From ce35326ab40435003e55b0ce2a61fb2adb25c75b Mon Sep 17 00:00:00 2001 From: Michiel Borkent Date: Sat, 17 Aug 2019 17:38:24 +0200 Subject: [PATCH] enable SSL (#19) --- .circleci/config.yml | 22 +++++++++++++++++++++- .circleci/script/graalvm_ssl | 13 +++++++++++++ README.md | 36 ++++++++++++++++++++++++++++++++++++ script/compile | 3 +++ src/babashka/main.clj | 8 ++++++++ test/babashka/main_test.clj | 5 ++--- 6 files changed, 83 insertions(+), 4 deletions(-) create mode 100755 .circleci/script/graalvm_ssl diff --git a/.circleci/config.yml b/.circleci/config.yml index 4d9446f1..6ebc49e1 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -11,6 +11,7 @@ jobs: working_directory: ~/repo environment: LEIN_ROOT: "true" + GRAALVM_HOME: /home/circleci/graalvm-ce-19.2.0-dev steps: - checkout - run: @@ -29,6 +30,18 @@ jobs: wget -nc https://download.clojure.org/install/linux-install-1.10.1.447.sh chmod +x linux-install-1.10.1.447.sh sudo ./linux-install-1.10.1.447.sh + - run: + name: Download GraalVM + command: | + cd ~ + if ! [ -d graalvm-ce-19.2.0-dev ]; then + curl -O -sL https://github.com/oracle/graal/releases/download/vm-19.2.0-dev-b01/graalvm-ce-linux-amd64-19.2.0-dev-b01.tar.gz + tar xzf graalvm-ce-linux-amd64-19.2.0-dev-b01.tar.gz + fi + - run: + name: Install GraalVM SSL libs + command: | + .circleci/script/graalvm_ssl - run: name: Run JVM tests command: | @@ -83,6 +96,10 @@ jobs: curl -O -sL https://github.com/oracle/graal/releases/download/vm-19.2.0-dev-b01/graalvm-ce-linux-amd64-19.2.0-dev-b01.tar.gz tar xzf graalvm-ce-linux-amd64-19.2.0-dev-b01.tar.gz fi + - run: + name: Install GraalVM SSL libs + command: | + .circleci/script/graalvm_ssl - run: name: Build binary command: | @@ -133,7 +150,6 @@ jobs: name: Install Leiningen command: | .circleci/script/install-leiningen - - run: name: Download GraalVM command: | 
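Review bot: The `Download GraalVM` step added to the JVM-test job unpacks the tarball without verifying it, so whatever the release URL serves is extracted and later supplies the `cacerts` and `libsunec` files that the next step installs. Pin the expected digest and check it before `tar`, e.g. `echo "<expected-sha256>  graalvm-ce-linux-amd64-19.2.0-dev-b01.tar.gz" | sha256sum -c -` (`shasum -a 256 -c -` on the macOS executor). Adding `-f` to `curl -O -sL` would also make an HTTP error fail the step instead of saving an error page for `tar` to choke on. The same unverified download is visible as context in the two build jobs further down, so the check belongs there as well.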
@@ -143,6 +159,10 @@ jobs: curl -O -sL https://github.com/oracle/graal/releases/download/vm-19.2.0-dev-b01/graalvm-ce-darwin-amd64-19.2.0-dev-b01.tar.gz tar xzf graalvm-ce-darwin-amd64-19.2.0-dev-b01.tar.gz fi + - run: + name: Install GraalVM SSL libs + command: | + .circleci/script/graalvm_ssl - run: name: Build binary command: | diff --git a/.circleci/script/graalvm_ssl b/.circleci/script/graalvm_ssl new file mode 100755 index 00000000..97a1b841 --- /dev/null +++ b/.circleci/script/graalvm_ssl @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +set -eo pipefail + +mkdir -p ~/.babashka/lib/security + +echo "GRAAL: $GRAALVM_HOME" +# Mac: +cp $GRAALVM_HOME/jre/lib/libsunec.dylib ~/.babashka/lib || true +# Linux: +cp $GRAALVM_HOME/jre/lib/amd64/libsunec.so ~/.babashka/lib || true + +cp $GRAALVM_HOME/jre/lib/security/cacerts ~/.babashka/lib/security diff --git a/README.md b/README.md index decbdafb..bc6d9e0b 100644 --- a/README.md +++ b/README.md 
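Review bot: In the new `.circleci/script/graalvm_ssl`, both `libsunec` copies end in `|| true`, so the step succeeds even when neither library was copied, and the gap only surfaces later as a TLS failure. The paths also expand an unquoted `$GRAALVM_HOME`, and `set -eo pipefail` does not require it to be set, so an empty value silently turns the sources into `/jre/lib/...`. Selecting the library by platform, quoting the variable and adding `-u` lets a real failure stop the job. Whether the macOS job exports `GRAALVM_HOME` is not visible in this diff.

```shell
set -euo pipefail

# … unchanged: mkdir -p, echo "GRAAL: ..." …
case "$(uname -s)" in
  Darwin) cp "$GRAALVM_HOME/jre/lib/libsunec.dylib" ~/.babashka/lib ;;
  Linux)  cp "$GRAALVM_HOME/jre/lib/amd64/libsunec.so" ~/.babashka/lib ;;
  *)      echo "unsupported platform: $(uname -s)" >&2; exit 1 ;;
esac

cp "$GRAALVM_HOME/jre/lib/security/cacerts" ~/.babashka/lib/security
```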
@@ -183,6 +183,42 @@ Fetching url: https://www.clojure.org Writing file: /tmp/clojure.org.html ``` +## Enabling SSL + +This is a bit tricky, but you only have to do it once. Binaries compiled with +GraalVM need a runtime dependency called `libsunec.so`. Because I don't know if +I'm allowed to ship this library with babashka, I have chosen to let the user +take care of these and put them in a known location. This also allows you to +include a different `cacerts`. + +To enable SSL, create a `~/.babashka/lib` directory and copy the`libsunec.so` +(Linux) or `libsunec.dylib` (Mac) to it. This library comes with GraalVM and is +located in `/jre/lib/` inside the distribution. Also create a and +`~/.babashka/lib/security` directory and copy `cacerts` to it which comes +bundled with GraalVM and is located in +`/jre/lib/security`. + +As a shell script: + +``` shellsession +mkdir -p ~/.babashka/lib/security + +# Linux: +cp $GRAALVM_HOME/jre/lib/amd64/libsunec.so ~/.babashka/lib + +# Mac: +cp $GRAALVM_HOME/jre/lib/libsunec.dylib ~/.babashka/lib + +cp $GRAALVM_HOME/jre/lib/security/cacerts ~/.babashka/lib/security +``` + +You can download a distribution of GraalVM for your platform on +[Github](https://github.com/oracle/graal/releases). + +More information about GraalVM and SSL can be found +[here](https://blog.taylorwood.io/2018/10/04/graalvm-https.html) and +[here](https://quarkus.io/guides/native-and-ssl-guide). + ## Test Test on the JVM: diff --git a/script/compile b/script/compile index 2aa18da6..d148e715 100755 --- a/script/compile +++ b/script/compile @@ -30,6 +30,9 @@ $GRAALVM_HOME/bin/native-image \ --initialize-at-run-time=java.lang.Math\$RandomNumberGeneratorHolder \ --initialize-at-build-time \ -H:Log=registerResource: \ + -H:EnableURLProtocols=http,https \ + --enable-all-security-services \ + -H:+JNI \ --verbose \ --no-fallback \ --no-server \ diff --git a/src/babashka/main.clj b/src/babashka/main.clj index 88e7344a..be815fe9 100644 --- a/src/babashka/main.clj 
+++ b/src/babashka/main.clj @@ -128,6 +128,14 @@ [& args] #_(binding [*out* *err*] (prn ">> args" args)) + (let [home (System/getProperty "user.home") + bb-lib-dir (io/file home ".babashka" "lib") + lib-path (System/getProperty "java.library.path") + ca-certs-dir (io/file bb-lib-dir "security") + ca-certs (.getPath (io/file ca-certs-dir "cacerts"))] + (System/setProperty "java.library.path" (str (.getPath bb-lib-dir) ":" lib-path)) + (System/setProperty "javax.net.ssl.trustStore" ca-certs) + (System/setProperty "javax.net.ssl.trustAnchors" ca-certs)) (let [t0 (System/currentTimeMillis) {:keys [:version :raw-in :raw-out :println? :help? :file :command-line-args diff --git a/test/babashka/main_test.clj b/test/babashka/main_test.clj index 095d1072..66c36044 100644 --- a/test/babashka/main_test.clj +++ b/test/babashka/main_test.clj @@ -83,9 +83,8 @@ (is (thrown-with-msg? Exception #"expression" (bb nil)))) -#_(deftest raw-in-test - (is (= "[1 2 3\n4 5 6 [\"1 2 3\" \"4 5 6\"]]" - (bb "1 2 3\n4 5 6" "-i" "(format \"[%s %s]\" bb/*in* *in*)'")))) +(deftest ssl-test + (is (re-find #"doctype html" (bb nil "(slurp \"https://www.google.com\")")))) (deftest stream-test (is (= "2\n3\n4\n" (test-utils/bb "1 2 3" "--stream" "(inc *in*)")))
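Review bot: The new `let` at the top of the entry point sets `javax.net.ssl.trustStore` unconditionally, so it overwrites any value already configured and points at `~/.babashka/lib/security/cacerts` even when that file was never installed. In that case HTTPS calls are likely to fail with an opaque trust-anchor error rather than a clear message. Guard the assignment on the file existing and on the property being unset. It is also worth a comment that the trust store is read from a user-writable directory, so anything able to write there decides which CAs the binary trusts. `javax.net.ssl.trustAnchors` does not look like a property JSSE reads, so please confirm it is needed. The enclosing function starts and ends outside the hunk.

```clojure
(let [home (System/getProperty "user.home")
      ;; … unchanged: bb-lib-dir, lib-path …
      ca-certs (io/file bb-lib-dir "security" "cacerts")]
  ;; … unchanged: java.library.path update …
  ;; Keep a trust store that is already configured, and skip a file that was never installed.
  (when (and (.isFile ca-certs)
             (nil? (System/getProperty "javax.net.ssl.trustStore")))
    (System/setProperty "javax.net.ssl.trustStore" (.getPath ca-certs))
    (System/setProperty "javax.net.ssl.trustAnchors" (.getPath ca-certs))))
```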
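Review bot: `ssl-test` passes only when the machine can reach `https://www.google.com` and already has `~/.babashka/lib/security/cacerts` installed, so on a fresh checkout it fails for reasons unrelated to the code under test. A comment above the test such as `;; requires network access and the files installed by .circleci/script/graalvm_ssl` would make that prerequisite visible. Matching with `#"(?i)doctype html"` would avoid depending on the casing of a third-party page. The hunk also deletes the commented-out `raw-in-test`, which the commit message does not mention.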