From aab991f9a43a698bd3a9df7a6174c8b0f08f1ca9 Mon Sep 17 00:00:00 2001 
From: Colton Hurst Date: Thu, 22 Aug 2024 10:49:21 -0400 Subject: [PATCH] [SM-1407] Use rustls-tls-native-roots on Windows (#990) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## 🎟️ Tracking https://bitwarden.atlassian.net/browse/SM-1407 ## 📔 Objective We are having TLS runtime issues for GitHub artifacts built on Windows when using `rustls-platform-verifier`. There is a repository with a simplified example showcasing this bug here: https://github.com/Thomas-Avery/test-rustls-platform-verifier The goal of this PR is to use a work-around on Windows until the bug is fixed. A GitHub issue for this has been created: https://github.com/rustls/rustls-platform-verifier/issues/126 ## ⏰ Reminders before review - Contributor guidelines followed - All formatters and local linters executed and passed - Written new unit and / or integration tests where applicable - Protected functional changes with optionality (feature flags) - Used internationalization (i18n) for all UI strings - CI builds passed - Communicated to DevOps any deployment requirements - Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team ## 🦮 Reviewer guidelines - 👍 (`:+1:`) or similar for great changes - 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info - ❓ (`:question:`) for questions - 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion - 🎨 (`:art:`) for suggestions / improvements - ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention - 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt - ⛏ (`:pick:`) for minor or nitpick changes --- Cargo.lock | 2 ++ crates/bitwarden-core/Cargo.toml | 8 +++++++- crates/bitwarden-core/src/client/client.rs | 3 ++- 3 files changed, 11 insertions(+), 2 deletions(-) 
diff --git a/Cargo.lock b/Cargo.lock index 8ec312beb..807e5011a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1997,6 +1997,7 @@ dependencies = [ "hyper", "hyper-util", "rustls", + "rustls-native-certs", "rustls-pki-types", "tokio", "tokio-rustls", @@ -3179,6 +3180,7 @@ dependencies = [ "pin-project-lite", "quinn", "rustls", + "rustls-native-certs", "rustls-pemfile", "rustls-pki-types", "serde", diff --git a/crates/bitwarden-core/Cargo.toml b/crates/bitwarden-core/Cargo.toml index 07a7ba426..d6f6131ee 100644 --- a/crates/bitwarden-core/Cargo.toml +++ b/crates/bitwarden-core/Cargo.toml @@ -64,7 +64,7 @@ validator = { version = "0.18.1", features = ["derive"] } zeroize = { version = ">=1.7.0, <2.0", features = ["derive", "aarch64"] } zxcvbn = ">=3.0.1, <4.0" -[target.'cfg(not(target_arch="wasm32"))'.dependencies] +[target.'cfg(all(not(target_arch="wasm32"), not(windows)))'.dependencies] # By default, we use rustls as the TLS stack and rust-platform-verifier to support user-installed root certificates # The only exception is WASM, as it just uses the browsers/node fetch reqwest = { version = ">=0.12.5, <0.13", features = [ @@ -72,6 +72,12 @@ reqwest = { version = ">=0.12.5, <0.13", features = [ ], default-features = false } rustls-platform-verifier = "0.3.3" +[target.'cfg(windows)'.dependencies] +# We are having issues with rustls-platform-verifier on Windows GitHub runners +reqwest = { version = ">=0.12.5, <0.13", features = [ + "rustls-tls-native-roots", +], default-features = false } + [dev-dependencies] bitwarden-crypto = { workspace = true } rand_chacha = "0.3.1" diff --git a/crates/bitwarden-core/src/client/client.rs b/crates/bitwarden-core/src/client/client.rs index e736d8c99..5f73fcd8a 100644 --- a/crates/bitwarden-core/src/client/client.rs +++ b/crates/bitwarden-core/src/client/client.rs 
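Review bot: The unchanged comment under the retargeted `[target.'cfg(all(not(target_arch="wasm32"), not(windows)))'.dependencies]` table in crates/bitwarden-core/Cargo.toml still says the only exception is WASM, which stops being true once Windows is excluded too. This table decides which certificate verifier a build ships with, so the comment should name both exceptions, for example `# The exceptions are WASM, which uses the browser/node fetch, and Windows, which uses reqwest's rustls-tls-native-roots`. The same comment also writes "rust-platform-verifier" where the crate is `rustls-platform-verifier`.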
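Review bot: The comment on the new `[target.'cfg(windows)'.dependencies]` table does not say that this is a temporary workaround, nor what it changes about certificate validation on Windows. With `rustls-tls-native-roots` the roots are read from the Windows store, but as far as I know the chain is then validated by rustls's built-in verifier rather than by the OS, so platform-side checks that `rustls-platform-verifier` delegates to Windows (revocation, enterprise trust policy) may no longer apply; this should be confirmed and accepted explicitly. I would record it together with the upstream issue, e.g. `# Temporary workaround for https://github.com/rustls/rustls-platform-verifier/issues/126: roots come from the OS store, validation is done by rustls. Remove once fixed upstream.`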
@@ -25,7 +25,7 @@ impl Client { #[allow(unused_mut)] let mut client_builder = reqwest::Client::builder(); - #[cfg(not(target_arch = "wasm32"))] + #[cfg(all(not(target_arch = "wasm32"), not(windows)))] { client_builder = client_builder.use_preconfigured_tls(rustls_platform_verifier::tls_config()); @@ -86,6 +86,7 @@ impl Client { #[cfg(test)] mod tests { + #[cfg(all(not(target_arch = "wasm32"), not(windows)))] #[test] fn test_reqwest_rustls_platform_verifier_are_compatible() { // rustls-platform-verifier is generating a rustls::ClientConfig,
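Review bot: On Windows the block under `#[cfg(all(not(target_arch = "wasm32"), not(windows)))]` is now compiled out, so the client's TLS setup there is decided only by the reqwest feature chosen in Cargo.toml, and nothing at this site says so. A short comment above the attribute would make that visible, such as `// Windows relies on reqwest's rustls-tls-native-roots feature instead; see rustls-platform-verifier issue 126`. The same condition is now repeated in Cargo.toml, here, and on the test in the second hunk, so the three have to be kept in step by hand, and with that test gated off no test in this patch exercises the Windows TLS path. The enclosing function starts and ends outside the hunk.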