -200,7 +200,7 @@ mod tests { .call(hyper::Uri::from_static("https://example.com")) .await; - assert!(!stream.is_err(),); + assert!(stream.is_ok()); env::set_var(ENV_SSL_CERT_FILE, old_value); } From 95b0dffb7b5bcb37ee49894c87022d9218a7ccbc Mon Sep 17 00:00:00 2001 From: Duncan Harvey Date: Tue, 9 Jul 2024 22:03:20 -0400 Subject: [PATCH 4/8] add webpki_cert_fallback feature to ddcommon --- ddcommon/Cargo.toml | 3 ++ ddcommon/src/connector/mod.rs | 53 ++++++++++++++++++++------------ trace-utils/Cargo.toml | 2 +- trace-utils/src/send_data/mod.rs | 2 +- trace-utils/src/stats_utils.rs | 2 +- 5 files changed, 40 insertions(+), 22 deletions(-) diff --git a/ddcommon/Cargo.toml b/ddcommon/Cargo.toml index ce955befb9..b297cec1af 100644 --- a/ddcommon/Cargo.toml +++ b/ddcommon/Cargo.toml @@ -57,3 +57,6 @@ hyper-rustls = { version = "0.27", default-features = false, features = [ [dev-dependencies] indexmap = "2.2" maplit = "1.0" + +[features] +webpki_cert_fallback = [] diff --git a/ddcommon/src/connector/mod.rs b/ddcommon/src/connector/mod.rs index b2d05bedc8..8a082ae5dd 100644 --- a/ddcommon/src/connector/mod.rs +++ b/ddcommon/src/connector/mod.rs @@ -4,6 +4,8 @@ use futures::future::BoxFuture; use futures::{future, FutureExt}; use hyper::client::HttpConnector; + +#[cfg(feature = "webpki_cert_fallback")] use hyper_rustls::ConfigBuilderExt; use lazy_static::lazy_static; @@ -30,7 +32,7 @@ pub enum Connector { } lazy_static! { - static ref DEFAULT_CONNECTOR: Connector = Connector::new(false); + static ref DEFAULT_CONNECTOR: Connector = Connector::new(); } impl Default for Connector { @@ -40,8 +42,13 @@ impl Default for Connector { } impl Connector { - pub fn new(allow_fallback_to_webpki_certs: bool) -> Self { - match build_https_connector(allow_fallback_to_webpki_certs) { + pub fn new() -> Self { + #[cfg(feature = "webpki_cert_fallback")] + let connector_fn = build_https_connector_with_webpki_cert_fallback; + #[cfg(not(feature = "webpki_cert_fallback"))] + let connector_fn = build_https_connector; + + match connector_fn() { Ok(connector) => Connector::Https(connector), Err(_) => Connector::Http(HttpConnector::new()), } @@ -70,25 +77,32 @@ impl Connector { } } +#[cfg(not(feature = "webpki_cert_fallback"))] fn build_https_connector( - allow_fallback_to_webpki_certs: bool, +) -> anyhow::Result> +{ + let certs = load_root_certs()?; + let client_config = ClientConfig::builder() + .with_root_certificates(certs) + .with_no_client_auth(); + Ok(hyper_rustls::HttpsConnectorBuilder::new() + .with_tls_config(client_config) + .https_or_http() + .enable_http1() + .build()) +} + +#[cfg(feature = "webpki_cert_fallback")] +fn build_https_connector_with_webpki_cert_fallback( ) -> anyhow::Result> { let client_config = match load_root_certs() { Ok(certs) => ClientConfig::builder() .with_root_certificates(certs) .with_no_client_auth(), - Err(_) => { - if allow_fallback_to_webpki_certs { - ClientConfig::builder() - .with_webpki_roots() - .with_no_client_auth() - } else { - return Err(anyhow::anyhow!( - "Failed to load root certificates and allow_fallback_to_webpki_certs is false" - )); - } - } + Err(_) => ClientConfig::builder() + .with_webpki_roots() + .with_no_client_auth(), }; Ok(hyper_rustls::HttpsConnectorBuilder::new() .with_tls_config(client_config) @@ -150,13 +164,13 @@ mod tests { /// Verify that the Connector type implements the correct bound Connect + Clone /// to be able to use the hyper::Client fn test_hyper_client_from_connector() { - let _: hyper::Client = hyper::Client::builder().build(Connector::new(false)); + let _: hyper::Client = hyper::Client::builder().build(Connector::new()); } #[test] #[cfg_attr(miri, ignore)] fn test_hyper_client_from_connector_with_webpki_fallback() { - let _: hyper::Client = hyper::Client::builder().build(Connector::new(true)); + let _: hyper::Client = hyper::Client::builder().build(Connector::new()); } #[tokio::test] @@ -168,7 +182,7 @@ mod tests { let old_value = env::var(ENV_SSL_CERT_FILE).unwrap_or_default(); env::set_var(ENV_SSL_CERT_FILE, "this/folder/does/not/exist"); - let mut connector = Connector::new(false); + let mut connector = Connector::new(); assert!