Bug 1988139 - Make HTTPS node servers automatically add cert to DB r=necko-reviewers,kershaw

Differential Revision: https://phabricator.services.mozilla.com/D264583

Author: valenting

dom/tests/unit/test_Fetch.js

@@ -354,7 +354,35 @@ add_test(function test_PostTextData() {
     });
 });
 
+add_test(async function test_https() {
+  do_test_pending();
+
+  const { NodeHTTP2Server } = ChromeUtils.importESModule(
+    "resource://testing-common/NodeServer.sys.mjs"
+  );
+  let h2server = new NodeHTTP2Server();
+  await h2server.start();
+  await h2server.registerPathHandler("/test", (req, resp) => {
+    resp.writeHead(200);
+    resp.end("done");
+  });
+
+  fetch(`${h2server.origin()}/test`)
+    .then(async response => {
+      Assert.equal(await response.text(), "done");
+    })
+    .catch(e => {
+      Assert.ok(false, `Fetch failed ${e}`);
+    })
+    .finally(async () => {
+      await h2server.stop();
+      do_test_finished();
+      run_next_test();
+    });
+});
+
 function run_test() {
+  do_get_profile(); // So certificate installation works.
   // Set up an HTTP Server
   server = new HttpServer();
   server.start(-1);

netwerk/docs/network_test_guidelines.md

@@ -110,6 +110,9 @@ The most typical form of necko xpcsehll-test is creating an HTTP server and test
   This is what it looks like to create a simple HTTP server:
 
   ```js
+  const {
+    NodeHTTPServer,
+  } = ChromeUtils.importESModule("resource://testing-common/NodeServer.sys.mjs");
   let server = new NodeHTTPServer();
   await server.start();
   registerCleanupFunction(async () => {
@@ -121,14 +124,18 @@ The most typical form of necko xpcsehll-test is creating an HTTP server and test
   });
   ```
 
-  We can also create a `HTTP/2` server easily by replacing `NodeHTTPServer` with `NodeHTTP2Server` and adding the server certification.
+  We can also create a `HTTP/2` server easily by replacing `NodeHTTPServer` with `NodeHTTP2Server`.
 
   ```js
-  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
-    Ci.nsIX509CertDB
-  );
-  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
+  // Normally HTTPS servers require us adding the certificate to the
+  // certDB, but that happens automatically in BaseNodeServer.installCert
+  // which is called from server.start.
+  // But the test does need to call do_get_profile(); for this to work.
+  const {
+    NodeHTTP2Server,
+  } = ChromeUtils.importESModule("resource://testing-common/NodeServer.sys.mjs");
   let server = new NodeHTTP2Server();
+  await server.start();
   ```
 
 - Code at client side
@@ -154,6 +161,9 @@ The most typical form of necko xpcsehll-test is creating an HTTP server and test
   This is what it looks like to put everything together:
 
