itsi-scheduler 0.1.5 → 0.1.14

data/ext/itsi_server/src/server/tls.rs

@@ -2,21 +2,29 @@ use base64::{engine::general_purpose, Engine as _};
 use itsi_error::Result;
 use itsi_tracing::info;
 use locked_dir_cache::LockedDirCache;
-use rcgen::{CertificateParams, DnType, KeyPair, SanType};
-use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use rcgen::{
+    generate_simple_self_signed, CertificateParams, CertifiedKey, DnType, KeyPair, SanType,
+};
+use rustls::{
+    pki_types::{CertificateDer, PrivateKeyDer},
+    ClientConfig, RootCertStore,
+};
 use rustls_pemfile::{certs, pkcs8_private_keys};
 use std::{
     collections::HashMap,
-    env, fs,
+    fs,
     io::{BufReader, Error},
     sync::Arc,
 };
 use tokio::sync::Mutex;
 use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
 use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
+
+use crate::env::{
+    ITSI_ACME_CACHE_DIR, ITSI_ACME_CA_PEM_PATH, ITSI_ACME_CONTACT_EMAIL, ITSI_ACME_DIRECTORY_URL,
+    ITSI_LOCAL_CA_DIR,
+};
 mod locked_dir_cache;
-const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
-const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
 
 #[derive(Clone)]
 pub enum ItsiTlsAcceptor {
@@ -28,35 +36,72 @@ pub enum ItsiTlsAcceptor {
     ),
 }
 
-// Generates a TLS configuration based on either :
-// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
-// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
-// If a non-local host or optional domain parameter is provided,
-// an automated certificate will attempt to be fetched using let's encrypt.
+/// Generates a TLS configuration based on either :
+/// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
+/// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
+///
+/// If a non-local host or optional domain parameter is provided,
+/// an automated certificate will attempt to be fetched using let's encrypt.
 pub fn configure_tls(
     host: &str,
     query_params: &HashMap<String, String>,
 ) -> Result<ItsiTlsAcceptor> {
     let domains = query_params
         .get("domains")
-        .map(|v| v.split(',').map(String::from).collect::<Vec<_>>());
+        .map(|v| v.split(',').map(String::from).collect::<Vec<_>>())
+        .or_else(|| query_params.get("domain").map(|v| vec![v.to_string()]));
 
-    if query_params.get("cert").is_none() || query_params.get("key").is_none() {
+    if query_params.get("cert").is_some_and(|c| c == "acme") {
         if let Some(domains) = domains {
-            let directory_url = env::var("ACME_DIRECTORY_URL")
-                .unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string());
+            let directory_url = &*ITSI_ACME_DIRECTORY_URL;
             info!(
                 domains = format!("{:?}", domains),
                 directory_url, "Requesting acme cert"
             );
-            let acme_state = AcmeConfig::new(domains)
-                .contact(["mailto:wc@pico.net.nz"])
-                .cache(LockedDirCache::new("./rustls_acme_cache"))
-                .directory(directory_url)
-                .state();
-            let rustls_config = ServerConfig::builder()
+            let acme_contact_email = query_params
+                .get("acme_email")
+                .map(|s| s.to_string())
+                .or_else(|| (*ITSI_ACME_CONTACT_EMAIL).as_ref().ok().map(|s| s.to_string()))
+                .ok_or_else(|| itsi_error::ItsiError::ArgumentError(
+                    "acme_email query param or ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate let's encrypt certificates".to_string(),
+                ))?;
+
+            let acme_config = AcmeConfig::new(domains)
+                .contact([format!("mailto:{}", acme_contact_email)])
+                .cache(LockedDirCache::new(&*ITSI_ACME_CACHE_DIR))
+                .directory(directory_url);
+
+            let acme_state = if let Ok(ca_pem_path) = &*ITSI_ACME_CA_PEM_PATH {
+                let mut root_cert_store = RootCertStore::empty();
+
+                let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
+                let mut ca_reader = BufReader::new(&ca_pem[..]);
+                let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
+                    .collect::<std::result::Result<Vec<CertificateDer>, _>>()
+                    .map_err(|e| {
+                        itsi_error::ItsiError::ArgumentError(format!(
+                            "Invalid ACME CA Pem path {:?}",
+                            e
+                        ))
+                    })?;
+                root_cert_store.add_parsable_certificates(der_certs);
+
+                let client_config = ClientConfig::builder()
+                    .with_root_certificates(root_cert_store)
+                    .with_no_client_auth();
+                acme_config
+                    .client_tls_config(Arc::new(client_config))
+                    .state()
+            } else {
+                acme_config.state()
+            };
+
+            let mut rustls_config = ServerConfig::builder()
                 .with_no_client_auth()
                 .with_cert_resolver(acme_state.resolver());
+
+            rustls_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+
             let acceptor = acme_state.acceptor();
             return Ok(ItsiTlsAcceptor::Automatic(
                 acceptor,
@@ -73,7 +118,7 @@ pub fn configure_tls(
         let key = load_private_key(key_path);
         (certs, key)
     } else {
-        generate_ca_signed_cert(vec![host.to_owned()])?
+        generate_ca_signed_cert(domains.unwrap_or(vec![host.to_owned()]))?
     };
 
