itsi-server 0.1.1 → 0.1.7

data/ext/itsi_server/src/server/tls.rs

@@ -1,20 +1,112 @@
 use base64::{engine::general_purpose, Engine as _};
 use itsi_error::Result;
-use itsi_tracing::{info, warn};
-use rcgen::{CertificateParams, DnType, KeyPair, SanType};
+use itsi_tracing::info;
+use locked_dir_cache::LockedDirCache;
+use rcgen::{
+    generate_simple_self_signed, CertificateParams, CertifiedKey, DnType, KeyPair, SanType,
+};
+use rustls::{
+    pki_types::{CertificateDer, PrivateKeyDer},
+    ClientConfig, RootCertStore,
+};
 use rustls_pemfile::{certs, pkcs8_private_keys};
-use std::{collections::HashMap, fs, io::BufReader};
-use tokio_rustls::rustls::{Certificate, PrivateKey, ServerConfig};
-
-const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
-const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
-
-// Generates a TLS configuration based on either :
-// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
-// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
-// If a non-local host or optional domain parameter is provided,
-// an automated certificate will attempt to be fetched using let's encrypt.
-pub fn configure_tls(host: &str, query_params: &HashMap<String, String>) -> Result<ServerConfig> {
+use std::{
+    collections::HashMap,
+    fs,
+    io::{BufReader, Error},
+    sync::Arc,
+};
+use tokio::sync::Mutex;
+use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
+use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
+
+use crate::env::{
+    ITSI_ACME_CACHE_DIR, ITSI_ACME_CA_PEM_PATH, ITSI_ACME_CONTACT_EMAIL, ITSI_ACME_DIRECTORY_URL,
+    ITSI_LOCAL_CA_DIR,
+};
+mod locked_dir_cache;
+
+#[derive(Clone)]
+pub enum ItsiTlsAcceptor {
+    Manual(TlsAcceptor),
+    Automatic(
+        AcmeAcceptor,
+        Arc<Mutex<AcmeState<Error>>>,
+        Arc<ServerConfig>,
+    ),
+}
+
+/// Generates a TLS configuration based on either :
+/// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
+/// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
+///
+/// If a non-local host or optional domain parameter is provided,
+/// an automated certificate will attempt to be fetched using let's encrypt.
+pub fn configure_tls(
+    host: &str,
+    query_params: &HashMap<String, String>,
+) -> Result<ItsiTlsAcceptor> {
+    let domains = query_params
+        .get("domains")
+        .map(|v| v.split(',').map(String::from).collect::<Vec<_>>());
+
+    if query_params.get("cert").is_some_and(|c| c == "auto") {
+        if let Some(domains) = domains {
+            let directory_url = &*ITSI_ACME_DIRECTORY_URL;
+            info!(
+                domains = format!("{:?}", domains),
+                directory_url, "Requesting acme cert"
+            );
+
+            let acme_config = AcmeConfig::new(domains)
+                .contact([format!("mailto:{}", (*ITSI_ACME_CONTACT_EMAIL).as_ref().map_err(|_| {
+                    itsi_error::ItsiError::ArgumentError(
+                      "ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate production certificates"
+                          .to_string(),
+                  )
+                })?)])
+                .cache(LockedDirCache::new(&*ITSI_ACME_CACHE_DIR))
+                .directory(directory_url);
+
+            let acme_state = if let Ok(ca_pem_path) = &*ITSI_ACME_CA_PEM_PATH {
+                let mut root_cert_store = RootCertStore::empty();
+
+                let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
+                let mut ca_reader = BufReader::new(&ca_pem[..]);
+                let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
+                    .collect::<std::result::Result<Vec<CertificateDer>, _>>()
+                    .map_err(|e| {
+                        itsi_error::ItsiError::ArgumentError(format!(
+                            "Invalid ACME CA Pem path {:?}",
+                            e
+                        ))
+                    })?;
+                root_cert_store.add_parsable_certificates(der_certs);
+
+                let client_config = ClientConfig::builder()
+                    .with_root_certificates(root_cert_store)
+                    .with_no_client_auth();
+                acme_config
+                    .client_tls_config(Arc::new(client_config))
+                    .state()
+            } else {
+                acme_config.state()
+            };
+
+            let mut rustls_config = ServerConfig::builder()
+                .with_no_client_auth()
+                .with_cert_resolver(acme_state.resolver());
+
+            rustls_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+
+            let acceptor = acme_state.acceptor();
+            return Ok(ItsiTlsAcceptor::Automatic(
+                acceptor,
+                Arc::new(Mutex::new(acme_state)),
+                Arc::new(rustls_config),
+            ));
+        }
+    }
     let (certs, key) = if let (Some(cert_path), Some(key_path)) =
         (query_params.get("cert"), query_params.get("key"))
     {
@@ -22,41 +114,20 @@ pub fn configure_tls(host: &str, query_params: &HashMap<String, String>) -> Resu
         let certs = load_certs(cert_path);
         let key = load_private_key(key_path);
         (certs, key)
-    } else if query_params
-        .get("cert")
-        .map(|v| v == "auto")
-        .unwrap_or(false)
-    {
-        let domain_param = query_params.get("domain");
-        let host_string = host.to_string();
-        let domain = domain_param.or_else(|| {
-            if host_string != "localhost" {
-                Some(&host_string)
-            } else {
-                None
-            }
-        });
-
-        if let Some(domain) = domain {
-            retrieve_acme_cert(domain)?
-        } else {
-            generate_ca_signed_cert(host)?
-        }
     } else {
-        generate_ca_signed_cert(host)?
+        generate_ca_signed_cert(domains.unwrap_or(vec![host.to_owned()]))?
     };
 
