Support NIO Transport Services - part 2 (#184)

This is the continuation of the good work of @Yasumoto and @weissi in #135

The following code adds support for NIO Transport services. When the ConnectionPool asks for a connection bootstrap it is returned a NIOClientTCPBootstrap which wraps either a NIOTSConnectionBootstrap or a ClientBootstrap depending on whether the EventLoop we are running on is NIOTSEventLoop.

If you initialize an HTTPClient with eventLoopGroupProvider set to .createNew then if you are running on iOS, macOS 10.14 or later it will provide a NIOTSEventLoopGroup instead of a EventLoopGroup.

Currently a number of tests are failing. 4 of these are related to the NIOSSLUncleanShutdown error the others all seem related to various race conditions which are being dealt with on other PRs. I have tested this code with aws-sdk-swift and it is working on both macOS and iOS.

Things look into:

The aws-sdk-swift NIOTS HTTP client had issues with on Mojave. We should check if this is the case for async-http-client as well.

Co-authored-by: Joe Smith <[email protected]>
Co-authored-by: Johannes Weiss <[email protected]>

Author: 3 people

Diff for: Package.swift

@@ -21,14 +21,15 @@ let package = Package(
         .library(name: "AsyncHTTPClient", targets: ["AsyncHTTPClient"]),
     ],
     dependencies: [
-        .package(url: "https://github.com/apple/swift-nio.git", from: "2.13.1"),
-        .package(url: "https://github.com/apple/swift-nio-ssl.git", from: "2.4.1"),
+        .package(url: "https://github.com/apple/swift-nio.git", from: "2.16.0"),
+        .package(url: "https://github.com/apple/swift-nio-ssl.git", from: "2.7.0"),
         .package(url: "https://github.com/apple/swift-nio-extras.git", from: "1.3.0"),
+        .package(url: "https://github.com/apple/swift-nio-transport-services.git", from: "1.5.1"),
     ],
     targets: [
         .target(
             name: "AsyncHTTPClient",
-            dependencies: ["NIO", "NIOHTTP1", "NIOSSL", "NIOConcurrencyHelpers", "NIOHTTPCompression", "NIOFoundationCompat"]
+            dependencies: ["NIO", "NIOHTTP1", "NIOSSL", "NIOConcurrencyHelpers", "NIOHTTPCompression", "NIOFoundationCompat", "NIOTransportServices"]
         ),
         .testTarget(
             name: "AsyncHTTPClientTests",

Diff for: Sources/AsyncHTTPClient/ConnectionPool.swift

@@ -17,6 +17,7 @@ import NIO
 import NIOConcurrencyHelpers
 import NIOHTTP1
 import NIOTLS
+import NIOTransportServices
 
 /// A connection pool that manages and creates new connections to hosts respecting the specified preferences
 ///
@@ -373,9 +374,15 @@ final class ConnectionPool {
 
         private func makeConnection(on eventLoop: EventLoop) -> EventLoopFuture<Connection> {
             self.activityPrecondition(expected: [.opened])
-            let handshakePromise = eventLoop.makePromise(of: Void.self)
-            let bootstrap = ClientBootstrap.makeHTTPClientBootstrapBase(group: eventLoop, host: self.key.host, port: self.key.port, configuration: self.configuration)
             let address = HTTPClient.resolveAddress(host: self.key.host, port: self.key.port, proxy: self.configuration.proxy)
+            let requiresTLS = self.key.scheme == .https
+            let bootstrap: NIOClientTCPBootstrap
+            do {
+                bootstrap = try NIOClientTCPBootstrap.makeHTTPClientBootstrapBase(on: eventLoop, host: self.key.host, port: self.key.port, requiresTLS: requiresTLS, configuration: self.configuration)
+            } catch {
+                return eventLoop.makeFailedFuture(error)
+            }
+            let handshakePromise = eventLoop.makePromise(of: Void.self)
 
             let channel: EventLoopFuture<Channel>
             switch self.key.scheme {
@@ -386,9 +393,17 @@ final class ConnectionPool {
             }
 