     let mut config = ServerConfig::builder()
@@ -144,10 +189,19 @@ pub fn load_private_key(path: &str) -> PrivateKeyDer<'static> {
 pub fn generate_ca_signed_cert(
     domains: Vec<String>,
 ) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> {
-    info!("Generating New Itsi CA - Self signed Certificate. Use `itsi ca export` to export the CA certificate for import into your local trust store.");
+    info!(
+        domains = format!("{}", domains.join(", ")),
+        "Self signed cert",
+    );
+    info!(
+        "Add {} to your system's trusted cert store to resolve certificate errors.",
+        format!("{}/itsi_dev_ca.crt", ITSI_LOCAL_CA_DIR.to_str().unwrap())
+    );
+    info!("Dev CA path can be overridden by setting env var: `ITSI_LOCAL_CA_DIR`.");
+    let (ca_key_pem, ca_cert_pem) = get_or_create_local_dev_ca()?;
 
-    let ca_kp = KeyPair::from_pem(ITS_CA_KEY).expect("Failed to load embedded CA key");
-    let ca_cert = CertificateParams::from_ca_cert_pem(ITS_CA_CERT)
+    let ca_kp = KeyPair::from_pem(&ca_key_pem).expect("Failed to load CA key");
+    let ca_cert = CertificateParams::from_ca_cert_pem(&ca_cert_pem)
         .expect("Failed to parse embedded CA certificate")
         .self_signed(&ca_kp)
         .expect("Failed to self-sign embedded CA cert");
@@ -155,10 +209,6 @@ pub fn generate_ca_signed_cert(
     let ee_key = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
     let mut ee_params = CertificateParams::default();
 
-    info!(
-        "Generated certificate will be valid for domains {:?}",
-        domains
-    );
     use std::net::IpAddr;
 
     ee_params.subject_alt_names = domains
@@ -187,3 +237,29 @@ pub fn generate_ca_signed_cert(
         PrivateKeyDer::try_from(ee_key.serialize_der()).unwrap(),
     ))
 }
+
+fn get_or_create_local_dev_ca() -> Result<(String, String)> {
+    let ca_dir = &*ITSI_LOCAL_CA_DIR;
+    fs::create_dir_all(ca_dir)?;
+
+    let key_path = ca_dir.join("itsi_dev_ca.key");
+    let cert_path = ca_dir.join("itsi_dev_ca.crt");
+
+    if key_path.exists() && cert_path.exists() {
+        // Already have a local CA
+        let key_pem = fs::read_to_string(&key_path)?;
+        let cert_pem = fs::read_to_string(&cert_path)?;
+
+        Ok((key_pem, cert_pem))
+    } else {
+        let subject_alt_names = vec!["dev.itsi.fyi".to_string(), "localhost".to_string()];
+
+        let CertifiedKey { cert, key_pair } =
+            generate_simple_self_signed(subject_alt_names).unwrap();
+
+        fs::write(&key_path, key_pair.serialize_pem())?;
+        fs::write(&cert_path, cert.pem())?;
+
+        Ok((key_pair.serialize_pem(), cert.pem()))
+    }
+}

