itsi-server 0.1.6 → 0.1.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/ext/itsi_error/src/lib.rs +1 -1
- data/ext/itsi_server/Cargo.toml +1 -0
- data/ext/itsi_server/src/env.rs +43 -0
- data/ext/itsi_server/src/lib.rs +1 -0
- data/ext/itsi_server/src/server/tls/locked_dir_cache.rs +3 -3
- data/ext/itsi_server/src/server/tls.rs +74 -39
- data/lib/itsi/server/version.rb +1 -1
- metadata +3 -4
- data/ext/itsi_server/src/server/itsi_ca/itsi_ca.crt +0 -13
- data/ext/itsi_server/src/server/itsi_ca/itsi_ca.key +0 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6c78fb06dfb13a068cac3b1bcae5b7cdd05bfe40f0ee7ad1cdf96bdc82443676
|
|
4
|
+
data.tar.gz: 057a4d8a6bcf7be7b67a1326083d476092772713bf0ced1a07bdbd882311c422
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: dea363f4a2701a8135726b4e21a52b95d06bf16e7b81074ce9a09c511a22cb455f127abe0d1e5c503b5873afb35d2827dcb1a716bcf25b2085991d1033e138eb
|
|
7
|
+
data.tar.gz: 2a3df9fe440d7095ff597fb994e83497205ecfec205811c11208c19f21fe18a79f5bae575c0fc6e80c9169490a41754279476247a0898a58c4ce036780270cd3
|
data/ext/itsi_error/src/lib.rs
CHANGED
data/ext/itsi_server/Cargo.toml
CHANGED
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
use std::{
|
|
2
|
+
env::{var, VarError},
|
|
3
|
+
path::PathBuf,
|
|
4
|
+
sync::LazyLock,
|
|
5
|
+
};
|
|
6
|
+
|
|
7
|
+
type StringVar = LazyLock<String>;
|
|
8
|
+
type MaybeStringVar = LazyLock<Result<String, VarError>>;
|
|
9
|
+
type PathVar = LazyLock<PathBuf>;
|
|
10
|
+
|
|
11
|
+
/// ACME Configuration for auto-generating production certificates
|
|
12
|
+
/// *ITSI_ACME_CACHE_DIR* - Directory to store cached certificates
|
|
13
|
+
/// so that these are not regenerated every time the server starts
|
|
14
|
+
pub static ITSI_ACME_CACHE_DIR: StringVar = LazyLock::new(|| {
|
|
15
|
+
var("ITSI_ACME_CACHE_DIR").unwrap_or_else(|_| "./.rustls_acme_cache".to_string())
|
|
16
|
+
});
|
|
17
|
+
|
|
18
|
+
/// *ITSI_ACME_CONTACT_EMAIL* - Contact Email address to provide to ACME server during certificate renewal
|
|
19
|
+
pub static ITSI_ACME_CONTACT_EMAIL: MaybeStringVar =
|
|
20
|
+
LazyLock::new(|| var("ITSI_ACME_CONTACT_EMAIL"));
|
|
21
|
+
|
|
22
|
+
/// *ITSI_ACME_CA_PEM_PATH* - Optional CA Pem path, used for testing with non-trusted CAs for certifcate generation.
|
|
23
|
+
pub static ITSI_ACME_CA_PEM_PATH: MaybeStringVar = LazyLock::new(|| var("ITSI_ACME_CA_PEM_PATH"));
|
|
24
|
+
|
|
25
|
+
/// *ITSI_ACME_DIRECTORY_URL* - Directory URL to use for ACME certificate generation.
|
|
26
|
+
pub static ITSI_ACME_DIRECTORY_URL: StringVar = LazyLock::new(|| {
|
|
27
|
+
var("ITSI_ACME_DIRECTORY_URL")
|
|
28
|
+
.unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string())
|
|
29
|
+
});
|
|
30
|
+
|
|
31
|
+
/// *ITSI_ACME_LOCK_FILE_NAME* - Name of the lock file used to prevent concurrent certificate generation.