   ```js
+  const {
+    NodeHTTPServer,
+  } = ChromeUtils.importESModule("resource://testing-common/NodeServer.sys.mjs");
   add_task(async function test_http() {
     let server = new NodeHTTPServer();
     await server.start();

netwerk/test/httpserver/NodeServer.sys.mjs

@@ -3,6 +3,7 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 import { AppConstants } from "resource://gre/modules/AppConstants.sys.mjs";
+import { NetUtil } from "resource://gre/modules/NetUtil.sys.mjs";
 
 /* globals require, __dirname, global, Buffer, process */
 
@@ -114,6 +115,73 @@ class BaseNodeServer {
     return `localhost`;
   }
 
+  static async installCert(filename) {
+    if (Services.appinfo.processType != Ci.nsIXULRuntime.PROCESS_TYPE_DEFAULT) {
+      // Can't install cert from content process.
+      return;
+    }
+    let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+      Ci.nsIX509CertDB
+    );
+
+    function readFile(file) {
+      let fstream = Cc[
+        "@mozilla.org/network/file-input-stream;1"
+      ].createInstance(Ci.nsIFileInputStream);
+      fstream.init(file, -1, 0, 0);
+      let data = NetUtil.readInputStreamToString(fstream, fstream.available());
+      fstream.close();
+      return data;
+    }
+
+    // Find the root directory that contains netwerk/
+    let currentDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+    let rootDir = currentDir.clone();
+
+    // XXX(valentin) The certs are stored in netwerk/test/unit
+    // Walk up until the dir contains netwerk/
+    // This is hacky, but the alternative would also require
+    // us to walk up the path to the root dir.
+    while (rootDir) {
+      let netwerkDir = rootDir.clone();
+      netwerkDir.append("netwerk");
+      if (netwerkDir.exists() && netwerkDir.isDirectory()) {
+        break;
+      }
+      let parent = rootDir.parent;
+      if (!parent || parent.equals(rootDir)) {
+        // Reached filesystem root, fallback to current directory
+        rootDir = currentDir;
+        break;
+      }
+      rootDir = parent;
+    }
+
+    let certFile = rootDir.clone();
+    certFile.append("netwerk");
+    certFile.append("test");
+    certFile.append("unit");
+    certFile.append(filename);
+
+    try {
+      let pem = readFile(certFile)
+        .replace(/-----BEGIN CERTIFICATE-----/, "")
+        .replace(/-----END CERTIFICATE-----/, "")
+        .replace(/[\r\n]/g, "");
+      certdb.addCertFromBase64(pem, "CTu,u,u");
+    } catch (e) {
+      let errStr = e.toString();
+      console.log(`Error installing cert ${errStr}`);
+      if (errStr.includes("0x805a1fe8")) {
+        // Can't install the cert without a profile
+        // Let's show an error, otherwise this will be difficult to diagnose.
+        console.log(
+          `!!! BaseNodeServer.installCert > Make sure your unit test calls do_get_profile()`
+        );
+      }
+    }
+  }
+
   /// Stops the server
   async stop() {
     if (this.processId) {
@@ -194,6 +262,9 @@ export class NodeHTTPSServer extends BaseNodeServer {
   /// @port - default 0
   ///    when provided, will attempt to listen on that port.
   async start(port = 0) {
+    if (!this._skipCert) {
+      await BaseNodeServer.installCert("http2-ca.pem");
+    }
     this.processId = await NodeServer.fork();
 
     await this.execute(BaseNodeHTTPServerCode);
@@ -245,6 +316,9 @@ export class NodeHTTP2Server extends BaseNodeServer {
   /// @port - default 0
   ///    when provided, will attempt to listen on that port.
   async start(port = 0) {
+    if (!this._skipCert) {
+      await BaseNodeServer.installCert("http2-ca.pem");
+    }
     this.processId = await NodeServer.fork();
 
     await this.execute(BaseNodeHTTPServerCode);
@@ -466,6 +540,9 @@ export class NodeHTTPSProxyServer extends BaseHTTPProxy {
   /// @port - default 0
   ///    when provided, will attempt to listen on that port.
   async start(port = 0) {
+    if (!this._skipCert) {
+      await BaseNodeServer.installCert("proxy-ca.pem");
+    }
     this.processId = await NodeServer.fork();
 
     await this.execute(BaseProxyCode);
@@ -641,6 +718,9 @@ export class NodeHTTP2ProxyServer extends BaseHTTPProxy {
   /// @port - default 0
   ///    when provided, will attempt to listen on that port.
   async start(port = 0, auth, maxConcurrentStreams = 100) {
+    if (!this._skipCert) {
+      await BaseNodeServer.installCert("proxy-ca.pem");
+    }
     this.processId = await NodeServer.fork();
 
     await this.execute(BaseProxyCode);
@@ -705,6 +785,9 @@ export class NodeWebSocketServer extends BaseNodeServer {
   /// @port - default 0
   ///    when provided, will attempt to listen on that port.
   async start(port = 0) {
+    if (!this._skipCert) {
+      await BaseNodeServer.installCert("http2-ca.pem");
+    }
     this.processId = await NodeServer.fork();
 
     await this.execute(BaseNodeHTTPServerCode);
@@ -775,6 +858,9 @@ export class NodeWebSocketHttp2Server extends BaseNodeServer {
   /// @port - default 0
   ///    when provided, will attempt to listen on that port.
   async start(port = 0, fallbackToH1 = false) {
+    if (!this._skipCert) {
+      await BaseNodeServer.installCert("http2-ca.pem");
+    }
     this.processId = await NodeServer.fork();
 
     await this.execute(BaseNodeHTTPServerCode);

netwerk/test/unit/test_brotli_http.js

@@ -89,10 +89,6 @@ add_task(
       "network.http.encoding.trustworthy_is_https",
       true
     );
-    let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
