add support for BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER (#921)

- Enabling the new environment variable will load and active the legacy openssl provider - Removes `use_legacy_openssl` buildpack.yml setting in favour of the environment variable
cloudfoundry · Feb 15, 2024 · 4ef12fd · 4ef12fd
1 parent 47bdd36
commit 4ef12fd
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 65 deletions.
diff --git a/fixtures/source_apps/simple_legacy_openssl/README.md b/fixtures/source_apps/simple_legacy_openssl/README.md
@@ -1,4 +1,7 @@
-This app was generated with the .NET Core CLI v6:
-```
-dotnet new mvc -o source_6.0
-```
+This app is used to test the functionality to load the legacy openssl provider
+when using cflinuxfs4
+
+The app is tested with the addition of the `BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER` environment
+variable set to `true`
+
+See ssl-related integration test in `src/dotnetcore/integration/default_test.go`
diff --git a/fixtures/source_apps/simple_legacy_openssl/buildpack.yml b/fixtures/source_apps/simple_legacy_openssl/buildpack.yml
diff --git a/src/dotnetcore/integration/default_test.go b/src/dotnetcore/integration/default_test.go
@@ -213,11 +213,12 @@ func testDefault(t *testing.T, context spec.G, it spec.S) {
 			})
 		})
 
-		context("with use_legacy_openssl specified in buildpack.yml", func() {
+		context("with BP_USE_LEGACY_OPENSSL set to `true`", func() {
 			it.Before(func() {
 				// this feature is not available on cflinuxfs3, because the stack already supports the legacy ssl provider
 				SkipOnCflinuxfs3(t)
 				app = cutlass.New(filepath.Join(settings.FixturesPath, "source_apps", "simple_legacy_openssl"))
+				app.SetEnv("BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER", "true")
 			})
 
 			it("activates openssl legacy provider and builds/runs successfully", func() {

diff --git a/src/dotnetcore/supply/supply.go b/src/dotnetcore/supply/supply.go
@@ -401,18 +401,26 @@ func (s *Supplier) InstallDotnetSdk() error {
 	return s.installRuntimeIfNeeded()
 }
 
+// Users can load the legacy SSL provider via:
+// - the BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER=true environment variable
+// - provide an openssl.cnf file in the application directory
 func (s *Supplier) LoadLegacySSLProvider() error {
-	loadLegacySSLProvider, err := s.parseBuildpackYamlOpenssl()
-	if err != nil {
-		return err
+	var loadLegacySSLProvider bool
+	var err error
+
+	if legacySSLEnvVar, ok := os.LookupEnv("BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER"); ok {
+		loadLegacySSLProvider, err = strconv.ParseBool(legacySSLEnvVar)
+		if err != nil {
+			return err
+		}
 	}
 
 	if loadLegacySSLProvider {
 		if os.Getenv("CF_STACK") == "cflinuxfs3" {
 			s.Log.Warning("Legacy SSL support requested, this feature is not available on cflinuxfs3")
 			return nil
 		}
-		// If a user sets the buidpack.yml to include legacy provider AND
+		// If a user requests the legacy provider AND
 		// includes their own openssl.cnf, just use the provided openssl.cnf
 		opensslCnfFile := filepath.Join(s.Stager.BuildDir(), "openssl.cnf")
 		exists, err := libbuildpack.FileExists(opensslCnfFile)
@@ -527,7 +535,6 @@ type buildpackYaml struct {
 	DotnetCore struct {
 		Version string `yaml:"sdk"`
 	} `yaml:"dotnet-core"`
-	UseLegacyOpenssl bool `yaml:"use_legacy_openssl"`
 }
 
 func (s *Supplier) parseBuildpackYamlVersion() (string, error) {
@@ -538,14 +545,6 @@ func (s *Supplier) parseBuildpackYamlVersion() (string, error) {
 	return content.DotnetCore.Version, nil
 }
 
-func (s *Supplier) parseBuildpackYamlOpenssl() (bool, error) {
-	content, err := s.parseBuildpackYamlFile()
-	if err != nil {
-		return false, err
-	}
-	return content.UseLegacyOpenssl, nil
-}
-
 func (s *Supplier) parseBuildpackYamlFile() (buildpackYaml, error) {
 	obj := buildpackYaml{}
 	if found, err := libbuildpack.FileExists(filepath.Join(s.Stager.BuildDir(), "buildpack.yml")); err != nil || !found {

diff --git a/src/dotnetcore/supply/supply_test.go b/src/dotnetcore/supply/supply_test.go
@@ -217,89 +217,63 @@ var _ = Describe("Supply", func() {
 	})
 
 	Describe("LoadLegacySSLProvider", func() {
-		Context("with buildpack.yml", func() {
-			Context("contains use_legacy_openssl: true", func() {
+		Context("BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER is set", func() {
+			Context("set to true", func() {
 				BeforeEach(func() {
-					Expect(os.WriteFile(filepath.Join(buildDir, "buildpack.yml"), []byte("dotnet-core:\n  sdk: 6.7.8\nuse_legacy_openssl: true\n"), 0644)).To(Succeed())
+					Expect(os.Setenv("BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER", "true")).To(Succeed())
 				})
 				AfterEach(func() {
-					Expect(os.Remove(filepath.Join(buildDir, "buildpack.yml"))).To(Succeed())
+					Expect(os.Unsetenv("BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER")).To(Succeed())
 				})
 				It("Loads legacy SSL provider", func() {
 					Expect(supplier.LoadLegacySSLProvider()).To(Succeed())
 					Expect(filepath.Join(buildDir, "openssl.cnf")).To(BeARegularFile())
 					Expect(buffer.String()).To(ContainSubstring("Loading legacy SSL provider"))
 				})
 			})
-			Context("contains use_legacy_openssl: false", func() {
-				BeforeEach(func() {
-					Expect(os.WriteFile(filepath.Join(buildDir, "buildpack.yml"), []byte("dotnet-core:\n  sdk: 6.7.8\nuse_legacy_openssl: false\n"), 0644)).To(Succeed())
-				})
-				AfterEach(func() {
-					Expect(os.Remove(filepath.Join(buildDir, "buildpack.yml"))).To(Succeed())
-				})
-				It("does not load legacy SSL provider", func() {
-					Expect(supplier.LoadLegacySSLProvider()).To(Succeed())
-					Expect(filepath.Join(buildDir, "openssl.cnf")).NotTo(BeARegularFile())
-				})
-			})
 
