enable SSL (#19)

.circleci/config.yml

@@ -11,6 +11,7 @@ jobs:
     working_directory: ~/repo
     environment:
       LEIN_ROOT: "true"
+      GRAALVM_HOME: /home/circleci/graalvm-ce-19.2.0-dev
     steps:
       - checkout
       - run:
@@ -29,6 +30,18 @@ jobs:
             wget -nc https://download.clojure.org/install/linux-install-1.10.1.447.sh
             chmod +x linux-install-1.10.1.447.sh
             sudo ./linux-install-1.10.1.447.sh
+      - run:
+          name: Download GraalVM
+          command: |
+            cd ~
+            if ! [ -d graalvm-ce-19.2.0-dev ]; then
+              curl -O -sL https://github.com/oracle/graal/releases/download/vm-19.2.0-dev-b01/graalvm-ce-linux-amd64-19.2.0-dev-b01.tar.gz
+              tar xzf graalvm-ce-linux-amd64-19.2.0-dev-b01.tar.gz
+            fi
+      - run:
+          name: Install GraalVM SSL libs
+          command: |
+            .circleci/script/graalvm_ssl
       - run:
           name: Run JVM tests
           command: |
@@ -83,6 +96,10 @@ jobs:
               curl -O -sL https://github.com/oracle/graal/releases/download/vm-19.2.0-dev-b01/graalvm-ce-linux-amd64-19.2.0-dev-b01.tar.gz
               tar xzf graalvm-ce-linux-amd64-19.2.0-dev-b01.tar.gz
             fi
+      - run:
+          name: Install GraalVM SSL libs
+          command: |
+            .circleci/script/graalvm_ssl
       - run:
           name: Build binary
           command: |
@@ -133,7 +150,6 @@ jobs:
           name: Install Leiningen
           command: |
             .circleci/script/install-leiningen
-
       - run:
           name: Download GraalVM
           command: |
@@ -143,6 +159,10 @@ jobs:
               curl -O -sL https://github.com/oracle/graal/releases/download/vm-19.2.0-dev-b01/graalvm-ce-darwin-amd64-19.2.0-dev-b01.tar.gz
               tar xzf graalvm-ce-darwin-amd64-19.2.0-dev-b01.tar.gz
             fi
+      - run:
+          name: Install GraalVM SSL libs
+          command: |
+            .circleci/script/graalvm_ssl
       - run:
           name: Build binary
           command: |

.circleci/script/graalvm_ssl

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+mkdir -p ~/.babashka/lib/security
+
+echo "GRAAL: $GRAALVM_HOME"
+# Mac:
+cp $GRAALVM_HOME/jre/lib/libsunec.dylib ~/.babashka/lib || true
+# Linux:
+cp $GRAALVM_HOME/jre/lib/amd64/libsunec.so ~/.babashka/lib || true
+
+cp $GRAALVM_HOME/jre/lib/security/cacerts ~/.babashka/lib/security

README.md

@@ -183,6 +183,42 @@ Fetching url: https://www.clojure.org
 Writing file: /tmp/clojure.org.html
 ```
 
+## Enabling SSL
+
+This is a bit tricky, but you only have to do it once. Binaries compiled with
+GraalVM need a runtime dependency called `libsunec.so`. Because I don't know if
+I'm allowed to ship this library with babashka, I have chosen to let the user
+take care of these and put them in a known location. This also allows you to
+include a different `cacerts`.
+
+To enable SSL, create a `~/.babashka/lib` directory and copy the`libsunec.so`
+(Linux) or `libsunec.dylib` (Mac) to it. This library comes with GraalVM and is
+located in `<JAVA_HOME>/jre/lib/<platform>` inside the distribution. Also create a and
+`~/.babashka/lib/security` directory and copy `cacerts` to it which comes
+bundled with GraalVM and is located in
+`<JAVA_HOME>/jre/lib/security`.
+
+As a shell script:
+
+``` shellsession
+mkdir -p ~/.babashka/lib/security
+
+# Linux:
+cp $GRAALVM_HOME/jre/lib/amd64/libsunec.so ~/.babashka/lib
+
+# Mac:
+cp $GRAALVM_HOME/jre/lib/libsunec.dylib ~/.babashka/lib
+
+cp $GRAALVM_HOME/jre/lib/security/cacerts ~/.babashka/lib/security
+```
+
+You can download a distribution of GraalVM for your platform on
+[Github](https://github.com/oracle/graal/releases).
+
+More information about GraalVM and SSL can be found
+[here](https://blog.taylorwood.io/2018/10/04/graalvm-https.html) and
+[here](https://quarkus.io/guides/native-and-ssl-guide).
+
 ## Test
 
 Test on the JVM:

script/compile

@@ -30,6 +30,9 @@ $GRAALVM_HOME/bin/native-image \
   --initialize-at-run-time=java.lang.Math\$RandomNumberGeneratorHolder \
   --initialize-at-build-time \
   -H:Log=registerResource: \
+  -H:EnableURLProtocols=http,https \
+  --enable-all-security-services \
+  -H:+JNI \
   --verbose \
   --no-fallback \
   --no-server \

src/babashka/main.clj

@@ -128,6 +128,14 @@
   [& args]
   #_(binding [*out* *err*]
       (prn ">> args" args))
+  (let [home (System/getProperty "user.home")
+        bb-lib-dir (io/file home ".babashka" "lib")
+        lib-path (System/getProperty "java.library.path")
+        ca-certs-dir (io/file bb-lib-dir "security")
+        ca-certs (.getPath (io/file ca-certs-dir "cacerts"))]
+    (System/setProperty "java.library.path" (str (.getPath  bb-lib-dir) ":" lib-path))
+    (System/setProperty "javax.net.ssl.trustStore" ca-certs)
+    (System/setProperty "javax.net.ssl.trustAnchors" ca-certs))
   (let [t0 (System/currentTimeMillis)
         {:keys [:version :raw-in :raw-out :println?
                 :help? :file :command-line-args

test/babashka/main_test.clj

@@ -83,9 +83,8 @@
   (is (thrown-with-msg? Exception #"expression"
                         (bb nil))))
 
-#_(deftest raw-in-test
+(deftest ssl-test
-  (is (= "[1 2 3\n4 5 6 [\"1 2 3\" \"4 5 6\"]]"
+  (is (re-find #"doctype html" (bb nil "(slurp \"https://www.google.com\")"))))
-         (bb "1 2 3\n4 5 6" "-i" "(format \"[%s %s]\" bb/*in* *in*)'"))))
 
 (deftest stream-test
   (is (= "2\n3\n4\n" (test-utils/bb "1 2 3" "--stream" "(inc *in*)")))