|
|
32
|
+
pub static ITSI_ACME_LOCK_FILE_NAME: StringVar =
|
|
33
|
+
LazyLock::new(|| var("ITSI_ACME_LOCK_FILE_NAME").unwrap_or(".acme.lock".to_string()));
|
|
34
|
+
|
|
35
|
+
pub static ITSI_LOCAL_CA_DIR: PathVar = LazyLock::new(|| {
|
|
36
|
+
var("ITSI_LOCAL_CA_DIR")
|
|
37
|
+
.map(PathBuf::from)
|
|
38
|
+
.unwrap_or_else(|_| {
|
|
39
|
+
dirs::home_dir()
|
|
40
|
+
.expect("Failed to find HOME directory when initializing ITSI_LOCAL_CA_DIR")
|
|
41
|
+
.join(".itsi")
|
|
42
|
+
})
|
|
43
|
+
});
|
data/ext/itsi_server/src/lib.rs
CHANGED
|
@@ -1,13 +1,14 @@
|
|
|
1
1
|
use async_trait::async_trait;
|
|
2
2
|
use fs2::FileExt;
|
|
3
3
|
use parking_lot::Mutex;
|
|
4
|
-
use std::env;
|
|
5
4
|
use std::fs::{self, OpenOptions};
|
|
6
5
|
use std::io::Error as IoError;
|
|
7
6
|
use std::path::{Path, PathBuf};
|
|
8
7
|
use tokio_rustls_acme::caches::DirCache;
|
|
9
8
|
use tokio_rustls_acme::{AccountCache, CertCache};
|
|
10
9
|
|
|
10
|
+
use crate::env::ITSI_ACME_LOCK_FILE_NAME;
|
|
11
|
+
|
|
11
12
|
/// A wrapper around DirCache that locks a file before writing cert/account data.
|
|
12
13
|
pub struct LockedDirCache<P: AsRef<Path> + Send + Sync> {
|
|
13
14
|
inner: DirCache<P>,
|
|
@@ -19,8 +20,7 @@ impl<P: AsRef<Path> + Send + Sync> LockedDirCache<P> {
|
|
|
19
20
|
pub fn new(dir: P) -> Self {
|
|
20
21
|
let dir_path = dir.as_ref().to_path_buf();
|
|
21
22
|
std::fs::create_dir_all(&dir_path).unwrap();
|
|
22
|
-
let lock_path =
|
|
23
|
-
dir_path.join(env::var("ITSI_ACME_LOCK_FILE_NAME").unwrap_or(".acme.lock".to_string()));
|
|
23
|
+
let lock_path = dir_path.join(&*ITSI_ACME_LOCK_FILE_NAME);
|
|
24
24
|
Self::touch_file(&lock_path).expect("Failed to create lock file");
|
|
25
25
|
|
|
26
26
|
Self {
|
|
@@ -2,7 +2,9 @@ use base64::{engine::general_purpose, Engine as _};
|
|
|
2
2
|
use itsi_error::Result;
|
|
3
3
|
use itsi_tracing::info;
|
|
4
4
|
use locked_dir_cache::LockedDirCache;
|
|
5
|
-
use rcgen::{
|
|
5
|
+
use rcgen::{
|
|
6
|
+
generate_simple_self_signed, CertificateParams, CertifiedKey, DnType, KeyPair, SanType,
|
|
7
|
+
};
|
|
6
8
|
use rustls::{
|
|
7
9
|
pki_types::{CertificateDer, PrivateKeyDer},
|
|
8
10
|
ClientConfig, RootCertStore,
|
|
@@ -10,16 +12,19 @@ use rustls::{
|
|
|
10
12
|
use rustls_pemfile::{certs, pkcs8_private_keys};
|
|
11
13
|
use std::{
|
|
12
14
|
collections::HashMap,
|
|
13
|
-
|
|
15
|
+
fs,
|
|
14
16
|
io::{BufReader, Error},
|
|
15
17
|
sync::Arc,
|
|
16
18
|
};
|
|
17
19
|
use tokio::sync::Mutex;
|
|
18
20
|
use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
|
|
19
21
|
use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
|
|
22
|
+
|
|
23
|
+
use crate::env::{
|
|
24
|
+
ITSI_ACME_CACHE_DIR, ITSI_ACME_CA_PEM_PATH, ITSI_ACME_CONTACT_EMAIL, ITSI_ACME_DIRECTORY_URL,
|
|
25
|
+
ITSI_LOCAL_CA_DIR,
|
|
26
|
+
};
|
|
20
27
|
mod locked_dir_cache;
|
|
21
|
-
const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
|
|
22
|
-
const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
|
|
23
28
|
|
|
24
29
|
#[derive(Clone)]
|
|
25
30
|
pub enum ItsiTlsAcceptor {
|
|
@@ -31,11 +36,12 @@ pub enum ItsiTlsAcceptor {
|
|
|
31
36
|
),
|
|
32
37
|
}
|
|
33
38
|
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
+
/// Generates a TLS configuration based on either :
|
|
40
|
+
/// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
|
|
41
|
+
/// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
|
|
42
|
+
///
|
|
43
|
+
/// If a non-local host or optional domain parameter is provided,
|
|
44
|
+
/// an automated certificate will attempt to be fetched using let's encrypt.