(matches!(connector, Connector::Http(_))); let stream = connector @@ -186,6 +200,7 @@ mod tests { #[tokio::test] #[cfg_attr(miri, ignore)] + #[cfg(feature = "webpki_cert_fallback")] /// Verify that Connector will tls connections if root certificates /// are not found but can fall back to webpki certificates async fn test_missing_root_certificates_fallback_to_webpki_certificates() { @@ -193,7 +208,7 @@ mod tests { let old_value = env::var(ENV_SSL_CERT_FILE).unwrap_or_default(); env::set_var(ENV_SSL_CERT_FILE, "this/folder/does/not/exist"); - let mut connector = Connector::new(true); + let mut connector = Connector::new(); assert!(matches!(connector, Connector::Https(_))); let stream = connector diff --git a/trace-utils/Cargo.toml b/trace-utils/Cargo.toml index 1566c1d5e4..a9072a330e 100644 --- a/trace-utils/Cargo.toml +++ b/trace-utils/Cargo.toml @@ -17,7 +17,7 @@ log = "0.4" serde_json = "1.0" flate2 = "1.0" futures = { version = "0.3", default-features = false } -ddcommon = { path = "../ddcommon" } +ddcommon = { path = "../ddcommon", features = ["webpki_cert_fallback"] } datadog-trace-protobuf = { path = "../trace-protobuf" } datadog-trace-normalization = { path = "../trace-normalization" } tokio = { version = "1", features = ["macros", "rt-multi-thread"] } diff --git a/trace-utils/src/send_data/mod.rs b/trace-utils/src/send_data/mod.rs index eff8ccad39..9cb7272cb6 100644 --- a/trace-utils/src/send_data/mod.rs +++ b/trace-utils/src/send_data/mod.rs @@ -211,7 +211,7 @@ impl SendData { }; match Client::builder() - .build(connector::Connector::new(true)) + .build(connector::Connector::default()) .request(req) .await { diff --git a/trace-utils/src/stats_utils.rs b/trace-utils/src/stats_utils.rs index 25a07cf859..10e238935a 100644 --- a/trace-utils/src/stats_utils.rs +++ b/trace-utils/src/stats_utils.rs @@ -61,7 +61,7 @@ pub async fn send_stats_payload( .header("DD-API-KEY", api_key) .body(Body::from(data.clone()))?; - let client: Client<_, hyper::Body> = Client::builder().build(Connector::new(true)); + let client: Client<_, hyper::Body> = Client::builder().build(Connector::default()); match client.request(req).await { Ok(response) => { if response.status() != StatusCode::ACCEPTED { From 95bb2cba19cc9551d1ab83aa5756f58f2ec40d7f Mon Sep 17 00:00:00 2001 From: Duncan Harvey Date: Tue, 9 Jul 2024 22:14:29 -0400 Subject: [PATCH 5/8] conditionally enable hyper-rustls/webpki-roots when webpki_cert_fallback is enabled --- ddcommon/Cargo.toml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ddcommon/Cargo.toml b/ddcommon/Cargo.toml index 386cbdee18..06cff3cb62 100644 --- a/ddcommon/Cargo.toml +++ b/ddcommon/Cargo.toml @@ -43,7 +43,6 @@ hyper-rustls = { version = "0.27", default-features = false, features = [ "http1", "tls12", "aws-lc-rs", - "webpki-roots", ] } [target.'cfg(not(unix))'.dependencies] @@ -52,7 +51,6 @@ hyper-rustls = { version = "0.27", default-features = false, features = [ "http1", "tls12", "ring", - "webpki-roots", ] } [dev-dependencies] @@ -60,4 +58,4 @@ indexmap = "2.2" maplit = "1.0" [features] -webpki_cert_fallback = [] +webpki_cert_fallback = ["hyper-rustls/webpki-roots"] From 92498a77d9ca03b6fadfb130e93325cdeda1caef Mon Sep 17 00:00:00 2001 From: Duncan Harvey Date: Tue, 9 Jul 2024 22:16:01 -0400 Subject: [PATCH 6/8] fix unit test --- ddcommon/src/connector/mod.