             return channel.flatMap { channel -> EventLoopFuture<ConnectionPool.Connection> in
-                channel.pipeline.addSSLHandlerIfNeeded(for: self.key, tlsConfiguration: self.configuration.tlsConfiguration, handshakePromise: handshakePromise)
+                let requiresSSLHandler = self.configuration.proxy != nil && self.key.scheme == .https
+                channel.pipeline.addSSLHandlerIfNeeded(for: self.key, tlsConfiguration: self.configuration.tlsConfiguration, addSSLClient: requiresSSLHandler, handshakePromise: handshakePromise)
                 return handshakePromise.futureResult.flatMap {
                     channel.pipeline.addHTTPClientHandlers(leftOverBytesStrategy: .forwardBytes)
+                }.flatMap {
+                    #if canImport(Network)
+                        if #available(OSX 10.14, iOS 12.0, tvOS 12.0, watchOS 6.0, *), bootstrap.underlyingBootstrap is NIOTSConnectionBootstrap {
+                            return channel.pipeline.addHandler(HTTPClient.NWErrorHandler(), position: .first)
+                        }
+                    #endif
+                    return eventLoop.makeSucceededFuture(())
                 }.map {
                     let connection = Connection(key: self.key, channel: channel, parentPool: self.parentPool)
                     connection.isLeased = true
@@ -398,6 +413,12 @@ final class ConnectionPool {
                 self.configureCloseCallback(of: connection)
                 return connection
             }.flatMapError { error in
+                var error = error
+                #if canImport(Network)
+                    if #available(OSX 10.14, iOS 12.0, tvOS 12.0, watchOS 6.0, *), bootstrap.underlyingBootstrap is NIOTSConnectionBootstrap {
+                        error = HTTPClient.NWErrorHandler.translateError(error)
+                    }
+                #endif
                 // This promise may not have been completed if we reach this
                 // so we fail it to avoid any leak
                 handshakePromise.fail(error)

Diff for: Sources/AsyncHTTPClient/HTTPClient.swift

@@ -19,6 +19,7 @@ import NIOHTTP1
 import NIOHTTPCompression
 import NIOSSL
 import NIOTLS
+import NIOTransportServices
 
 /// HTTPClient class provides API for request execution.
 ///
@@ -65,7 +66,15 @@ public class HTTPClient {
         case .shared(let group):
             self.eventLoopGroup = group
         case .createNew:
-            self.eventLoopGroup = MultiThreadedEventLoopGroup(numberOfThreads: 1)
+            #if canImport(Network)
+                if #available(OSX 10.14, iOS 12.0, tvOS 12.0, watchOS 6.0, *) {
+                    self.eventLoopGroup = NIOTSEventLoopGroup()
+                } else {
+                    self.eventLoopGroup = MultiThreadedEventLoopGroup(numberOfThreads: 1)
+                }
+            #else
+                self.eventLoopGroup = MultiThreadedEventLoopGroup(numberOfThreads: 1)
+            #endif
         }
         self.configuration = configuration
         self.pool = ConnectionPool(configuration: configuration)
@@ -672,19 +681,24 @@ extension ChannelPipeline {
         return addHandlers([encoder, decoder, handler])
     }
 
-    func addSSLHandlerIfNeeded(for key: ConnectionPool.Key, tlsConfiguration: TLSConfiguration?, handshakePromise: EventLoopPromise<Void>) {
+    func addSSLHandlerIfNeeded(for key: ConnectionPool.Key, tlsConfiguration: TLSConfiguration?, addSSLClient: Bool, handshakePromise: EventLoopPromise<Void>) {
         guard key.scheme == .https else {
             handshakePromise.succeed(())
             return
         }
 