|
|
39
45
|
pub fn configure_tls(
|
|
40
46
|
host: &str,
|
|
41
47
|
query_params: &HashMap<String, String>,
|
|
@@ -44,17 +50,27 @@ pub fn configure_tls(
|
|
|
44
50
|
.get("domains")
|
|
45
51
|
.map(|v| v.split(',').map(String::from).collect::<Vec<_>>());
|
|
46
52
|
|
|
47
|
-
if query_params.get("cert").
|
|
53
|
+
if query_params.get("cert").is_some_and(|c| c == "auto") {
|
|
48
54
|
if let Some(domains) = domains {
|
|
49
|
-
let directory_url =
|
|
50
|
-
.unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string());
|
|
55
|
+
let directory_url = &*ITSI_ACME_DIRECTORY_URL;
|
|
51
56
|
info!(
|
|
52
57
|
domains = format!("{:?}", domains),
|
|
53
58
|
directory_url, "Requesting acme cert"
|
|
54
59
|
);
|
|
55
60
|
|
|
56
|
-
let
|
|
57
|
-
|
|
61
|
+
let acme_config = AcmeConfig::new(domains)
|
|
62
|
+
.contact([format!("mailto:{}", (*ITSI_ACME_CONTACT_EMAIL).as_ref().map_err(|_| {
|
|
63
|
+
itsi_error::ItsiError::ArgumentError(
|
|
64
|
+
"ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate production certificates"
|
|
65
|
+
.to_string(),
|
|
66
|
+
)
|
|
67
|
+
})?)])
|
|
68
|
+
.cache(LockedDirCache::new(&*ITSI_ACME_CACHE_DIR))
|
|
69
|
+
.directory(directory_url);
|
|
70
|
+
|
|
71
|
+
let acme_state = if let Ok(ca_pem_path) = &*ITSI_ACME_CA_PEM_PATH {
|
|
72
|
+
let mut root_cert_store = RootCertStore::empty();
|
|
73
|
+
|
|
58
74
|
let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
|
|
59
75
|
let mut ca_reader = BufReader::new(&ca_pem[..]);
|
|
60
76
|
let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
|
|
@@ -66,31 +82,23 @@ pub fn configure_tls(
|
|
|
66
82
|
))
|
|
67
83
|
})?;
|
|
68
84
|
root_cert_store.add_parsable_certificates(der_certs);
|
|
69
|
-
}
|
|
70
85
|
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
let cache_dir = env::var("ITSI_ACME_CACHE_DIR")
|
|
83
|
-
.unwrap_or_else(|_| "./.rustls_acme_cache".to_string());
|
|
84
|
-
|
|
85
|
-
let acme_state = AcmeConfig::new(domains)
|
|
86
|
-
.contact([format!("mailto:{}", contact_email)])
|
|
87
|
-
.cache(LockedDirCache::new(cache_dir))
|
|
88
|
-
.directory(directory_url)
|
|
89
|
-
.client_tls_config(Arc::new(client_config))
|
|
90
|
-
.state();
|
|
91
|
-
let rustls_config = ServerConfig::builder()
|
|
86
|
+
let client_config = ClientConfig::builder()
|
|
87
|
+
.with_root_certificates(root_cert_store)
|
|
88
|
+
.with_no_client_auth();
|
|
89
|
+
acme_config
|
|
90
|
+
.client_tls_config(Arc::new(client_config))
|
|
91
|
+
.state()
|
|
92
|
+
} else {
|
|
93
