fix: quickstart env variables

Author: jinseopkim0

bazel/curl.BUILD

@@ -145,6 +145,8 @@ CURL_WIN_COPTS = [
     "/DCURL_DISABLE_PROXY",
     "/DHAVE_LIBZ",
     "/DHAVE_ZLIB_H",
+    "/DUSE_OPENSSL",    # UPDATED: Enable OpenSSL interface
+    "/DHAVE_BORINGSSL", # UPDATED: Explicitly define BoringSSL
     # Defining _USING_V110_SDK71_ is hackery to defeat curl's incorrect
     # detection of what OS releases we can build on with VC 2012. This
     # may not be needed (or may have to change) if the WINVER setting
@@ -157,8 +159,7 @@ CURL_WIN_SRCS = [
     "lib/inet_ntop.c",
     "lib/system_win32.c",
     "lib/x509asn1.c",
-    "lib/vtls/schannel.c",
-    "lib/vtls/schannel_verify.c",
+    "lib/vtls/openssl.c", # UPDATED: Use OpenSSL/BoringSSL impl
     "lib/idn_win32.c",
 ]
 
@@ -455,12 +456,8 @@ cc_library(
         ":define-ca-bundle-location",
         "@com_github_cares_cares//:ares",
         "@zlib",
-    ] + select({
-        ":windows": [],
-        "//conditions:default": [
-            "@boringssl//:ssl",
-        ],
-    }),
+        "@boringssl//:ssl", # UPDATED: Always link BoringSSL (even on Windows)
+    ],
 )
 
 write_file(
@@ -495,9 +492,15 @@ write_file(
         "#  define CURL_DISABLE_TELNET 1",
         "#  define CURL_DISABLE_TFTP 1",
         "#  define CURL_PULL_WS2TCPIP_H 1",
-        "#  define USE_WINDOWS_SSPI 1",
+        "#  define USE_OPENSSL 1",          // UPDATED: Added
+        "#  define HAVE_BORINGSSL 1",       // UPDATED: Added
+        "#  define HAVE_LIBSSL 1",          // UPDATED: Added
+        "#  define HAVE_OPENSSL_SSL_H 1",   // UPDATED: Added
+        "#  define HAVE_OPENSSL_CRYPTO_H 1",// UPDATED: Added
+        "#  define HAVE_OPENSSL_PEM_H 1",   // UPDATED: Added
+        "#  define HAVE_OPENSSL_X509_H 1",  // UPDATED: Added
+        "#  define HAVE_OPENSSL_ERR_H 1",   // UPDATED: Added
         "#  define USE_WIN32_IDN 1",
-        "#  define USE_SCHANNEL 1",
         "#  define WANT_IDN_PROTOTYPES 1",
         "#elif defined(__APPLE__)",
         "#  define HAVE_FSETXATTR_6 1",

ci/kokoro/windows/builds/bazel.ps1

@@ -6,7 +6,7 @@
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#     https://www.apache.org/licenses/LICENSE-2.0
+#      https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
@@ -62,32 +62,151 @@ if ($LastExitCode) {
 . ci/kokoro/windows/lib/integration.ps1
 
 function Invoke-REST-Quickstart {
-    bazelisk $common_flags run $build_flags `
-      //google/cloud/storage/quickstart:quickstart -- `
-      "${env:GOOGLE_CLOUD_CPP_STORAGE_TEST_BUCKET_NAME}"
-    if ($LastExitCode) {
-        Write-Host -ForegroundColor Red "bazel run (storage/quickstart) failed with exit code ${LastExitCode}."
-        Exit ${LastExitCode}
+    param($bazel_bin)
+    try {
+        $executable = Join-Path $bazel_bin "google/cloud/storage/quickstart/quickstart.exe"
+        Write-Host "Running REST Quickstart, attempting to run: $executable"
+        if (-not (Test-Path $executable)) {
+          Write-Host -ForegroundColor Red "Executable not found at the specified path."
+          Exit 1
+        }
+        & $executable "${env:GOOGLE_CLOUD_CPP_STORAGE_TEST_BUCKET_NAME}"
+        if ($LastExitCode) {
+            Write-Host -ForegroundColor Red "Execution of (storage/quickstart) failed with exit code ${LastExitCode}."
+            Exit ${LastExitCode}
+        }
+    } catch {
+        Write-Host -ForegroundColor Red "Caught exception while trying to run storage/quickstart: $_"
+        Exit 1
     }
 }
 
