Element 34

One of the nice things about using Redis via Elasticache is that it gives you a Primary endpoint and a Reader endpoint which means we can split our load more easily (in addition to having the redundancy that they provides.) Unfortunately, Laravel doesn’t have this out of the box which is forever a paper cut I experience. (My only guess is that it is because it really is an AWS thing and by-and-large things are pretty agnostic. Going all-in on AWS is a rant for another day.)

Anyhow, we’re re-examining our caching strategy and this finally bothered me enough to do something about it.

Our main way of interacting with the cache is currently through remember() and rememberForever() … which uses only the Primary endpoint. Now, these functions just wrap a get and if nothing is returned, runs the closure output as a put. So there is our roadmap.

First, we need to do some setup.

In config/database.php I copied the cache block and created a cache_read and cache_write one as well. I left the original one as well as a transition … though let’s be honest, I’m never going to delete it.

    'cache_read' => [
        'url' => env('REDIS_URL'),
        'host' => env('REDIS_HOST_READ', '127.0.0.1'),
        'username' => env('REDIS_USERNAME'),
        'password' => env('REDIS_PASSWORD'),
        'port' => env('REDIS_PORT', '6379'),
        'database' => env('REDIS_CACHE_DB', '1'),
    ],

    'cache_write' => [
        'url' => env('REDIS_URL'),
        'host' => env('REDIS_HOST_WRITE', '127.0.0.1'),
        'username' => env('REDIS_USERNAME'),
        'password' => env('REDIS_PASSWORD'),
        'port' => env('REDIS_PORT', '6379'),
        'database' => env('REDIS_CACHE_DB', '1'),
    ],

You’ll also notice that the only thing that changed in there is the host is being populated from a different environment variable, so you’ll need to update your various .env processes as well.

Now that the connections are configured, we need to teach the caching system how to access these new stores in config/cache.php by, again, copy and pasting the existing redis blocks and update the connection to use.

    'redis_read' => [
        'driver' => 'redis',
        'connection' => 'cache_read',
        'lock_connection' => 'default',
    ],

    'redis_write' => [
        'driver' => 'redis',
        'connection' => 'cache_write',
        'lock_connection' => 'default',
    ],

All that is left now is to start pulling our code towards acting-like-remember-but-not.

$value = Cache::store('redis_read')->get('key');
if (! $value) {
    $value = 'foo'; // or whatever you would do in the remember closure
    Cache::store('redis_write')->put('key');
}

And just like that, your hit percentage starts to go up on your Replica.

Though I really do think Laravel should be smart enough that if you give a Redis connection read and write options that things automatically route accordingly…

Eloquent can make things really easy. But sometimes that thing is shooting yourself in the foot with a performance problem.

We recently released an API endpoint to a customer that was paginated. The first version of the code looked something like this.

return $model
    ->relationship
    ->map(function ($relation) {
        // tonne of heavy lifting
    })
    ->paginate();

It is nothing crazy — just manipulate the objects in the relationship and send it on its way back to the caller. Tests all passed and things were great.

Until it was deployed into production and it took almost 3 minutes to run.

What was happening was that it was doing the ‘tonne of heavy lifting’ against all 3000 models and then returning the page that was requested. That’s not quite efficient.

The solution is to flip things around and paginate first and then the map.

$items = $model
    ->relationship
    ->paginate();

$mapped = $items
    ->getCollection()
    ->map(function ($relation) {
        // a tonne of heavy lifting
    });

$items->setCollection($mapped);

return $items;

By mapping only the things in the requested pagination page, the time dropped by around 85%.

Needless to say, we’ve stopped using the map-then-paginate pattern in our application … and you likely should as well.

On the upside, my mail is getting nicely sorted. On the downside, its now sorted /and/ neglected. So this is one of, hopefully, many posts where I catch up on things. First up, is the ArchTech Newsletter which has some hightlights from their weekly twitter thread to your inbox, plus some other bits around products and packages they are working on. Subscribe here.

• LazilyRefreshDatabase looks like a nice cleanup for tests.
• Sidecar has a tonne of potential. It feels like it farms your queue workers to the AWS Lambda — and so in any language it supports
• The Road to PHP: Static Analysis is an email drip course, on, well, status analysis
• Laravel 8.x and newer projects shouldn’t be using Guzzle (or heaven forbid, curl) but should be using the built-in HTTP client. Getting it to throw errors is a useful thing to know how to do.
• Laravel SEO looks like it could reduce some code on some of my projects.
• Mail Intercept lets you test mail in Laravel by, well, intercepting it rather than Faking it. I think I like this concept. We’ll be testing a tonne of mail for i18n reasons by the end of February so might make use of this.
• I don’t think you should ever be storing sensitive data as properties of jobs, but if you insist, then you should be using ShouldBeEncrypted on those jobs

This is another in the small series of ‘things that have changed in Selenium Grid but I have not yet added to the official docs’ posts.

When Selenium Grid was first created, the expectation was that your Grid Hub was nicely secured inside your network, along with your Nodes so everything should be trusted to communicate. But now that we live in a cloud environment, that assumption isn’t quite as tight as it once was. You could have everything tightly locked down in your AWS account, but if someone gets their access key comprimised who can make instances, well, it’s a problem. I know if I was a bad guy, I would be scanning for open Grid Hubs and then figure out how to register with them. There is a wealth of information to be had; competitive intelligence on new features not available in the wild, account details for production testing, etc.

