Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Rotate WebRTC Direct certificates #2997

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat: Rotate WebRTC Direct certificates #2997

wants to merge 4 commits into from

Conversation

Aryakoste
Copy link

Title

Rotating web RTC certificate when expiring

Description

Fixes #2989

Notes & open questions

I know this PR is not be perfect. Please provide me suggestions or changes that needed to be done.

Change checklist

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation if necessary (this includes comments as well)
  • I have added tests that prove my fix is effective or that my feature works

@Aryakoste Aryakoste requested a review from a team as a code owner February 23, 2025 18:56
achingbrain
achingbrain requested changes Mar 5, 2025
View reviewed changes
Copy link
Member

@achingbrain achingbrain left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for opening this, comments inline.

packages/transport-webrtc/src/private-to-public/listener.ts
@@ -154,20 +164,19 @@ export class WebRTCDirectListener extends TypedEventEmitter<ListenerEvents> impl
server: Promise.resolve()
.then(async (): Promise<StunServer> => {
// ensure we have a certificate
if (this.certificate == null) {
if (this.certificate == null || this.isCertificateExpiring()) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check will only run when the node is started.

If the certificate expires while the node is running it will continue using it and connections will start to fail.

Instead a timeout should be set that fires a short(ish) time before the certificate expiry that creates a new certificate, restarts the server with the new cert and emits the "listening" event.

packages/transport-webrtc/src/index.ts Outdated
@@ -280,6 +280,7 @@ export interface TransportCertificate {
* The hash of the certificate
*/
certhash: string
notAfter: string
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would be better as a number so we don't have to convert the string back to a date in order to see if the cert is about to expire, instead it can just be compared to Date.now() - threshold .

packages/transport-webrtc/src/private-to-public/listener.ts Outdated
const expiryDate = new Date(this.certificate.notAfter)
const now = new Date()
const timeToExpiry = expiryDate.getTime() - now.getTime()
const threshold = 30 * 24 * 60 * 60 * 1000
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

threshold should be configurable.

packages/transport-webrtc/test/certificate.spec.ts Outdated
Comment on lines 18 to 25
peerId: { toB58String: () => 'QmPeerId' } as any,
privateKey: {} as any,
logger: {
forComponent: () => ({
trace: () => {},
error: () => {}
})
} as any,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These fields can be filled using actual values, see other tests here for an example.

packages/transport-webrtc/test/certificate.spec.ts Outdated
error: () => {}
})
} as any,
transportManager: {} as any
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use stubInterface<TransportManager>() from sinon-ts here to avoid casting to any.

@Aryakoste
Copy link
Author

Making this changes

achingbrain
achingbrain requested changes Mar 18, 2025
View reviewed changes
packages/transport-webrtc/src/private-to-public/listener.ts
Comment on lines +90 to +91
const now = new Date()
const timeToExpiry = expiryDate - now.getTime()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to allocate a new Date object:

Suggested change
const now = new Date()
const timeToExpiry = expiryDate - now.getTime()
const timeToExpiry = expiryDate - Date.now()

packages/transport-webrtc/src/private-to-public/listener.ts
const expiryDate = this.certificate.notAfter
const now = new Date()
const timeToExpiry = expiryDate - now.getTime()
const threshold = this.init.certificateExpiryThreshold ?? 7 * 86400000
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

7 * 86400000

Please make this value a constant at the top of the file.

packages/transport-webrtc/src/private-to-public/listener.ts
const timeToExpiry = expiryDate.getTime() - now.getTime()
const timeoutDuration = timeToExpiry - 7 * 86400000

setTimeout(async () => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If node.stop() is called, this timeout will prevent the process from stopping until it fires when the certificate expires long into the future.

Instead you should store a ref to the returned value and pass it to clearTimeout when the listener is stopped.

packages/transport-webrtc/src/private-to-public/listener.ts
Comment on lines +194 to +195
const now = new Date()
const timeToExpiry = expiryDate.getTime() - now.getTime()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to allocate a new Date object:

Suggested change
const now = new Date()
const timeToExpiry = expiryDate.getTime() - now.getTime()
const timeToExpiry = expiryDate.getTime() - Date.now()

packages/transport-webrtc/src/private-to-public/listener.ts
const expiryDate = new Date(this.certificate.notAfter)
const now = new Date()
const timeToExpiry = expiryDate.getTime() - now.getTime()
const timeoutDuration = timeToExpiry - 7 * 86400000
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should use the configurable threshold.

7 * 86400000

Please make/reuse this default value as a constant at the top of the file.

packages/transport-webrtc/test/certificate.spec.ts
Comment on lines +55 to +93
it('should re-emit listening event when a new certificate is generated', async () => {
const emitSpy = sinon.spy(listener as any, 'safeDispatchEvent')
const generateCertificateSpy = sinon.spy(generateTransportCertificate)

await (listener as any).startUDPMuxServer('127.0.0.1', 0)

expect(generateCertificateSpy.called).to.be.true
expect(emitSpy.calledWith('listening')).to.be.true
})

it('should generate a new certificate before expiry with default threshold', async () => {
init.certificateExpiryThreshold = undefined
listener = new WebRTCDirectListener(components, init)
;(listener as any).certificate = {
notAfter: new Date(Date.now() + 5 * 86400000).getTime()
}

const isCertificateExpiringSpy = sinon.spy(listener as any, 'isCertificateExpiring')
const generateCertificateSpy = sinon.spy(listener as any, 'createAndSetCertificate')

await (listener as any).startUDPMuxServer('127.0.0.1', 0)

expect(isCertificateExpiringSpy.returned(true)).to.be.true
expect(generateCertificateSpy.called).to.be.true
})

it('should generate a new certificate before expiry with custom threshold', async () => {
(listener as any).certificate = {
notAfter: new Date(Date.now() + 4 * 86400000).getTime()
}

const isCertificateExpiringSpy = sinon.spy(listener as any, 'isCertificateExpiring')
const generateCertificateSpy = sinon.spy(listener as any, 'createAndSetCertificate')

await (listener as any).startUDPMuxServer('127.0.0.1', 0)

expect(isCertificateExpiringSpy.returned(true)).to.be.true
expect(generateCertificateSpy.called).to.be.true
})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For these tests please do not depend on internal state (e.g. private fields and methods), it makes the tests fragile and which then makes them hard to maintain.

Instead, make the WebRTCDirectListener.certificate field public, configure short timeouts for certificate expiry/renewal thresholds (e.g. under 100ms), use delay and assert on the certificate status after time has passed.

packages/transport-webrtc/src/index.ts
@@ -283,6 +283,7 @@ export interface TransportCertificate {
* The hash of the certificate
*/
certhash: string
notAfter: number
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a jsdoc comment explaining what this field is for.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@achingbrain achingbrain achingbrain requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Rotate WebRTC Direct certificates
2 participants
@Aryakoste @achingbrain