 function Invoke-gRPC-Quickstart {
-    bazelisk $common_flags run $build_flags `
-      //google/cloud/pubsub/quickstart:quickstart -- `
-      "${env:GOOGLE_CLOUD_PROJECT}" "${env:GOOGLE_CLOUD_CPP_PUBSUB_TEST_QUICKSTART_TOPIC}"
-    if ($LastExitCode) {
-        Write-Host -ForegroundColor Red "bazel run (pubsub/quickstart) failed with exit code ${LastExitCode}."
-        Exit ${LastExitCode}
+    param($bazel_bin)
+    try {
+        $executable = Join-Path $bazel_bin "google/cloud/pubsub/quickstart/quickstart.exe"
+        Write-Host "Running gRPC Quickstart, attempting to run: $executable"
+        if (-not (Test-Path $executable)) {
+          Write-Host -ForegroundColor Red "Executable not found at the specified path."
+          Exit 1
+        }
+        & $executable "${env:GOOGLE_CLOUD_PROJECT}" "${env:GOOGLE_CLOUD_CPP_PUBSUB_TEST_QUICKSTART_TOPIC}"
+        if ($LastExitCode) {
+            Write-Host -ForegroundColor Red "Execution of (pubsub/quickstart) failed with exit code ${LastExitCode}."
+            Exit ${LastExitCode}
+        }
+    } catch {
+        Write-Host -ForegroundColor Red "Caught exception while trying to run pubsub/quickstart: $_"
+        Exit 1
     }
 }
 
