chore: refactor test_server and move to rustls-tokio-stream (denoland…

…#21117) Remove tokio-rustls as a direct dependency of Deno and refactor test_server to reduce code duplication. All tcp and tls listener paths go through the same streams now, with the exception of the simpler Hyper http-only handlers (those can be done in a later follow-up). Minor bugs fixed: - gRPC server should only serve h2 - WebSocket over http/2 had a port overlap - Restored missing eye-catchers for some servers (still missing on Hyper ones)
fanbaby · Nov 8, 2023 · 02c5f49 · 02c5f49
1 parent 5e82fce
commit 02c5f49
Show file tree

Hide file tree

Showing 6 changed files with 325 additions and 501 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -128,7 +128,7 @@ ring = "^0.17.0"
 rusqlite = { version = "=0.29.0", features = ["unlock_notify", "bundled"] }
 rustls = "0.21.8"
 rustls-pemfile = "1.0.0"
-rustls-tokio-stream = "=0.2.7"
+rustls-tokio-stream = "=0.2.9"
 rustls-webpki = "0.101.4"
 webpki-roots = "0.25.2"
 scopeguard = "1.2.0"
@@ -148,7 +148,6 @@ termcolor = "1.1.3"
 thiserror = "1.0.40"
 tokio = { version = "1.28.1", features = ["full"] }
 tokio-metrics = { version = "0.3.0", features = ["rt"] }
-tokio-rustls = "0.24.0"
 tokio-util = "0.7.4"
 tower-lsp = { version = "=0.20.0", features = ["proposed"] }
 url = { version = "2.3.1", features = ["serde", "expose_internals"] }

diff --git a/cli/tests/unit/websocket_test.ts b/cli/tests/unit/websocket_test.ts
@@ -31,8 +31,8 @@ Deno.test(async function websocketConstructorTakeURLObjectAsParameter() {
 
 Deno.test(async function websocketH2SendSmallPacket() {
  const promise = deferred();
- const ws = new WebSocket(new URL("wss:https://localhost:4248/"));
- assertEquals(ws.url, "wss:https://localhost:4248/");
+ const ws = new WebSocket(new URL("wss:https://localhost:4249/"));
+ assertEquals(ws.url, "wss:https://localhost:4249/");
  let messageCount = 0;
  ws.onerror = (e) => promise.reject(e);
  ws.onopen = () => {
@@ -53,8 +53,8 @@ Deno.test(async function websocketH2SendSmallPacket() {
 
 Deno.test(async function websocketH2SendLargePacket() {
  const promise = deferred();
- const ws = new WebSocket(new URL("wss:https://localhost:4248/"));
- assertEquals(ws.url, "wss:https://localhost:4248/");
+ const ws = new WebSocket(new URL("wss:https://localhost:4249/"));
+ assertEquals(ws.url, "wss:https://localhost:4249/");
  let messageCount = 0;
  ws.onerror = (e) => promise.reject(e);
  ws.onopen = () => {

diff --git a/test_util/Cargo.toml b/test_util/Cargo.toml
@@ -40,14 +40,14 @@ regex.workspace = true
 reqwest.workspace = true
 ring.workspace = true
 rustls-pemfile.workspace = true
+rustls-tokio-stream.workspace = true
 semver = "=1.0.14"
 serde.workspace = true
 serde_json.workspace = true
 tar.workspace = true
 tempfile.workspace = true
 termcolor.workspace = true
 tokio.workspace = true
-tokio-rustls.workspace = true
 url.workspace = true
 
 [target.'cfg(windows)'.dependencies]