     let mut config = ServerConfig::builder()
-        .with_safe_defaults()
         .with_no_client_auth()
         .with_single_cert(certs, key)
         .expect("Failed to build TLS config");
 
     config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
-    Ok(config)
+    Ok(ItsiTlsAcceptor::Manual(TlsAcceptor::from(Arc::new(config))))
 }
 
-pub fn load_certs(path: &str) -> Vec<Certificate> {
+pub fn load_certs(path: &str) -> Vec<CertificateDer<'static>> {
     let data = if let Some(stripped) = path.strip_prefix("base64:") {
         general_purpose::STANDARD
             .decode(stripped)
@@ -74,14 +145,20 @@ pub fn load_certs(path: &str) -> Vec<Certificate> {
             })
             .collect::<Result<_>>()
             .expect("Failed to parse certificate file");
-        certs_der.into_iter().map(Certificate).collect()
+        certs_der
+            .into_iter()
+            .map(|vec| {
+                // Convert the owned Vec<u8> into a CertificateDer and force 'static.
+                unsafe { std::mem::transmute(CertificateDer::from(vec)) }
+            })
+            .collect()
     } else {
-        vec![Certificate(data)]
+        vec![CertificateDer::from(data)]
     }
 }
 
 /// Loads a private key from a file or Base64.
-pub fn load_private_key(path: &str) -> PrivateKey {
+pub fn load_private_key(path: &str) -> PrivateKeyDer<'static> {
     let key_data = if let Some(stripped) = path.strip_prefix("base64:") {
         general_purpose::STANDARD
             .decode(stripped)
@@ -100,39 +177,82 @@ pub fn load_private_key(path: &str) -> PrivateKey {
             .collect::<Result<_>>()
             .expect("Failed to parse private key");
         if !keys.is_empty() {
-            return PrivateKey(keys[0].clone());
+            return PrivateKeyDer::try_from(keys[0].clone()).unwrap();
         }
     }
-    PrivateKey(key_data)
+    PrivateKeyDer::try_from(key_data).unwrap()
 }
 
-pub fn generate_ca_signed_cert(domain: &str) -> Result<(Vec<Certificate>, PrivateKey)> {
+pub fn generate_ca_signed_cert(
+    domains: Vec<String>,
+) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> {
     info!("Generating New Itsi CA - Self signed Certificate. Use `itsi ca export` to export the CA certificate for import into your local trust store.");
+    let (ca_key_pem, ca_cert_pem) = get_or_create_local_dev_ca()?;
 
-    let ca_kp = KeyPair::from_pem(ITS_CA_KEY).unwrap();
-    let params = CertificateParams::from_ca_cert_pem(ITS_CA_CERT).unwrap();
+    let ca_kp = KeyPair::from_pem(&ca_key_pem).expect("Failed to load CA key");
+    let ca_cert = CertificateParams::from_ca_cert_pem(&ca_cert_pem)
+        .expect("Failed to parse embedded CA certificate")
+        .self_signed(&ca_kp)
+        .expect("Failed to self-sign embedded CA cert");
 
-    let ca_cert = params.self_signed(&ca_kp).unwrap();
-    let ee_key = KeyPair::generate().unwrap();
+    let ee_key = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
     let mut ee_params = CertificateParams::default();
 
