fix: make the file fetcher respect the root certificate store configured via DENO_TLS_CA_STORE (#633)

* fix: make the file fetcher respect the root certificate store configured via `DENO_TLS_CA_STORE`

* stamp: oops

Author: nyannyacha

crates/base/src/runtime/mod.rs

@@ -42,9 +42,6 @@ use deno::deno_package_json;
 use deno::deno_telemetry;
 use deno::deno_telemetry::OtelConfig;
 use deno::deno_tls;
-use deno::deno_tls::deno_native_certs::load_native_certs;
-use deno::deno_tls::rustls::RootCertStore;
-use deno::deno_tls::RootCertStoreProvider;
 use deno::deno_url;
 use deno::deno_web;
 use deno::deno_webidl;
@@ -70,6 +67,7 @@ use deno_core::OpState;
 use deno_core::PollEventLoopOptions;
 use deno_core::ResolutionKind;
 use deno_core::RuntimeOptions;
+use deno_facade::cert_provider::get_root_cert_store_provider;
 use deno_facade::generate_binary_eszip;
 use deno_facade::metadata::Entrypoint;
 use deno_facade::migrate::MigrateOptions;
@@ -82,7 +80,6 @@ use either::Either;
 use either::Either::Left;
 use either::Either::Right;
 use ext_event_worker::events::WorkerEventWithMetadata;
-use ext_runtime::cert::ValueRootCertStoreProvider;
 use ext_runtime::external_memory::CustomAllocator;
 use ext_runtime::MemCheckWaker;
 use ext_runtime::PromiseMetrics;
@@ -2239,53 +2236,6 @@ fn terminate_execution_if_cancelled(
   )
 }
 
-fn get_root_cert_store_provider(
-) -> Result<Arc<dyn RootCertStoreProvider>, AnyError> {
-  // Create and populate a root cert store based on environment variable.
-  // Reference: https://github.com/denoland/deno/blob/v1.37.0/cli/args/mod.rs#L467
-  let mut root_cert_store = RootCertStore::empty();
-  let ca_stores: Vec<String> = (|| {
-    let env_ca_store = std::env::var("DENO_TLS_CA_STORE").ok()?;
-    Some(
-      env_ca_store
-        .split(',')
-        .map(|s| s.trim().to_string())
-        .filter(|s| !s.is_empty())
-        .collect(),
-    )
-  })()
-  .unwrap_or_else(|| vec!["mozilla".to_string()]);
-
-  for store in ca_stores.iter() {
-    match store.as_str() {
-      "mozilla" => {
-        root_cert_store = deno_tls::create_default_root_cert_store();
-      }
-      "system" => {
-        let roots = load_native_certs().expect("could not load platform certs");
-        for root in roots {
-          root_cert_store
-            .add((&*root.0).into())
-            .expect("Failed to add platform cert to root cert store");
-        }
-      }
-      _ => {
-        bail!(
-          concat!(
-            "Unknown certificate store \"{0}\" specified ",
-            "(allowed: \"system,mozilla\")"
-          ),
-          store
-        );
-      }
-    }
-  }
-
-  Ok(Arc::new(ValueRootCertStoreProvider::new(
-    root_cert_store.clone(),
-  )))
-}
-
 fn set_v8_flags() {
   let v8_flags = std::env::var("V8_FLAGS").unwrap_or("".to_string());
   let mut vec = vec![""];

crates/deno_facade/cert_provider.rs

@@ -0,0 +1,56 @@
+use std::sync::Arc;
+
+use anyhow::bail;
+use deno::deno_tls;
+use deno::deno_tls::deno_native_certs::load_native_certs;
+use deno::deno_tls::rustls::RootCertStore;
+use deno::deno_tls::RootCertStoreProvider;
+use deno_core::error::AnyError;
+use ext_runtime::cert::ValueRootCertStoreProvider;
+
+pub fn get_root_cert_store_provider(
+) -> Result<Arc<dyn RootCertStoreProvider>, AnyError> {
+  // Create and populate a root cert store based on environment variable.
+  // Reference: https://github.com/denoland/deno/blob/v1.37.0/cli/args/mod.rs#L467
+  let mut root_cert_store = RootCertStore::empty();
+  let ca_stores: Vec<String> = (|| {
+    let env_ca_store = std::env::var("DENO_TLS_CA_STORE").ok()?;
+    Some(
+      env_ca_store
+        .split(',')
+        .map(|s| s.trim().to_string())
+        .filter(|s| !s.is_empty())
+        .collect(),
+    )
+  })()
+  .unwrap_or_else(|| vec!["mozilla".to_string()]);
+
+  for store in ca_stores.iter() {
+    match store.as_str() {
+      "mozilla" => {
+        root_cert_store = deno_tls::create_default_root_cert_store();
+      }
+      "system" => {
+        let roots = load_native_certs().expect("could not load platform certs");
+        for root in roots {
+          root_cert_store
+            .add((&*root.0).into())
+            .expect("Failed to add platform cert to root cert store");
+        }
+      }
+      _ => {
+        bail!(
+          concat!(
+            "Unknown certificate store \"{0}\" specified ",
+            "(allowed: \"system,mozilla\")"
+          ),
+          store
+        );
+      }
+    }
+  }
+
+  Ok(Arc::new(ValueRootCertStoreProvider::new(
+    root_cert_store.clone(),
+  )))
+}

crates/deno_facade/emitter.rs

@@ -58,6 +58,7 @@ use ext_node::DenoFsNodeResolverEnv;
 use ext_node::NodeResolver;
 use ext_node::PackageJsonResolver;
 
+use crate::cert_provider::get_root_cert_store_provider;
 use crate::permissions::RuntimePermissionDescriptorParser;
 
 struct Deferred<T>(once_cell::unsync::OnceCell<T>);
@@ -281,9 +282,12 @@ impl EmitterFactory {
   }
 
   pub fn http_client_provider(&self) -> &Arc<HttpClientProvider> {
-    self
-      .http_client_provider
-      .get_or_init(|| Arc::new(HttpClientProvider::new(None, None)))
+    self.http_client_provider.get_or_init(|| {
+      Arc::new(HttpClientProvider::new(
+        get_root_cert_store_provider().ok(),
+        None,
+      ))
+    })
   }
 
   pub fn fs(&self) -> Arc<dyn deno::deno_fs::FileSystem> {

crates/deno_facade/lib.rs

@@ -13,6 +13,7 @@ use tokio::fs::create_dir_all;
 mod emitter;
 mod eszip;
 
+pub mod cert_provider;
 pub mod errors;
 pub mod graph;
 pub mod jsr;

examples/serve/deno.json

@@ -0,0 +1,6 @@
+{
+  "workspace": [],
+  "imports": {
+    "@supabase/functions-js": "jsr:@supabase/functions-js@^2.5.0"
+  }
+}

examples/serve/index.ts

@@ -1 +1,10 @@
+import { FunctionsClient } from "@supabase/functions-js";
+import "@supabase/functions-js/edge-runtime.d.ts";
+
+console.log(FunctionsClient);
+addEventListener("beforeunload", (ev: CustomEvent<BeforeunloadReason>) => {
+  console.log(ev);
+});
+
+console.log("meow");
 Deno.serve((_req) => new Response("Hello, world"));