From dc99104f555189601e84cc761460446b04f30e08 Mon Sep 17 00:00:00 2001 From: Josh Matthews Date: Wed, 5 Apr 2017 16:34:16 -0400 Subject: [PATCH] Add command-line argument to use a custom SSL certificate database. --- components/config/opts.rs | 6 ++++++ components/net/connector.rs | 8 ++------ components/net/resource_thread.rs | 14 ++++++++++++-- tests/unit/net/fetch.rs | 3 ++- tests/unit/net/lib.rs | 4 +++- tests/wpt/harness/wptrunner/browsers/servo.py | 9 ++++++--- .../harness/wptrunner/executors/executorservo.py | 5 +++++ 7 files changed, 36 insertions(+), 13 deletions(-) diff --git a/components/config/opts.rs b/components/config/opts.rs index ca0c24f8d09..e62bade0cdc 100644 --- a/components/config/opts.rs +++ b/components/config/opts.rs @@ -230,6 +230,9 @@ pub struct Opts { /// Print the version and exit. pub is_printing_version: bool, + + /// Path to SSL certificates. + pub certificate_path: Option, } fn print_usage(app: &str, opts: &Options) { @@ -566,6 +569,7 @@ pub fn default_opts() -> Opts { webrender_record: false, precache_shaders: false, signpost: false, + certificate_path: None, } } @@ -615,6 +619,7 @@ pub fn from_cmdline_args(args: &[String]) -> ArgumentParsingResult { "A comma-separated string of debug options. Pass help to show available options.", ""); opts.optflag("h", "help", "Print this message"); opts.optopt("", "resources-path", "Path to find static resources", "/home/servo/resources"); + opts.optopt("", "certificate-path", "Path to find SSL certificates", "/home/servo/resources/certs"); opts.optopt("", "content-process" , "Run as a content process and connect to the given pipe", "servo-ipc-channel.abcdefg"); opts.optmulti("", "pref", @@ -868,6 +873,7 @@ pub fn from_cmdline_args(args: &[String]) -> ArgumentParsingResult { webrender_record: debug_options.webrender_record, precache_shaders: debug_options.precache_shaders, signpost: debug_options.signpost, + certificate_path: opt_match.opt_str("certificate-path"), }; set_defaults(opts); 
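Review bot: The doc comment on the new `certificate_path` field of `Opts` (hunk at -230) and the `--certificate-path` help string in `from_cmdline_args` (hunk at -615) both say only "SSL certificates", which hides that this path is handed to `create_ssl_client` as the CA file later in the patch and so decides which servers the network stack will trust. I would write the field comment as `/// Path to the CA certificate file used to verify TLS servers; when unset, the "certs" file in the resources directory is used.` and the help text as `"Path to the CA certificate file used to verify TLS servers"`. Both enclosing definitions continue outside their hunks.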
diff --git a/components/net/connector.rs b/components/net/connector.rs index 3f0dc0e12a9..f74d0a28f90 100644 --- a/components/net/connector.rs +++ b/components/net/connector.rs @@ -7,16 +7,12 @@ use hyper::net::HttpsConnector; use hyper_openssl::OpensslClient; use openssl::ssl::{SSL_OP_NO_COMPRESSION, SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3}; use openssl::ssl::{SslConnectorBuilder, SslMethod}; -use servo_config::resource_files::resources_dir_path; +use std::path::PathBuf; use std::sync::Arc; pub type Connector = HttpsConnector; -pub fn create_ssl_client(certificate_file: &str) -> OpensslClient { - let ca_file = &resources_dir_path() - .expect("Need certificate file to make network requests") - .join(certificate_file); - +pub fn create_ssl_client(ca_file: &PathBuf) -> OpensslClient { let mut ssl_connector_builder = SslConnectorBuilder::new(SslMethod::tls()).unwrap(); { let context = ssl_connector_builder.builder_mut(); diff --git a/components/net/resource_thread.rs b/components/net/resource_thread.rs index 312b0ea45a6..44671cd8452 100644 --- a/components/net/resource_thread.rs +++ b/components/net/resource_thread.rs @@ -25,6 +25,8 @@ use net_traits::storage_thread::StorageThreadMsg; use profile_traits::time::ProfilerChan; use serde::{Deserialize, Serialize}; use serde_json; +use servo_config::opts; +use servo_config::resource_files::resources_dir_path; use servo_url::ServoUrl; use std::borrow::{Cow, ToOwned}; use std::collections::HashMap; 
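Review bot: `create_ssl_client(ca_file: &PathBuf)` in the connector.rs hunk borrows the owned buffer type where a path slice is enough; `pub fn create_ssl_client(ca_file: &Path) -> OpensslClient` with `use std::path::Path;` accepts every call site in this patch unchanged, because `&PathBuf` derefs to `&Path`. Now that the path can come from the command line rather than only from the bundled resources, the function also deserves a doc comment saying what the argument is, e.g. `/// Builds the TLS client; ca_file is the CA certificate file that servers are verified against.` The rest of the body lies outside the hunk, so how an unreadable or malformed file is reported is not visible here; it is worth checking that the failure message names the offending path.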
@@ -108,13 +110,21 @@ fn create_resource_groups(config_dir: Option<&Path>) auth_cache: RwLock::new(auth_cache), hsts_list: RwLock::new(hsts_list), }; - let ssl_client = create_ssl_client("certs"); + + let ca_file = match opts::get().certificate_path { + Some(ref path) => PathBuf::from(path), + None => resources_dir_path() + .expect("Need certificate file to make network requests") + .join("certs"), + }; + let ssl_client = create_ssl_client(&ca_file); + let resource_group = ResourceGroup { http_state: Arc::new(http_state), ssl_client: ssl_client.clone(), connector: create_http_connector(ssl_client.clone()), }; - let private_ssl_client = create_ssl_client("certs"); + let private_ssl_client = create_ssl_client(&ca_file); let private_resource_group = ResourceGroup { http_state: Arc::new(HttpState::new()), ssl_client: private_ssl_client.clone(), diff --git a/tests/unit/net/fetch.rs b/tests/unit/net/fetch.rs index 73be2a5fbbd..09ddb7ce9bd 100644 --- a/tests/unit/net/fetch.rs +++ b/tests/unit/net/fetch.rs @@ -530,7 +530,8 @@ fn test_fetch_with_hsts() { //takes an address and something that implements hyper::net::Ssl let mut server = Server::https("0.0.0.0:0", ssl).unwrap().handle_threads(handler, 1).unwrap(); - let ssl_client = create_ssl_client("self_signed_certificate_for_testing.crt"); + let ca_file = resources_dir_path().unwrap().join("self_signed_certificate_for_testing.crt"); + let ssl_client = create_ssl_client(&ca_file); let connector = create_http_connector(ssl_client); let context = FetchContext { diff --git a/tests/unit/net/lib.rs b/tests/unit/net/lib.rs index 6326faade4d..021db151fe4 100644 --- a/tests/unit/net/lib.rs +++ b/tests/unit/net/lib.rs @@ -42,6 +42,7 @@ use net::test::HttpState; use net_traits::FetchTaskTarget; use net_traits::request::Request; use net_traits::response::Response; +use servo_config::resource_files::resources_dir_path; use servo_url::ServoUrl; use std::sync::Arc; use std::sync::mpsc::{Sender, channel}; 
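Review bot: In the `Some(ref path)` arm of the new `ca_file` match in `create_resource_groups`, a path taken from `--certificate-path` replaces the bundled `certs` file for both the regular and the private resource group, and nothing records that the default trust anchors were swapped out. Since this changes which servers every connection will accept, a log line at that point would make an overridden trust store visible in diagnostics, for example `Some(ref path) => { warn!("Using custom CA certificate file: {}", path); PathBuf::from(path) }`, assuming the `log` macros are in scope in this file. The `expect` text in the `None` arm also reads oddly after the move: it fires when the resources directory cannot be located, not when the certificate file is missing. The function starts and ends outside the hunk.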
@@ -53,7 +54,8 @@ struct FetchResponseCollector { } fn new_fetch_context(dc: Option>) -> FetchContext { - let ssl_client = create_ssl_client("certs"); + let ca_file = resources_dir_path().unwrap().join("certs"); + let ssl_client = create_ssl_client(&ca_file); let connector = create_http_connector(ssl_client); FetchContext { state: Arc::new(HttpState::new()), diff --git a/tests/wpt/harness/wptrunner/browsers/servo.py b/tests/wpt/harness/wptrunner/browsers/servo.py index 2eeb5aaa158..639099a9dd7 100644 --- a/tests/wpt/harness/wptrunner/browsers/servo.py +++ b/tests/wpt/harness/wptrunner/browsers/servo.py @@ -32,7 +32,8 @@ def browser_kwargs(**kwargs): "debug_info": kwargs["debug_info"], "binary_args": kwargs["binary_args"], "user_stylesheets": kwargs.get("user_stylesheets"), - "render_backend": kwargs.get("servo_backend")} + "render_backend": kwargs.get("servo_backend"), + "ca_certificate_path": kwargs["ssl_env"].ca_cert_path()} def executor_kwargs(test_type, server_config, cache_manager, run_info_data, @@ -65,17 +66,19 @@ def render_arg(render_backend): class ServoBrowser(NullBrowser): def __init__(self, logger, binary, debug_info=None, binary_args=None, - user_stylesheets=None, render_backend="webrender"): + user_stylesheets=None, render_backend="webrender", ca_certificate_path=None): NullBrowser.__init__(self, logger) self.binary = binary self.debug_info = debug_info self.binary_args = binary_args or [] self.user_stylesheets = user_stylesheets or [] self.render_backend = render_backend + self.ca_certificate_path = ca_certificate_path def executor_browser(self): return ExecutorBrowser, {"binary": self.binary, "debug_info": self.debug_info, "binary_args": self.binary_args, "user_stylesheets": self.user_stylesheets, - "render_backend": self.render_backend} + "render_backend": self.render_backend, + "ca_certificate_path": self.ca_certificate_path} 
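Review bot: In `browser_kwargs` (servo.py, hunk at -32) the new entry indexes `kwargs["ssl_env"]` directly while the neighbouring optional entries use `kwargs.get(...)`, so a caller that does not supply `ssl_env` would fail with a KeyError here; whether every caller supplies it is not visible in the hunk. If it can be absent, `ssl_env = kwargs.get("ssl_env")` followed by `"ca_certificate_path": ssl_env.ca_cert_path() if ssl_env else None` keeps the `None` default that `ServoBrowser.__init__` declares in the next hunk. A short comment that this is presumably the CA the browser must trust to reach the harness's HTTPS servers would also help the next reader.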
diff --git a/tests/wpt/harness/wptrunner/executors/executorservo.py b/tests/wpt/harness/wptrunner/executors/executorservo.py index b627223a7df..e4a10f55bfe 100644 --- a/tests/wpt/harness/wptrunner/executors/executorservo.py +++ b/tests/wpt/harness/wptrunner/executors/executorservo.py @@ -86,6 +86,8 @@ class ServoTestharnessExecutor(ProcessTestExecutor): args += ["--user-stylesheet", stylesheet] for pref, value in test.environment.get('prefs', {}).iteritems(): args += ["--pref", "%s=%s" % (pref, value)] + if self.browser.ca_certificate_path: + args += ["--certificate-path", self.browser.ca_certificate_path] args += self.browser.binary_args debug_args, command = browser_command(self.binary, args, self.debug_info) @@ -226,6 +228,9 @@ class ServoRefTestExecutor(ProcessTestExecutor): command += ["--resolution", viewport_size or "800x600"] + if self.browser.ca_certificate_path: + command += ["--certificate-path", self.browser.ca_certificate_path] + if dpi: command += ["--device-pixel-ratio", dpi]
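Review bot: The same two-line `if self.browser.ca_certificate_path:` block is pasted into `ServoTestharnessExecutor` (hunk at -86) and `ServoRefTestExecutor` (hunk at -226), so the two executors can drift apart the next time the flag changes. A small module-level helper, e.g. `def certificate_args(browser): return ["--certificate-path", browser.ca_certificate_path] if browser.ca_certificate_path else []`, would keep a single definition. In the first hunk the flag is added before `self.browser.binary_args`, so a `--certificate-path` supplied there by the user would appear twice on the command line; the option is registered with `optopt` in opts.rs, which I believe rejects a repeated occurrence, so it is worth deciding which value should win. Both methods continue outside their hunks.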