|
+
acme_config.state()
|
|
94
|
+
};
|
|
95
|
+
|
|
96
|
+
let mut rustls_config = ServerConfig::builder()
|
|
92
97
|
.with_no_client_auth()
|
|
93
98
|
.with_cert_resolver(acme_state.resolver());
|
|
99
|
+
|
|
100
|
+
rustls_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
|
|
101
|
+
|
|
94
102
|
let acceptor = acme_state.acceptor();
|
|
95
103
|
return Ok(ItsiTlsAcceptor::Automatic(
|
|
96
104
|
acceptor,
|
|
@@ -107,7 +115,7 @@ pub fn configure_tls(
|
|
|
107
115
|
let key = load_private_key(key_path);
|
|
108
116
|
(certs, key)
|
|
109
117
|
} else {
|
|
110
|
-
generate_ca_signed_cert(vec![host.to_owned()])?
|
|
118
|
+
generate_ca_signed_cert(domains.unwrap_or(vec![host.to_owned()]))?
|
|
111
119
|
};
|
|
112
120
|
|
|
113
121
|
let mut config = ServerConfig::builder()
|
|
@@ -179,9 +187,10 @@ pub fn generate_ca_signed_cert(
|
|
|
179
187
|
domains: Vec<String>,
|
|
180
188
|
) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> {
|
|
181
189
|
info!("Generating New Itsi CA - Self signed Certificate. Use `itsi ca export` to export the CA certificate for import into your local trust store.");
|
|
190
|
+
let (ca_key_pem, ca_cert_pem) = get_or_create_local_dev_ca()?;
|
|
182
191
|
|
|
183
|
-
let ca_kp = KeyPair::from_pem(
|
|
184
|
-
let ca_cert = CertificateParams::from_ca_cert_pem(
|
|
192
|
+
let ca_kp = KeyPair::from_pem(&ca_key_pem).expect("Failed to load CA key");
|
|
193
|
+
let ca_cert = CertificateParams::from_ca_cert_pem(&ca_cert_pem)
|
|
185
194
|
.expect("Failed to parse embedded CA certificate")
|
|
186
195
|
.self_signed(&ca_kp)
|
|
187
196
|
.expect("Failed to self-sign embedded CA cert");
|
|
@@ -221,3 +230,29 @@ pub fn generate_ca_signed_cert(
|
|
|
221
230
|
PrivateKeyDer::try_from(ee_key.serialize_der()).unwrap(),
|
|
222
231
|
))
|
|
223
232
|
}
|
|
233
|
+
|
|
234
|
+
fn get_or_create_local_dev_ca() -> Result<(String, String)> {
|
|
235
|
+
let ca_dir = &*ITSI_LOCAL_CA_DIR;
|
|
236
|
+
fs::create_dir_all(ca_dir)?;
|
|
237
|
+
|
|
238
|
+
let key_path = ca_dir.join("itsi_dev_ca.key");
|
|
239
|
+
let cert_path = ca_dir.join("itsi_dev_ca.crt");
|
|
240
|
+
|
|
241
|
+
if key_path.exists() && cert_path.exists() {
|
|
242
|
+
// Already have a local CA
|
|
243
|
+
let key_pem = fs::read_to_string(&key_path)?;
|
|
244
|
+
let cert_pem = fs::read_to_string(&cert_path)?;
|
|
245
|
+
|
|
246
|
+
Ok((key_pem, cert_pem))
|
|
247
|
+
} else {
|
|
248
|
+
let subject_alt_names = vec!["dev.itsi.fyi".to_string(), "localhost".to_string()];
|
|
249
|
+
|