-			Context("does not contain use_legacy_openssl at all", func() {
+			Context("set to false", func() {
 				BeforeEach(func() {
-					Expect(os.WriteFile(filepath.Join(buildDir, "buildpack.yml"), []byte("dotnet-core:\n  sdk: 6.7.8\n"), 0644)).To(Succeed())
+					Expect(os.Setenv("BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER", "false")).To(Succeed())
 				})
 				AfterEach(func() {
-					Expect(os.Remove(filepath.Join(buildDir, "buildpack.yml"))).To(Succeed())
+					Expect(os.Unsetenv("BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER")).To(Succeed())
 				})
 				It("does not load legacy SSL provider", func() {
 					Expect(supplier.LoadLegacySSLProvider()).To(Succeed())
 					Expect(filepath.Join(buildDir, "openssl.cnf")).NotTo(BeARegularFile())
+					Expect(buffer.String()).NotTo(ContainSubstring("Loading legacy SSL provider"))
 				})
 			})
 
-			Context("openssl.cnf file already exists in app", func() {
+			Context("both environment variable and openssl.cnf are present", func() {
 				BeforeEach(func() {
-					Expect(os.WriteFile(filepath.Join(buildDir, "buildpack.yml"), []byte("dotnet-core:\n  sdk: 6.7.8\nuse_legacy_openssl: true\n"), 0644)).To(Succeed())
-					Expect(os.WriteFile(filepath.Join(buildDir, "openssl.cnf"), []byte("some-data"), 0644)).To(Succeed())
+					Expect(os.Setenv("BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER", "true")).To(Succeed())
+					Expect(os.WriteFile(filepath.Join(buildDir, "openssl.cnf"), []byte(""), 0644)).To(Succeed())
 				})
 				AfterEach(func() {
-					Expect(os.Remove(filepath.Join(buildDir, "buildpack.yml"))).To(Succeed())
+					Expect(os.Unsetenv("BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER")).To(Succeed())
 					Expect(os.Remove(filepath.Join(buildDir, "openssl.cnf"))).To(Succeed())
 				})
-				It("uses the openssl.cnf file that already exists", func() {
+				It("the openssl.cnf file takes precedence", func() {
 					Expect(supplier.LoadLegacySSLProvider()).To(Succeed())
 					Expect(filepath.Join(buildDir, "openssl.cnf")).To(BeARegularFile())
+					Expect(buffer.String()).To(ContainSubstring("Loading legacy SSL provider"))
 					Expect(buffer.String()).To(ContainSubstring("Application already contains openssl.cnf file"))
 				})
 			})
-			Context("on cflinuxfs3", func() {
-				Context("contains use_legacy_openssl: true", func() {
-					BeforeEach(func() {
-						Expect(os.WriteFile(filepath.Join(buildDir, "buildpack.yml"), []byte("dotnet-core:\n  sdk: 6.7.8\nuse_legacy_openssl: true\n"), 0644)).To(Succeed())
-						Expect(os.Setenv("CF_STACK", "cflinuxfs3")).To(Succeed())
-					})
-					AfterEach(func() {
-						Expect(os.Remove(filepath.Join(buildDir, "buildpack.yml"))).To(Succeed())
-						Expect(os.Unsetenv("CF_STACK")).To(Succeed())
-					})
-					It("doesn not load legacy SSL provider", func() {
-						Expect(supplier.LoadLegacySSLProvider()).To(Succeed())
-						Expect(buffer.String()).To(ContainSubstring("Legacy SSL support requested, this feature is not available on cflinuxfs3"))
-					})
-				})
-			})
 		})
 
 		Context("error cases", func() {
-			Context("cannot parse buildpack.yaml", func() {
+			Context("cannot parse the BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER boolean", func() {
 				BeforeEach(func() {
-					Expect(os.WriteFile(filepath.Join(buildDir, "buildpack.yml"), []byte("bad yaml"), 0644)).To(Succeed())
+					Expect(os.Setenv("BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER", "bad boolean")).To(Succeed())
 				})
 				AfterEach(func() {
-					Expect(os.Remove(filepath.Join(buildDir, "buildpack.yml"))).To(Succeed())
+					Expect(os.Unsetenv("BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER")).To(Succeed())
 				})
 				It("returns an error", func() {
-					Expect(supplier.LoadLegacySSLProvider()).To(MatchError(ContainSubstring("cannot unmarshal")))
+					Expect(supplier.LoadLegacySSLProvider()).To(MatchError(ContainSubstring(`parsing "bad boolean": invalid syntax`)))
 					Expect(filepath.Join(buildDir, "openssl.cnf")).NotTo(BeARegularFile())
 				})
 			})