diff --git a/test_util/src/https.rs b/test_util/src/https.rs
@@ -0,0 +1,133 @@
+// Copyright 2018-2023 the Deno authors. All rights reserved. MIT license.
+use anyhow::anyhow;
+use futures::Stream;
+use futures::StreamExt;
+use rustls::Certificate;
+use rustls::PrivateKey;
+use rustls_tokio_stream::rustls;
+use rustls_tokio_stream::TlsStream;
+use std::io;
+use std::num::NonZeroUsize;
+use std::result::Result;
+use std::sync::Arc;
+use tokio::net::TcpStream;
+
+use crate::get_tcp_listener_stream;
+use crate::testdata_path;
+
+pub const TLS_BUFFER_SIZE: Option<NonZeroUsize> = NonZeroUsize::new(65536);
+
+#[derive(Default)]
+pub enum SupportedHttpVersions {
+ #[default]
+ All,
+ Http1Only,
+ Http2Only,
+}
+
+pub fn get_tls_listener_stream_from_tcp(
+ tls_config: Arc<rustls::ServerConfig>,
+ mut tcp: impl Stream<Item = Result<TcpStream, std::io::Error>> + Unpin + 'static,
+) -> impl Stream<Item = Result<TlsStream, std::io::Error>> + Unpin {
+ async_stream::stream! {
+ while let Some(result) = tcp.next().await {
+ match result {
+ Ok(tcp) => yield Ok(TlsStream::new_server_side(tcp, tls_config.clone(), TLS_BUFFER_SIZE)),
+ Err(e) => yield Err(e),
+ };
+ }
+ }.boxed_local()
+}
+
+pub async fn get_tls_listener_stream(
+ name: &'static str,
+ port: u16,
+ http: SupportedHttpVersions,
+) -> impl Stream<Item = Result<TlsStream, std::io::Error>> + Unpin {
+ let cert_file = "tls/localhost.crt";
+ let key_file = "tls/localhost.key";
+ let ca_cert_file = "tls/RootCA.pem";
+ let tls_config = get_tls_config(cert_file, key_file, ca_cert_file, http)
+ .await
+ .unwrap();
+
+ let tcp = get_tcp_listener_stream(name, port).await;
+ get_tls_listener_stream_from_tcp(tls_config, tcp)
+}
+
+pub async fn get_tls_config(
+ cert: &str,
+ key: &str,
+ ca: &str,
+ http_versions: SupportedHttpVersions,
+) -> io::Result<Arc<rustls::ServerConfig>> {
+ let cert_path = testdata_path().join(cert);
+ let key_path = testdata_path().join(key);
+ let ca_path = testdata_path().join(ca);
+
+ let cert_file = std::fs::File::open(cert_path)?;
+ let key_file = std::fs::File::open(key_path)?;
+ let ca_file = std::fs::File::open(ca_path)?;
+
+ let certs: Vec<Certificate> = {
+ let mut cert_reader = io::BufReader::new(cert_file);
+ rustls_pemfile::certs(&mut cert_reader)
+ .unwrap()
+ .into_iter()
+ .map(Certificate)
+ .collect()
+ };
+
+ let mut ca_cert_reader = io::BufReader::new(ca_file);
+ let ca_cert = rustls_pemfile::certs(&mut ca_cert_reader)
+ .expect("Cannot load CA certificate")
+ .remove(0);
+
+ let mut key_reader = io::BufReader::new(key_file);
+ let key = {
+ let pkcs8_key = rustls_pemfile::pkcs8_private_keys(&mut key_reader)
+ .expect("Cannot load key file");
+ let rsa_key = rustls_pemfile::rsa_private_keys(&mut key_reader)
+ .expect("Cannot load key file");
+ if !pkcs8_key.is_empty() {
+ Some(pkcs8_key[0].clone())
+ } else if !rsa_key.is_empty() {
+ Some(rsa_key[0].clone())
+ } else {
+ None
+ }
+ };
+
+ match key {
+ Some(key) => {
+ let mut root_cert_store = rustls::RootCertStore::empty();
+ root_cert_store.add(&rustls::Certificate(ca_cert)).unwrap();
+
+ // Allow (but do not require) client authentication.
+
+ let mut config = rustls::ServerConfig::builder()
+ .with_safe_defaults()
+ .with_client_cert_verifier(Arc::new(
+ rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new(
+ root_cert_store,
+ ),
+ ))
+ .with_single_cert(certs, PrivateKey(key))
+ .map_err(|e| anyhow!("Error setting cert: {:?}", e))
+ .unwrap();
+
+ match http_versions {
+ SupportedHttpVersions::All => {
+ config.alpn_protocols = vec!["h2".into(), "http/1.1".into()];
+ }
+ SupportedHttpVersions::Http1Only => {}
+ SupportedHttpVersions::Http2Only => {
+ config.alpn_protocols = vec!["h2".into()];
+ }
+ }
+
+ Ok(Arc::new(config))
+ }
+ None => Err(io::Error::new(io::ErrorKind::Other, "Cannot find key")),
+ }
+}