-      Ci.nsIX509CertDB
-    );
-    addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
 
     let server = new NodeHTTPSServer();
     await server.start();

netwerk/test/unit/test_bug1984469.js

@@ -62,11 +62,6 @@ class AuthRequestor {
 add_task(async function test_http2_auth_retry_twice() {
   Services.prefs.setIntPref("network.auth.subresource-http-auth-allow", 2);
 
-  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
-    Ci.nsIX509CertDB
-  );
-  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
-
   let server = new NodeHTTP2Server();
   await server.start();
   registerCleanupFunction(async () => {

netwerk/test/unit/test_cert_verification_failure.js

@@ -15,13 +15,6 @@ const {
 /* import-globals-from head_cookies.js */
 /* import-globals-from head_channels.js */
 
-// We don't normally allow localhost channels to be proxied, but this
-// is easier than updating all the certs and/or domains.
-Services.prefs.setBoolPref("network.proxy.allow_hijacking_localhost", true);
-registerCleanupFunction(() => {
-  Services.prefs.clearUserPref("network.proxy.allow_hijacking_localhost");
-});
-
 function makeChan(uri) {
   let chan = NetUtil.newChannel({
     uri,
@@ -31,13 +24,18 @@ function makeChan(uri) {
   return chan;
 }
 
+add_task(async function setup() {
+  Services.prefs.setBoolPref("network.dns.native-is-localhost", true);
+});
+
 async function test_cert_failure(server_or_proxy, server_cert) {
   let server = new server_or_proxy();
+  server._skipCert = true;
   await server.start();
   registerCleanupFunction(async () => {
     await server.stop();
   });
-  let chan = makeChan(`https://localhost:${server.port()}/test`);
+  let chan = makeChan(`https://alt1.example.com:${server.port()}/test`);
   let req = await new Promise(resolve => {
     chan.asyncOpen(new ChannelListener(resolve, null, CL_EXPECT_FAILURE));
   });
@@ -61,6 +59,7 @@ add_task(async function test_http2() {
 
 add_task(async function test_https_proxy() {
   let proxy = new NodeHTTPSProxyServer();
+  proxy._skipCert = true;
   await proxy.start();
   registerCleanupFunction(() => {
     proxy.stop();
@@ -70,6 +69,7 @@ add_task(async function test_https_proxy() {
 
 add_task(async function test_http2_proxy() {
   let proxy = new NodeHTTP2ProxyServer();
+  proxy._skipCert = true;
   await proxy.start();
   registerCleanupFunction(() => {
     proxy.stop();

netwerk/test/unit/test_servers.js

@@ -105,11 +105,6 @@ add_task(async function test_http() {
 });
 
 add_task(async function test_https() {
-  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
-    Ci.nsIX509CertDB
-  );
-  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
-
   let server = new NodeHTTPSServer();
   await server.start();
   registerCleanupFunction(async () => {
@@ -134,11 +129,6 @@ add_task(async function test_https() {
 });
 
 add_task(async function test_http2() {
-  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
-    Ci.nsIX509CertDB
-  );
-  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
-
   let server = new NodeHTTP2Server();
   await server.start();
   registerCleanupFunction(async () => {
@@ -163,11 +153,6 @@ add_task(async function test_http2() {
 });
 
 add_task(async function test_http1_proxy() {
-  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
-    Ci.nsIX509CertDB
-  );
-  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
-
   let proxy = new NodeHTTPProxyServer();
   await proxy.start();
   registerCleanupFunction(async () => {
@@ -208,12 +193,6 @@ add_task(async function test_http1_proxy() {
 });
 
 add_task(async function test_https_proxy() {
-  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
-    Ci.nsIX509CertDB
-  );
-  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
-  addCertFromFile(certdb, "proxy-ca.pem", "CTu,u,u");
-
   let proxy = new NodeHTTPSProxyServer();
   await proxy.start();
   registerCleanupFunction(async () => {
@@ -249,12 +228,6 @@ add_task(async function test_https_proxy() {
 });
 
 add_task(async function test_http2_proxy() {
-  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
-    Ci.nsIX509CertDB
-  );
-  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
-  addCertFromFile(certdb, "proxy-ca.pem", "CTu,u,u");
-
   let proxy = new NodeHTTP2ProxyServer();
   await proxy.start();
   registerCleanupFunction(async () => {
@@ -289,11 +262,6 @@ add_task(async function test_http2_proxy() {
 });
 
 add_task(async function test_proxy_with_redirects() {
-  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
-    Ci.nsIX509CertDB
-  );
-  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
-
   let proxies = [
     NodeHTTPProxyServer,
     NodeHTTPSProxyServer,

netwerk/test/unit/test_websocket_fails.js

@@ -46,6 +46,7 @@ registerCleanupFunction(() => {
 async function test_tls_fail_on_direct_ws_server_handshake() {
   // no cert and no proxy
   let wss = new NodeWebSocketServer();
+  wss._skipCert = true;
   await wss.start();
   registerCleanupFunction(async () => {
     await wss.stop();
@@ -72,9 +73,8 @@ async function test_tls_fail_on_direct_ws_server_handshake() {
 // TLS handshake to proxy fails
 async function test_tls_fail_on_proxy_handshake() {
   // we have ws cert, but no proxy cert
-  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");
-
   let proxy = new NodeHTTPSProxyServer();
+  proxy._skipCert = true;
   await proxy.start();
 
   let wss = new NodeWebSocketServer();