         do {
-            let tlsConfiguration = tlsConfiguration ?? TLSConfiguration.forClient()
-            let context = try NIOSSLContext(configuration: tlsConfiguration)
-            let handlers: [ChannelHandler] = [
-                try NIOSSLClientHandler(context: context, serverHostname: key.host.isIPAddress ? nil : key.host),
-                TLSEventsHandler(completionPromise: handshakePromise),
-            ]
+            let handlers: [ChannelHandler]
+            if addSSLClient {
+                let tlsConfiguration = tlsConfiguration ?? TLSConfiguration.forClient()
+                let context = try NIOSSLContext(configuration: tlsConfiguration)
+                handlers = [
+                    try NIOSSLClientHandler(context: context, serverHostname: key.host.isIPAddress ? nil : key.host),
+                    TLSEventsHandler(completionPromise: handshakePromise),
+                ]
+            } else {
+                handlers = [TLSEventsHandler(completionPromise: handshakePromise)]
+            }
             self.addHandlers(handlers).cascadeFailure(to: handshakePromise)
         } catch {
             handshakePromise.fail(error)

Diff for: Sources/AsyncHTTPClient/NIOTransportServices/NWErrorHandler.swift

@@ -0,0 +1,84 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the AsyncHTTPClient open source project
+//
+// Copyright (c) 2020 Apple Inc. and the AsyncHTTPClient project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of AsyncHTTPClient project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+#if canImport(Network)
+
+    import Network
+    import NIO
+    import NIOHTTP1
+    import NIOTransportServices
+
+    extension HTTPClient {
+        public struct NWPOSIXError: Error, CustomStringConvertible {
+            /// POSIX error code (enum)
+            public let errorCode: POSIXErrorCode
+
+            /// actual reason, in human readable form
+            private let reason: String
+
+            /// Initialise a NWPOSIXError
+            /// - Parameters:
+            ///   - errorType: posix error type
+            ///   - reason: String describing reason for error
+            public init(_ errorCode: POSIXErrorCode, reason: String) {
+                self.errorCode = errorCode
+                self.reason = reason
+            }
+
+            public var description: String { return self.reason }
+        }
+
+        public struct NWTLSError: Error, CustomStringConvertible {
+            /// TLS error status. List of TLS errors can be found in <Security/SecureTransport.h>
+            public let status: OSStatus
+
+            /// actual reason, in human readable form
+            private let reason: String
+
+            /// initialise a NWTLSError
+            /// - Parameters:
+            ///   - status: TLS status
+            ///   - reason: String describing reason for error
+            public init(_ status: OSStatus, reason: String) {
+                self.status = status
+                self.reason = reason
+            }
+
+            public var description: String { return self.reason }
+        }
+
+        @available(macOS 10.14, iOS 12.0, tvOS 12.0, watchOS 6.0, *)
+        class NWErrorHandler: ChannelInboundHandler {
+            typealias InboundIn = HTTPClientResponsePart
+
+            func errorCaught(context: ChannelHandlerContext, error: Error) {
+                context.fireErrorCaught(NWErrorHandler.translateError(error))
+            }
+
+            static func translateError(_ error: Error) -> Error {
+                if let error = error as? NWError {
+                    switch error {
+                    case .tls(let status):
+                        return NWTLSError(status, reason: error.localizedDescription)
+                    case .posix(let errorCode):
+                        return NWPOSIXError(errorCode, reason: error.localizedDescription)
+                    default:
+                        return error
+                    }
+                }
+                return error
+            }
+        }
+    }
+#endif