 if (Test-Integration-Enabled) {
     Write-Host "`n$(Get-Date -Format o) Running minimal quickstart prorams"
+    
+    # 1. Install the certificates
     Install-Roots-Pem
-    ${env:GRPC_DEFAULT_SSL_ROOTS_FILE_PATH}="${env:KOKORO_GFILE_DIR}/roots.pem"
-    ${env:GOOGLE_APPLICATION_CREDENTIALS}="${env:KOKORO_GFILE_DIR}/kokoro-run-key.json"
-    Invoke-REST-Quickstart
-    Invoke-gRPC-Quickstart
+
+    # 2. Normalize paths to use Forward Slashes (/)
+    # This is critical for C++ binaries (BoringSSL/libcurl) to parse paths correctly on Windows.
+    $RawRootsPath = Join-Path $env:KOKORO_GFILE_DIR "roots.pem"
+    $RootsPath = $RawRootsPath -replace '\\', '/'
+    
+    $RawKeyPath = Join-Path $env:KOKORO_GFILE_DIR "kokoro-run-key.json"
+    $KeyPath = $RawKeyPath -replace '\\', '/'
+
+    # 3. Set ALL SSL Environment Variables
+    # OpenSSL/BoringSSL may look at SSL_CERT_FILE before CURL_CA_BUNDLE
+    # Use Forward Slashes ($RootsPath) for BoringSSL
+    $env:GRPC_DEFAULT_SSL_ROOTS_FILE_PATH = $RootsPath
+    $env:CURL_CA_BUNDLE = $RootsPath
+    $env:SSL_CERT_FILE = $RootsPath
+    $env:GOOGLE_APPLICATION_CREDENTIALS = $KeyPath
+    
+    # 4. Enable Deep Library Logging
+    $env:GOOGLE_CLOUD_CPP_ENABLE_TRACING="http"
+    $env:CURL_VERBOSE="1"
+
+    # --- DEBUG CHECKS ---
+    Write-Host -ForegroundColor Cyan "`n--- DEBUG: Environment & File Check ---"
+    Write-Host "Roots Path: $RootsPath"
+    
+    Write-Host "`n[Check 1] Environment Variables:"
+    Get-ChildItem Env: | Where-Object { $_.Name -match 'CURL_|GOOGLE_|GRPC_|SSL_' } | Format-Table -AutoSize | Out-Host
+    
+    Write-Host "`n[Check 2] File Verify:"
+    if (Test-Path $RootsPath) {
+        Write-Host -ForegroundColor Green "File exists."
+        Get-Item $RootsPath | Select-Object Length, LastWriteTime
+    } else {
+        Write-Host -ForegroundColor Red "CRITICAL: File not found at $RootsPath"
+    }
+    Write-Host "--- DEBUG END ---`n"
+
+    bazelisk $common_flags build $build_flags `
+        //google/cloud/storage/quickstart:quickstart `
+        //google/cloud/pubsub/quickstart:quickstart
+
+    $bazel_bin = (bazelisk $common_flags info $build_flags bazel-bin).Trim()
+    # Fix bazel-bin path for PowerShell invocation just in case
+    $bazel_bin = $bazel_bin.Replace('/', '\') 
+    Write-Host "bazel-bin directory: $bazel_bin"
+
+    # --- VERIFICATION EXPERIMENT START ---
+    Write-Host -ForegroundColor Cyan "`n--- EXPERIMENT: The 'Strip & Retry' Test ---"
+    
+    # Define paths
+    $DirtyFile = $RawRootsPath
+    $CleanFile = Join-Path $env:KOKORO_GFILE_DIR "roots_clean.pem"
+    $CleanFileForward = $CleanFile -replace '\\', '/'
+
+    # Check for the "Poison" (\r)
+    $text = [System.IO.File]::ReadAllText($DirtyFile)
+    if ($text.Contains("`r")) {
+        Write-Host -ForegroundColor Red "[CONFIRMED] 'roots.pem' contains Carriage Returns (\r)."
+        Write-Host "      Attempting to sanitize and run binary..."
+        
+        # Create the Antidote (Remove all \r)
+        $cleanText = $text.Replace("`r", "")
+        [System.IO.File]::WriteAllText($CleanFile, $cleanText)
+        Write-Host "Created sanitized file: $CleanFileForward"
+
+        # Run the Binary against the CLEAN file
+        Write-Host "`nRunning quickstart.exe using CLEAN file..."
+        
+        # Temporarily override the env var just for this test
+        $env:CURL_CA_BUNDLE = $CleanFileForward
+        $env:SSL_CERT_FILE = $CleanFileForward
+        $env:GRPC_DEFAULT_SSL_ROOTS_FILE_PATH = $CleanFileForward
+        
+        # Construct executable path
+        $QuickstartExe = Join-Path $bazel_bin "google/cloud/storage/quickstart/quickstart.exe"
+
+        try {
+           & $QuickstartExe "${env:GOOGLE_CLOUD_CPP_STORAGE_TEST_BUCKET_NAME}"
+           if ($LastExitCode -eq 0) {
+               Write-Host -ForegroundColor Green "`n[SUCCESS] The binary worked with the clean file!"
+               Write-Host -ForegroundColor Green "CONCLUSION: Carriage Returns were the root cause."
+           } else {
+               Write-Host -ForegroundColor Red "`n[FAILURE] The binary still failed ($LastExitCode) even with the clean file."
+               Write-Host -ForegroundColor Red "CONCLUSION: The issue is NOT carriage returns."
+           }
+        } catch {
+            Write-Host "Execution failed: $_"
+        }
+        
+        # Restore Env Vars for standard test flow
+        $env:CURL_CA_BUNDLE = $RootsPath
+        $env:SSL_CERT_FILE = $RootsPath
+        $env:GRPC_DEFAULT_SSL_ROOTS_FILE_PATH = $RootsPath
+    } else {
+        Write-Host -ForegroundColor Green "[INFO] 'roots.pem' is already clean (No \r). Experiment skipped."
+    }
+    Write-Host "------------------------------------------------"
+    # --- VERIFICATION EXPERIMENT END ---
+
+    Invoke-REST-Quickstart $bazel_bin
+    Invoke-gRPC-Quickstart $bazel_bin
 }
 