|
250
|
+
let CertifiedKey { cert, key_pair } =
|
|
251
|
+
generate_simple_self_signed(subject_alt_names).unwrap();
|
|
252
|
+
|
|
253
|
+
fs::write(&key_path, key_pair.serialize_pem())?;
|
|
254
|
+
fs::write(&cert_path, cert.pem())?;
|
|
255
|
+
|
|
256
|
+
Ok((key_pair.serialize_pem(), cert.pem()))
|
|
257
|
+
}
|
|
258
|
+
}
|
data/lib/itsi/server/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: itsi-server
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Wouter Coppieters
|
|
8
8
|
bindir: exe
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2025-03-
|
|
10
|
+
date: 2025-03-15 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: rack
|
|
@@ -75,6 +75,7 @@ files:
|
|
|
75
75
|
- ext/itsi_server/src/body_proxy/big_bytes.rs
|
|
76
76
|
- ext/itsi_server/src/body_proxy/itsi_body_proxy.rs
|
|
77
77
|
- ext/itsi_server/src/body_proxy/mod.rs
|
|
78
|
+
- ext/itsi_server/src/env.rs
|
|
78
79
|
- ext/itsi_server/src/lib.rs
|
|
79
80
|
- ext/itsi_server/src/request/itsi_request.rs
|
|
80
81
|
- ext/itsi_server/src/request/mod.rs
|
|
@@ -83,8 +84,6 @@ files:
|
|
|
83
84
|
- ext/itsi_server/src/server/bind.rs
|
|
84
85
|
- ext/itsi_server/src/server/bind_protocol.rs
|
|
85
86
|
- ext/itsi_server/src/server/io_stream.rs
|
|
86
|
-
- ext/itsi_server/src/server/itsi_ca/itsi_ca.crt
|
|
87
|
-
- ext/itsi_server/src/server/itsi_ca/itsi_ca.key
|
|
88
87
|
- ext/itsi_server/src/server/itsi_server.rs
|
|
89
88
|
- ext/itsi_server/src/server/lifecycle_event.rs
|
|
90
89
|
- ext/itsi_server/src/server/listener.rs
|
|
@@ -1,13 +0,0 @@
|
|
|
1
|
-
-----BEGIN CERTIFICATE-----
|
|
2
|
-
MIIB9TCCAZugAwIBAgIUMpQtAScU2Ow9c1Xy/0b/kS/BuwcwCgYIKoZIzj0EAwIw
|
|
3
|
-
UDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBEl0c2kxDTALBgNVBAcMBEl0c2kxEDAO
|
|
4
|
-
BgNVBAoMB0l0c2kgQ0ExETAPBgNVBAMMCGl0c2kuZnlpMB4XDTI1MDMwMzIwMjg1
|
|
5
|
-
N1oXDTM1MDMwMTIwMjg1N1owUDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBEl0c2kx
|
|
6
|
-
DTALBgNVBAcMBEl0c2kxEDAOBgNVBAoMB0l0c2kgQ0ExETAPBgNVBAMMCGl0c2ku
|
|
7
|
-
ZnlpMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqGdC9Vi1r7ARvqSkPXkAgiV5
|
|
8
|
-
gn2MMTeEafagrWT7G1onSh/G+Qstxl61kfFNLOTiy6NSgAtKG+gfveCTo0Pcz6NT
|
|
9
|
-
MFEwHQYDVR0OBBYEFN7zzDodmiK2VAzLDydDvb6Er+U+MB8GA1UdIwQYMBaAFN7z
|
|
10
|
-
zDodmiK2VAzLDydDvb6Er+U+MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwID
|
|
11
|
-
SAAwRQIhAP8q3PiwqTwCbRvYvvetxH39mAce1mfQMosb33ns228VAiBXdb+p9s0o
|
|
12
|
-
5ug5g9/MTvrIPI7GgolXCWZunkouy0LSrw==
|
|
13
|
-
-----END CERTIFICATE-----
|