Simplify TLS in quickjs-wasm-sys WASI SDK download (#544)

bytecodealliance · Oct 30, 2023 · fa18258 · fa18258
1 parent b574e2f
commit fa18258
Show file tree

Hide file tree

Showing 6 changed files with 99 additions and 117 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/quickjs-wasm-sys/Cargo.toml b/crates/quickjs-wasm-sys/Cargo.toml
@@ -14,18 +14,6 @@ cc = "1.0"
 bindgen = "0.68.1"
 walkdir = "2"
 anyhow.workspace = true
-
-# The dependencies below are pinned so they map exactly to the exemptions
-# we copied from the wasmtime team to our supply-chain config
-tokio = { version = "=1.33.0", default-features = false, features = ["rt", "macros", "net"] }
-hyper = { version = "=1.0.0-rc.3", features = ["client", "http1"], default-features = false }
-bytes = "=1.5.0"
-futures-task = "=0.3.29"
-futures-util = { version = "=0.3.27", default-features = false }
-tokio-macros = "=2.1.0"
-futures-core = "=0.3.29"
-mio = "=0.8.9"
-http-body-util = "=0.1.0-rc.3"
-tokio-native-tls = "=0.3.1"
-native-tls = "0.2.11"
-openssl-macros = "=0.1.1"
+tokio = { version = "1.33", default-features = false, features = ["rt", "macros"] }
+hyper = { version = "0.14.27", features = ["client", "http1"] }
+hyper-tls = "0.5.0"
diff --git a/crates/quickjs-wasm-sys/build.rs b/crates/quickjs-wasm-sys/build.rs
@@ -1,67 +1,16 @@
 use anyhow::{anyhow, bail, Result};
-use hyper::body::Incoming;
+use hyper::body::HttpBody;
+use hyper::{Body, Client, Response};
+use hyper_tls::HttpsConnector;
 use std::io::Write;
 use std::path::{Path, PathBuf};
 use std::{env, fs, process};
 
-use http_body_util::BodyExt;
-use hyper::{body::Buf, Uri};
-use tokio::io::{AsyncRead, AsyncWrite};
-
 use walkdir::WalkDir;
 
 const WASI_SDK_VERSION_MAJOR: usize = 20;
 const WASI_SDK_VERSION_MINOR: usize = 0;
 
-async fn tls_connect(url: &Uri) -> Result<impl AsyncRead + AsyncWrite + Unpin> {
-    let connector: tokio_native_tls::TlsConnector =
-        tokio_native_tls::native_tls::TlsConnector::new()
-            .unwrap()
-            .into();
-    let addr = format!("{}:{}", url.host().unwrap(), url.port_u16().unwrap_or(443));
-    let stream = tokio::net::TcpStream::connect(addr).await?;
-    let stream = connector.connect(url.host().unwrap(), stream).await?;
-    Ok(stream)
-}
-
-// Mostly taken from the hyper examples:
-// https://github.com/hyperium/hyper/blob/4cf38a12ce7cc5dfd3af356a0cef61ace4ce82b9/examples/client.rs
-async fn get_uri(url_str: impl AsRef<str>) -> Result<Incoming> {
-    let mut url_string = url_str.as_ref().to_string();
-    // This loop will follow redirects and will return when a status code
-    // is a success (200-299) or a non-redirect (300-399).
-    loop {
-        let url: Uri = url_string.parse()?;
-        let stream = tls_connect(&url).await?;
-        let (mut sender, conn) = hyper::client::conn::http1::handshake(stream).await?;
-
-        tokio::task::spawn(async move {
-            if let Err(err) = conn.await {
-                println!("Connection failed: {:?}", err);
-            }
-        });
-
-        let authority = url.authority().unwrap().clone();
-        let req = hyper::Request::builder()
-            .uri(&url)
-            .header(hyper::header::HOST, authority.as_str())
-            .body("".to_string())?;
-
-        let res = sender.send_request(req).await?;
-        if res.status().is_success() {
-            return Ok(res.into_body());
-        } else if res.status().is_redirection() {
-            let target = res
-                .headers()
-                .get("Location")
-                .ok_or(anyhow!("Redirect without `Location` header"))?;
-            url_string = target.to_str()?.to_string();
-        } else {
-            return Err(anyhow!("Could not request URL {:?}", url));
-        }
-    }
-}
-
 async fn download_wasi_sdk() -> Result<PathBuf> {
     let mut wasi_sdk_dir: PathBuf = env::var("OUT_DIR")?.into();
     wasi_sdk_dir.push("wasi-sdk");
@@ -90,21 +39,32 @@ async fn download_wasi_sdk() -> Result<PathBuf> {
             other => return Err(anyhow!("Unsupported platform tuple {:?}", other)),
         };
 
