From 1039f1d10e7cf33e5359478989e2ac5abf69c14b Mon Sep 17 00:00:00 2001 From: Anna Henningsen Date: Thu, 26 Sep 2024 11:51:05 +0200 Subject: [PATCH] feat(devtools-proxy-support): support Node.js `allowPartialTrustChain` flag COMPASS-8253 (#476) This should allow getting back to faster startup times in mongosh. --- package-lock.json | 75 ++++++++++--------- packages/devtools-connect/package.json | 4 +- packages/devtools-connect/src/connect.spec.ts | 20 +++-- packages/devtools-connect/src/connect.ts | 2 +- packages/devtools-proxy-support/package.json | 2 +- .../devtools-proxy-support/src/agent.spec.ts | 65 ++++++++++++++-- packages/devtools-proxy-support/src/agent.ts | 11 ++- .../devtools-proxy-support/src/system-ca.ts | 35 +++++++-- .../test/fixtures/partial-trust-chain/ca.pem | 22 ++++++ .../fixtures/partial-trust-chain/cert.pem | 43 +++++++++++ .../test/fixtures/partial-trust-chain/key.pem | 27 +++++++ packages/mongodb-runner/package.json | 2 +- 12 files changed, 248 insertions(+), 60 deletions(-) create mode 100644 packages/devtools-proxy-support/test/fixtures/partial-trust-chain/ca.pem create mode 100644 packages/devtools-proxy-support/test/fixtures/partial-trust-chain/cert.pem create mode 100644 packages/devtools-proxy-support/test/fixtures/partial-trust-chain/key.pem diff --git a/package-lock.json b/package-lock.json index bd80fdf..7fc1753 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -17605,10 +17605,11 @@ } }, "node_modules/macos-export-certificate-and-key": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/macos-export-certificate-and-key/-/macos-export-certificate-and-key-1.1.1.tgz", - "integrity": "sha512-J2g0dJRLG3DghmdCkbJnif/zPmSylj6ql//xBYff5allzNlHPnWxRoyho9XznBYLbPJw4jZlKjMO69jtV8VC7Q==", + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/macos-export-certificate-and-key/-/macos-export-certificate-and-key-1.2.2.tgz", + "integrity": "sha512-+LwU/wG3wawI3yZ/CMf9C6jSSugJ823EuNJeV8J+FTbmYDJ8G3sF9Fha/0BLEbRZU28+oVvBD3a4mYxLQzDvLA==", "hasInstallScript": true, + "license": "Apache-2.0", "optional": true, "os": [ "darwin" @@ -17622,6 +17623,7 @@ "version": "4.3.0", "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-4.3.0.tgz", "integrity": "sha512-73sE9+3UaLYYFmDsFZnqCInzPyh3MqIwZO9cw58yIqAZhONrrabrYyYe3TuIqtIiOuTXVhsGau8hcrhhwSsDIQ==", + "license": "MIT", "optional": true }, "node_modules/magic-string": { @@ -18561,9 +18563,10 @@ } }, "node_modules/mongodb": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-6.8.0.tgz", - "integrity": "sha512-HGQ9NWDle5WvwMnrvUxsFYPd3JEbqD3RgABHBQRuoCEND0qzhsd0iH5ypHsf1eJ+sXmvmyKpP+FLOKY8Il7jMw==", + "version": "6.9.0", + "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-6.9.0.tgz", + "integrity": "sha512-UMopBVx1LmEUbW/QE0Hw18u583PEDVQmUmVzzBRH0o/xtE9DBRA5ZYLOjpLIa03i8FXjzvQECJcqoMvCXftTUA==", + "license": "Apache-2.0", "dependencies": { "@mongodb-js/saslprep": "^1.1.5", "bson": "^6.7.0", 
@@ -23510,12 +23513,13 @@ "integrity": "sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw==" }, "node_modules/system-ca": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/system-ca/-/system-ca-2.0.0.tgz", - "integrity": "sha512-eEWsCZHEyXdRPPMO680gLUhb9x8RK7YlXvv+I0zCvmGg9zf9OCchJxDf5NHqGPwAzLDEFpLXL5qv9KEU62N4Nw==", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/system-ca/-/system-ca-2.0.1.tgz", + "integrity": "sha512-9ZDV9yl8ph6Op67wDGPr4LykX86usE9x3le+XZSHfVMiiVJ5IRgmCWjLgxyz35ju9H3GDIJJZm4ogAeIfN5cQQ==", + "license": "Apache-2.0", "optionalDependencies": { - "macos-export-certificate-and-key": "^1.1.1", - "win-export-certificate-and-key": "^2.0.0" + "macos-export-certificate-and-key": "^1.2.0", + "win-export-certificate-and-key": "^2.1.0" } }, "node_modules/tabbable": { @@ -24867,10 +24871,11 @@ "license": "MIT" }, "node_modules/win-export-certificate-and-key": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/win-export-certificate-and-key/-/win-export-certificate-and-key-2.0.0.tgz", - "integrity": "sha512-bJBsQxyN+Chp4AqXIGSc2FkyTIQcv4npVIr74JvOE0dFjYkudAbulKz+ylia8dsNHwBA1nSxif0Xl8LrcRl9mg==", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/win-export-certificate-and-key/-/win-export-certificate-and-key-2.1.0.tgz", + "integrity": "sha512-WeMLa/2uNZcS/HWGKU2G1Gzeh3vHpV/UFvwLhJLKxPHYFAbubxxVcJbqmPXaqySWK1Ymymh16zKK5WYIJ3zgzA==", "hasInstallScript": true, + "license": "Apache-2.0", "optional": true, "os": [ "win32" @@ -25378,7 +25383,7 @@ "eslint-plugin-promise": "^6.1.1", "gen-esm-wrapper": "^1.1.0", "mocha": "^8.4.0", - "mongodb": "^6.8.0", + "mongodb": "^6.9.0", "mongodb-log-writer": "^1.4.2", "nyc": "^15.1.0", "os-dns-native": "^1.2.0", @@ -25396,7 +25401,7 @@ }, "peerDependencies": { "@mongodb-js/oidc-plugin": "^1.1.0", - "mongodb": "^6.8.0", + "mongodb": "^6.9.0", "mongodb-log-writer": "^1.4.2" } }, 
@@ -26088,7 +26093,7 @@ "pac-proxy-agent": "^7.0.2", "socks-proxy-agent": "^8.0.4", "ssh2": "^1.15.0", - "system-ca": "^2.0.0" + "system-ca": "^2.0.1" }, "devDependencies": { "@mongodb-js/eslint-config-devtools": "0.9.10", @@ -26535,7 +26540,7 @@ "@mongodb-js/mongodb-downloader": "^0.3.6", "@mongodb-js/saslprep": "^1.1.9", "debug": "^4.3.4", - "mongodb": "^6.8.0", + "mongodb": "^6.9.0", "mongodb-connection-string-url": "^3.0.0", "yargs": "^17.7.2" }, @@ -32177,7 +32182,7 @@ "kerberos": "^2.1.0", "lodash.merge": "^4.6.2", "mocha": "^8.4.0", - "mongodb": "^6.8.0", + "mongodb": "^6.9.0", "mongodb-client-encryption": "^6.1.0", "mongodb-connection-string-url": "^3.0.0", "mongodb-log-writer": "^1.4.2", @@ -32667,7 +32672,7 @@ "sinon": "^9.2.3", "socks-proxy-agent": "^8.0.4", "ssh2": "^1.15.0", - "system-ca": "^2.0.0", + "system-ca": "^2.0.1", "typescript": "^5.0.4", "xvfb-maybe": "^0.2.1" }, @@ -42561,9 +42566,9 @@ } }, "macos-export-certificate-and-key": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/macos-export-certificate-and-key/-/macos-export-certificate-and-key-1.1.1.tgz", - "integrity": "sha512-J2g0dJRLG3DghmdCkbJnif/zPmSylj6ql//xBYff5allzNlHPnWxRoyho9XznBYLbPJw4jZlKjMO69jtV8VC7Q==", + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/macos-export-certificate-and-key/-/macos-export-certificate-and-key-1.2.2.tgz", + "integrity": "sha512-+LwU/wG3wawI3yZ/CMf9C6jSSugJ823EuNJeV8J+FTbmYDJ8G3sF9Fha/0BLEbRZU28+oVvBD3a4mYxLQzDvLA==", "optional": true, "requires": { "bindings": "^1.5.0", 
@@ -43280,9 +43285,9 @@ "dev": true }, "mongodb": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-6.8.0.tgz", - "integrity": "sha512-HGQ9NWDle5WvwMnrvUxsFYPd3JEbqD3RgABHBQRuoCEND0qzhsd0iH5ypHsf1eJ+sXmvmyKpP+FLOKY8Il7jMw==", + "version": "6.9.0", + "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-6.9.0.tgz", + "integrity": "sha512-UMopBVx1LmEUbW/QE0Hw18u583PEDVQmUmVzzBRH0o/xtE9DBRA5ZYLOjpLIa03i8FXjzvQECJcqoMvCXftTUA==", "requires": { "@mongodb-js/saslprep": "^1.1.5", "bson": "^6.7.0", @@ -43489,7 +43494,7 @@ "eslint": "^7.25.0", "gen-esm-wrapper": "^1.1.0", "mocha": "^8.4.0", - "mongodb": "^6.8.0", + "mongodb": "^6.9.0", "mongodb-connection-string-url": "^3.0.0", "nyc": "^15.1.0", "prettier": "2.3.2", @@ -47217,12 +47222,12 @@ "integrity": "sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw==" }, "system-ca": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/system-ca/-/system-ca-2.0.0.tgz", - "integrity": "sha512-eEWsCZHEyXdRPPMO680gLUhb9x8RK7YlXvv+I0zCvmGg9zf9OCchJxDf5NHqGPwAzLDEFpLXL5qv9KEU62N4Nw==", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/system-ca/-/system-ca-2.0.1.tgz", + "integrity": "sha512-9ZDV9yl8ph6Op67wDGPr4LykX86usE9x3le+XZSHfVMiiVJ5IRgmCWjLgxyz35ju9H3GDIJJZm4ogAeIfN5cQQ==", "requires": { - "macos-export-certificate-and-key": "^1.1.1", - "win-export-certificate-and-key": "^2.0.0" + "macos-export-certificate-and-key": "^1.2.0", + "win-export-certificate-and-key": "^2.1.0" } }, "tabbable": { 
@@ -48231,9 +48236,9 @@ "integrity": "sha512-CC1bOL87PIWSBhDcTrdeLo6eGT7mCFtrg0uIJtqJUFyK+eJnzl8A1niH56uu7KMa5XFrtiV+AQuHO3n7DsHnLQ==" }, "win-export-certificate-and-key": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/win-export-certificate-and-key/-/win-export-certificate-and-key-2.0.0.tgz", - "integrity": "sha512-bJBsQxyN+Chp4AqXIGSc2FkyTIQcv4npVIr74JvOE0dFjYkudAbulKz+ylia8dsNHwBA1nSxif0Xl8LrcRl9mg==", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/win-export-certificate-and-key/-/win-export-certificate-and-key-2.1.0.tgz", + "integrity": "sha512-WeMLa/2uNZcS/HWGKU2G1Gzeh3vHpV/UFvwLhJLKxPHYFAbubxxVcJbqmPXaqySWK1Ymymh16zKK5WYIJ3zgzA==", "optional": true, "requires": { "bindings": "^1.5.0", diff --git a/packages/devtools-connect/package.json b/packages/devtools-connect/package.json index a9c1793..53f4ea3 100644 --- a/packages/devtools-connect/package.json +++ b/packages/devtools-connect/package.json @@ -55,7 +55,7 @@ }, "peerDependencies": { "@mongodb-js/oidc-plugin": "^1.1.0", - "mongodb": "^6.8.0", + "mongodb": "^6.9.0", "mongodb-log-writer": "^1.4.2" }, "devDependencies": { @@ -75,7 +75,7 @@ "eslint-plugin-promise": "^6.1.1", "gen-esm-wrapper": "^1.1.0", "mocha": "^8.4.0", - "mongodb": "^6.8.0", + "mongodb": "^6.9.0", "mongodb-log-writer": "^1.4.2", "nyc": "^15.1.0", "os-dns-native": "^1.2.0", diff --git a/packages/devtools-connect/src/connect.spec.ts b/packages/devtools-connect/src/connect.spec.ts index a705203..8e3c88f 100644 --- a/packages/devtools-connect/src/connect.spec.ts +++ b/packages/devtools-connect/src/connect.spec.ts @@ -51,7 +51,7 @@ describe('devtools connect', function () { expect(mClientType.getCalls()[0].args[0]).to.equal(uri); expect( Object.keys(mClientType.getCalls()[0].args[1]).sort() - ).to.deep.equal(['ca', 'lookup']); + ).to.deep.equal(['allowPartialTrustChain', 'ca', 'lookup']); expect(mClient.connect.getCalls()).to.have.lengthOf(1); expect(result.client).to.equal(mClient); }); 
@@ -73,7 +73,12 @@ describe('devtools connect', function () { expect(mClientType.getCalls()[0].args[0]).to.equal(uri); expect( Object.keys(mClientType.getCalls()[0].args[1]).sort() - ).to.deep.equal(['autoEncryption', 'ca', 'lookup']); + ).to.deep.equal([ + 'allowPartialTrustChain', + 'autoEncryption', + 'ca', + 'lookup', + ]); expect(mClientType.getCalls()[0].args[1].autoEncryption).to.deep.equal( opts.autoEncryption ); @@ -114,7 +119,7 @@ describe('devtools connect', function () { expect(calls[0].args[0]).to.equal(uri); expect( Object.keys(mClientType.getCalls()[0].args[1]).sort() - ).to.deep.equal(['ca', 'lookup']); + ).to.deep.equal(['allowPartialTrustChain', 'ca', 'lookup']); expect(commandSpy).to.have.been.calledOnceWithExactly({ buildInfo: 1 }); expect(result.client).to.equal(mClientSecond); }); @@ -192,7 +197,12 @@ describe('devtools connect', function () { expect(mClientType.getCalls()[0].args[0]).to.equal(uri); expect( Object.keys(mClientType.getCalls()[0].args[1]).sort() - ).to.deep.equal(['autoEncryption', 'ca', 'lookup']); + ).to.deep.equal([ + 'allowPartialTrustChain', + 'autoEncryption', + 'ca', + 'lookup', + ]); expect(mClient.connect.getCalls()).to.have.lengthOf(1); expect(result.client).to.equal(mClient); }); @@ -230,7 +240,7 @@ describe('devtools connect', function () { expect(mClientType.getCalls()[0].args[0]).to.equal(uri); expect( Object.keys(mClientType.getCalls()[0].args[1]).sort() - ).to.deep.equal(['ca', 'lookup']); + ).to.deep.equal(['allowPartialTrustChain', 'ca', 'lookup']); expect(commandSpy).to.have.been.calledOnceWithExactly({ buildInfo: 1 }); expect(result.client).to.equal(mClientSecond); }); diff --git a/packages/devtools-connect/src/connect.ts b/packages/devtools-connect/src/connect.ts index 8fd28bc..de3fb9b 100644 --- a/packages/devtools-connect/src/connect.ts +++ b/packages/devtools-connect/src/connect.ts 
@@ -498,7 +498,7 @@ export async function connectMongoClient( {}, clientOptions, shouldAddOidcCallbacks ? state.oidcPlugin.mongoClientOptions : {}, - { ca } + { ca, allowPartialTrustChain: true } ); // Adopt dns result order changes with Node v18 that affected the VSCode extension VSCODE-458. diff --git a/packages/devtools-proxy-support/package.json b/packages/devtools-proxy-support/package.json index fa02f31..5171678 100644 --- a/packages/devtools-proxy-support/package.json +++ b/packages/devtools-proxy-support/package.json @@ -64,7 +64,7 @@ "https-proxy-agent": "^7.0.5", "socks-proxy-agent": "^8.0.4", "ssh2": "^1.15.0", - "system-ca": "^2.0.0" + "system-ca": "^2.0.1" }, "devDependencies": { "@mongodb-js/eslint-config-devtools": "0.9.10", diff --git a/packages/devtools-proxy-support/src/agent.spec.ts b/packages/devtools-proxy-support/src/agent.spec.ts index 7bbb703..e3255a1 100644 --- a/packages/devtools-proxy-support/src/agent.spec.ts +++ b/packages/devtools-proxy-support/src/agent.spec.ts @@ -7,6 +7,11 @@ import { expect } from 'chai'; import sinon from 'sinon'; import { HTTPServerProxyTestSetup } from '../test/helpers'; import path from 'path'; +import type { Server as TLSServer } from 'tls'; +import { createServer as createTLSServer } from 'tls'; +import { promises as fs } from 'fs'; +import type { AddressInfo } from 'net'; +import { tlsSupportsAllowPartialTrustChainFlag } from './system-ca'; describe('createAgent', function () { let setup: HTTPServerProxyTestSetup; @@ -38,9 +43,11 @@ describe('createAgent', function () { agents = []; setup = new HTTPServerProxyTestSetup(); await setup.listen(); + resetSystemCACache(); }); afterEach(async function () { + resetSystemCACache(); await setup.teardown(); for (const agent of new Set(agents)) { agent.destroy(); 
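Review bot: In the `connectMongoClient` hunk, `{ ca, allowPartialTrustChain: true }` is the last argument of the options merge, so it wins over anything in `clientOptions` and a caller has no way to switch the flag off; the `@@ -128,7 +132,10 @@` hunk in `agent.ts` does the same with `{ ...proxyOptions, ca, allowPartialTrustChain: true }`. On Node.js versions that implement the option, every certificate in the merged `ca` list, including a non-self-signed intermediate from the system store or a user-supplied CA file, then acts as a trust anchor, which is a wider trust decision than chaining to a self-signed root. I would let an explicit caller value take precedence, for example `{ ca, allowPartialTrustChain: clientOptions.allowPartialTrustChain ?? true }` (assuming the option type exposes the field), and state the trust implication in a comment next to it. The merge call itself and the rest of the function are outside the hunk.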
@@ -183,13 +190,6 @@ describe('createAgent', function () { }); context('ca support', function () { - beforeEach(function () { - resetSystemCACache(); - }); - afterEach(function () { - resetSystemCACache(); - }); - it('can connect using CA as part of the agent options (no explicit CA set)', async function () { const res = await get( 'https://example.com/hello', @@ -362,4 +362,55 @@ q/I2+0j6dAkOGcK/68z7qQXByeGri3n28a1Kn6o= } }); }); + + // This mirrors https://github.com/nodejs/node/blob/1b3420274ea8d8cca339a1f10301d2e80f577c4c/test/parallel/test-tls-client-allow-partial-trust-chain.js + context( + 'TLS with partial trust chain in system certificate list', + function () { + const fixtures = path.resolve( + __dirname, + '..', + 'test', + 'fixtures', + 'partial-trust-chain' + ); + let server: TLSServer; + + beforeEach(async function () { + server = createTLSServer( + { + ca: await fs.readFile(path.join(fixtures, 'ca.pem')), + key: await fs.readFile(path.join(fixtures, 'key.pem')), + cert: await fs.readFile(path.join(fixtures, 'cert.pem')), + }, + (socket) => socket.end('HTTP/1.0 200 OK\r\n\r\nOK /hello') + ); + server.listen(0); + }); + + afterEach(function () { + server?.close(); + }); + + it('can connect using partial trust chains in the system CA list', async function () { + if ( + process.platform !== 'linux' || + !tlsSupportsAllowPartialTrustChainFlag() + ) + return this.skip(); // only really mock-able on Linux + resetSystemCACache({ + env: { + SSL_CERT_FILE: path.join(fixtures, 'ca.pem'), + SSL_CERT_DIR: '/nonexistent', + }, + }); + + const res = await get( + `https://localhost:${(server.address() as AddressInfo).port}/hello`, + createAgent({}) + ); + expect(res.body).to.equal('OK /hello'); + }); + } + ); }); diff --git a/packages/devtools-proxy-support/src/agent.ts b/packages/devtools-proxy-support/src/agent.ts index d93523a..1f9f826 100644 --- a/packages/devtools-proxy-support/src/agent.ts +++ b/packages/devtools-proxy-support/src/agent.ts 
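Review bot: The new `beforeEach` in the `@@ -362,4 +362,55 @@` hunk calls `server.listen(0)` without waiting for the `listening` event, while the test later reads `server.address()` and casts it to `AddressInfo`; `afterEach` likewise does not wait for `close()`. Waiting makes the port lookup independent of timing, e.g. `await once(server.listen(0), 'listening');` with `once` imported from `events`. The private key under `partial-trust-chain/key.pem` is presumably test-only material, and a short comment saying so next to `fixtures` would keep it from being mistaken for a real credential.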
@@ -49,7 +49,11 @@ class DevtoolsProxyAgent extends ProxyAgent implements AgentWithInitialize { private _reqLock: Promise | undefined; private _reqLockResolve: (() => void) | undefined; - constructor(proxyOptions: DevtoolsProxyOptions, logger: ProxyLogEmitter) { + // allowPartialTrustChain listed here until the Node.js types have it + constructor( + proxyOptions: DevtoolsProxyOptions & { allowPartialTrustChain?: boolean }, + logger: ProxyLogEmitter + ) { // NB: The Node.js HTTP agent implementation overrides request options // with agent options. Ideally, we'd want to merge them, but it seems like // there is little we can do about it at this point. @@ -128,7 +132,10 @@ class DevtoolsProxyAgentWithSystemCA extends AgentBase { this.proxyOptions = proxyOptions; this.agent = (async () => { const { ca } = await systemCA({ ca: proxyOptions.ca }); - return new DevtoolsProxyAgent({ ...proxyOptions, ca }, this.logger); + return new DevtoolsProxyAgent( + { ...proxyOptions, ca, allowPartialTrustChain: true }, + this.logger + ); })(); this.agent.catch(() => { /* handled later */ diff --git a/packages/devtools-proxy-support/src/system-ca.ts b/packages/devtools-proxy-support/src/system-ca.ts index 7883cd0..2800c58 100644 --- a/packages/devtools-proxy-support/src/system-ca.ts +++ b/packages/devtools-proxy-support/src/system-ca.ts @@ -11,7 +11,7 @@ let systemCertsCachePromise: | Promise<{ certs: string[]; asyncFallbackError?: Error }> | undefined; -export function resetSystemCACache(systemCAOpts: SystemCAOptions = {}) { +export function resetSystemCACache(systemCAOpts: SystemCAOptions = {}): void { systemCertsCachePromise = undefined; systemCertsCached(systemCAOpts).catch(() => undefined); } 
@@ -165,6 +165,18 @@ export function sortByExpirationDate(ca: ParsedX509Cert[]) { }); } +const nodeVersion = process.versions.node.slice(1).split('.').map(Number); + +export function tlsSupportsAllowPartialTrustChainFlag(): boolean { + // TODO: Remove this flag and all X.509 parsing here once all our products + // are at least on these Node.js versions + return ( + !!(process as any).__tlsSupportsAllowPartialTrustChainFlag || // for mongosh patch + (nodeVersion[0] >= 22 && nodeVersion[1] >= 9) || // https://github.com/nodejs/node/commit/c2bf0134c + (nodeVersion[0] === 20 && nodeVersion[1] >= 18) + ); // https://github.com/nodejs/node/commit/1b3420274 +} + // Thin wrapper around system-ca, which merges: // - Explicit CA options passed as options // - The Node.js TLS root store @@ -196,10 +208,19 @@ export async function systemCA( const messages: string[] = []; + const _tlsSupportsAllowPartialTrustChainFlag = + tlsSupportsAllowPartialTrustChainFlag(); try { const systemCertsResult = await systemCertsCached(); asyncFallbackError = systemCertsResult.asyncFallbackError; - systemCerts = parseCACerts(systemCertsResult.certs, messages); + if (_tlsSupportsAllowPartialTrustChainFlag) { + systemCerts = systemCertsResult.certs.map((pem) => ({ + pem, + parsed: null, + })); + } else { + systemCerts = parseCACerts(systemCertsResult.certs, messages); + } } catch (err: any) { systemCertsError = err; } @@ -208,16 +229,18 @@ export async function systemCA( !( allowCertificatesWithoutIssuer ?? !!process.env.DEVTOOLS_ALLOW_CERTIFICATES_WITHOUT_ISSUER - ) + ) && + !_tlsSupportsAllowPartialTrustChainFlag ) { systemCerts = removeCertificatesWithoutIssuer(systemCerts, messages); } return { ca: mergeCA( - sortByExpirationDate(systemCerts).map((cert) => { - return cert.pem; - }), + (_tlsSupportsAllowPartialTrustChainFlag + ? systemCerts + : sortByExpirationDate(systemCerts) + ).map(({ pem }) => pem), rootCertificates, existingOptions.ca, await readTLSCAFilePromise 
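Review bot: `tlsSupportsAllowPartialTrustChainFlag()` in the `@@ -165,6 +165,18 @@` hunk parses the wrong string: `process.versions.node` has no leading `v` (that is `process.version`), so `.slice(1)` drops the first digit of the major version and `22.9.0` becomes `[2, 9, 0]`. As written the function can only return true through the `__tlsSupportsAllowPartialTrustChainFlag` override, so the fast path in `systemCA` stays off and the new Linux test in `agent.spec.ts` skips itself on stock Node.js. The 22.x branch also rejects later majors with a low minor (23.0 fails `nodeVersion[1] >= 9`). Suggested lines: `const nodeVersion = process.versions.node.split('.').map(Number);` and `nodeVersion[0] > 22 || (nodeVersion[0] === 22 && nodeVersion[1] >= 9) ||`. The failure direction is safe, since the older issuer filtering still runs, but the startup-time gain named in the commit message does not materialise.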
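Review bot: In the `@@ -196,10 +208,19 @@` hunk the supported-flag branch wraps each system PEM as `{ pem, parsed: null }` and never calls `parseCACerts`, so nothing is appended to `messages` for that list. If `parseCACerts` also drops entries that fail to parse (its body is outside the hunk), a single malformed certificate in the OS store would now reach the TLS layer unfiltered and could make context creation throw. A comment recording that malformed entries are deliberately passed through, or a cheap structural check before the `map`, would make the intent clear. The `@@ -208,16 +229,18 @@` hunk relies on the same `parsed: null` entries when it skips `sortByExpirationDate`.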
diff --git a/packages/devtools-proxy-support/test/fixtures/partial-trust-chain/ca.pem b/packages/devtools-proxy-support/test/fixtures/partial-trust-chain/ca.pem new file mode 100644 index 0000000..c377518 --- /dev/null +++ b/packages/devtools-proxy-support/test/fixtures/partial-trust-chain/ca.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDlDCCAnygAwIBAgIUFH02wcL3Qgben6tfIibXitsApCUwDQYJKoZIhvcNAQEL +BQAwejELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0G +A1UECgwGSm95ZW50MRAwDgYDVQQLDAdOb2RlLmpzMQwwCgYDVQQDDANjYTExIDAe +BgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMCAXDTIyMDkwMzIxNDAzN1oY +DzIyOTYwNjE3MjE0MDM3WjB6MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJ +BgNVBAcMAlNGMQ8wDQYDVQQKDAZKb3llbnQxEDAOBgNVBAsMB05vZGUuanMxDDAK +BgNVBAMMA2NhMzEgMB4GCSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC76GtbMvRM7E1diL6l/Y4qQuDK +ubmGWYOpz7kkUcApfJTa8gIhQvfvNdU/itpLIf1Nhmp9cDRk3BV6gU3P4SetVP+V +x3PSiZ6MJDbQXETn7cLJIewtMexGf8wJldTJ3wcv6/1dZDU3RM3ME7XCgNGBXPOj +c/TOz2StEGf4iwXKE7MHV0D2/hquOwuctqLjV969w8jea6BNqQjcKbq5Y17V4sxH +AO+epbpC88byAaMgmRcqlM660zpKdcsfjQZ/4Vzoce9OOSd/+aHdwLZM3BVL6vAI +09UqkaB+3M4n2pK6dPCQtimbaDyo7QZYgWpmp3/YDN1Hhh6IBoMoQqSu+/DFAgMB +AAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJwGWU3qa5eT +EEP/IXeZUJuZhqND+kBvBPPUYTeCXSbVRI2c6WaU7NZUqYkDz+lVrAMMG+eGPCW1 +8h8DehudZLNDvrz8uEPsYbgvZD+grFRmWh5kUdc2yz6gVVzTTGwy7ARgSoebUqK0 +O4uI8BW/UlF+OpGSpimMBnHqAq13k1Eb9kjckyZw2qIhW02mCsv9PnVQ8waDUq+C +3No8ZoNqgQVVOFSuJz9wxGFPdt0KhizYMh0n+BP7U5srTn0LwWBEXoPsHBWhudTC +NWYtx++OIWK/3QEufal83p2W3ICxAW3yqY7Qy03Z2LW07BDDdAmoFN9NTYuZKGd4 +DQYB7oHNx8E= +-----END CERTIFICATE----- diff --git a/packages/devtools-proxy-support/test/fixtures/partial-trust-chain/cert.pem b/packages/devtools-proxy-support/test/fixtures/partial-trust-chain/cert.pem new file mode 100644 index 0000000..e5cd19d --- /dev/null +++ b/packages/devtools-proxy-support/test/fixtures/partial-trust-chain/cert.pem 
@@ -0,0 +1,43 @@ +-----BEGIN CERTIFICATE----- +MIIDfDCCAmSgAwIBAgIUW3XXftx/tbf6nxQk2kxk+4Fdy94wDQYJKoZIhvcNAQEL +BQAwejELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0G +A1UECgwGSm95ZW50MRAwDgYDVQQLDAdOb2RlLmpzMQwwCgYDVQQDDANjYTMxIDAe +BgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMCAXDTIyMDkwMzIxNDAzN1oY +DzIyOTYwNjE3MjE0MDM3WjB0MQswCQYDVQQGEwJIVTERMA8GA1UEBwwIQnVkYXBl +c3QxETAPBgNVBAoMCFRyZXNvcml0MRYwFAYDVQQDDA3DgWTDoW0gTGlwcGFpMScw +JQYJKoZIhvcNAQkBFhhhZGFtLmxpcHBhaUB0cmVzb3JpdC5jb20wggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDL+3lXygi/1QUopZMz1aW6eMvhbCWfm8/F +a8rkI6Rc+7LNEWdG37c2V/kgh+xRjFKuwRfh0BWX4xDo77asV2ejTaz6yI5DrSJO +paQdcKxgH9xqFsG96U+ODoqykXYSfO9E5qweFDZVPlUky18Ofv1k+dxQBSDAKJe3 +e9MSt3jgQ0vD3ZQIl9A2TOfRVJIbYcm0EQthQxpZSMA15W5FTdjMc4wB3i5tanH6 +NdKYV5L0cWGiLXAXkRYGmj/iQMSHipSazEHJAmmixuBa1HLGdwaUFziQ6syI0I2x +bBqJkyj2OhiNWTFcGWHoQP1DePDfqcF5MIfDej7mRwnaL3qD27cFAgMBAAEwDQYJ +KoZIhvcNAQELBQADggEBAFhJ0t5egdr3Z2zWuYmM+YQzOeLaGtfTQST7H5W64Ckx +OHwkYH1LjO5pGs+HGvbaA0DIocCB6fliWaf+kxUo7t+wyHr1Dnr5Po3ZvpHe6AU5 +i/J9bmFUk1oE28Ijgk8ktL77Lj8baihcaq1ca0o03zM16MEaA7eiT95ds2QDXgPL +8hdCsOHiEOllspcYRl3uh1WQQjzLOZmCi4dZI+nuTQ2rviD0T5KYZYJY4nzTssEK +yzfYeUUwUu14J1wYGTgTxKXAWjN0IkxFNq1hX6rC/2U819sVEYF8uWUp9dWJ1slT +z09yT9qZWiF5tebRaRNL1al/IjWkmN39W9DGEFMX2Vk= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDlDCCAnygAwIBAgIUFH02wcL3Qgben6tfIibXitsApCUwDQYJKoZIhvcNAQEL +BQAwejELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0G +A1UECgwGSm95ZW50MRAwDgYDVQQLDAdOb2RlLmpzMQwwCgYDVQQDDANjYTExIDAe +BgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMCAXDTIyMDkwMzIxNDAzN1oY +DzIyOTYwNjE3MjE0MDM3WjB6MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJ +BgNVBAcMAlNGMQ8wDQYDVQQKDAZKb3llbnQxEDAOBgNVBAsMB05vZGUuanMxDDAK +BgNVBAMMA2NhMzEgMB4GCSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC76GtbMvRM7E1diL6l/Y4qQuDK +ubmGWYOpz7kkUcApfJTa8gIhQvfvNdU/itpLIf1Nhmp9cDRk3BV6gU3P4SetVP+V +x3PSiZ6MJDbQXETn7cLJIewtMexGf8wJldTJ3wcv6/1dZDU3RM3ME7XCgNGBXPOj 
+c/TOz2StEGf4iwXKE7MHV0D2/hquOwuctqLjV969w8jea6BNqQjcKbq5Y17V4sxH +AO+epbpC88byAaMgmRcqlM660zpKdcsfjQZ/4Vzoce9OOSd/+aHdwLZM3BVL6vAI +09UqkaB+3M4n2pK6dPCQtimbaDyo7QZYgWpmp3/YDN1Hhh6IBoMoQqSu+/DFAgMB +AAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJwGWU3qa5eT +EEP/IXeZUJuZhqND+kBvBPPUYTeCXSbVRI2c6WaU7NZUqYkDz+lVrAMMG+eGPCW1 +8h8DehudZLNDvrz8uEPsYbgvZD+grFRmWh5kUdc2yz6gVVzTTGwy7ARgSoebUqK0 +O4uI8BW/UlF+OpGSpimMBnHqAq13k1Eb9kjckyZw2qIhW02mCsv9PnVQ8waDUq+C +3No8ZoNqgQVVOFSuJz9wxGFPdt0KhizYMh0n+BP7U5srTn0LwWBEXoPsHBWhudTC +NWYtx++OIWK/3QEufal83p2W3ICxAW3yqY7Qy03Z2LW07BDDdAmoFN9NTYuZKGd4 +DQYB7oHNx8E= +-----END CERTIFICATE----- diff --git a/packages/devtools-proxy-support/test/fixtures/partial-trust-chain/key.pem b/packages/devtools-proxy-support/test/fixtures/partial-trust-chain/key.pem new file mode 100644 index 0000000..af88bb8 --- /dev/null +++ b/packages/devtools-proxy-support/test/fixtures/partial-trust-chain/key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAy/t5V8oIv9UFKKWTM9WlunjL4Wwln5vPxWvK5COkXPuyzRFn +Rt+3Nlf5IIfsUYxSrsEX4dAVl+MQ6O+2rFdno02s+siOQ60iTqWkHXCsYB/cahbB +velPjg6KspF2EnzvROasHhQ2VT5VJMtfDn79ZPncUAUgwCiXt3vTErd44ENLw92U +CJfQNkzn0VSSG2HJtBELYUMaWUjANeVuRU3YzHOMAd4ubWpx+jXSmFeS9HFhoi1w +F5EWBpo/4kDEh4qUmsxByQJposbgWtRyxncGlBc4kOrMiNCNsWwaiZMo9joYjVkx +XBlh6ED9Q3jw36nBeTCHw3o+5kcJ2i96g9u3BQIDAQABAoIBAAT2Ftt1xIS176wv +ascl+SPx8DOJZ9jb90+78XFfFI5WaODn/XUR1+jwdtS9uZe6LACoHaaWYxAQq8ae +nfjPH2wvZXesDRnESkNTcAxvQyILZFcIOqod1JuF6wWw2AhXFZK9cY5Bu5iTLYr5 +j1RQ7mTYVu1zUnqaAiaqUlXwNHZv4XXyuBgsRpaughcMrO85NKveMeqwU9jnEQTa +5i3m0E4qQohA8oSz22f0fXUMFrhSvNCR1e4g3ps+79ArYYPsMnVLgf4CiQIPDv2E +8jOOZ7p1V6A+rn3nn9P7lnkUi3r81Al3dJJmlXCKEKsCC9NMl2sf/ZWfn9ZWMHbo +jLmKwDkCgYEA7alWbTQLiPoKDdXUDOvjI0EmhUY1TAIeUbjplehBTgDsUugMpHvW +jZGkoNrt4dZhjhgTt6wXGCpWQNGGFKrF4/SXYAgXctxmr+4Pw2tcKLA3jf4jlcQ1 +dgDNKQ2jbZ8nqkZPrnmbAJcus1phzcNwmoVJsAa+KAuYJoUwljHcT68CgYEA27ja +Vjmq/djVMmJ8WOAiezwsFYrLOwgAsAbLLVqkHhIaOQSz3TEdq+gaHy8xMn8nF2zE +MyAvrOX5oMZW1823x9uIMDR3fPFoDP/j4v03P2XKIc55Cv1wvIfr9Y1wcdwAR11I +I9TRRswsHMUAMqIZPNcWlpg+lbx8VIp5VGfsfYsCgYB+luAuMraiM2z/iZH1f//w +W1eFTaw93DMCHJhu/NMsFVnLn0Z8pmnV5mnmNDbZQDOeWDzIbKWwfXyL8g6VG5Fk +pneq8yRqTfN0aj2DPcBM++/bdi7GK0i+nhapc1ZFoayjCeiPar6hReXeKppF24Az +DiP92tmWwvY8Ll1+4vgSiQKBgQCfYnRfX+29vnDI39A72DqrEncYGVpbM+7rwcHY +4It0lMUY32Rp65sOfIuWW3FgpAQDZg7c11g+H4T5L2cHnF7YR1N/RE/4/lTwOR9i +JTTSdFAwPcpoQnhpCmAL+9G5hlFdczlFZLd6l9jX9b+y+ws7qvrjuwSLMfMukFR6 ++ff/CQKBgQCiFqg+k0zGqhpfVOHxWaLgLZPlENUabpc54Ff6wdxrvY6d0F7F1/sy +T6PlSLvvq1VpEJJXTlEv8jc64OVsNps7jkYkgR9xG47Njytj2RVQtlZNSs+kEVmt +XfzU4J43WrX517ymzar520WksPrx4eYQO1TZICVywsAgs4vJ2ZqXVA== +-----END RSA PRIVATE KEY----- diff --git a/packages/mongodb-runner/package.json b/packages/mongodb-runner/package.json index 5e25b3f..9a239d4 100644 --- a/packages/mongodb-runner/package.json +++ b/packages/mongodb-runner/package.json 
@@ -52,7 +52,7 @@ "dependencies": { "@mongodb-js/mongodb-downloader": "^0.3.6", "debug": "^4.3.4", - "mongodb": "^6.8.0", + "mongodb": "^6.9.0", "@mongodb-js/saslprep": "^1.1.9", "mongodb-connection-string-url": "^3.0.0", "yargs": "^17.7.2"