@Aditi-1400
Contributor

@Aditi-1400 Aditi-1400 commented Nov 11, 2025

Makes the --use-system-ca option a per-environment option rather than a per-process option so that workers can enable/disable it individually.

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/config
  • @nodejs/crypto
  • @nodejs/startup

@nodejs-github-bot nodejs-github-bot added the c++, lib / src and needs-ci labels Nov 11, 2025
@Aditi-1400 Aditi-1400 force-pushed the ca-per-env branch 2 times, most recently from d87558c to 23473b9 November 11, 2025 10:28
@joyeecheung
Member

joyeecheung commented Nov 11, 2025

Hmm, I think this may need more work than just updating the options - the implication of being per-env is that each worker would then be able to toggle this independently. Say when the main thread does not enable it but a worker does, then the worker will have the system CA certs in their default store but the parent doesn't. Can you add a test for this, and the other way around (parent enables it, worker disables it)? My impression is that the default store initialisation code is not yet ready for this and it's still shared across the process (so if a worker enables it, suddenly the parent gets it too, which would be unexpected).

@codecov

codecov bot commented Nov 11, 2025

Codecov Report

❌ Patch coverage is 74.57627% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.51%. Comparing base (903f647) to head (d8281c4).
⚠️ Report is 7 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_context.cc 75.60% 4 Missing and 6 partials ⚠️
src/quic/tlscontext.cc 58.33% 5 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #60678      +/-   ##
==========================================
- Coverage   88.54%   88.51%   -0.03%     
==========================================
  Files         704      704              
  Lines      208793   208815      +22     
  Branches    40307    40315       +8     
==========================================
- Hits       184866   184835      -31     
- Misses      15913    15957      +44     
- Partials     8014     8023       +9     
Files with missing lines Coverage Δ
src/crypto/crypto_common.cc 79.67% <100.00%> (ø)
src/crypto/crypto_context.h 100.00% <ø> (ø)
src/node.cc 75.80% <ø> (-0.17%) ⬇️
src/node_options.cc 77.92% <100.00%> (+0.02%) ⬆️
src/node_options.h 97.89% <100.00%> (ø)
src/quic/endpoint.cc 56.51% <100.00%> (ø)
src/quic/tlscontext.h 65.38% <ø> (ø)
src/quic/tlscontext.cc 36.85% <58.33%> (ø)
src/crypto/crypto_context.cc 70.98% <75.60%> (+0.14%) ⬆️

... and 31 files with indirect coverage changes

@Aditi-1400 Aditi-1400 force-pushed the ca-per-env branch 2 times, most recently from f22457c to 780c272 December 2, 2025 14:16
@Aditi-1400 Aditi-1400 force-pushed the ca-per-env branch 4 times, most recently from 38913f9 to d9fb49d December 12, 2025 18:05
Member

@joyeecheung joyeecheung left a comment

Can you add some tests to test/parallel that check this affects tls.getCACertificates('default') in a worker if tls.getCACertificates('system') returns non-empty in a parent? (if there are no system CAs in the testing machine, then the test can be skipped - that way it can run even without the mock certificates installed)

static std::atomic<bool> has_cached_bundled_root_certs{false};
static std::atomic<bool> has_cached_system_root_certs{false};
static std::atomic<bool> has_cached_extra_root_certs{false};
static std::atomic<bool> has_use_system_ca{false};
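
Review bot: `has_use_system_ca` on the last line is a process-wide static like the three cache flags above it, while the option is being made per-environment. Please add a comment saying what the flag records (for example, whether any environment has asked for system CAs) and who sets it, so it is not read as a given worker's current setting.
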
Member

I think it might be worth it to tweak StartLoadingCertificatesOffThread so that if no thread has started loading system CAs off thread, and a new worker is run with --use-system-ca, then the new worker can still trigger an off-thread load (right now I think it only tries once, and if the first try does not include system CA then there won't be any off-thread loading anymore). Although, this can just be a TODO and doesn't need to be addressed here.


// TODO(joyeecheung): we can probably just reset it to nullptr
// and let the next call to NewRootCertStore() create a new one.
root_cert_store = NewRootCertStore();
Member

Can you remove the TODO comment above? :)

Contributor Author

Oops! 🤦‍♀️
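
The check joyeecheung asks for in the comments above, sketched as an added example (not code from this PR or from the Node.js test suite): a worker is started with the opposite --use-system-ca setting from the parent, and each thread's tls.getCACertificates('default') is compared against the certificates that only the system store provides. The helper names systemOnly, verdict and defaultStoreInWorker are hypothetical, and the sketch assumes a build in which Worker execArgv accepts the flag; on other builds it reports a skip.

```javascript
// Added example, not the PR's test. Assumes tls.getCACertificates() exists
// and that Worker execArgv accepts --use-system-ca / --no-use-system-ca.
const tls = require('node:tls');
const { Worker } = require('node:worker_threads');

// Certificates the OS trusts that Node.js does not bundle. Only these can
// show whether a thread's default store includes the system store.
function systemOnly(system, bundled) {
  const known = new Set(bundled);
  return system.filter((pem) => !known.has(pem));
}

// Does one thread's default store match that thread's own setting?
function verdict(defaultCerts, marker, usesSystemCA) {
  if (marker.length === 0) return 'skip'; // nothing to tell the stores apart
  const store = new Set(defaultCerts);
  const present = marker.filter((pem) => store.has(pem)).length;
  if (usesSystemCA) return present === marker.length ? 'ok' : 'missing';
  return present === 0 ? 'ok' : 'leaked';
}

// Read the default store inside a worker started with its own execArgv.
function defaultStoreInWorker(execArgv) {
  return new Promise((resolve, reject) => {
    const src = "require('node:worker_threads').parentPort.postMessage(" +
                "require('node:tls').getCACertificates('default'))";
    const worker = new Worker(src, { eval: true, execArgv });
    worker.once('message', resolve).once('error', reject);
  });
}

async function main() {
  if (typeof tls.getCACertificates !== 'function') return 'skip: old Node.js';
  const marker = systemOnly(tls.getCACertificates('system'),
                            tls.getCACertificates('bundled'));
  // Assumption: the parent's flag, if any, was given on the command line.
  const parentOn = process.execArgv.includes('--use-system-ca');
  const workerFlag = parentOn ? '--no-use-system-ca' : '--use-system-ca';
  const workerDefault = await defaultStoreInWorker([workerFlag]);
  // The parent is read only after the worker ran with the opposite setting.
  const parent = verdict(tls.getCACertificates('default'), marker, parentOn);
  return { parent, worker: verdict(workerDefault, marker, !parentOn) };
}

main().then(console.log, (e) => console.log('skip:', e.code || e.message));
```

A 'leaked' verdict is only meaningful when NODE_EXTRA_CA_CERTS is unset, since extra certificates also land in the default store.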