-        let uri = format!("https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-{major_version}/wasi-sdk-{major_version}.{minor_version}-{file_suffix}.tar.gz");
-        let mut body = get_uri(uri).await?;
-        let mut archive = fs::File::create(&archive_path)?;
-        while let Some(frame) = body.frame().await {
-            if let Some(chunk) = frame
-                .map_err(|err| {
-                    anyhow!(
-                        "Something went wrong when downloading the WASI SDK: {}",
-                        err
-                    )
-                })?
-                .data_ref()
-            {
-                archive.write_all(chunk.chunk())?;
+        let mut uri = format!("https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-{major_version}/wasi-sdk-{major_version}.{minor_version}-{file_suffix}.tar.gz");
+
+        let client = Client::builder().build::<_, hyper::Body>(HttpsConnector::new());
+        let mut response: Response<Body> = loop {
+            let response = client.get(uri.try_into()?).await?;
+            let status = response.status();
+            if status.is_redirection() {
+                uri = response
+                    .headers()
+                    .get("Location")
+                    .ok_or_else(|| anyhow!("Received redirect without location header"))?
+                    .to_str()?
+                    .to_string();
+            } else if !status.is_success() {
+                bail!("Received {status} when downloading WASI SDK");
+            } else {
+                break response;
             }
+        };
+
+        let mut archive = fs::File::create(&archive_path)?;
+
+        while let Some(chunk) = response.body_mut().data().await {
+            archive.write_all(&chunk.map_err(|err| {
+                anyhow!("Something went wrong when downloading the WASI SDK: {err}")
+            })?)?;
         }
     }
 

diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
@@ -153,6 +153,12 @@ user-id = 359 # Sean McArthur (seanmonstar)
 start = "2019-03-01"
 end = "2024-10-26"
 
+[[trusted.hyper-tls]]
+criteria = "safe-to-deploy"
+user-id = 359 # Sean McArthur (seanmonstar)
+start = "2019-03-19"
+end = "2024-10-27"
+
 [[trusted.io-extras]]
 criteria = "safe-to-deploy"
 user-id = 6825 # Dan Gohman (sunfishcode)

diff --git a/supply-chain/config.toml b/supply-chain/config.toml
@@ -281,6 +281,10 @@ criteria = "safe-to-deploy"
 version = "0.3.1"
 criteria = "safe-to-deploy"
 
+[[exemptions.http-body]]
+version = "0.4.5"
+criteria = "safe-to-deploy"
+
 [[exemptions.humantime]]
 version = "2.1.0"
 criteria = "safe-to-deploy"
@@ -525,6 +529,10 @@ criteria = "safe-to-deploy"
 version = "1.0.1"
 criteria = "safe-to-deploy"
 
+[[exemptions.socket2]]
+version = "0.4.10"
+criteria = "safe-to-deploy"
+
 [[exemptions.socket2]]
 version = "0.5.5"
 criteria = "safe-to-deploy"
@@ -653,6 +661,10 @@ criteria = "safe-to-deploy"
 version = "0.5.8"
 criteria = "safe-to-deploy"
 
+[[exemptions.tower-service]]
+version = "0.3.2"
+criteria = "safe-to-deploy"
+
 [[exemptions.tracing]]
 version = "0.1.34"
 criteria = "safe-to-deploy"

diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
@@ -215,16 +215,16 @@ user-id = 359
 user-login = "seanmonstar"
 user-name = "Sean McArthur"
 
-[[publisher.http-body-util]]
-version = "0.1.0-rc.3"
-when = "2023-07-10"
+[[publisher.httparse]]
+version = "1.8.0"
+when = "2022-08-30"
 user-id = 359
 user-login = "seanmonstar"
 user-name = "Sean McArthur"
 
-[[publisher.httparse]]
-version = "1.8.0"
-when = "2022-08-30"
+[[publisher.hyper]]
+version = "0.14.27"
+when = "2023-06-26"
 user-id = 359
 user-login = "seanmonstar"
 user-name = "Sean McArthur"
@@ -236,6 +236,13 @@ user-id = 359
 user-login = "seanmonstar"
 user-name = "Sean McArthur"
 
+[[publisher.hyper-tls]]
+version = "0.5.0"
+when = "2020-12-29"
+user-id = 359
+user-login = "seanmonstar"
+user-name = "Sean McArthur"
+
 [[publisher.io-extras]]
 version = "0.13.2"
 when = "2022-02-01"