data/ext/itsi_server/src/server/types.rs

@@ -0,0 +1,43 @@
+use std::convert::Infallible;
+
+use bytes::Bytes;
+use http::{Request, Response};
+use http_body_util::combinators::BoxBody;
+use hyper::body::Incoming;
+
+pub type HttpResponse = Response<BoxBody<Bytes, Infallible>>;
+pub type HttpRequest = Request<Incoming>;
+
+pub trait RequestExt {
+    fn content_type(&self) -> Option<&str>;
+    fn accept(&self) -> Option<&str>;
+    fn header(&self, header_name: &str) -> Option<&str>;
+    fn query_param(&self, query_name: &str) -> Option<&str>;
+}
+
+impl RequestExt for HttpRequest {
+    fn content_type(&self) -> Option<&str> {
+        self.headers()
+            .get("content-type")
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+
+    fn accept(&self) -> Option<&str> {
+        self.headers()
+            .get("accept")
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+
+    fn header(&self, header_name: &str) -> Option<&str> {
+        self.headers()
+            .get(header_name)
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+
+    fn query_param(&self, query_name: &str) -> Option<&str> {
+        self.uri()
+            .query()
+            .and_then(|query| query.split('&').find(|param| param.starts_with(query_name)))
+            .map(|param| param.split('=').nth(1).unwrap_or(""))
+    }
+}

data/ext/itsi_tracing/Cargo.toml

@@ -14,3 +14,4 @@ tracing-subscriber = { version = "0.3.19", features = [
 ] }
 tracing-attributes = "0.1"
 atty = "0.2.14"
+tracing-appender = "0.2.3"

data/ext/itsi_tracing/src/lib.rs

@@ -1,41 +1,229 @@
-use std::env;
-
 use atty::{Stream, is};
-pub use tracing::{debug, error, info, trace, warn};
-pub use tracing_attributes::instrument; // Explicitly export from tracing-attributes
-use tracing_subscriber::{
-    EnvFilter,
-    fmt::{self, format},
+use std::{
+    env,
+    sync::{Mutex, OnceLock},
 };
+pub use tracing::{debug, error, info, trace, warn};
+use tracing_appender::rolling;
+use tracing_subscriber::Layer;
+use tracing_subscriber::fmt::writer::BoxMakeWriter;
+use tracing_subscriber::{EnvFilter, fmt, prelude::*, reload};
+
+// Global reload handle for changing the level at runtime.
+static RELOAD_HANDLE: OnceLock<
+    Mutex<Option<reload::Handle<EnvFilter, tracing_subscriber::Registry>>>,
+> = OnceLock::new();
+
+/// Log format: Plain or JSON.
+#[derive(Debug, Clone)]
+pub enum LogFormat {
+    Plain,
+    Json,
+}
+
+/// Log target: STDOUT, File, or Both.
+#[derive(Debug, Clone)]
+pub enum LogTarget {
+    Stdout,
+    File(String), // file name (rotated daily)
+    Both(String), // file name (rotated daily) plus STDOUT
+}
+
+/// Logger configuration.
+#[derive(Debug, Clone)]
+pub struct LogConfig {
+    /// Log level as a string (e.g. "info", "debug").
+    pub level: String,
+    /// Format: Plain (with optional ANSI) or JSON.
+    pub format: LogFormat,
+    /// Target: STDOUT, File, or Both.
+    pub target: LogTarget,
+    /// Whether to enable ANSI coloring (for plain text).
+    pub use_ansi: bool,
+}
 
