itsi 0.1.5 → 0.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3c3da3f1e894f11eff41ba4294705e11b323b0c67ced5056ded2ba3bf3fe214e
-  data.tar.gz: 7f47c950da4d638c639a9a5045bc21c6b9a1fa33180700bce2a1605816067ce2
+  metadata.gz: 88879d13925e0738ba948eb707096da6e8b039cb317ce0975333295550725c70
+  data.tar.gz: 0eaf0dc170f15efb83428313c7b2554f1e19fe8c9dc81a8c5c4d553a03b586cd
 SHA512:
-  metadata.gz: 97a77b338eb51a461bc93d8f822111cd7582105252174fd4b29665eb6be508acb1ad314afa4286bba915d57da38d78922a81cc7a32c61a9c95495aee6f348aff
-  data.tar.gz: 0c1484b3474f3a1acf5df54eeb0657a1dc4e5fb8d63a388576f39a9883e6bb19acb9630fedb19852d55c78bf4d81553ab0337201a573516c9a52da66988959a9
+  metadata.gz: e37c041ee042a7d7e69f4f577864e08890aa3bb9fe855c292fc95950c9fc682d5afa0e2e74fc4bd5fb9c5cb7f60733e6e5fcf250f205742c6caec32a23399c68
+  data.tar.gz: d7c9cdd9bcde2a58192798e601a8b5a3099a76b9e924d4b58e206c11a3f015b094a0d975f4f87fd5338e3cfd05f46cd3f4684f59fb140643be85e8452be84195

data/Cargo.lock

@@ -398,6 +398,27 @@ dependencies = [
  "unicode-xid",
 ]
 
+[[package]]
+name = "dirs"
+version = "6.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3e8aa94d75141228480295a7d0e7feb620b1a5ad9f12bc40be62411e38cce4e"
+dependencies = [
+ "dirs-sys",
+]
+
+[[package]]
+name = "dirs-sys"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e01a3366d27ee9890022452ee61b2b63a67e6f13f58900b651ff5665f0bb1fab"
+dependencies = [
+ "libc",
+ "option-ext",
+ "redox_users",
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "displaydoc"
 version = "0.2.5"
@@ -989,6 +1010,7 @@ dependencies = [
  "bytes",
  "crossbeam",
  "derive_more",
+ "dirs",
  "fs2",
  "futures",
  "http",
@@ -1106,6 +1128,16 @@ dependencies = [
  "windows-targets 0.52.6",
 ]
 
+[[package]]
+name = "libredox"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
+dependencies = [
+ "bitflags",
+ "libc",
+]
+
 [[package]]
 name = "linux-raw-sys"
 version = "0.4.15"
@@ -1321,6 +1353,12 @@ version = "1.20.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "945462a4b81e43c4e3ba96bd7b49d834c6f61198356aa858733bc4acf3cbe62e"
 
+[[package]]
+name = "option-ext"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"
+
 [[package]]
 name = "overload"
 version = "0.1.1"
@@ -1608,6 +1646,17 @@ dependencies = [
  "bitflags",
 ]
 
+[[package]]
+name = "redox_users"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dd6f9d3d47bdd2ad6945c5015a226ec6155d0bcdfd8f7cd29f86b71f8de99d2b"
+dependencies = [
+ "getrandom 0.2.15",
+ "libredox",
+ "thiserror 2.0.11",
+]
+
 [[package]]
 name = "regex"
 version = "1.11.1"

data/crates/itsi_error/src/lib.rs

@@ -3,7 +3,7 @@ use thiserror::Error;
 
 pub type Result<T> = std::result::Result<T, ItsiError>;
 
-#[derive(Error, Debug)]
+#[derive(Error, Debug, Clone)]
 pub enum ItsiError {
     #[error("Invalid input {0}")]
     InvalidInput(String),

data/crates/itsi_server/Cargo.toml

@@ -44,3 +44,4 @@ rustls = "0.23.23"
 fs2 = "0.4.3"
 ring = "0.17.14"
 async-trait = "0.1.87"
+dirs = "6.0.0"

