enable SSL (#19)

2019-08-17 17:38:24 +02:00 · 2019-08-17 17:38:24 +02:00 · ce35326ab4
commit ce35326ab4
parent fc9c4c384f
6 changed files with 83 additions and 4 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -11,6 +11,7 @@ jobs:
    working_directory: ~/repo
    environment:
      LEIN_ROOT: "true"
+      GRAALVM_HOME: /home/circleci/graalvm-ce-19.2.0-dev
    steps:
      - checkout
      - run:
@ -29,6 +30,18 @@ jobs:
            wget -nc https://download.clojure.org/install/linux-install-1.10.1.447.sh
            chmod +x linux-install-1.10.1.447.sh
            sudo ./linux-install-1.10.1.447.sh
+      - run:
+          name: Download GraalVM
+          command: |
+            cd ~
+            if ! [ -d graalvm-ce-19.2.0-dev ]; then
+              curl -O -sL https://github.com/oracle/graal/releases/download/vm-19.2.0-dev-b01/graalvm-ce-linux-amd64-19.2.0-dev-b01.tar.gz
+              tar xzf graalvm-ce-linux-amd64-19.2.0-dev-b01.tar.gz
+            fi
+      - run:
+          name: Install GraalVM SSL libs
+          command: |
+            .circleci/script/graalvm_ssl
      - run:
          name: Run JVM tests
          command: |
@ -83,6 +96,10 @@ jobs:
              curl -O -sL https://github.com/oracle/graal/releases/download/vm-19.2.0-dev-b01/graalvm-ce-linux-amd64-19.2.0-dev-b01.tar.gz
              tar xzf graalvm-ce-linux-amd64-19.2.0-dev-b01.tar.gz
            fi
+      - run:
+          name: Install GraalVM SSL libs
+          command: |
+            .circleci/script/graalvm_ssl
      - run:
          name: Build binary
          command: |
@ -133,7 +150,6 @@ jobs:
          name: Install Leiningen
          command: |
            .circleci/script/install-leiningen
-
      - run:
          name: Download GraalVM
          command: |
@ -143,6 +159,10 @@ jobs:
              curl -O -sL https://github.com/oracle/graal/releases/download/vm-19.2.0-dev-b01/graalvm-ce-darwin-amd64-19.2.0-dev-b01.tar.gz
              tar xzf graalvm-ce-darwin-amd64-19.2.0-dev-b01.tar.gz
            fi
+      - run:
+          name: Install GraalVM SSL libs
+          command: |
+            .circleci/script/graalvm_ssl
      - run:
          name: Build binary
          command: |
--- a/.circleci/script/graalvm_ssl
+++ b/.circleci/script/graalvm_ssl
@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+mkdir -p ~/.babashka/lib/security
+
+echo "GRAAL: $GRAALVM_HOME"
+# Mac:
+cp $GRAALVM_HOME/jre/lib/libsunec.dylib ~/.babashka/lib || true
+# Linux:
+cp $GRAALVM_HOME/jre/lib/amd64/libsunec.so ~/.babashka/lib || true
+
+cp $GRAALVM_HOME/jre/lib/security/cacerts ~/.babashka/lib/security
--- a/README.md
+++ b/README.md
@ -183,6 +183,42 @@ Fetching url: https://www.clojure.org
 Writing file: /tmp/clojure.org.html
 ```

+## Enabling SSL
+
+This is a bit tricky, but you only have to do it once. Binaries compiled with
+GraalVM need a runtime dependency called `libsunec.so`. Because I don't know if
+I'm allowed to ship this library with babashka, I have chosen to let the user
+take care of these and put them in a known location. This also allows you to
+include a different `cacerts`.
+
+To enable SSL, create a `~/.babashka/lib` directory and copy the`libsunec.so`
+(Linux) or `libsunec.dylib` (Mac) to it. This library comes with GraalVM and is
+located in `<JAVA_HOME>/jre/lib/<platform>` inside the distribution. Also create a and
+`~/.babashka/lib/security` directory and copy `cacerts` to it which comes
+bundled with GraalVM and is located in
+`<JAVA_HOME>/jre/lib/security`.
+
+As a shell script:
+
+``` shellsession
+mkdir -p ~/.babashka/lib/security
+
+# Linux:
+cp $GRAALVM_HOME/jre/lib/amd64/libsunec.so ~/.babashka/lib
+
+# Mac:
+cp $GRAALVM_HOME/jre/lib/libsunec.dylib ~/.babashka/lib
+
+cp $GRAALVM_HOME/jre/lib/security/cacerts ~/.babashka/lib/security
+```
+
+You can download a distribution of GraalVM for your platform on
+[Github](https://github.com/oracle/graal/releases).
+
+More information about GraalVM and SSL can be found
+[here](https://blog.taylorwood.io/2018/10/04/graalvm-https.html) and
+[here](https://quarkus.io/guides/native-and-ssl-guide).
+
 ## Test

 Test on the JVM:
--- a/script/compile
+++ b/script/compile
@ -30,6 +30,9 @@ $GRAALVM_HOME/bin/native-image \
  --initialize-at-run-time=java.lang.Math\$RandomNumberGeneratorHolder \
  --initialize-at-build-time \
  -H:Log=registerResource: \
+  -H:EnableURLProtocols=http,https \
+  --enable-all-security-services \
+  -H:+JNI \
  --verbose \
  --no-fallback \
  --no-server \
--- a/src/babashka/main.clj
+++ b/src/babashka/main.clj
@ -128,6 +128,14 @@
  [& args]
  #_(binding [*out* *err*]
      (prn ">> args" args))
+  (let [home (System/getProperty "user.home")
+        bb-lib-dir (io/file home ".babashka" "lib")
+        lib-path (System/getProperty "java.library.path")
+        ca-certs-dir (io/file bb-lib-dir "security")
+        ca-certs (.getPath (io/file ca-certs-dir "cacerts"))]
+    (System/setProperty "java.library.path" (str (.getPath  bb-lib-dir) ":" lib-path))
+    (System/setProperty "javax.net.ssl.trustStore" ca-certs)
+    (System/setProperty "javax.net.ssl.trustAnchors" ca-certs))
  (let [t0 (System/currentTimeMillis)
        {:keys [:version :raw-in :raw-out :println?
                :help? :file :command-line-args
--- a/test/babashka/main_test.clj
+++ b/test/babashka/main_test.clj
@ -83,9 +83,8 @@
  (is (thrown-with-msg? Exception #"expression"
                        (bb nil))))

-#_(deftest raw-in-test
-  (is (= "[1 2 3\n4 5 6 [\"1 2 3\" \"4 5 6\"]]"
-         (bb "1 2 3\n4 5 6" "-i" "(format \"[%s %s]\" bb/*in* *in*)'"))))
+(deftest ssl-test
+  (is (re-find #"doctype html" (bb nil "(slurp \"https://www.google.com\")"))))

 (deftest stream-test
  (is (= "2\n3\n4\n" (test-utils/bb "1 2 3" "--stream" "(inc *in*)")))