[grpc_clients] fix gRPC client on native

Summary: The gRPC client needs a set of root certificates for the TLS handshake. When running the keyserver (both inside a Docker container and not) or simulator, the client is able to locate the root certificates at one of the paths we had enumerated. However, on physical iOS and Android devices, the certificates have to be bundled with the app. The tls-webpki-roots feature adds Mozilla's root certificates to our rustls-based gRPC client, so we don't have to rely on platform certs. Test Plan: This branch contains @kamil's code from D10327. I used that code (and verifyUserLoggedIn on keyserver) to test that the shared gRPC client could talk to staging AND local identity services (https and http) from: - local keyserver (non-Docker) - local keyserver (Docker) - iOS simulator - Android emulator - Physical iPhone - Physical Pixel 3 Reviewers: bartek, kamil, ashoat Reviewed By: bartek Subscribers: tomek, kamil Differential Revision: https://phab.comm.dev/D10343
CommE2E · Dec 15, 2023 · 62bd71e · 62bd71e
1 parent d4f399f
commit 62bd71e
Show file tree

Hide file tree

Showing 6 changed files with 76 additions and 31 deletions.
diff --git a/keyserver/addons/rust-node-addon/Cargo.lock b/keyserver/addons/rust-node-addon/Cargo.lock
diff --git a/native/native_rust_library/Cargo.lock b/native/native_rust_library/Cargo.lock
diff --git a/services/identity/Cargo.lock b/services/identity/Cargo.lock
diff --git a/shared/grpc_clients/Cargo.lock b/shared/grpc_clients/Cargo.lock
diff --git a/shared/grpc_clients/Cargo.toml b/shared/grpc_clients/Cargo.toml
@@ -6,7 +6,7 @@ edition = "2021"
 [dependencies]
 derive_more = "0.99"
 prost = "0.11"
-tonic = { version = "0.9.1", features = ["tls"]}
+tonic = { version = "0.9.1", features = ["tls-webpki-roots"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3.16", features = ["env-filter"] }
 

diff --git a/shared/grpc_clients/src/lib.rs b/shared/grpc_clients/src/lib.rs
@@ -6,43 +6,18 @@ pub mod tunnelbroker;
 pub use tonic;
 
 use error::Error;
-use std::path::Path;
 use std::time::Duration;
-use tonic::transport::{Certificate, Channel, ClientTlsConfig};
+use tonic::transport::Channel;
 use tracing::info;
 
-const CERT_PATHS: &[&str] = &[
-  // MacOS and newer Ubuntu
-  "/etc/ssl/cert.pem",
-  // Common CA cert paths
-  "/etc/ssl/certs/ca-bundle.crt",
-  "/etc/ssl/certs/ca-certificates.crt",
-];
 const CONNECT_TIMEOUT_DURATION: Duration = Duration::from_secs(5);
 
-pub(crate) fn get_ca_cert_contents() -> Option<String> {
-  CERT_PATHS
-    .iter()
-    .map(Path::new)
-    .filter(|p| p.exists())
-    .filter_map(|f| std::fs::read_to_string(f).ok())
-    .next()
-}
 pub(crate) async fn get_grpc_service_channel(
   url: &str,
 ) -> Result<Channel, Error> {
-  let ca_cert = crate::get_ca_cert_contents().expect("Unable to get CA bundle");
-
   info!("Connecting to gRPC service at {}", url);
-  let mut channel = Channel::from_shared(url.to_string())?
+  let channel = Channel::from_shared(url.to_string())?
     .connect_timeout(CONNECT_TIMEOUT_DURATION);
 
-  // tls_config will fail if the underlying URI is only http://
-  if url.starts_with("https:") {
-    channel = channel.tls_config(
-      ClientTlsConfig::new().ca_certificate(Certificate::from_pem(&ca_cert)),
-    )?
-  }
-
   Ok(channel.connect().await?)
 }