-    // Set the domain in the subject alternative names (SAN)
-    ee_params.subject_alt_names = vec![SanType::DnsName(domain.try_into()?)];
-    // Optionally, set the Common Name (CN) in the distinguished name:
+    info!(
+        "Generated certificate will be valid for domains {:?}",
+        domains
+    );
+    use std::net::IpAddr;
+
+    ee_params.subject_alt_names = domains
+        .iter()
+        .map(|domain| {
+            if let Ok(ip) = domain.parse::<IpAddr>() {
+                SanType::IpAddress(ip)
+            } else {
+                SanType::DnsName(domain.clone().try_into().unwrap())
+            }
+        })
+        .collect();
+
     ee_params
         .distinguished_name
-        .push(DnType::CommonName, domain);
+        .push(DnType::CommonName, domains[0].clone());
 
     ee_params.use_authority_key_identifier_extension = true;
 
-    let ee_cert = ee_params.signed_by(&ee_key, &ca_cert, &ee_key).unwrap();
+    let ee_cert = ee_params.signed_by(&ee_key, &ca_cert, &ca_kp).unwrap();
     let ee_cert_der = ee_cert.der().to_vec();
-    let ee_cert = Certificate(ee_cert_der);
-    Ok((vec![ee_cert], PrivateKey(ee_key.serialize_der())))
+    let ee_cert = CertificateDer::from(ee_cert_der);
+    let ca_cert = CertificateDer::from(ca_cert.der().to_vec());
+    Ok((
+        vec![ee_cert, ca_cert],
+        PrivateKeyDer::try_from(ee_key.serialize_der()).unwrap(),
+    ))
 }
 
-/// Retrieves an ACME certificate for a given domain.
-pub fn retrieve_acme_cert(domain: &str) -> Result<(Vec<Certificate>, PrivateKey)> {
-    warn!("Retrieving ACME cert for {}", domain);
-    generate_ca_signed_cert(domain)
+fn get_or_create_local_dev_ca() -> Result<(String, String)> {
+    let ca_dir = &*ITSI_LOCAL_CA_DIR;
+    fs::create_dir_all(ca_dir)?;
+
+    let key_path = ca_dir.join("itsi_dev_ca.key");
+    let cert_path = ca_dir.join("itsi_dev_ca.crt");
+
+    if key_path.exists() && cert_path.exists() {
+        // Already have a local CA
+        let key_pem = fs::read_to_string(&key_path)?;
+        let cert_pem = fs::read_to_string(&cert_path)?;
+
+        Ok((key_pem, cert_pem))
+    } else {
+        let subject_alt_names = vec!["dev.itsi.fyi".to_string(), "localhost".to_string()];
+
+        let CertifiedKey { cert, key_pair } =
+            generate_simple_self_signed(subject_alt_names).unwrap();
+
+        fs::write(&key_path, key_pair.serialize_pem())?;
+        fs::write(&cert_path, cert.pem())?;
+
+        Ok((key_pair.serialize_pem(), cert.pem()))
+    }
 }

data/ext/itsi_tracing/Cargo.toml

@@ -9,4 +9,8 @@ tracing-subscriber = { version = "0.3.19", features = [
   "env-filter",
   "std",
   "fmt",
+  "json",
+  "ansi",
 ] }
+tracing-attributes = "0.1"
+atty = "0.2.14"

data/ext/itsi_tracing/src/lib.rs

@@ -1,11 +1,41 @@
+use std::env;
+
+use atty::{Stream, is};
 pub use tracing::{debug, error, info, trace, warn};
-use tracing_subscriber::{EnvFilter, fmt};
+pub use tracing_attributes::instrument; // Explicitly export from tracing-attributes
+use tracing_subscriber::{
+    EnvFilter,
+    fmt::{self, format},
+};
 
