CDRIVER-4730 TLS Backend Cleanup #1408
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds a --tls build parameter to switch TLS backends. This PR also adds a "str" utility for doing more concise string manipulation in POSIX sh.
This refactors earthly.py for extensibility and to match the parameterization used in Earthfile. Task names now use NBSP for whitespace.
vector-of-bool
requested review from
kevinAlbs,
rcsanchez97 and
kkloberdanz
and removed request for
rcsanchez97
vector-of-bool
requested review from
adriandole
and removed request for
kkloberdanz
kevinAlbs
reviewed
Sep 22, 2023
src/libmongoc/CMakeLists.txt
Outdated
| set(SecureTransport/pkg_config_LIBS -framework Corefoundation -framework Security) | ||
| set(SecureChannel/LINK_LIBRARIES secur32.lib crypt32.lib Bcrypt.lib) | ||
| set(SecureChannel/pkg_config_LIBS ${SecureChannel/LINK_LIBRARIES}) | ||
| set(LibreSSL/LINK_LIBRARIES LibreSSL::TLS LibreSSL::SSL LibreSSL::Crypto) |
There was a problem hiding this comment.
Suggested change
| set(LibreSSL/LINK_LIBRARIES LibreSSL::TLS LibreSSL::SSL LibreSSL::Crypto) | |
| set(LibreSSL/LINK_LIBRARIES LibreSSL::TLS LibreSSL::Crypto) |
I expect linking to LibreSSL's libssl (OpenSSL compat library) is not needed.
Current C driver config includes: set (SSL_LIBRARIES -ltls -lcrypto).
Change was tested with:
./tools/earthly.sh +build --env=alpine3.18 --tls=LibreSSL --sasl=Cyrus
| if(_tls_package) | ||
| # XXX: Some platforms (e.g. Arch) install LibreSSL in a qualified path to not collide | ||
| # with OpenSSL. Adding those as "roots" here will cause FindLibreSSL to search | ||
| # thos directories as well. |
There was a problem hiding this comment.
Suggested change
| # thos directories as well. | |
| # those directories as well. |
CMakeLists.txt
Outdated
| @@ -623,4 +618,4 @@ if (CMAKE_GENERATOR STREQUAL "Ninja Multi-Config" AND PROJECT_IS_TOP_LEVEL) | |||
| set (CMAKE_CROSS_CONFIGS "all") | |||
| endif () | |||
|
|
|||
| feature_summary(WHAT ENABLED_FEATURES DISABLED_FEATURES) | |||
| feature_summary(WHAT ALL) | |||
There was a problem hiding this comment.
Suggested change
| feature_summary(WHAT ALL) | |
| feature_summary(WHAT ENABLED_FEATURES DISABLED_FEATURES) |
Revert?
Testing configuring with:
cmake \
-G "Ninja" \
-DENABLE_SSL=DARWIN \
-S$(pwd) -B$(pwd)/cmake-build
Before these changes shows:
-- The following features have been enabled:
* TLS, for secure network communication (SecureTransport)
* Cryptography, cryptographic primitives (SecureTransport)
* AWS Authentication, authenticate with MongoDB servers using credentials from AWS instance metadata
* SASL Authentication, authenticate with MongoDB servers using SASL: “Simple Authentication and Security Layer” (Cyrus)
-- Configuring done (0.8s)
After these changes:
-- The following features have been enabled:
* TLS, for secure network communication (SecureTransport)
* Cryptography, cryptographic primitives (SecureTransport)
* AWS Authentication, authenticate with MongoDB servers using credentials from AWS instance metadata
* SASL Authentication, authenticate with MongoDB servers using SASL: “Simple Authentication and Security Layer” (Cyrus)
-- The following OPTIONAL packages have been found:
* Python
* Python3
* PkgConfig
* mongocrypt
-- The following REQUIRED packages have been found:
* SASL2 (required version >= 2.0), Cyrus implementation of SASL
Provides libmongoc SASL authentication support
* Threads
* Sphinx
-- The following REQUIRED packages have not been found:
* Utf8Proc
-- Configuring done (0.7s)
The listing of Utf8Proc as "REQUIRED" and "not found" seems unexpected. That may be surfacing a separate issue. Until that is addressed, I suggest excluding from the feature summary.