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/ddcommon/src/connector/mod.rs b/ddcommon/src/connector/mod.rs index 8a082ae5dd..28e132871b 100644 --- a/ddcommon/src/connector/mod.rs +++ b/ddcommon/src/connector/mod.rs @@ -169,6 +169,7 @@ mod tests { #[test] #[cfg_attr(miri, ignore)] + #[cfg(feature = "webpki_cert_fallback")] fn test_hyper_client_from_connector_with_webpki_fallback() { let _: hyper::Client = hyper::Client::builder().build(Connector::new()); } From 55304a1c5f46dc786f43d3b89b3cd8473399e7b2 Mon Sep 17 00:00:00 2001 From: Duncan Harvey Date: Wed, 10 Jul 2024 07:22:14 -0400 Subject: [PATCH 7/8] disable webpki_cert_fallback feature for unit tests --- ddcommon/Cargo.toml | 1 + ddcommon/src/connector/mod.rs | 2 ++ 2 files changed, 3 insertions(+) diff --git a/ddcommon/Cargo.toml b/ddcommon/Cargo.toml index 06cff3cb62..235b4fd976 100644 --- a/ddcommon/Cargo.toml +++ b/ddcommon/Cargo.toml @@ -58,4 +58,5 @@ indexmap = "2.2" maplit = "1.0" [features] +default = [] webpki_cert_fallback = ["hyper-rustls/webpki-roots"] diff --git a/ddcommon/src/connector/mod.rs b/ddcommon/src/connector/mod.rs index 28e132871b..d5484bc4d4 100644 --- a/ddcommon/src/connector/mod.rs +++ b/ddcommon/src/connector/mod.rs @@ -161,6 +161,7 @@ mod tests { #[test] #[cfg_attr(miri, ignore)] + #[cfg(not(feature = "webpki_cert_fallback"))] /// Verify that the Connector type implements the correct bound Connect + Clone /// to be able to use the hyper::Client fn test_hyper_client_from_connector() { @@ -176,6 +177,7 @@ mod tests { #[tokio::test] #[cfg_attr(miri, ignore)] + #[cfg(not(feature = "webpki_cert_fallback"))] /// Verify that Connector will only allow non tls connections if root certificates /// are not found async fn test_missing_root_certificates_only_allow_http_connections() { From b90d0bbbf9a16cc1a2972b38a99358284c4dc136 Mon Sep 17 00:00:00 2001 From: Duncan Harvey Date: Wed, 10 Jul 2024 11:24:13 -0400 Subject: [PATCH 8/8] update to explicity use webpki roots instead of falling back --- ddcommon/Cargo.toml | 2 +- ddcommon/src/connector/mod.rs | 49 +++++++++++++++++------------------ trace-utils/Cargo.toml | 2 +- 3 files changed, 26 insertions(+), 27 deletions(-) diff --git a/ddcommon/Cargo.toml b/ddcommon/Cargo.toml index 235b4fd976..bd458b36af 100644 --- a/ddcommon/Cargo.toml +++ b/ddcommon/Cargo.toml @@ -59,4 +59,4 @@ maplit = "1.0" [features] default = [] -webpki_cert_fallback = ["hyper-rustls/webpki-roots"] +use_webpki_roots = ["hyper-rustls/webpki-roots"] diff --git a/ddcommon/src/connector/mod.rs b/ddcommon/src/connector/mod.rs index d5484bc4d4..9bb0ab986d 100644 --- a/ddcommon/src/connector/mod.rs +++ b/ddcommon/src/connector/mod.rs @@ -5,11 +5,14 @@ use futures::future::BoxFuture; use futures::{future, FutureExt}; use hyper::client::HttpConnector; -#[cfg(feature = "webpki_cert_fallback")] +#[cfg(feature = "use_webpki_roots")] use hyper_rustls::ConfigBuilderExt; use lazy_static::lazy_static; + +#[cfg(not(feature = "use_webpki_roots"))] use rustls::pki_types::CertificateDer; + use rustls::ClientConfig; use std::future::Future; use std::pin::Pin; @@ -43,12 +46,12 @@ impl Default for Connector { impl Connector { pub fn new() -> Self { - #[cfg(feature = "webpki_cert_fallback")] - let connector_fn = build_https_connector_with_webpki_cert_fallback; - #[cfg(not(feature = "webpki_cert_fallback"))] - let connector_fn = build_https_connector; + #[cfg(feature = "use_webpki_roots")] + let