chore: Replaced static openssl cert usage with in-process cert

THIRD_PARTY_NOTICES.md

@@ -93,7 +93,7 @@ code, the source code can be found at [https://github.com/newrelic/node-newrelic
 
 ### @grpc/grpc-js
 
-This product includes source derived from [@grpc/grpc-js](https://github.com/grpc/grpc-node/tree/master/packages/grpc-js) ([v1.11.3](https://github.com/grpc/grpc-node/tree/master/packages/grpc-js/tree/v1.11.3)), distributed under the [Apache-2.0 License](https://github.com/grpc/grpc-node/tree/master/packages/grpc-js/blob/v1.11.3/LICENSE):
+This product includes source derived from [@grpc/grpc-js](https://github.com/grpc/grpc-node/tree/master/packages/grpc-js) ([v1.12.2](https://github.com/grpc/grpc-node/tree/master/packages/grpc-js/tree/v1.12.2)), distributed under the [Apache-2.0 License](https://github.com/grpc/grpc-node/tree/master/packages/grpc-js/blob/v1.12.2/LICENSE):
 
 ```
                                  Apache License
@@ -1043,7 +1043,7 @@ IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 ### winston-transport
 
-This product includes source derived from [winston-transport](https://github.com/winstonjs/winston-transport) ([v4.7.1](https://github.com/winstonjs/winston-transport/tree/v4.7.1)), distributed under the [MIT License](https://github.com/winstonjs/winston-transport/blob/v4.7.1/LICENSE):
+This product includes source derived from [winston-transport](https://github.com/winstonjs/winston-transport) ([v4.8.0](https://github.com/winstonjs/winston-transport/tree/v4.8.0)), distributed under the [MIT License](https://github.com/winstonjs/winston-transport/blob/v4.8.0/LICENSE):
 
 ```
 The MIT License (MIT)
@@ -1076,7 +1076,7 @@ SOFTWARE.
 
 ### @aws-sdk/client-s3
 
-This product includes source derived from [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3) ([v3.658.1](https://github.com/aws/aws-sdk-js-v3/tree/v3.658.1)), distributed under the [Apache-2.0 License](https://github.com/aws/aws-sdk-js-v3/blob/v3.658.1/LICENSE):
+This product includes source derived from [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3) ([v3.676.0](https://github.com/aws/aws-sdk-js-v3/tree/v3.676.0)), distributed under the [Apache-2.0 License](https://github.com/aws/aws-sdk-js-v3/blob/v3.676.0/LICENSE):
 
 ```
                                 Apache License
@@ -1285,7 +1285,7 @@ This product includes source derived from [@aws-sdk/client-s3](https://github.co
 
 ### @aws-sdk/s3-request-presigner
 
-This product includes source derived from [@aws-sdk/s3-request-presigner](https://github.com/aws/aws-sdk-js-v3) ([v3.658.1](https://github.com/aws/aws-sdk-js-v3/tree/v3.658.1)), distributed under the [Apache-2.0 License](https://github.com/aws/aws-sdk-js-v3/blob/v3.658.1/LICENSE):
+This product includes source derived from [@aws-sdk/s3-request-presigner](https://github.com/aws/aws-sdk-js-v3) ([v3.676.0](https://github.com/aws/aws-sdk-js-v3/tree/v3.676.0)), distributed under the [Apache-2.0 License](https://github.com/aws/aws-sdk-js-v3/blob/v3.676.0/LICENSE):
 
 ```
                                 Apache License
@@ -2208,7 +2208,7 @@ THE SOFTWARE.
 
 ### @slack/bolt
 
-This product includes source derived from [@slack/bolt](https://github.com/slackapi/bolt) ([v3.21.4](https://github.com/slackapi/bolt/tree/v3.21.4)), distributed under the [MIT License](https://github.com/slackapi/bolt/blob/v3.21.4/LICENSE):
+This product includes source derived from [@slack/bolt](https://github.com/slackapi/bolt) ([v3.22.0](https://github.com/slackapi/bolt/tree/v3.22.0)), distributed under the [MIT License](https://github.com/slackapi/bolt/blob/v3.22.0/LICENSE):
 
 ```
 The MIT License (MIT)
@@ -3372,7 +3372,7 @@ THE SOFTWARE.
 
 ### express
 
-This product includes source derived from [express](https://github.com/expressjs/express) ([v4.21.0](https://github.com/expressjs/express/tree/v4.21.0)), distributed under the [MIT License](https://github.com/expressjs/express/blob/v4.21.0/LICENSE):
+This product includes source derived from [express](https://github.com/expressjs/express) ([v4.21.1](https://github.com/expressjs/express/tree/v4.21.1)), distributed under the [MIT License](https://github.com/expressjs/express/blob/v4.21.1/LICENSE):
 
 ```
 (The MIT License)
@@ -3508,7 +3508,7 @@ SOFTWARE.
 
