chore: Replaced static openssl cert usage with in-process cert
jsumners-nr committed Oct 22, 2024
1 parent b917b3e commit bf6ef13
Showing 18 changed files with 501 additions and 473 deletions.
44 changes: 7 additions & 37 deletions THIRD_PARTY_NOTICES.md
Expand Up @@ -68,7 +68,6 @@ code, the source code can be found at [https://github.com/newrelic/node-newrelic
* [lint-staged](#lint-staged)
* [lockfile-lint](#lockfile-lint)
* [nock](#nock)
* [proxy](#proxy)
* [proxyquire](#proxyquire)
* [rimraf](#rimraf)
* [self-cert](#self-cert)
Expand All @@ -93,7 +92,7 @@ code, the source code can be found at [https://github.com/newrelic/node-newrelic

### @grpc/grpc-js

This product includes source derived from [@grpc/grpc-js](https://github.com/grpc/grpc-node/tree/master/packages/grpc-js) ([v1.11.3](https://github.com/grpc/grpc-node/tree/master/packages/grpc-js/tree/v1.11.3)), distributed under the [Apache-2.0 License](https://github.com/grpc/grpc-node/tree/master/packages/grpc-js/blob/v1.11.3/LICENSE):
This product includes source derived from [@grpc/grpc-js](https://github.com/grpc/grpc-node/tree/master/packages/grpc-js) ([v1.12.2](https://github.com/grpc/grpc-node/tree/master/packages/grpc-js/tree/v1.12.2)), distributed under the [Apache-2.0 License](https://github.com/grpc/grpc-node/tree/master/packages/grpc-js/blob/v1.12.2/LICENSE):

```
Apache License
Expand Down Expand Up @@ -1043,7 +1042,7 @@ IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

### winston-transport

This product includes source derived from [winston-transport](https://github.com/winstonjs/winston-transport) ([v4.7.1](https://github.com/winstonjs/winston-transport/tree/v4.7.1)), distributed under the [MIT License](https://github.com/winstonjs/winston-transport/blob/v4.7.1/LICENSE):
This product includes source derived from [winston-transport](https://github.com/winstonjs/winston-transport) ([v4.8.0](https://github.com/winstonjs/winston-transport/tree/v4.8.0)), distributed under the [MIT License](https://github.com/winstonjs/winston-transport/blob/v4.8.0/LICENSE):

```
The MIT License (MIT)
Expand Down Expand Up @@ -1076,7 +1075,7 @@ SOFTWARE.

### @aws-sdk/client-s3

This product includes source derived from [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3) ([v3.658.1](https://github.com/aws/aws-sdk-js-v3/tree/v3.658.1)), distributed under the [Apache-2.0 License](https://github.com/aws/aws-sdk-js-v3/blob/v3.658.1/LICENSE):
This product includes source derived from [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3) ([v3.676.0](https://github.com/aws/aws-sdk-js-v3/tree/v3.676.0)), distributed under the [Apache-2.0 License](https://github.com/aws/aws-sdk-js-v3/blob/v3.676.0/LICENSE):

```
Apache License
Expand Down Expand Up @@ -1285,7 +1284,7 @@ This product includes source derived from [@aws-sdk/client-s3](https://github.co

### @aws-sdk/s3-request-presigner

This product includes source derived from [@aws-sdk/s3-request-presigner](https://github.com/aws/aws-sdk-js-v3) ([v3.658.1](https://github.com/aws/aws-sdk-js-v3/tree/v3.658.1)), distributed under the [Apache-2.0 License](https://github.com/aws/aws-sdk-js-v3/blob/v3.658.1/LICENSE):
This product includes source derived from [@aws-sdk/s3-request-presigner](https://github.com/aws/aws-sdk-js-v3) ([v3.676.0](https://github.com/aws/aws-sdk-js-v3/tree/v3.676.0)), distributed under the [Apache-2.0 License](https://github.com/aws/aws-sdk-js-v3/blob/v3.676.0/LICENSE):

```
Apache License
Expand Down Expand Up @@ -2208,7 +2207,7 @@ THE SOFTWARE.

### @slack/bolt

This product includes source derived from [@slack/bolt](https://github.com/slackapi/bolt) ([v3.21.4](https://github.com/slackapi/bolt/tree/v3.21.4)), distributed under the [MIT License](https://github.com/slackapi/bolt/blob/v3.21.4/LICENSE):
This product includes source derived from [@slack/bolt](https://github.com/slackapi/bolt) ([v3.22.0](https://github.com/slackapi/bolt/tree/v3.22.0)), distributed under the [MIT License](https://github.com/slackapi/bolt/blob/v3.22.0/LICENSE):

```
The MIT License (MIT)
Expand Down Expand Up @@ -3372,7 +3371,7 @@ THE SOFTWARE.

### express

This product includes source derived from [express](https://github.com/expressjs/express) ([v4.21.0](https://github.com/expressjs/express/tree/v4.21.0)), distributed under the [MIT License](https://github.com/expressjs/express/blob/v4.21.0/LICENSE):
This product includes source derived from [express](https://github.com/expressjs/express) ([v4.21.1](https://github.com/expressjs/express/tree/v4.21.1)), distributed under the [MIT License](https://github.com/expressjs/express/blob/v4.21.1/LICENSE):

```
(The MIT License)
Expand Down Expand Up @@ -3508,7 +3507,7 @@ SOFTWARE.

### jsdoc

This product includes source derived from [jsdoc](https://github.com/jsdoc/jsdoc) ([v4.0.3](https://github.com/jsdoc/jsdoc/tree/v4.0.3)), distributed under the [Apache-2.0 License](https://github.com/jsdoc/jsdoc/blob/v4.0.3/LICENSE.md):
This product includes source derived from [jsdoc](https://github.com/jsdoc/jsdoc) ([v4.0.4](https://github.com/jsdoc/jsdoc/tree/v4.0.4)), distributed under the [Apache-2.0 License](https://github.com/jsdoc/jsdoc/blob/v4.0.4/LICENSE.md):

```
# License
Expand Down Expand Up @@ -3947,35 +3946,6 @@ SOFTWARE.
```

### proxy

This product includes source derived from [proxy](https://github.com/TooTallNate/proxy-agents) ([v2.2.0](https://github.com/TooTallNate/proxy-agents/tree/v2.2.0)), distributed under the [MIT License](https://github.com/TooTallNate/proxy-agents/blob/v2.2.0/LICENSE):

```
(The MIT License)
Copyright (c) 2013 Nathan Rajlich <[email protected]>
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
'Software'), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
```

### proxyquire

This product includes source derived from [proxyquire](https://github.com/thlorenz/proxyquire) ([v1.8.0](https://github.com/thlorenz/proxyquire/tree/v1.8.0)), distributed under the [MIT License](https://github.com/thlorenz/proxyquire/blob/v1.8.0/LICENSE):
5 changes: 4 additions & 1 deletion lib/collector/http-agents.js
Expand Up @@ -53,11 +53,14 @@ exports.proxyAgent = function proxyAgent(config) {
}
const proxyUrl = proxyOptions(config)

// Tests may supply 127.0.0.1 as the host, but SNI requires a hostname.
const servername = config.host
const proxyOpts = {
secureEndpoint: config.ssl,
auth: proxyUrl.auth,
ca: config?.certificates?.length ? config.certificates : [],
keepAlive: true
keepAlive: true,
servername
}

logger.info(`using proxy: ${proxyUrl}`)
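Review bot: the new comment and the assignment do not agree. The comment says tests may pass `127.0.0.1` as the host and that SNI needs a hostname, yet `servername` is set to `config.host` unconditionally, so an IP-literal host would still be handed to the TLS layer as SNI (RFC 6066 does not permit IP literals in the SNI host name, and Node drops or warns on them). Either reword the comment to say what the option is really for, pinning hostname verification of the tunnelled TLS session to the collector host rather than to the proxy address, or guard it, e.g. `servername: net.isIP(config.host) ? undefined : config.host`. Setting `servername` explicitly is a good change either way: it makes the certificate hostname check apply to the collector name even when the connection is opened through a proxy.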
3 changes: 1 addition & 2 deletions package.json
Expand Up @@ -195,7 +195,7 @@
"newrelic-naming-rules": "./bin/test-naming-rules.js"
},
"dependencies": {
"@grpc/grpc-js": "^1.9.4",
"@grpc/grpc-js": "^1.12.2",
"@grpc/proto-loader": "^0.7.5",
"@newrelic/security-agent": "^2.0.0",
"@tyriar/fibonacci-heap": "^2.0.7",
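Review bot: the minimum for `@grpc/grpc-js` moves from `^1.9.4` to `^1.12.2` inside a commit labelled `chore` about certificates. If the newer floor is required by this change (for example for the TLS/SNI behaviour the test servers now rely on), say so in the commit message; otherwise a separate dependency-bump commit keeps the history easier to bisect. THIRD_PARTY_NOTICES.md is updated to v1.12.2 in this commit, so the two stay consistent.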
Expand Down Expand Up @@ -253,7 +253,6 @@
"lint-staged": "^11.0.0",
"lockfile-lint": "^4.9.6",
"nock": "11.8.0",
"proxy": "^2.1.1",
"proxyquire": "^1.8.0",
"rimraf": "^2.6.3",
"self-cert": "^2.0.0",
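Review bot: dropping the `proxy` devDependency matches the removal of its section from THIRD_PARTY_NOTICES.md, but none of the hunks visible here touch a test that required it (the remaining changed files are collapsed on this page). Confirm that `require('proxy')` no longer appears anywhere under `test/`, otherwise the suite will fail with a missing-module error rather than a test failure.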
17 changes: 11 additions & 6 deletions test/integration/grpc/reconnect.tap.js
Expand Up @@ -16,8 +16,14 @@ const MetricMapper = require('../../../lib/metrics/mapper')
const MetricNormalizer = require('../../../lib/metrics/normalizer')
const StreamingSpanEvent = require('../../../lib/spans/streaming-span-event')

const fakeCert = require('../../lib/fake-cert')
const helper = require('../../lib/agent_helper')

// We generate the certificate once for the whole suite because it is a CPU
// intensive operation and would slow down tests if each test created its
// own certificate.
const cert = fakeCert({ commonName: 'localhost' })

tap.test('test that connection class reconnects', async (t) => {
// one assert for the initial connection
// a second assert for the disconnect
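Review bot: `fakeCert({ commonName: 'localhost' })` runs synchronously at module load, so the key-generation cost the comment mentions is paid before tap registers the first test; that is acceptable, but the comment should say so, since a reader may otherwise expect the work to happen inside a test. The certificate's `commonName` is `localhost`, while the server in infinite-tracing-connection.tap.js (same commit) now binds `127.0.0.1`; hostname verification on the client side only passes if the client dials a name present in the certificate, so please document which name (`helper.SSL_HOST` or similar) the client is expected to use.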
Expand Down Expand Up @@ -50,7 +56,7 @@ tap.test('test that connection class reconnects', async (t) => {

// Currently test-only configuration
const origEnv = process.env.NEWRELIC_GRPCCONNECTION_CA
process.env.NEWRELIC_GRPCCONNECTION_CA = sslOpts.ca
process.env.NEWRELIC_GRPCCONNECTION_CA = cert.certificate
t.teardown(() => {
process.env.NEWRELIC_GRPCCONNECTION_CA = origEnv
})
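Review bot: `cert.certificate` is assigned to an environment variable, so it must be the PEM string form; the Buffer form (`certificateBuffer`) is what the server credentials below use. A Buffer would be coerced with `toString()`, which happens to produce PEM for a UTF-8 buffer, but relying on that is fragile. A one-line comment here noting that `certificate` is the PEM string (and `certificateBuffer` the Buffer) would stop the two being swapped later.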
Expand Down Expand Up @@ -133,7 +139,7 @@ tap.test('Should reconnect even when data sent back', async (t) => {

// Currently test-only configuration
const origEnv = process.env.NEWRELIC_GRPCCONNECTION_CA
process.env.NEWRELIC_GRPCCONNECTION_CA = sslOpts.ca
process.env.NEWRELIC_GRPCCONNECTION_CA = cert.certificate
t.teardown(() => {
process.env.NEWRELIC_GRPCCONNECTION_CA = origEnv
})
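Review bot: this set-env/teardown block is now a verbatim copy of the one in the previous test, and a third copy appears in infinite-tracing-connection.tap.js. A small helper such as `useFakeCa(t, cert)` that sets `NEWRELIC_GRPCCONNECTION_CA` and registers the teardown would remove the duplication and keep the "test-only configuration" caveat in one place.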
Expand Down Expand Up @@ -186,13 +192,12 @@ tap.test('Should reconnect even when data sent back', async (t) => {
})

async function setupSsl() {
const [key, certificate, ca] = await helper.withSSL()
return {
ca,
ca: null,
authPairs: [
{
private_key: key,
cert_chain: certificate
private_key: cert.privateKeyBuffer,
cert_chain: cert.certificateBuffer
}
]
}
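Review bot: `ca: null` leaves a field that the old `helper.withSSL()` result was the only source of; unless the shared gRPC server helper still destructures `ca`, drop the field rather than keep a null placeholder. Note also that this file returns `ca: null` while infinite-tracing-connection.tap.js builds the same structure with `ca: cert.certificateBuffer`; since the server credentials in that file now pass `null` root certificates anyway, both should agree on omitting it.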
124 changes: 61 additions & 63 deletions test/integration/infinite-tracing-connection.tap.js
Expand Up @@ -11,8 +11,14 @@ const path = require('path')
const grpc = require('@grpc/grpc-js')
const protoLoader = require('@grpc/proto-loader')

const fakeCert = require('../lib/fake-cert')
const helper = require('../lib/agent_helper')

// We generate the certificate once for the whole suite because it is a CPU
// intensive operation and would slow down tests if each test created its
// own certificate.
const cert = fakeCert({ commonName: 'localhost' })

const PROTO_PATH = path.join(__dirname, '../..', '/lib/grpc/endpoints/infinite-tracing/v1.proto')

const TEST_DOMAIN = 'test-collector.newrelic.com'
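Review bot: this import and the three-line "generate once" comment are copied verbatim from reconnect.tap.js. Consider letting `test/lib/fake-cert` (or a thin wrapper) memoise the generated certificate for the process and carry the rationale in its own doc comment, so each suite just calls `fakeCert({ commonName: 'localhost' })` without repeating the explanation.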
Expand Down Expand Up @@ -258,70 +264,63 @@ const infiniteTracingService = grpc.loadPackageDefinition(packageDefinition).com
nock.disableNetConnect()
startingEndpoints = setupConnectionEndpoints(INITIAL_RUN_ID, INITIAL_SESSION_ID)

helper
.withSSL()
.then(([key, certificate, ca]) => {
const sslOpts = {
ca,
authPairs: [{ private_key: key, cert_chain: certificate }]
}
const sslOpts = {
ca: cert.certificateBuffer,
authPairs: [{ private_key: cert.privateKeyBuffer, cert_chain: cert.certificateBuffer }]
}

const services = [
{
serviceDefinition: infiniteTracingService.IngestService.service,
implementation: { recordSpan, recordSpanBatch }
const services = [
{
serviceDefinition: infiniteTracingService.IngestService.service,
implementation: { recordSpan, recordSpanBatch }
}
]

server = createGrpcServer(sslOpts, services, (err, port) => {
t.error(err)

agent = helper.loadMockedAgent({
license_key: EXPECTED_LICENSE_KEY,
apdex_t: Number.MIN_VALUE, // force transaction traces
host: TEST_DOMAIN,
plugins: {
// turn off native metrics to avoid unwanted gc metrics
native_metrics: { enabled: false }
},
distributed_tracing: { enabled: true },
slow_sql: { enabled: true },
transaction_tracer: {
record_sql: 'obfuscated',
explain_threshold: Number.MIN_VALUE // force SQL traces
},
utilization: {
detect_aws: false
},
infinite_tracing: {
...config,
span_events: {
queue_size: 2
},
trace_observer: {
host: helper.SSL_HOST,
port
}
]

server = createGrpcServer(sslOpts, services, (err, port) => {
t.error(err)

agent = helper.loadMockedAgent({
license_key: EXPECTED_LICENSE_KEY,
apdex_t: Number.MIN_VALUE, // force transaction traces
host: TEST_DOMAIN,
plugins: {
// turn off native metrics to avoid unwanted gc metrics
native_metrics: { enabled: false }
},
distributed_tracing: { enabled: true },
slow_sql: { enabled: true },
transaction_tracer: {
record_sql: 'obfuscated',
explain_threshold: Number.MIN_VALUE // force SQL traces
},
utilization: {
detect_aws: false
},
infinite_tracing: {
...config,
span_events: {
queue_size: 2
},
trace_observer: {
host: helper.SSL_HOST,
port
}
}
})
}
})

agent.config.no_immediate_harvest = true
agent.config.no_immediate_harvest = true

// Currently test-only configuration
const origEnv = process.env.NEWRELIC_GRPCCONNECTION_CA
process.env.NEWRELIC_GRPCCONNECTION_CA = ca
t.teardown(() => {
process.env.NEWRELIC_GRPCCONNECTION_CA = origEnv
})

if (callback) {
callback()
}
})
})
.catch((err) => {
t.error(err)
// Currently test-only configuration
const origEnv = process.env.NEWRELIC_GRPCCONNECTION_CA
process.env.NEWRELIC_GRPCCONNECTION_CA = cert.certificate
t.teardown(() => {
process.env.NEWRELIC_GRPCCONNECTION_CA = origEnv
})

if (callback) {
callback()
}
})
}
})
})
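Review bot: `ca: cert.certificateBuffer` in `sslOpts` is dead data, because `createGrpcServer` below now passes `null` as the root certificates to `ServerCredentials.createSsl` and destructures only `authPairs`; drop the field (reconnect.tap.js already uses `ca: null`) so a reader is not led to think the test server validates client certificates. Removing the `.withSSL().then(...).catch(...)` wrapper is correct now that `fakeCert` is synchronous, but it also removed the only `.catch`, so any exception thrown inside the `createGrpcServer` callback (for example from `helper.loadMockedAgent` when `port` is undefined after a bind error) will now surface as an uncaught exception; an early `return` after `t.error(err)` would make that path fail cleanly.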
Expand Down Expand Up @@ -387,11 +386,10 @@ function createGrpcServer(sslOptions, services, callback) {
server.addService(service.serviceDefinition, service.implementation)
}

const { ca, authPairs } = sslOptions
const credentials = grpc.ServerCredentials.createSsl(ca, authPairs, false)
const { authPairs } = sslOptions
const credentials = grpc.ServerCredentials.createSsl(null, authPairs, false)

// Select a random port
server.bindAsync('localhost:0', credentials, (err, port) => {
server.bindAsync('127.0.0.1:0', credentials, (err, port) => {
if (err) {
callback(err)
}
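Review bot: binding to `127.0.0.1:0` instead of `localhost:0` removes the IPv4/IPv6 ambiguity of `localhost` (on dual-stack hosts it may resolve to `::1` while the client dials `127.0.0.1`, or the reverse), which is the right fix for a flaky listener. The certificate generated at the top of this file carries `commonName: 'localhost'`, though, so the client still has to connect using a name present in the certificate (`helper.SSL_HOST`) for hostname verification to pass; a comment tying the bind address to that constraint would help the next reader. Passing `null` root certificates together with `checkClientCertificate` set to `false` is the correct way to express server-authentication only in @grpc/grpc-js. Finally, the `if (err) { callback(err) }` branch has no `return`; if the lines below it (collapsed here) also call `callback` with the port, the callback will run twice on a bind failure.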
0 comments on commit bf6ef13