 # Shutdown the Bazel server to release any locks

ci/kokoro/windows/lib/integration.ps1

@@ -4,7 +4,7 @@
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#     https://www.apache.org/licenses/LICENSE-2.0
+#      https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
@@ -14,29 +14,149 @@
 
 # Helper functions to run the minimal integration tests
 
-$PROJECT_ROOT = (Get-Item -Path ".\" -Verbose).FullName
+$PROJECT_ROOT = (Get-Item -Path ".\").FullName
 $integration_tests_config="${PROJECT_ROOT}/ci/etc/integration-tests-config.ps1"
 . "${integration_tests_config}"
 
 function Test-Integration-Enabled {
     if ((Test-Path env:KOKORO_GFILE_DIR) -and
        (Test-Path "${env:KOKORO_GFILE_DIR}/kokoro-run-key.json")) {
-        return $True
+       return $True
     }
     return $False
 }
 
+function Debug-Network {
+    param([string]$targetUrl)
+    Write-Host -ForegroundColor Cyan "`n--- NETWORK DEBUG START ($targetUrl) ---"
+    try {
+        $uri = New-Object System.Uri($targetUrl)
+        $hostName = $uri.DnsSafeHost
+
+        # 1. DNS Resolution
+        Write-Host "1. Testing DNS resolution for $hostName..."
+        $dns = Resolve-DnsName -Name $hostName -ErrorAction SilentlyContinue
+        if ($dns) { $dns | Format-Table -AutoSize | Out-Host } else { Write-Host -ForegroundColor Red "DNS Resolution FAILED" }
+
+        # 2. Basic TCP Connectivity (checking port 443)
+        Write-Host "`n2. Testing TCP connectivity to $hostName`:443..."
+        try {
+             $tcp = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
+             if ($tcp.TcpTestSucceeded) { Write-Host "TCP connection SUCCEEDED" } else { Write-Host -ForegroundColor Red "TCP connection FAILED" }
+             Write-Host "Detailed Info: $($tcp | Out-String)"
+        } catch {
+             Write-Host -ForegroundColor Red "Test-NetConnection failed to run: $_"
+        }
+
+        # 3. Proxy Detection
+        Write-Host "`n3. Checking System Proxy for $targetUrl..."
+        $proxy = [System.Net.WebRequest]::GetSystemWebProxy()
+        $proxyUri = $proxy.GetProxy($uri)
+        Write-Host "Effective Proxy: $proxyUri"
+        Write-Host "Is Bypassed: $($proxy.IsBypassed($uri))"
+
+    } catch {
+        Write-Host -ForegroundColor Red "An error occurred during network debug: $_"
+    }
+    Write-Host -ForegroundColor Cyan "--- NETWORK DEBUG END ---`n"
+}
+
 function Install-Roots-Pem {
-    Write-Host -ForegroundColor Yellow "`n$(Get-Date -Format o) " `
-        "Downloading roots.pem [$_]"
+    Debug-Network -targetUrl "https://curl.se/ca/cacert.pem"
+    $RootsPath = "${env:KOKORO_GFILE_DIR}/roots.pem"
+
     ForEach($attempt in (1, 2, 3)) {
+        Write-Host -ForegroundColor Yellow "`n$(Get-Date -Format o) " `
+            "Downloading roots.pem [$attempt]"
         try {
-            (New-Object System.Net.WebClient).Downloadfile(
-                    'https://pki.google.com/roots.pem',
-                    "${env:KOKORO_GFILE_DIR}/roots.pem")
+            # 1. Download the Mozilla Bundle to memory string
+            # We avoid saving to disk immediately to prevent PowerShell from adding CRLF
+            $WebClient = New-Object System.Net.WebClient
+            $MozillaCerts = $WebClient.DownloadString('https://curl.se/ca/cacert.pem')
+
+            # 2. Gather Windows System Certificates
+            # We check both 'Root' (Trusted Root CAs) and 'CA' (Intermediate CAs)
+            # as corporate proxies often sign with an Intermediate.
+            Write-Host "Gathering Windows System Root Certificates..."
+            $WindowsCerts = ""
+            $storesToCheck = @("Root", "CA")
+            
+            foreach ($storeName in $storesToCheck) {
+                Write-Host -ForegroundColor Cyan "Processing Store: LocalMachine\$storeName"