Last night I pushed a change that prevents rouge Grid Nodes from registering in your Grid Hub (so it will be available in the next alpha or you can build it yourself now). I don’t know if this has ever happened in the wild, but the fact that it could is enough that it needed to be closed down.

In order to secure Node registration, you need to supply the new argument --registration-secret in a couple different places. If the secrets do not match, the Node is not registered. This secret should be treated like any other password in your infrastructure, which is to say, not checked into a repo or other practice. Instead it should be kept in something like Hashicorp Vault or AWS Secrets Manager and only accessed (via automated means) when needed.

Standalone Server

When running your Hub as a single instance, there is only one process so only one place that needs the secret handed to it

  java -jar selenium.jar \
       hub \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem \
       --registration-secret cheese

Distributed Server

When running your Hub in a distributed configuration, the Distributor and Router servers need to have it.

  java -jar selenium.jar \
       distributor \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem \
       -s https://sessions.grid.com:5556 \
       --registration-secret cheese \

  java -jar selenium.jar \
       router \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem \
       -s https://sessions.grid.com:5556 \
       -d https://distributor.grid.com:5553 \
       --registration-secret cheese

Node

Regardless of your approach to running the Server, the Node needs it too. (Obviously.)

  java -jar selenium.jar \
       node \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem \
       --detect-drivers \
       --registration-secret cheese

Detection

When a Node fails to register, two things happen;

1. A log entry is created at an ERROR level saying a Node did not register correctly. Your Selenium infrastructure needs the same attention to its logging as your production infrastructure. So this should trip an alert to someone in whatever manner it is this would happen for a potential security problem in any other environment.
2. An event is dropped onto the bus. The Selenium Server shipped with a 0mq bus built-in, but when deploying in a real environment I would suggest using it with something like AWS SQS (or your cloud’s equivilant) as your queuing system which you and then have something like AWS Lambda watch for these events and trigger actions accordingly.

It should be noted further that these are all on the side of the Server, not the Node. The rouge Node is not given any indication that secrets are configured or that the secret they sent was incorrect.

For the last couple years, my schtick has been that I don’t care about your scripts, just your infrastructure. I’m pretty sure in my talk at SeConf London I mused that it was bonkers that we had got away communicating to the Se Server via HTTP. (I have to deal with vendor audits at work and they get really antsy at any mention of HTTP.) At SeConf Chicago I crashed the Se Grid workshop and asked (knowingly) if I was correct that communication was only via HTTP hoping someone would fix it for me. Alas, no one took the bait so at SeConf in London, I was describing the problem to Simon who happened to be creating a ticket (actually, a couple) as I talked, and then I got an alert saying it was assigned to me. The squeaky wheel applies its own grease it seems.

There are a couple catch-22’s in place before I can update the official Selenium Documentation (have you seen the new doc site? It’s great!), so in lieu of that, here is a quick how-to on something that will be in Selenium 4 Alpha 2 (or now if you build it yourself).

What is below is the output of ‘info security’ on the new server. (The ‘info’ command is also new and as of yet undocumented.)

---

Selenium Grid by default communicates over HTTP. This is fine for a lot of use cases, especially if everything is contained within the firewall and against test sites with testing data. However, if your server is exposed to the Internet or is being used in environments with production data (or that which has PII) then you should secure it.

Standalone

In order to run the server using HTTPS instead of HTTP you need to start it with the --https-private-key and --https-certificate flags to provide it the certificate and private key (as a PKCS8 file).

  java -jar selenium.jar \
       hub \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem

Distributed

Alternatively, if you are starting things individually you would also specify HTTPS when telling where to find things.

  java -jar selenium.jar \
       sessions \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem

  java -jar selenium.jar \
       distributor \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem \
       -s https://sessions.grid.com:5556

  java -jar selenium.jar \
       router \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem \
       -s https://sessions.grid.com:5556 \
       -d https://distributor.grid.com:5553 \

Certificates

The Selenium Grid will not operate with self-signed certificates, as a result you will need to have some provisioned to you from a Certificate Authority of some sort. For experimentation purposes you can use MiniCA to create and sign your certificates.

  minica --domains sessions.grid.com,distributor.grid.com,router.grid.com

This will create minica.pem and minica.key in the current directory as well as cert.pem and key.pem in a directory sessions.grid.com which will have both distributor.grid.com and router.grid.com as alternative names. Because Selenium Grid requires the key to be in PKCS8, you have to convert it.

  openssl pkcs8 \
    -in sessions.grid.com/key.pem \
    -topk8 \
    -out sessions.grid.com/key.pkcs8 \
    -nocrypt

And since we are using a non-standard CA, we have to teach Java about it. To do that you add it to the cacert truststore which is by default, $JAVA_HOME/jre/lib/security/cacerts

  sudo keytool \
      -import \
      -file /path/to/minica.pem \
      -alias minica \
      -keystore $JAVA_HOME/jre/lib/security/cacerts \
      -storepass changeit \
      -cacerts

Clients

None of the official clients have been updated yet to support this, but if you are using a CA that the system knows about you can just use an HTTPS Command Executor and everything will work. If you are using a non-standard one (like MiniCA) you probably will have to just through a hoop or two similar to here in Python which basically says “Yes, yes, I know you don’t know about the CA but I do so just continue along anyways.”

from selenium import webdriver

import urllib3
urllib3.disable_warnings()

options = webdriver.FirefoxOptions()
driver = webdriver.Remote(
    command_executor='https://router.grid.com:4444',
    options = options
)

driver.close()