From 32df445dc9a132e1cb86d479e848e0172d4dbdf8 Mon Sep 17 00:00:00 2001 From: Serhii Volovyk Date: Fri, 19 Jul 2024 19:40:04 +0300 Subject: [PATCH 1/4] use https only when connecting to GCP --- chain-signatures/node/src/gcp/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chain-signatures/node/src/gcp/mod.rs b/chain-signatures/node/src/gcp/mod.rs index 84a6f984f..1e96826e7 100644 --- a/chain-signatures/node/src/gcp/mod.rs +++ b/chain-signatures/node/src/gcp/mod.rs @@ -345,7 +345,7 @@ impl GcpService { let client = hyper::Client::builder().build( hyper_rustls::HttpsConnectorBuilder::new() .with_native_roots() - .https_or_http() + .https_only() .enable_http1() .enable_http2() .build(), From 6392f41c009959ce1efbcd09a410872e83bdad6d Mon Sep 17 00:00:00 2001 From: Serhii Volovyk Date: Mon, 22 Jul 2024 15:06:12 +0300 Subject: [PATCH 2/4] create http or https client depending on passed parameters --- chain-signatures/node/src/gcp/mod.rs | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/chain-signatures/node/src/gcp/mod.rs b/chain-signatures/node/src/gcp/mod.rs index 1e96826e7..1da7ee146 100644 --- a/chain-signatures/node/src/gcp/mod.rs +++ b/chain-signatures/node/src/gcp/mod.rs 
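Review bot: Combining `.https_only()` with `.with_native_roots()` turns a missing host CA bundle into a runtime connection failure rather than a build-time one, which bites on distroless or scratch-based images; the hunk does not show how the node is packaged, so please confirm the image ships a trust store, or consider `.with_webpki_roots()` (bundled Mozilla roots, if the `webpki-roots` feature of hyper-rustls is enabled) for a deployment-independent default. A one-line comment above the builder would also spare the next reader from discovering the new policy via a connection error, e.g. `// TLS is mandatory here: plain http:// GCP endpoints are rejected by the connector.` The enclosing function in `impl GcpService` starts and ends outside the hunk.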
@@ -342,15 +342,16 @@ impl GcpService { ) -> anyhow::Result { let project_id = storage_options.gcp_project_id.clone(); let secret_manager; - let client = hyper::Client::builder().build( - hyper_rustls::HttpsConnectorBuilder::new() - .with_native_roots() - .https_only() - .enable_http1() - .enable_http2() - .build(), - ); let datastore = if let Some(gcp_datastore_url) = storage_options.gcp_datastore_url.clone() { + // restring client to use https + let client = hyper::Client::builder().build( + hyper_rustls::HttpsConnectorBuilder::new() + .with_native_roots() + .https_only() + .enable_http1() + .enable_http2() + .build(), + ); // Assuming custom GCP URL points to an emulator, so the token does not matter let authenticator = AccessTokenAuthenticator::builder("TOKEN".to_string()) .build() @@ -361,6 +362,14 @@ impl GcpService { datastore.root_url(gcp_datastore_url); datastore } else { + let client = hyper::Client::builder().build( + hyper_rustls::HttpsConnectorBuilder::new() + .with_native_roots() + .https_or_http() + .enable_http1() + .enable_http2() + .build(), + ); let opts = ApplicationDefaultCredentialsFlowOpts::default(); let authenticator = match ApplicationDefaultCredentialsAuthenticator::builder(opts) .await From 9fa32ec4035c44f7cb7abda7d992887cd8eabd45 Mon Sep 17 00:00:00 2001 From: Serhii Volovyk Date: Mon, 22 Jul 2024 15:17:29 +0300 Subject: [PATCH 3/4] ignore RUSTSEC-2024-0357 --- .github/workflows/unit.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml index 4151f4766..7acadc911 100644 --- a/.github/workflows/unit.yml +++ b/.github/workflows/unit.yml 
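Review bot: The second hunk duplicates the seven-line connector builder from the first hunk verbatim, differing only in `.https_or_http()` versus `.https_only()`, so the scheme policy for each branch is now easy to drift apart (and the comment in the first hunk, `// restring client to use https`, has a typo — "restricting"). Factor the builder into one helper that takes the policy as a boolean so the only per-branch decision is whether plain `http://` is tolerated, which also makes the intended asymmetry (emulator may use plaintext, real GCP never) reviewable in one place. The `hyper::Client` type parameters below assume hyper 0.14 as used by `hyper::Client::builder()` in the hunk — adjust if the project pins a different version. The enclosing function starts before the first hunk and ends after the second.
```rust
/// Build a rustls-backed hyper client using the platform trust store.
/// `allow_plain_http` must only be true for a local emulator; real GCP
/// endpoints are always reached over TLS.
fn https_client(
    allow_plain_http: bool,
) -> hyper::Client<hyper_rustls::HttpsConnector<hyper::client::HttpConnector>> {
    let roots = hyper_rustls::HttpsConnectorBuilder::new().with_native_roots();
    let schemes = if allow_plain_http {
        roots.https_or_http()
    } else {
        roots.https_only()
    };
    hyper::Client::builder().build(schemes.enable_http1().enable_http2().build())
}
// … unchanged: emulator branch calls https_client(true), ADC branch calls https_client(false) …
```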
@@ -77,10 +77,10 @@ jobs: - name: Run Audit (FastAuth) working-directory: integration-tests/fastauth run: | - cargo audit --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2023-0052 --ignore RUSTSEC-2022-0093 --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2024-0019 --ignore RUSTSEC-2024-0344 + cargo audit --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2023-0052 --ignore RUSTSEC-2022-0093 --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2024-0019 --ignore RUSTSEC-2024-0344 --ignore RUSTSEC-2024-0357 - name: Run Audit (Chain Signatures) # even if previous audit step fails, run this audit step to ensure all crates are audited if: always() working-directory: integration-tests/chain-signatures run: | - cargo audit --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2023-0052 --ignore RUSTSEC-2022-0093 --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2024-0019 --ignore RUSTSEC-2024-0344 --ignore RUSTSEC-2022-0093 --ignore RUSTSEC-2024-0346 --ignore RUSTSEC-2024-0347 + cargo audit --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2023-0052 --ignore RUSTSEC-2022-0093 --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2024-0019 --ignore RUSTSEC-2024-0344 --ignore RUSTSEC-2022-0093 --ignore RUSTSEC-2024-0346 --ignore RUSTSEC-2024-0347 --ignore RUSTSEC-2024-0357 From 3969f0766ddb640bac8ac4aeb9534382ca199c16 Mon Sep 17 00:00:00 2001 From: Serhii Volovyk Date: Mon, 22 Jul 2024 18:23:19 +0300 Subject: [PATCH 4/4] use https in prod --- chain-signatures/Cargo.lock | 1 + chain-signatures/node/src/gcp/mod.rs | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/chain-signatures/Cargo.lock b/chain-signatures/Cargo.lock index 74c78e429..035997a34 100644 --- a/chain-signatures/Cargo.lock +++ b/chain-signatures/Cargo.lock @@ -1753,6 +1753,7 @@ dependencies = [ "near-sdk", "serde", "serde_json", + "sha3", "subtle", ] diff --git a/chain-signatures/node/src/gcp/mod.rs b/chain-signatures/node/src/gcp/mod.rs index 1da7ee146..19ab55d90 100644 --- a/chain-signatures/node/src/gcp/mod.rs 
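Review bot: The Chain Signatures audit command passes `--ignore RUSTSEC-2022-0093` twice (once in the middle of the list and again right after `RUSTSEC-2024-0344`), which suggests the list is being extended by hand without anyone reading it, and the new `--ignore RUSTSEC-2024-0357` arrives, like the entries before it, with no recorded reason or removal condition, so the suppression will outlive whatever motivated it. Move the ignores out of the shell line into `.cargo/audit.toml` under `[advisories]` with `ignore = [...]`, one advisory per line with a comment naming the affected crate, why it is not reachable here, and the tracking issue, and drop the duplicate while doing so. The commit message should also say which dependency triggers RUSTSEC-2024-0357 and why it cannot be upgraded — that is not inferable from the diff.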
+++ b/chain-signatures/node/src/gcp/mod.rs @@ -343,11 +343,10 @@ impl GcpService { let project_id = storage_options.gcp_project_id.clone(); let secret_manager; let datastore = if let Some(gcp_datastore_url) = storage_options.gcp_datastore_url.clone() { - // restring client to use https let client = hyper::Client::builder().build( hyper_rustls::HttpsConnectorBuilder::new() .with_native_roots() - .https_only() + .https_or_http() .enable_http1() .enable_http2() .build(), @@ -362,10 +361,11 @@ impl GcpService { datastore.root_url(gcp_datastore_url); datastore } else { + // restring client to use https in production let client = hyper::Client::builder().build( hyper_rustls::HttpsConnectorBuilder::new() .with_native_roots() - .https_or_http() + .https_only() .enable_http1() .enable_http2() .build(),
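Review bot: After this change any value in `gcp_datastore_url` is reached with `.https_or_http()`, so if the override is ever set outside a local emulator setup — a stale config, a mistaken environment, or a tampered config source — datastore traffic goes out in plaintext with no TLS verification, and the production branch is protected only by the absence of that option; per the `AccessTokenAuthenticator::builder("TOKEN")` line visible in the context of PATCH 2/4, that branch also skips real authentication. Tie the relaxation to the URL itself rather than to its presence: accept `http://` only for loopback hosts and fall back to `.https_only()` otherwise, or at minimum log a warning when a non-loopback plaintext URL is accepted. The comment in the second hunk, `// restring client to use https in production`, also has a typo; suggest `// Production GCP endpoints: TLS is mandatory, plain http:// is rejected by the connector.` The enclosing function begins before the first hunk and its end lies outside the second.
```rust
let datastore = if let Some(gcp_datastore_url) = storage_options.gcp_datastore_url.clone() {
    // Plain http is tolerated only for a loopback emulator; any other host must use TLS.
    let allow_plain_http = gcp_datastore_url
        .parse::<hyper::Uri>()
        .ok()
        .and_then(|uri| uri.host().map(|h| matches!(h, "localhost" | "127.0.0.1" | "[::1]")))
        .unwrap_or(false);
    let roots = hyper_rustls::HttpsConnectorBuilder::new().with_native_roots();
    let schemes = if allow_plain_http { roots.https_or_http() } else { roots.https_only() };
    let client = hyper::Client::builder().build(schemes.enable_http1().enable_http2().build());
    // … unchanged: placeholder authenticator, datastore construction, root_url …
```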