From 83c60c283b6553ab70c3d3f03b20768f72b49ba8 Mon Sep 17 00:00:00 2001 From: Tomasz Pietrek Date: Tue, 7 Jan 2025 10:19:38 +0100 Subject: [PATCH 1/2] Improve transient dependencies imports Optional dependencies around TLS were pulling in more than it was necessary. This commit improves that. Additionally CI was not testing all TLS variants, nor the websockets feature. Signed-off-by: Tomasz Pietrek --- .github/workflows/test.yml | 10 +++++++++- async-nats/Cargo.toml | 10 +++++----- async-nats/src/connector.rs | 4 ++-- async-nats/src/tls.rs | 8 +++++--- 4 files changed, 21 insertions(+), 11 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index aefb2459e..7cec24937 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -66,7 +66,15 @@ jobs: env: RUST_BACKTRACE: 1 run: | - cargo test --features=${{ matrix.features }} --features slow_tests -- --nocapture + cargo test --features slow_tests,websockets -- --nocapture + - name: TLS tests (ring, aws-lc-rs, fips) + if: ${{ matrix.os == 'ubuntu-latest' }} + run: | + # we do not want to create more matrices just for tls test. + # It's easier to test it manually here. + cargo test tls --features=ring --no-default-features -- --nocapture + cargo test tls --features=aws-lc-rs --no-default-features -- --nocapture + cargo test tls --features=fips --no-default-features -- --nocapture check_format: name: check format (ubuntu-latest / nightly) diff --git a/async-nats/Cargo.toml b/async-nats/Cargo.toml index 38fe1043b..7c75f6b26 100644 --- a/async-nats/Cargo.toml +++ b/async-nats/Cargo.toml @@ -39,9 +39,9 @@ base64 = "0.22" tryhard = "0.5" ring = { version = "0.17", optional = true } rand = "0.8" -webpki = { package = "rustls-webpki", version = "0.102" } +rustls-webpki = { package = "rustls-webpki", default-features = false, version = "0.102" } portable-atomic = "1" -tokio-websockets = { version = "0.10", features = ["client", "rand", "rustls-native-roots"], optional = true } +tokio-websockets = { version = "0.10", default-features = false, features = ["client", "rand", "rustls-webpki-roots"], optional = true } pin-project = "1.0" [dev-dependencies] @@ -52,7 +52,7 @@ rand = "0.8" tokio = { version = "1.25.0", features = ["rt-multi-thread"] } futures = { version = "0.3.28", default-features = false, features = ["std", "async-await"] } tracing-subscriber = "0.3" -async-nats = {path = ".", features = ["experimental"]} +async-nats = {path = ".", features = ["service", "server_2_10"], default-features = false} reqwest = "0.11.18" jsonschema = "0.17.1" @@ -64,8 +64,8 @@ default = ["server_2_10", "ring"] # Enables Service API for the client. service = [] websockets = ["dep:tokio-websockets"] -aws-lc-rs = ["dep:aws-lc-rs", "tokio-rustls/aws-lc-rs", "tokio-websockets/aws-lc-rs"] -ring = ["dep:ring", "tokio-rustls/ring", "tokio-websockets/ring"] +aws-lc-rs = ["dep:aws-lc-rs", "tokio-rustls/aws-lc-rs", "tokio-websockets?/aws-lc-rs", "rustls-webpki/aws_lc_rs"] +ring = ["dep:ring", "tokio-rustls/ring", "tokio-websockets?/ring"] fips = ["aws-lc-rs", "tokio-rustls/fips"] # All experimental features are part of this feature flag. experimental = ["service"] diff --git a/async-nats/src/connector.rs b/async-nats/src/connector.rs index 9c61a8553..ffbdb59e8 100644 --- a/async-nats/src/connector.rs +++ b/async-nats/src/connector.rs @@ -350,7 +350,7 @@ impl Connector { } #[cfg(feature = "websockets")] "wss" => { - let domain = webpki::types::ServerName::try_from(server_addr.host()) + let domain = rustls_webpki::types::ServerName::try_from(server_addr.host()) .map_err(|err| ConnectError::with_source(crate::ConnectErrorKind::Tls, err))?; let tls_config = Arc::new(tls::config_tls(&self.options).await.map_err(|err| { @@ -406,7 +406,7 @@ impl Connector { ); let tls_connector = tokio_rustls::TlsConnector::from(tls_config); - let domain = webpki::types::ServerName::try_from(server_addr.host()) + let domain = rustls_webpki::types::ServerName::try_from(server_addr.host()) .map_err(|err| ConnectError::with_source(crate::ConnectErrorKind::Tls, err))?; let tls_stream = tls_connector diff --git a/async-nats/src/tls.rs b/async-nats/src/tls.rs index b0fab53c3..e4f75c787 100644 --- a/async-nats/src/tls.rs +++ b/async-nats/src/tls.rs @@ -13,10 +13,10 @@ use crate::connector::ConnectorOptions; use crate::tls; +use rustls_webpki::types::{CertificateDer, PrivateKeyDer}; use std::io::{self, BufReader, ErrorKind}; use std::path::PathBuf; use tokio_rustls::rustls::{ClientConfig, RootCertStore}; -use webpki::types::{CertificateDer, PrivateKeyDer}; /// Loads client certificates from a `.pem` file. /// If the pem file is found, but does not contain any certificates, it will return @@ -67,8 +67,10 @@ pub(crate) async fn config_tls(options: &ConnectorOptions) -> io::Result, webpki::Error>>() + .map(|cert| { + rustls_webpki::anchor_from_trusted_cert(&cert).map(|ta| ta.to_owned()) + }) + .collect::, rustls_webpki::Error>>() .map_err(|err| { io::Error::new( ErrorKind::InvalidInput, From a471adc1b19ea769b85571ff1c10f4b3f7ec4462 Mon Sep 17 00:00:00 2001 From: Tomasz Pietrek Date: Tue, 7 Jan 2025 22:37:29 +0100 Subject: [PATCH 2/2] Improve cross-domain mirrors test Signed-off-by: Tomasz Pietrek --- async-nats/tests/kv_tests.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/async-nats/tests/kv_tests.rs b/async-nats/tests/kv_tests.rs index a443b5068..05d9d3567 100644 --- a/async-nats/tests/kv_tests.rs +++ b/async-nats/tests/kv_tests.rs @@ -1041,7 +1041,7 @@ mod kv { } }) .retries(5) - .exponential_backoff(Duration::from_millis(500)) + .exponential_backoff(Duration::from_millis(2000)) .await .unwrap();