https_connector_fn = build_https_connector_with_webpki_roots; + #[cfg(not(feature = "use_webpki_roots"))] + let https_connector_fn = build_https_connector; - match connector_fn() { + match https_connector_fn() { Ok(connector) => Connector::Https(connector), Err(_) => Connector::Http(HttpConnector::new()), } @@ -77,7 +80,7 @@ impl Connector { } } -#[cfg(not(feature = "webpki_cert_fallback"))] +#[cfg(not(feature = "use_webpki_roots"))] fn build_https_connector( ) -> anyhow::Result> { @@ -92,18 +95,13 @@ fn build_https_connector( .build()) } -#[cfg(feature = "webpki_cert_fallback")] -fn build_https_connector_with_webpki_cert_fallback( +#[cfg(feature = "use_webpki_roots")] +fn build_https_connector_with_webpki_roots( ) -> anyhow::Result> { - let client_config = match load_root_certs() { - Ok(certs) => ClientConfig::builder() - .with_root_certificates(certs) - .with_no_client_auth(), - Err(_) => ClientConfig::builder() - .with_webpki_roots() - .with_no_client_auth(), - }; + let client_config = ClientConfig::builder() + .with_webpki_roots() + .with_no_client_auth(); Ok(hyper_rustls::HttpsConnectorBuilder::new() .with_tls_config(client_config) .https_or_http() @@ -111,6 +109,7 @@ fn build_https_connector_with_webpki_cert_fallback( .build()) } +#[cfg(not(feature = "use_webpki_roots"))] fn load_root_certs() -> anyhow::Result { let mut roots = rustls::RootCertStore::empty(); @@ -161,7 +160,7 @@ mod tests { #[test] #[cfg_attr(miri, ignore)] - #[cfg(not(feature = "webpki_cert_fallback"))] + #[cfg(not(feature = "use_webpki_roots"))] /// Verify that the Connector type implements the correct bound Connect + Clone /// to be able to use the hyper::Client fn test_hyper_client_from_connector() { @@ -170,14 +169,14 @@ mod tests { #[test] #[cfg_attr(miri, ignore)] - #[cfg(feature = "webpki_cert_fallback")] - fn test_hyper_client_from_connector_with_webpki_fallback() { + #[cfg(feature = "use_webpki_roots")] + fn test_hyper_client_from_connector_with_webpki_roots() { let _: hyper::Client = hyper::Client::builder().build(Connector::new()); } #[tokio::test] #[cfg_attr(miri, ignore)] - #[cfg(not(feature = "webpki_cert_fallback"))] + #[cfg(not(feature = "use_webpki_roots"))] /// Verify that Connector will only allow non tls connections if root certificates /// are not found async fn test_missing_root_certificates_only_allow_http_connections() { @@ -203,10 +202,10 @@ mod tests { #[tokio::test] #[cfg_attr(miri, ignore)] - #[cfg(feature = "webpki_cert_fallback")] - /// Verify that Connector will tls connections if root certificates - /// are not found but can fall back to webpki certificates - async fn test_missing_root_certificates_fallback_to_webpki_certificates() { + #[cfg(feature = "use_webpki_roots")] + /// Verify that Connector will allow tls connections if root certificates + /// are not found but can use webpki certificates + async fn test_missing_root_certificates_use_webpki_certificates() { const ENV_SSL_CERT_FILE: &str = "SSL_CERT_FILE"; let old_value = env::var(ENV_SSL_CERT_FILE).unwrap_or_default(); diff --git a/trace-utils/Cargo.toml b/trace-utils/Cargo.toml index 8d9a40f562..4169d7a8bf 100644 --- a/trace-utils/Cargo.toml +++ b/trace-utils/Cargo.toml @@ -20,7 +20,7 @@ log = "0.4" serde_json = "1.0" flate2 = "1.0" futures = { version = "0.3", default-features = false } -ddcommon = { path = "../ddcommon", features = ["webpki_cert_fallback"] } +ddcommon = { path = "../ddcommon", features = ["use_webpki_roots"] } datadog-trace-protobuf = { path = "../trace-protobuf" } datadog-trace-normalization = { path = "../trace-normalization" } tokio = { version = "1", features = ["macros", "rt-multi-thread"] }