+                $certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $storeName, "LocalMachine"
+                $certStore.Open('ReadOnly')
+                
+                $certStore.Certificates | ForEach-Object {
+                    $cert = $_
+                    Write-Host "  Adding: $($cert.Subject)"
+                    
+                    # Export to Base64
+                    $b64 = [Convert]::ToBase64String($cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert), 'InsertLineBreaks')
+                    
+                    # Construct PEM with explicit Unix Newlines (\n)
+                    $header = "-----BEGIN CERTIFICATE-----"
+                    $footer = "-----END CERTIFICATE-----"
+                    $WindowsCerts += "$header`n$b64`n$footer`n"
+                }
+                $certStore.Close()
+            }
+
+            # 3. Write Combined File with Strict UNIX Line Endings (\n)
+            # We use .NET IO classes to bypass PowerShell's default CRLF behavior.
+            Write-Host "Writing combined roots.pem with Unix LF line endings..."
+            $FinalContent = $MozillaCerts + "`n" + $WindowsCerts
+            
+            # Normalize: Replace any Windows \r\n with Unix \n
+            # This is the CRITICAL FIX for BoringSSL/gRPC which can choke on Carriage Returns (\r)
+            $FinalContent = $FinalContent -replace "`r`n", "`n"
+            
+            [System.IO.File]::WriteAllText($RootsPath, $FinalContent, [System.Text.Encoding]::ASCII)
+
+            # --- DEBUG START ---
+            Write-Host -ForegroundColor Cyan "`nDEBUG: Inspecting roots.pem..."
+            
+            # Check for Seams/Corruption
+            $corruption = Select-String -Path $RootsPath -Pattern "-----END CERTIFICATE----------BEGIN CERTIFICATE-----"
+            if ($corruption) {
+                Write-Host -ForegroundColor Red "FAIL: Found corrupted certificate boundaries!"
+            } else {
+                Write-Host -ForegroundColor Green "PASS: No certificate boundary corruption detected."
+            }
+
+            # Check for Carriage Returns (The "BoringSSL Killer")
+            if ($FinalContent.Contains("`r")) {
+                 Write-Host -ForegroundColor Red "FAIL: File still contains Carriage Returns (\r)!"
+            } else {
+                 Write-Host -ForegroundColor Green "PASS: File contains strict Unix Line Feeds (\n)."
+            }
+
+            Write-Host -ForegroundColor Cyan "`nDEBUG: Testing SSL connection to GCS..."
+            
+            # Relax ErrorActionPreference so curl -v stderr doesn't crash the script
+            $OldEAP = $ErrorActionPreference
+            $ErrorActionPreference = "Continue"
+            
+            try {
+                & curl.exe --version
+                & curl.exe -v https://storage.googleapis.com --cacert $RootsPath 2>&1 | Out-Host
+                if ($LastExitCode -ne 0) {
+                    Write-Host -ForegroundColor Red "Curl exited with error code: $LastExitCode"
+                } else {
+                     Write-Host -ForegroundColor Green "Curl connection test PASSED."
+                }
+            } catch {
+                 Write-Host -ForegroundColor Red "Debug curl command failed unexpectedly: $_"
+            } finally {
+                $ErrorActionPreference = $OldEAP
+            }
+            # --- DEBUG END ---
+
             return
         } catch {
-            Write-Host -ForegroundColor Yellow "`n$(Get-Date -Format o) download error"
+            Write-Host -ForegroundColor Yellow "`n$(Get-Date -Format o) download/setup error: $_"
+            if ($attempt -eq 3) {
+                 Debug-Network -targetUrl "https://storage.googleapis.com"
+            }
         }
         Start-Sleep -Seconds (60 * $attempt)
     }