Add support for TestKit's new SSL tests (#778)

 * Enable feature flags `Feature:API:SSLConfig` and `Feature:API:SSLSchemes`
 * Map TestKit's ssl config options to driver's native options
 * Adjust TestKit image Docker file to copy customCA certificates

Author: robsdedude

.gitignore

@@ -17,4 +17,5 @@ docs/build
 coverage
 .vscode
 *.code-workspace
-/testkit/CAs
+/testkit/CAs
+/testkit/CustomCAs

packages/testkit-backend/src/request-handlers.js

@@ -17,7 +17,7 @@ const SUPPORTED_TLS = (() => {
   return [];
 })();
 
-export function NewDriver (context, data, { writeResponse }) {
+export function NewDriver (context, data, wire) {
   const {
     uri,
     authorizationToken: { data: authToken },
@@ -51,17 +51,39 @@ export function NewDriver (context, data, { writeResponse }) {
     ? address =>
       new Promise((resolve, reject) => {
         const id = context.addResolverRequest(resolve, reject)
-        writeResponse('ResolverResolutionRequired', { id, address })
+        wire.writeResponse('ResolverResolutionRequired', { id, address })
       })
     : undefined
-  const driver = neo4j.driver(uri, parsedAuthToken, {
+  const config = {
     userAgent,
     resolver,
     useBigInt: true,
     logging: neo4j.logging.console(process.env.LOG_LEVEL)
-  })
+  }
+  if ('encrypted' in data) {
+    config.encrypted = data.encrypted ? 'ENCRYPTION_ON' : 'ENCRYPTION_OFF'
+  }
+  if ('trustedCertificates' in data) {
+    if (data.trustedCertificates === null) {
+      config.trust = 'TRUST_SYSTEM_CA_SIGNED_CERTIFICATES'
+    } else if (data.trustedCertificates.length === 0) {
+      config.trust = 'TRUST_ALL_CERTIFICATES'
+    } else {
+      config.trust = 'TRUST_CUSTOM_CA_SIGNED_CERTIFICATES'
+      config.trustedCertificates = data.trustedCertificates.map(
+        e => '/usr/local/share/custom-ca-certificates/' + e
+      )
+    }
+  }
+  let driver
+  try {
+    driver = neo4j.driver(uri, parsedAuthToken, config)
+  } catch (err) {
+    wire.writeError(err)
+    return
+  }
   const id = context.addDriver(driver)
-  writeResponse('Driver', { id })
+  wire.writeResponse('Driver', { id })
 }
 
 export function DriverClose (context, data, wire) {
@@ -293,6 +315,8 @@ export function GetFeatures (_context, _params, wire) {
       'Feature:Auth:Custom',
       'Feature:Auth:Kerberos',
       'Feature:Auth:Bearer',
+      'Feature:API:SSLConfig',
+      'Feature:API:SSLSchemes',
       'AuthorizationExpiredTreatment',
       'ConfHint:connection.recv_timeout_seconds',
       'Feature:Impersonation',

testkit/CAs/trustedRoot.crt

@@ -9,26 +9,28 @@ RUN apt-get update && \
         curl \
         python3 \
         nodejs \
-        npm \ 
+        npm \
         firefox \
     && rm -rf /var/lib/apt/lists/*
 
 RUN npm install -g npm@7 \
     && /bin/bash -c "hash -d npm"
 
 # Enable tls v1.0
-RUN echo "openssl_conf = openssl_configuration\n"|cat - /etc/ssl/openssl.cnf > /tmp/openssl_conf.cnf \  
-    && mv /tmp/openssl_conf.cnf /etc/ssl/openssl.cnf  
+RUN echo "openssl_conf = openssl_configuration\n"|cat - /etc/ssl/openssl.cnf > /tmp/openssl_conf.cnf \
+    && mv /tmp/openssl_conf.cnf /etc/ssl/openssl.cnf
 RUN echo "[openssl_configuration]\n\
 ssl_conf = ssl_configuration\n\
 [ssl_configuration]\n\
 system_default = tls_system_default\n\
 [tls_system_default]\n\
-CipherString = DEFAULT:@SECLEVEL=1" >> /etc/ssl/openssl.cnf 
+CipherString = DEFAULT:@SECLEVEL=1" >> /etc/ssl/openssl.cnf
 
 # Install our own CAs on the image.
 # Assumes Linux Debian based image.
 COPY CAs/* /usr/local/share/ca-certificates/
+# Store custom CAs somewhere where the backend can find them later.
+COPY CustomCAs/* /usr/local/share/custom-ca-certificates/
 RUN update-ca-certificates
 
 # Creating an user for building the driver and running the tests