 ### jsdoc
 
-This product includes source derived from [jsdoc](https://github.com/jsdoc/jsdoc) ([v4.0.3](https://github.com/jsdoc/jsdoc/tree/v4.0.3)), distributed under the [Apache-2.0 License](https://github.com/jsdoc/jsdoc/blob/v4.0.3/LICENSE.md):
+This product includes source derived from [jsdoc](https://github.com/jsdoc/jsdoc) ([v4.0.4](https://github.com/jsdoc/jsdoc/tree/v4.0.4)), distributed under the [Apache-2.0 License](https://github.com/jsdoc/jsdoc/blob/v4.0.4/LICENSE.md):
 
 ```
 # License

lib/collector/http-agents.js

@@ -53,11 +53,14 @@ exports.proxyAgent = function proxyAgent(config) {
   }
   const proxyUrl = proxyOptions(config)
 
+  // Tests may supply 127.0.0.1 as the host, but SNI requires a hostname.
+  const servername = config.host
   const proxyOpts = {
     secureEndpoint: config.ssl,
     auth: proxyUrl.auth,
     ca: config?.certificates?.length ? config.certificates : [],
-    keepAlive: true
+    keepAlive: true,
+    servername
   }
 
   logger.info(`using proxy: ${proxyUrl}`)

package.json

@@ -195,7 +195,7 @@
     "newrelic-naming-rules": "./bin/test-naming-rules.js"
   },
   "dependencies": {
-    "@grpc/grpc-js": "^1.9.4",
+    "@grpc/grpc-js": "^1.12.2",
     "@grpc/proto-loader": "^0.7.5",
     "@newrelic/security-agent": "^2.0.0",
     "@tyriar/fibonacci-heap": "^2.0.7",

test/integration/grpc/reconnect.tap.js

@@ -16,8 +16,14 @@ const MetricMapper = require('../../../lib/metrics/mapper')
 const MetricNormalizer = require('../../../lib/metrics/normalizer')
 const StreamingSpanEvent = require('../../../lib/spans/streaming-span-event')
 
+const fakeCert = require('../../lib/fake-cert')
 const helper = require('../../lib/agent_helper')
 
+// We generate the certificate once for the whole suite because it is a CPU
+// intensive operation and would slow down tests if each test created its
+// own certificate.
+const cert = fakeCert({ commonName: 'localhost' })
+
 tap.test('test that connection class reconnects', async (t) => {
   // one assert for the initial connection
   // a second assert for the disconnect
@@ -50,7 +56,7 @@ tap.test('test that connection class reconnects', async (t) => {
 
   // Currently test-only configuration
   const origEnv = process.env.NEWRELIC_GRPCCONNECTION_CA
-  process.env.NEWRELIC_GRPCCONNECTION_CA = sslOpts.ca
+  process.env.NEWRELIC_GRPCCONNECTION_CA = cert.certificate
   t.teardown(() => {
     process.env.NEWRELIC_GRPCCONNECTION_CA = origEnv
   })
@@ -133,7 +139,7 @@ tap.test('Should reconnect even when data sent back', async (t) => {
 
   // Currently test-only configuration
   const origEnv = process.env.NEWRELIC_GRPCCONNECTION_CA
-  process.env.NEWRELIC_GRPCCONNECTION_CA = sslOpts.ca
+  process.env.NEWRELIC_GRPCCONNECTION_CA = cert.certificate
   t.teardown(() => {
     process.env.NEWRELIC_GRPCCONNECTION_CA = origEnv
   })
@@ -186,13 +192,12 @@ tap.test('Should reconnect even when data sent back', async (t) => {
 })
 
 async function setupSsl() {
-  const [key, certificate, ca] = await helper.withSSL()
   return {
-    ca,
+    ca: null,
     authPairs: [
       {
-        private_key: key,
-        cert_chain: certificate
+        private_key: cert.privateKeyBuffer,
+        cert_chain: cert.certificateBuffer
       }
     ]
   }

test/integration/infinite-tracing-connection.tap.js

@@ -11,8 +11,14 @@ const path = require('path')
 const grpc = require('@grpc/grpc-js')
 const protoLoader = require('@grpc/proto-loader')
 
+const fakeCert = require('../lib/fake-cert')
 const helper = require('../lib/agent_helper')
 
+// We generate the certificate once for the whole suite because it is a CPU
+// intensive operation and would slow down tests if each test created its
+// own certificate.
+const cert = fakeCert({ commonName: 'localhost' })
+
 const PROTO_PATH = path.join(__dirname, '../..', '/lib/grpc/endpoints/infinite-tracing/v1.proto')
 
 const TEST_DOMAIN = 'test-collector.newrelic.com'
@@ -258,70 +264,63 @@ const infiniteTracingService = grpc.loadPackageDefinition(packageDefinition).com
       nock.disableNetConnect()
       startingEndpoints = setupConnectionEndpoints(INITIAL_RUN_ID, INITIAL_SESSION_ID)
 
-      helper
-        .withSSL()
-        .then(([key, certificate, ca]) => {
-          const sslOpts = {
-            ca,