-#[instrument]
+impl Default for LogConfig {
+    fn default() -> Self {
+        let level = env::var("ITSI_LOG").unwrap_or_else(|_| "info".into());
+        let format = match env::var("ITSI_LOG_FORMAT").as_deref() {
+            Ok("json") => LogFormat::Json,
+            _ => LogFormat::Plain,
+        };
+        let target = match env::var("ITSI_LOG_TARGET").as_deref() {
+            Ok("file") => {
+                let file = env::var("ITSI_LOG_FILE").unwrap_or_else(|_| "app.log".into());
+                LogTarget::File(file)
+            }
+            Ok("both") => {
+                let file = env::var("ITSI_LOG_FILE").unwrap_or_else(|_| "app.log".into());
+                LogTarget::Both(file)
+            }
+            _ => LogTarget::Stdout,
+        };
+        // If ITSI_LOG_ANSI is set, use that; otherwise, use ANSI if stdout is a TTY.
+        let use_ansi = env::var("ITSI_LOG_ANSI")
+            .map(|s| s == "true")
+            .unwrap_or_else(|_| is(Stream::Stdout));
+        Self {
+            level,
+            format,
+            target,
+            use_ansi,
+        }
+    }
+}
+
+/// Initialize the global tracing subscriber with the default configuration.
 pub fn init() {
-    let env_filter = EnvFilter::builder()
-        .with_env_var("ITSI_LOG")
-        .try_from_env()
-        .unwrap_or_else(|_| EnvFilter::new("info"));
-
-    let format = fmt::format()
-        .compact()
-        .with_file(false)
-        .with_level(true)
-        .with_line_number(false)
-        .with_source_location(false)
-        .with_target(false)
-        .with_thread_ids(false);
-
-    let is_tty = is(Stream::Stdout);
-
-    let subscriber = tracing_subscriber::fmt()
-        .event_format(format)
-        .with_env_filter(env_filter);
-
-    if (is_tty && env::var("ITSI_LOG_PLAIN").is_err()) || env::var("ITSI_LOG_ANSI").is_ok() {
-        subscriber.with_ansi(true).init();
+    init_with_config(LogConfig::default());
+}
+
+/// Initialize the global tracing subscriber with a given configuration.
+pub fn init_with_config(config: LogConfig) {
+    // Build an EnvFilter from the configured level.
+    let env_filter = EnvFilter::new(config.level);
+
+    // Build the formatting layer based on target and format.
+    let fmt_layer = match config.target {
+        LogTarget::Stdout => match config.format {
+            LogFormat::Plain => fmt::layer()
+                .compact()
+                .with_file(false)
+                .with_line_number(false)
+                .with_target(false)
+                .with_thread_ids(false)
+                .with_writer(BoxMakeWriter::new(std::io::stdout))
+                .with_ansi(config.use_ansi)
+                .boxed(),
+            LogFormat::Json => fmt::layer()
+                .compact()
+                .with_file(false)
+                .with_line_number(false)
+                .with_target(false)
+                .with_thread_ids(false)
+                .with_writer(BoxMakeWriter::new(std::io::stdout))
+                .with_ansi(config.use_ansi)
+                .json()
+                .boxed(),
+        },
+        LogTarget::File(file) => match config.format {
+            LogFormat::Plain => fmt::layer()
+                .compact()
+                .with_file(false)
+                .with_line_number(false)
+                .with_target(false)
+                .with_thread_ids(false)
+                .with_writer(BoxMakeWriter::new({
+                    let file = file.clone();
+                    move || rolling::daily(".", file.clone())
+                }))
+                .with_ansi(false)
+                .boxed(),
+            LogFormat::Json => fmt::layer()
+                .compact()
+                .with_file(false)
+                .with_line_number(false)
+                .with_target(false)
+                .with_thread_ids(false)
+                .with_writer(BoxMakeWriter::new({
+                    let file = file.clone();
+                    move || rolling::daily(".", file.clone())
+                }))
+                .with_ansi(false)
+                .json()
+                .boxed(),
+        },
+        LogTarget::Both(file) => {
+            // For "Both" target, handle each format separately to avoid type mismatches
+            match config.format {
+                LogFormat::Plain => {
