From fa18258b62945ceeb58157af87e9bdff87e5762e Mon Sep 17 00:00:00 2001
From: Jeffrey Charles
Date: Mon, 30 Oct 2023 07:43:41 -0700
Subject: [PATCH] Simplify TLS in quickjs-wasm-sys WASI SDK download (#544)
---
 Cargo.lock | 65 +++++++++++---------
 crates/quickjs-wasm-sys/Cargo.toml | 18 +-----
 crates/quickjs-wasm-sys/build.rs | 96 +++++++++---------------
 supply-chain/audits.toml | 6 ++
 supply-chain/config.toml | 12 ++++
 supply-chain/imports.lock | 19 ++++--
 6 files changed, 99 insertions(+), 117 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 6d501ddf..f398b526 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1199,24 +1199,12 @@ dependencies = [
 [[package]]
 name = "http-body"
-version = "1.0.0-rc.2"
+version = "0.4.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "951dfc2e32ac02d67c90c0d65bd27009a635dc9b381a2cc7d284ab01e3a0150d"
+checksum = "d5f38f16d184e36f2408a55281cd658ecbd3ca05cce6d6510a176eca393e26d1"
 dependencies = [
 "bytes",
 "http",
-]
-
-[[package]]
-name = "http-body-util"
-version = "0.1.0-rc.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08ef12f041acdd397010e5fb6433270c147d3b8b2d0a840cd7fff8e531dca5c8"
-dependencies = [
- "bytes",
- "futures-util",
- "http",
- "http-body",
 "pin-project-lite",
 ]
@@ -1240,9 +1228,9 @@ checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
 [[package]]
 name = "hyper"
-version = "1.0.0-rc.3"
+version = "0.14.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7b75264b2003a3913f118d35c586e535293b3e22e41f074930762929d071e092"
+checksum = "ffb1cfd654a8219eaef89881fdb3bb3b1cdc5fa75ded05d6933b2b382e395468"
 dependencies = [
 "bytes",
 "futures-channel",
@@ -1254,11 +1242,26 @@ dependencies = [
 "httpdate",
 "itoa",
 "pin-project-lite",
+ "socket2 0.4.10",
 "tokio",
+ "tower-service",
 "tracing",
 "want",
 ]
+[[package]]
+name = "hyper-tls"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905"
+dependencies = [
+ "bytes",
+ "hyper",
+ "native-tls",
+ "tokio",
+ "tokio-native-tls",
+]
+
 [[package]]
 name = "id-arena"
 version = "2.2.1"
@@ -1622,7 +1625,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3dce281c5e46beae905d4de1870d8b1509a9142b62eedf18b443b011ca8343d0"
 dependencies = [
 "libc",
- "log",
 "wasi 0.11.0+wasi-snapshot-preview1",
 "windows-sys 0.48.0",
 ]
@@ -2042,19 +2044,10 @@ version = "1.1.2-alpha.1"
 dependencies = [
 "anyhow",
 "bindgen",
- "bytes",
 "cc",
- "futures-core",
- "futures-task",
- "futures-util",
- "http-body-util",
 "hyper",
- "mio",
- "native-tls",
- "openssl-macros",
+ "hyper-tls",
 "tokio",
- "tokio-macros",
- "tokio-native-tls",
 "walkdir",
 ]
@@ -2467,6 +2460,16 @@ dependencies = [
 "version_check",
 ]
+[[package]]
+name = "socket2"
+version = "0.4.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f7916fc008ca5542385b89a3d3ce689953c143e9304a9bf8beec1de48994c0d"
+dependencies = [
+ "libc",
+ "winapi",
+]
+
 [[package]]
 name = "socket2"
 version = "0.5.5"
@@ -2937,7 +2940,7 @@ dependencies = [
 "libc",
 "mio",
 "pin-project-lite",
- "socket2",
+ "socket2 0.5.5",
 "tokio-macros",
 "windows-sys 0.48.0",
 ]
@@ -2972,6 +2975,12 @@ dependencies = [
 "serde",
 ]
+[[package]]
+name = "tower-service"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52"
+
 [[package]]
 name = "tracing"
 version = "0.1.37"
diff --git a/crates/quickjs-wasm-sys/Cargo.toml b/crates/quickjs-wasm-sys/Cargo.toml
index d2b76104..9875edb2 100644
--- a/crates/quickjs-wasm-sys/Cargo.toml
+++ b/crates/quickjs-wasm-sys/Cargo.toml
@@ -14,18 +14,6 @@ cc = "1.0"
 bindgen = "0.68.1"
 walkdir = "2"
 anyhow.workspace = true
-
-# The dependencies below are pinned so they map exactly to the exemptions
-# we copied from the wasmtime team to our supply-chain config
-tokio = { version = "=1.33.0", default-features = false, features = ["rt", "macros", "net"] }
-hyper = { version = "=1.0.0-rc.3", features = ["client", "http1"], default-features = false }
-bytes = "=1.5.0"
-futures-task = "=0.3.29"
-futures-util = { version = "=0.3.27", default-features = false }
-tokio-macros = "=2.1.0"
-futures-core = "=0.3.29"
-mio = "=0.8.9"
-http-body-util = "=0.1.0-rc.3"
-tokio-native-tls = "=0.3.1"
-native-tls = "0.2.11"
-openssl-macros = "=0.1.1"
+tokio = { version = "1.33", default-features = false, features = ["rt", "macros"] }
+hyper = { version = "0.14.27", features = ["client", "http1"] }
+hyper-tls = "0.5.0"
diff --git a/crates/quickjs-wasm-sys/build.rs b/crates/quickjs-wasm-sys/build.rs
index 156ac63f..fffb372e 100644
--- a/crates/quickjs-wasm-sys/build.rs
+++ b/crates/quickjs-wasm-sys/build.rs
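Review bot: The comment explaining that these dependencies were pinned to match the supply-chain exemptions is dropped together with the `=` pins, while the replacements `tokio = { version = "1.33", ... }`, `hyper = { version = "0.14.27", ... }` and `hyper-tls = "0.5.0"` are caret ranges and the exemptions this same commit adds to `supply-chain/config.toml` are exact versions (`http-body 0.4.5`, `socket2 0.4.10`, `tower-service 0.3.2`). A later `cargo update` can therefore resolve to versions the exemptions do not cover, and cargo vet will reject the tree until they are re-audited or re-exempted; that gate is presumably intended, but the reason is no longer documented next to the entries. Suggest keeping a one-line comment above the three new lines, e.g. `# Resolved versions must stay within the exemptions in supply-chain/config.toml; re-run cargo vet after updating`.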
@@ -1,67 +1,16 @@
 use anyhow::{anyhow, bail, Result};
-use hyper::body::Incoming;
+use hyper::body::HttpBody;
+use hyper::{Body, Client, Response};
+use hyper_tls::HttpsConnector;
 use std::io::Write;
 use std::path::{Path, PathBuf};
 use std::{env, fs, process};
-use http_body_util::BodyExt;
-use hyper::{body::Buf, Uri};
-use tokio::io::{AsyncRead, AsyncWrite};
-
 use walkdir::WalkDir;
 const WASI_SDK_VERSION_MAJOR: usize = 20;
 const WASI_SDK_VERSION_MINOR: usize = 0;
-async fn tls_connect(url: &Uri) -> Result {
- let connector: tokio_native_tls::TlsConnector =
- tokio_native_tls::native_tls::TlsConnector::new()
- .unwrap()
- .into();
- let addr = format!("{}:{}", url.host().unwrap(), url.port_u16().unwrap_or(443));
- let stream = tokio::net::TcpStream::connect(addr).await?;
- let stream = connector.connect(url.host().unwrap(), stream).await?;
- Ok(stream)
-}
-
-// Mostly taken from the hyper examples:
-// https://github.com/hyperium/hyper/blob/4cf38a12ce7cc5dfd3af356a0cef61ace4ce82b9/examples/client.rs
-async fn get_uri(url_str: impl AsRef) -> Result {
- let mut url_string = url_str.as_ref().to_string();
- // This loop will follow redirects and will return when a status code
- // is a success (200-299) or a non-redirect (300-399).
- loop {
- let url: Uri = url_string.parse()?;
- let stream = tls_connect(&url).await?;
- let (mut sender, conn) = hyper::client::conn::http1::handshake(stream).await?;
-
- tokio::task::spawn(async move {
- if let Err(err) = conn.await {
- println!("Connection failed: {:?}", err);
- }
- });
-
- let authority = url.authority().unwrap().clone();
- let req = hyper::Request::builder()
- .uri(&url)
- .header(hyper::header::HOST, authority.as_str())
- .body("".to_string())?;
-
- let res = sender.send_request(req).await?;
- if res.status().is_success() {
- return Ok(res.into_body());
- } else if res.status().is_redirection() {
- let target = res
- .headers()
- .get("Location")
- .ok_or(anyhow!("Redirect without `Location` header"))?;
- url_string = target.to_str()?.to_string();
- } else {
- return Err(anyhow!("Could not request URL {:?}", url));
- }
- }
-}
-
 async fn download_wasi_sdk() -> Result {
 let mut wasi_sdk_dir: PathBuf = env::var("OUT_DIR")?.into();
 wasi_sdk_dir.push("wasi-sdk");
@@ -90,21 +39,32 @@ async fn download_wasi_sdk() -> Result {
 other => return Err(anyhow!("Unsupported platform tuple {:?}", other)),
 };
- let uri = format!("https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-{major_version}/wasi-sdk-{major_version}.{minor_version}-{file_suffix}.tar.gz");
- let mut body = get_uri(uri).await?;
- let mut archive = fs::File::create(&archive_path)?;
- while let Some(frame) = body.frame().await {
- if let Some(chunk) = frame
- .map_err(|err| {
- anyhow!(
- "Something went wrong when downloading the WASI SDK: {}",
- err
- )
- })?
- .data_ref()
- {
- archive.write_all(chunk.chunk())?;
+ let mut uri = format!("https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-{major_version}/wasi-sdk-{major_version}.{minor_version}-{file_suffix}.tar.gz");
+
+ let client = Client::builder().build::<_, hyper::Body>(HttpsConnector::new());
+ let mut response: Response = loop {
+ let response = client.get(uri.try_into()?).await?;
+ let status = response.status();
+ if status.is_redirection() {
+ uri = response
+ .headers()
+ .get("Location")
+ .ok_or_else(|| anyhow!("Received redirect without location header"))?
+ .to_str()?
+ .to_string();
+ } else if !status.is_success() {
+ bail!("Received {status} when downloading WASI SDK");
+ } else {
+ break response;
 }
+ };
+
+ let mut archive = fs::File::create(&archive_path)?;
+
+ while let Some(chunk) = response.body_mut().data().await {
+ archive.write_all(&chunk.map_err(|err| {
+ anyhow!("Something went wrong when downloading the WASI SDK: {err}")
+ })?)?;
 }
 }
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
index aeda87eb..8ff15fe3 100644
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
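Review bot: The redirect loop at `let mut response: Response = loop {` has no iteration bound and no scheme check, so a redirect cycle spins the build script forever, and a `Location` pointing at an `http://` URL is followed in plaintext because `HttpsConnector::new()` also accepts plain http unless `https_only(true)` is set, which undoes the TLS the commit is simplifying. A redirect counter plus a check that each `hyper::Uri` still has the `https` scheme before `client.get` closes both gaps; the cap of 10 below is a constructed value. Nothing in this hunk verifies the downloaded archive (no digest comparison is visible), so trust in the tarball rests entirely on the TLS connection to the release host, which deserves a short comment at `fs::File::create(&archive_path)` if that is intentional. download_wasi_sdk starts and ends outside the hunk.
```rust
    let client = Client::builder().build::<_, hyper::Body>(HttpsConnector::new());
    let mut redirects = 0u8;
    let mut response: Response = loop {
        let target: hyper::Uri = uri.try_into()?;
        // Never follow a redirect off TLS; the connector alone does not enforce https.
        if target.scheme_str() != Some("https") {
            bail!("Refusing non-https URI {target} while downloading WASI SDK");
        }
        let response = client.get(target).await?;
        let status = response.status();
        if status.is_redirection() {
            redirects += 1;
            if redirects > 10 {
                bail!("Too many redirects while downloading WASI SDK");
            }
            // … unchanged: Location header extraction into `uri` …
        } else if !status.is_success() {
            bail!("Received {status} when downloading WASI SDK");
        } else {
            break response;
        }
    };
    // … unchanged: archive creation and body streaming …
```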
@@ -153,6 +153,12 @@ user-id = 359 # Sean McArthur (seanmonstar)
 start = "2019-03-01"
 end = "2024-10-26"
+[[trusted.hyper-tls]]
+criteria = "safe-to-deploy"
+user-id = 359 # Sean McArthur (seanmonstar)
+start = "2019-03-19"
+end = "2024-10-27"
+
 [[trusted.io-extras]]
 criteria = "safe-to-deploy"
 user-id = 6825 # Dan Gohman (sunfishcode)
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 03f594a8..191f5159 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -281,6 +281,10 @@ criteria = "safe-to-deploy"
 version = "0.3.1"
 criteria = "safe-to-deploy"
+[[exemptions.http-body]]
+version = "0.4.5"
+criteria = "safe-to-deploy"
+
 [[exemptions.humantime]]
 version = "2.1.0"
 criteria = "safe-to-deploy"
@@ -525,6 +529,10 @@ criteria = "safe-to-deploy"
 version = "1.0.1"
 criteria = "safe-to-deploy"
+[[exemptions.socket2]]
+version = "0.4.10"
+criteria = "safe-to-deploy"
+
 [[exemptions.socket2]]
 version = "0.5.5"
 criteria = "safe-to-deploy"
@@ -653,6 +661,10 @@ criteria = "safe-to-deploy"
 version = "0.5.8"
 criteria = "safe-to-deploy"
+[[exemptions.tower-service]]
+version = "0.3.2"
+criteria = "safe-to-deploy"
+
 [[exemptions.tracing]]
 version = "0.1.34"
 criteria = "safe-to-deploy"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 48b28d02..52da4db6 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -215,16 +215,16 @@ user-id = 359
 user-login = "seanmonstar"
 user-name = "Sean McArthur"
-[[publisher.http-body-util]]
-version = "0.1.0-rc.3"
-when = "2023-07-10"
+[[publisher.httparse]]
+version = "1.8.0"
+when = "2022-08-30"
 user-id = 359
 user-login = "seanmonstar"
 user-name = "Sean McArthur"
-[[publisher.httparse]]
-version = "1.8.0"
-when = "2022-08-30"
+[[publisher.hyper]]
+version = "0.14.27"
+when = "2023-06-26"
 user-id = 359
 user-login = "seanmonstar"
 user-name = "Sean McArthur"
@@ -236,6 +236,13 @@ user-id = 359
 user-login = "seanmonstar"
 user-name = "Sean McArthur"
+[[publisher.hyper-tls]]
+version = "0.5.0"
+when = "2020-12-29"
+user-id = 359
+user-login = "seanmonstar"
+user-name = "Sean McArthur"
+
 [[publisher.io-extras]]
 version = "0.13.2"
 when = "2022-02-01"