-            authPairs: [{ private_key: key, cert_chain: certificate }]
-          }
+      const sslOpts = {
+        ca: cert.certificateBuffer,
+        authPairs: [{ private_key: cert.privateKeyBuffer, cert_chain: cert.certificateBuffer }]
+      }
 
-          const services = [
-            {
-              serviceDefinition: infiniteTracingService.IngestService.service,
-              implementation: { recordSpan, recordSpanBatch }
+      const services = [
+        {
+          serviceDefinition: infiniteTracingService.IngestService.service,
+          implementation: { recordSpan, recordSpanBatch }
+        }
+      ]
+
+      server = createGrpcServer(sslOpts, services, (err, port) => {
+        t.error(err)
+
+        agent = helper.loadMockedAgent({
+          license_key: EXPECTED_LICENSE_KEY,
+          apdex_t: Number.MIN_VALUE, // force transaction traces
+          host: TEST_DOMAIN,
+          plugins: {
+            // turn off native metrics to avoid unwanted gc metrics
+            native_metrics: { enabled: false }
+          },
+          distributed_tracing: { enabled: true },
+          slow_sql: { enabled: true },
+          transaction_tracer: {
+            record_sql: 'obfuscated',
+            explain_threshold: Number.MIN_VALUE // force SQL traces
+          },
+          utilization: {
+            detect_aws: false
+          },
+          infinite_tracing: {
+            ...config,
+            span_events: {
+              queue_size: 2
+            },
+            trace_observer: {
+              host: helper.SSL_HOST,
+              port
             }
-          ]
-
-          server = createGrpcServer(sslOpts, services, (err, port) => {
-            t.error(err)
-
-            agent = helper.loadMockedAgent({
-              license_key: EXPECTED_LICENSE_KEY,
-              apdex_t: Number.MIN_VALUE, // force transaction traces
-              host: TEST_DOMAIN,
-              plugins: {
-                // turn off native metrics to avoid unwanted gc metrics
-                native_metrics: { enabled: false }
-              },
-              distributed_tracing: { enabled: true },
-              slow_sql: { enabled: true },
-              transaction_tracer: {
-                record_sql: 'obfuscated',
-                explain_threshold: Number.MIN_VALUE // force SQL traces
-              },
-              utilization: {
-                detect_aws: false
-              },
-              infinite_tracing: {
-                ...config,
-                span_events: {
-                  queue_size: 2
-                },
-                trace_observer: {
-                  host: helper.SSL_HOST,
-                  port
-                }
-              }
-            })
+          }
+        })
 
-            agent.config.no_immediate_harvest = true
+        agent.config.no_immediate_harvest = true
 
-            // Currently test-only configuration
-            const origEnv = process.env.NEWRELIC_GRPCCONNECTION_CA
-            process.env.NEWRELIC_GRPCCONNECTION_CA = ca
-            t.teardown(() => {
-              process.env.NEWRELIC_GRPCCONNECTION_CA = origEnv
-            })
-
-            if (callback) {
-              callback()
-            }
-          })
-        })
-        .catch((err) => {
-          t.error(err)
+        // Currently test-only configuration
+        const origEnv = process.env.NEWRELIC_GRPCCONNECTION_CA
+        process.env.NEWRELIC_GRPCCONNECTION_CA = cert.certificate
+        t.teardown(() => {
+          process.env.NEWRELIC_GRPCCONNECTION_CA = origEnv
         })
+
+        if (callback) {
+          callback()
+        }
+      })
     }
   })
 })
@@ -387,11 +386,10 @@ function createGrpcServer(sslOptions, services, callback) {
     server.addService(service.serviceDefinition, service.implementation)
   }
 
-  const { ca, authPairs } = sslOptions
-  const credentials = grpc.ServerCredentials.createSsl(ca, authPairs, false)
+  const { authPairs } = sslOptions
+  const credentials = grpc.ServerCredentials.createSsl(null, authPairs, false)
 
-  // Select a random port
-  server.bindAsync('localhost:0', credentials, (err, port) => {
+  server.bindAsync('127.0.0.1:0', credentials, (err, port) => {
     if (err) {
       callback(err)
     }