Diff for: Sources/AsyncHTTPClient/NIOTransportServices/TLSConfiguration.swift

@@ -0,0 +1,140 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the AsyncHTTPClient open source project
+//
+// Copyright (c) 2020 Apple Inc. and the AsyncHTTPClient project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of AsyncHTTPClient project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+#if canImport(Network)
+
+    import Foundation
+    import Network
+    import NIOSSL
+    import NIOTransportServices
+
+    extension TLSVersion {
+        /// return Network framework TLS protocol version
+        var nwTLSProtocolVersion: tls_protocol_version_t {
+            switch self {
+            case .tlsv1:
+                return .TLSv10
+            case .tlsv11:
+                return .TLSv11
+            case .tlsv12:
+                return .TLSv12
+            case .tlsv13:
+                return .TLSv13
+            }
+        }
+    }
+
+    extension TLSVersion {
+        /// return as SSL protocol
+        var sslProtocol: SSLProtocol {
+            switch self {
+            case .tlsv1:
+                return .tlsProtocol1
+            case .tlsv11:
+                return .tlsProtocol11
+            case .tlsv12:
+                return .tlsProtocol12
+            case .tlsv13:
+                return .tlsProtocol13
+            }
+        }
+    }
+
+    @available(macOS 10.14, iOS 12.0, tvOS 12.0, watchOS 6.0, *)
+    extension TLSConfiguration {
+        /// Dispatch queue used by Network framework TLS to control certificate verification
+        static var tlsDispatchQueue = DispatchQueue(label: "TLSDispatch")
+
+        /// create NWProtocolTLS.Options for use with NIOTransportServices from the NIOSSL TLSConfiguration
+        ///
+        /// - Parameter queue: Dispatch queue to run `sec_protocol_options_set_verify_block` on.
+        /// - Returns: Equivalent NWProtocolTLS Options
+        func getNWProtocolTLSOptions() -> NWProtocolTLS.Options {
+            let options = NWProtocolTLS.Options()
+
+            // minimum TLS protocol
+            if #available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *) {
+                sec_protocol_options_set_min_tls_protocol_version(options.securityProtocolOptions, self.minimumTLSVersion.nwTLSProtocolVersion)
+            } else {
+                sec_protocol_options_set_tls_min_version(options.securityProtocolOptions, self.minimumTLSVersion.sslProtocol)
+            }
+
+            // maximum TLS protocol
+            if let maximumTLSVersion = self.maximumTLSVersion {
+                if #available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *) {
+                    sec_protocol_options_set_max_tls_protocol_version(options.securityProtocolOptions, maximumTLSVersion.nwTLSProtocolVersion)
+                } else {
+                    sec_protocol_options_set_tls_max_version(options.securityProtocolOptions, maximumTLSVersion.sslProtocol)
+                }
+            }
+
+            // application protocols
+            for applicationProtocol in self.applicationProtocols {
+                applicationProtocol.withCString { buffer in
+                    sec_protocol_options_add_tls_application_protocol(options.securityProtocolOptions, buffer)
+                }
+            }
+
+            // the certificate chain
+            if self.certificateChain.count > 0 {
+                preconditionFailure("TLSConfiguration.certificateChain is not supported")
+            }
+
+            // cipher suites
+            if self.cipherSuites.count > 0 {
+                // TODO: Requires NIOSSL to provide list of cipher values before we can continue
+                // https://github.com/apple/swift-nio-ssl/issues/207
+            }
+
+            // key log callback
+            if self.keyLogCallback != nil {
+                preconditionFailure("TLSConfiguration.keyLogCallback is not supported")
+            }
+
+            // private key
+            if self.privateKey != nil {
+                preconditionFailure("TLSConfiguration.privateKey is not supported")
+            }
+
+            // renegotiation support key is unsupported
+
+            // trust roots
+            if let trustRoots = self.trustRoots {
+                guard case .default = trustRoots else {
+                    preconditionFailure("TLSConfiguration.trustRoots != .default is not supported")
+                }
+            }
+
+            switch self.certificateVerification {
+            case .none:
+                // add verify block to control certificate verification
+                sec_protocol_options_set_verify_block(
+                    options.securityProtocolOptions,
+                    { _, _, sec_protocol_verify_complete in
+                        sec_protocol_verify_complete(true)
+                    }, TLSConfiguration.tlsDispatchQueue
+                )
+
+            case .noHostnameVerification:
+                precondition(self.certificateVerification != .noHostnameVerification, "TLSConfiguration.certificateVerification = .noHostnameVerification is not supported")
+
+            case .fullVerification:
+                break
+            }
+
+            return options
+        }
+    }
+
+#endif