+                    let stdout_layer = fmt::layer()
+                        .compact()
+                        .with_file(false)
+                        .with_line_number(false)
+                        .with_target(false)
+                        .with_thread_ids(false)
+                        .with_writer(BoxMakeWriter::new(std::io::stdout))
+                        .with_ansi(config.use_ansi);
+
+                    let file_layer = fmt::layer()
+                        .compact()
+                        .with_file(false)
+                        .with_line_number(false)
+                        .with_target(false)
+                        .with_thread_ids(false)
+                        .with_writer(BoxMakeWriter::new({
+                            let file = file.clone();
+                            move || rolling::daily(".", file.clone())
+                        }))
+                        .with_ansi(false);
+
+                    stdout_layer.and_then(file_layer).boxed()
+                }
+                LogFormat::Json => {
+                    let stdout_layer = fmt::layer()
+                        .compact()
+                        .with_file(false)
+                        .with_line_number(false)
+                        .with_target(false)
+                        .with_thread_ids(false)
+                        .with_writer(BoxMakeWriter::new(std::io::stdout))
+                        .with_ansi(config.use_ansi)
+                        .json();
+
+                    let file_layer = fmt::layer()
+                        .compact()
+                        .with_file(false)
+                        .with_line_number(false)
+                        .with_target(false)
+                        .with_thread_ids(false)
+                        .with_writer(BoxMakeWriter::new({
+                            let file = file.clone();
+                            move || rolling::daily(".", file.clone())
+                        }))
+                        .with_ansi(false)
+                        .json();
+
+                    stdout_layer.and_then(file_layer).boxed()
+                }
+            }
+        }
+    };
+
+    // Create a reloadable filter layer so we can update the level at runtime.
+    let (filter_layer, handle) = reload::Layer::new(env_filter);
+
+    // Build the subscriber registry
+    let subscriber = tracing_subscriber::registry()
+        .with(filter_layer)
+        .with(fmt_layer);
+
+    tracing::subscriber::set_global_default(subscriber)
+        .expect("Unable to set global tracing subscriber");
+
+    RELOAD_HANDLE.set(Mutex::new(Some(handle))).unwrap();
+}
+
+/// Change the log level at runtime.
+pub fn set_level(new_level: &str) {
+    if let Some(handle) = RELOAD_HANDLE.get().unwrap().lock().unwrap().as_ref() {
+        handle
+            .modify(|filter| *filter = EnvFilter::new(new_level))
+            .expect("Failed to update log level");
     } else {
-        subscriber
-            .fmt_fields(format::JsonFields::default())
-            .event_format(fmt::format().json())
-            .init();
+        eprintln!("Reload handle not initialized; call init() first.");
     }
 }
+
+/// Run a function silently by temporarily setting a no-op subscriber.
+pub fn run_silently<F, R>(f: F) -> R
+where
+    F: FnOnce() -> R,
+{
+    let no_op_subscriber = tracing_subscriber::fmt()
+        .with_writer(std::io::sink)
+        .with_max_level(tracing_subscriber::filter::LevelFilter::OFF)
+        .finish();
+    let dispatch = tracing::Dispatch::new(no_op_subscriber);
+    tracing::dispatcher::with_default(&dispatch, f)
+}

data/lib/itsi/scheduler/version.rb

@@ -2,6 +2,6 @@
 
 module Itsi
   class Scheduler
-    VERSION = "0.1.5"
+    VERSION = "0.1.14"
   end
 end

data/lib/itsi/scheduler.rb

@@ -73,7 +73,7 @@ module Itsi
         fiber.resume
       end
     rescue StandardError => e
-      warn "Failed to resume fiber #{fiber}: #{e.message}"
+      warn "Fiber #{fiber} terminated on exception: #{e.message}"
     end
 
     def resume_fiber_with_readiness((token, readiness))
@@ -81,7 +81,7 @@ module Itsi
         fiber.resume(readiness)
       end
     rescue StandardError => e
-      warn "Failed to resume fiber #{fiber}: #{e.message}"
+      warn "Fiber #{fiber} terminated on exception: #{e.message}"
     end
 
     def resume_blocked(fiber)