+#[instrument]
 pub fn init() {
-    let env_filter = EnvFilter::try_from_default_env().unwrap_or_else(|_| EnvFilter::new("info"));
-    let format = fmt::format().with_level(true).with_target(false).compact();
-    tracing_subscriber::fmt()
-        .with_env_filter(env_filter)
+    let env_filter = EnvFilter::builder()
+        .with_env_var("ITSI_LOG")
+        .try_from_env()
+        .unwrap_or_else(|_| EnvFilter::new("info"));
+
+    let format = fmt::format()
+        .compact()
+        .with_file(false)
+        .with_level(true)
+        .with_line_number(false)
+        .with_source_location(false)
+        .with_target(false)
+        .with_thread_ids(false);
+
+    let is_tty = is(Stream::Stdout);
+
+    let subscriber = tracing_subscriber::fmt()
         .event_format(format)
-        .init();
+        .with_env_filter(env_filter);
+
+    if (is_tty && env::var("ITSI_LOG_PLAIN").is_err()) || env::var("ITSI_LOG_ANSI").is_ok() {
+        subscriber.with_ansi(true).init();
+    } else {
+        subscriber
+            .fmt_fields(format::JsonFields::default())
+            .event_format(fmt::format().json())
+            .init();
+    }
 }

data/lib/itsi/request.rb

@@ -1,10 +1,17 @@
 # frozen_string_literal: true
 
-require "stringio"
-
 module Itsi
   class Request
+    require "stringio"
+    require "socket"
+
+    attr_accessor :hijacked
+
     def to_env
+      path = self.path
+      host = self.host
+      version = self.version
+      body = self.body
       {
         "SERVER_SOFTWARE" => "Itsi",
         "SCRIPT_NAME" => script_name,
@@ -13,27 +20,36 @@ module Itsi
         "REQUEST_PATH" => path,
         "QUERY_STRING" => query_string,
         "REMOTE_ADDR" => remote_addr,
-        "SERVER_NAME" => host,
         "SERVER_PORT" => port.to_s,
+        "SERVER_NAME" => host,
+        "HTTP_HOST" => host,
         "SERVER_PROTOCOL" => version,
         "HTTP_VERSION" => version,
-        "HTTP_HOST" => host,
-        "rack.input" => StringIO.new(body),
+        "rack.version" => [version],
+        "rack.url_scheme" => scheme,
+        "rack.input" => \
+          case body
+          when Array then File.open(body.first, "rb")
+          when String then StringIO.new(body)
+          else body
+          end,
         "rack.errors" => $stderr,
-        "rack.version" => version,
         "rack.multithread" => true,
         "rack.multiprocess" => true,
         "rack.run_once" => false,
-        "rack.multipart.buffer_size" => 16_384
-      }.merge(
-        headers.transform_keys do |k|
-          case k
-          when "content-length" then "CONTENT_LENGTH"
-          when "content-type" then "CONTENT_TYPE"
-          else "HTTP_#{k.upcase.tr("-", "_")}"
+        "rack.hijack?" => true,
+        "rack.multipart.buffer_size" => 16_384,
+        "rack.hijack" => lambda do
+          self.hijacked = true
+          UNIXSocket.pair.yield_self do |(server_sock, app_sock)|
+            response.hijack(server_sock.fileno)
+            server_sock.sync = true
+            app_sock.sync = true
+            app_sock.instance_variable_set("@server_sock", server_sock)
+            app_sock
           end
         end
-      )
+      }.tap { |r| headers.each { |(k, v)| r[k] = v } }
     end
   end
 end

data/lib/itsi/server/rack/handler/itsi.rb

@@ -0,0 +1,25 @@
+return unless defined?(::Rackup::Handler) || defined?(Rack::Handler)
+
+module Rack
+  module Handler
+    module Itsi
+
+      def self.run(app, options = {})
+        ::Itsi::Server.new(
+          app: ->{ app },
+          binds: ["#{options.fetch(:host, "127.0.0.1")}:#{options.fetch(:Port, 3001)}"],
+          workers: options.fetch(:workers, 1),
+          threads: options.fetch(:threads, 1),
+        ).start
+      end
+    end
+  end
+end
+
+if defined?(Rackup)
+  ::Rackup::Handler.register("itsi", Rack::Handler::Itsi)
+  ::Rackup::Handler.register("Itsi", Rack::Handler::Itsi)
+elsif defined?(Rack)
+  ::Rack::Handler.register("itsi", Rack::Handler::Itsi)
+  ::Rack::Handler.register("Itsi", Rack::Handler::Itsi)
+end

data/lib/itsi/server/scheduler_mode.rb

@@ -0,0 +1,6 @@
+if defined?(ActiveSupport::IsolatedExecutionState) && !ENV["ITSI_DISABLE_AS_AUTO_FIBER_ISOLATION_LEVEL"]
+  Itsi.log_info \
+    "ActiveSupport Isolated Execution state detected. Automatically switching to :fiber mode. "\
+    "Use ENV['ITSI_DISABLE_AS_AUTO_FIBER_ISOLATION_LEVEL'] to disable this behavior"
+  ActiveSupport::IsolatedExecutionState.isolation_level = :fiber
+end