There was a problem hiding this comment.
I forgot about the misleading Utf8Proc report, which is why I didn't use ALL in the prior PR. I can see the cause and opened a ticket for this one: CDRIVER-4732
kevinAlbs
reviewed
Sep 22, 2023
src/libmongoc/CMakeLists.txt
Outdated
| endif () | ||
| endif () | ||
| # Per-backend link libs/options: | ||
| set(SecureTransport/LINK_OPTIONS "SHELL:-framework CoreFoundation" "SHELL:-framework Security") |
There was a problem hiding this comment.
Remove SHELL:?
On local install (with macOS), this produced a package config file with SHELL: in Libs:
# pkg-config .pc file generated by CMake 3.27.4 for libmongoc-1.11.1. DO NOT EDIT!
prefix=/Users/kevin.albertson/review/mongo-c-driver-1408/.install
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
Name: libmongoc
Description: The MongoDB C Database Driver library
Version: 1.11.1
Requires: libbson-static-1.0
Libs: -L${libdir} -lmongoc-static-1.0 -lresolv -lsasl2 -framework Corefoundation -framework Security -L/opt/homebrew/Cellar/zstd/1.5.5/lib -lzstd -L/Users/kevin.albertson/code/c-bootstrap/install/libmongocrypt-1.8.0-alpha1/lib -lmongocrypt -fsanitize=address,leak SHELL:-framework CoreFoundation SHELL:-framework Security
Cflags: -fPIC -fsanitize=address,leak -DMONGOC_STATIC -DBSON_STATIC -I${prefix}/include/libmongoc-1.0
Attempting to use resulted in an error:
% export PKG_CONFIG_PATH=/Users/kevin.albertson/review/mongo-c-driver-1408/.install/lib/pkgconfig
% /opt/homebrew/opt/llvm/bin/clang -o test.c $(pkg-config --libs --cflags libmongoc-static-1.0)
clang-16: error: no such file or directory: 'SHELL:-framework'
clang-16: error: no such file or directory: 'CoreFoundation'
clang-16: error: no such file or directory: 'SHELL:-framework'
clang-16: error: no such file or directory: 'Security'
I prefer avoiding the "No-break space". I often use the |
Needs CDRIVER-4732 fixed to support `WHAT ALL`
kevinAlbs
approved these changes
Sep 26, 2023
|
|
||
| def task_filter(env: EnvKey, conf: Configuration) -> bool: | ||
| """ | ||
| Control which tasks are actually defined by matching on the |
adriandole
approved these changes
Sep 27, 2023
vector-of-bool
added a commit
to vector-of-bool/mongo-c-driver
that referenced
this pull request
Nov 3, 2023
* Clean up of TLS detection and import * Earthly TLS controls and cleaner build envs Adds a --tls build parameter to switch TLS backends. This PR also adds a "str" utility for doing more concise string manipulation in POSIX sh. * EVG Earthly tasks for more build configurations This refactors earthly.py for extensibility and to match the parameterization used in Earthfile. * Support "auto" in Earthfile * Tweak name spacing * More feature and package summary information * Unused LibreSSL compat
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is a continuation of work from #1405, and addresses the
ENABLE_SSLsetting and related logic.Changed
FindLibreSSL.cmakemodule has been added, and comes from the LibreSSL project itself, plus a few bugfixes. Newer LibreSSL ships CMake config-file packages, so maybe we should rely on those instead? It depends on whether our LibreSSL userbase is all on the newer version (very unlikely, as that's a new feature).tlsbuild option, which controls which packages are installed and sets the appropriate CMake build settings.earthly.pyfile has been expanded to express these additional complexities, since it now needs to exclude tasks on certain platforms that do not (yet) have a LibreSSL.Task Goofiness
I wasn't particularly happy with the way EVG tasks are named, as they're quite hard on the eyes. Evergreen does not allow spaces in task names, forward-slash breaks things, and commas are "not supported", so I broke out the unicode to create new exciting names, such as:
which uses U+00a0 "No-break space" and U+2022 "bullet". I'm not married to this trick, so feel free to veto this aside change.