data/lib/itsi/server/version.rb

@@ -2,6 +2,6 @@
 
 module Itsi
   class Server
-    VERSION = "0.1.1"
+    VERSION = "0.1.7"
   end
 end

data/lib/itsi/server.rb

@@ -2,12 +2,92 @@
 
 require_relative "server/version"
 require_relative "server/itsi_server"
+require_relative "signals"
+require_relative "request"
+require_relative "stream_io"
+require_relative "server/rack/handler/itsi"
 
 module Itsi
   class Server
-    # Call our Rack app with our request ENV.
+
+    def self.running?
+      @running ||= false
+    end
+
+    def self.start(app:, **opts)
+      server = new(app: ->{app}, **opts)
+      @running = true
+      Signal.trap('INT', 'DEFAULT')
+      server.start
+    ensure
+      @running = false
+    end
+
     def self.call(app, request)
-      app.call(request.to_env)
+      respond request, app.call(request.to_env)
+    end
+
+    def self.streaming_body?(body)
+      body.respond_to?(:call) && !body.respond_to?(:each)
+    end
+
+    def self.respond(request, (status, headers, body))
+      response = request.response
+
+      # Don't try and respond if we've been hijacked.
+      # The hijacker is now responsible for this.
+      return if request.hijacked
+
+      # 1. Set Status
+      response.status = status
+
+      # 2. Set Headers
+      headers.each do |key, value|
+        next response.add_header(key, value) unless value.is_a?(Array)
+
+        value.each do |v|
+          response.add_header(key, v)
+        end
+      end
+
+      # 3. Set Body
+      # As soon as we start setting the response
+      # the server will begin to stream it to the client.
+
+      # If we're partially hijacked or returned a streaming body,
+      # stream this response.
+
+      if (body_streamer = streaming_body?(body) ? body : headers.delete("rack.hijack"))
+        body_streamer.call(StreamIO.new(response))
+
+      # If we're enumerable with more than one chunk
+      # also stream, otherwise write in a single chunk
+      elsif body.respond_to?(:each) || body.respond_to?(:to_ary)
+        unless body.respond_to?(:each)
+          body = body.to_ary
+          raise "Body #to_ary didn't return an array" unless body.is_a?(Array)
+        end
+        # We offset this iteration intentionally,
+        # to optimize for the case where there's only one chunk.
+        buffer = nil
+        body.each do |part|
+          response.send_frame(buffer.to_s) if buffer
+          buffer = part
+        end
+
+        response.send_and_close(buffer.to_s)
+      else
+        response.send_and_close(body.to_s)
+      end
+    ensure
+      response.close_write
+      body.close if body.respond_to?(:close)
+    end
+
+    def self.start_scheduler_loop(scheduler_class, scheduler_task)
+      scheduler = scheduler_class.new
+      Fiber.set_scheduler(scheduler)
+      [scheduler, Fiber.schedule(&scheduler_task)]
     end
 
     # If scheduler is enabled

data/lib/itsi/signals.rb

@@ -0,0 +1,23 @@
+module Itsi
+  module Signals
+    DEFAULT_SIGNALS = ["DEFAULT", ""].freeze
+    module SignalTrap
+      def self.trap(signal, *args, &block)
+        if DEFAULT_SIGNALS.include?(command.to_s) && block.nil?
+          Itsi::Server.reset_signal_handlers
+          nil
+        else
+          super(signal, *args, &block)
+        end
+      end
+    end
+  end
+end
+
+[Kernel, Signal].each do |receiver|
+  receiver.singleton_class.prepend(Itsi::Signals::SignalTrap)
+end
+
+[Object].each do |receiver|
+  receiver.include(Itsi::Signals::SignalTrap)
+end

data/lib/itsi/stream_io.rb

@@ -0,0 +1,38 @@
+module Itsi
+  class StreamIO
+    attr :response
+    def initialize(response)
+      @response = response
+    end
+
+    def read
+      response.recv_frame
+    end
+
+    def write(string)
+      response.send_frame(string)
+    end
+
+    def <<(string)
+      response.send_frame(string)
+    end
+
+    def flush
+      # No-op
+    end
+
+    def close
+      close_read
+      close_write
+    end
+
+    def close_read
+      response.close_read
+    end
+
+    def close_write
+      response.close_write
+    end
+
+  end
+end