data/crates/itsi_server/src/env.rs

@@ -0,0 +1,43 @@
+use std::{
+    env::{var, VarError},
+    path::PathBuf,
+    sync::LazyLock,
+};
+
+type StringVar = LazyLock<String>;
+type MaybeStringVar = LazyLock<Result<String, VarError>>;
+type PathVar = LazyLock<PathBuf>;
+
+/// ACME Configuration for auto-generating production certificates
+/// *ITSI_ACME_CACHE_DIR* - Directory to store cached certificates
+/// so that these are not regenerated every time the server starts
+pub static ITSI_ACME_CACHE_DIR: StringVar = LazyLock::new(|| {
+    var("ITSI_ACME_CACHE_DIR").unwrap_or_else(|_| "./.rustls_acme_cache".to_string())
+});
+
+/// *ITSI_ACME_CONTACT_EMAIL* - Contact Email address to provide to ACME server during certificate renewal
+pub static ITSI_ACME_CONTACT_EMAIL: MaybeStringVar =
+    LazyLock::new(|| var("ITSI_ACME_CONTACT_EMAIL"));
+
+/// *ITSI_ACME_CA_PEM_PATH* - Optional CA Pem path, used for testing with non-trusted CAs for certifcate generation.
+pub static ITSI_ACME_CA_PEM_PATH: MaybeStringVar = LazyLock::new(|| var("ITSI_ACME_CA_PEM_PATH"));
+
+/// *ITSI_ACME_DIRECTORY_URL* - Directory URL to use for ACME certificate generation.
+pub static ITSI_ACME_DIRECTORY_URL: StringVar = LazyLock::new(|| {
+    var("ITSI_ACME_DIRECTORY_URL")
+        .unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string())
+});
+
+/// *ITSI_ACME_LOCK_FILE_NAME* - Name of the lock file used to prevent concurrent certificate generation.
+pub static ITSI_ACME_LOCK_FILE_NAME: StringVar =
+    LazyLock::new(|| var("ITSI_ACME_LOCK_FILE_NAME").unwrap_or(".acme.lock".to_string()));
+
+pub static ITSI_LOCAL_CA_DIR: PathVar = LazyLock::new(|| {
+    var("ITSI_LOCAL_CA_DIR")
+        .map(PathBuf::from)
+        .unwrap_or_else(|_| {
+            dirs::home_dir()
+                .expect("Failed to find HOME directory when initializing ITSI_LOCAL_CA_DIR")
+                .join(".itsi")
+        })
+});

data/crates/itsi_server/src/lib.rs

@@ -6,6 +6,7 @@ use server::{itsi_server::Server, signal::reset_signal_handlers};
 use tracing::*;
 
 pub mod body_proxy;
+pub mod env;
 pub mod request;
 pub mod response;
 pub mod server;

data/crates/itsi_server/src/server/serve_strategy/single_mode.rs

@@ -83,7 +83,7 @@ impl SingleMode {
         Ok(())
     }
 
-    #[instrument(parent=None, skip(self))]
+    #[instrument(parent=None, skip(self), fields(pid=format!("{}", Pid::this())))]
     pub fn run(self: Arc<Self>) -> Result<()> {
         let mut listener_task_set = JoinSet::new();
         let self_ref = Arc::new(self);

data/crates/itsi_server/src/server/tls/locked_dir_cache.rs

@@ -1,34 +1,68 @@
 use async_trait::async_trait;
-use fs2::FileExt; // for lock_exclusive, unlock
-use std::fs::OpenOptions;
+use fs2::FileExt;
+use parking_lot::Mutex;
+use std::fs::{self, OpenOptions};
 use std::io::Error as IoError;
 use std::path::{Path, PathBuf};
 use tokio_rustls_acme::caches::DirCache;
 use tokio_rustls_acme::{AccountCache, CertCache};
 
+use crate::env::ITSI_ACME_LOCK_FILE_NAME;
+
 /// A wrapper around DirCache that locks a file before writing cert/account data.
 pub struct LockedDirCache<P: AsRef<Path> + Send + Sync> {
     inner: DirCache<P>,
     lock_path: PathBuf,
+    current_lock: Mutex<Option<std::fs::File>>,
 }
 
 impl<P: AsRef<Path> + Send + Sync> LockedDirCache<P> {
     pub fn new(dir: P) -> Self {
         let dir_path = dir.as_ref().to_path_buf();
-        let lock_path = dir_path.join(".acme.lock");
+        std::fs::create_dir_all(&dir_path).unwrap();
+        let lock_path = dir_path.join(&*ITSI_ACME_LOCK_FILE_NAME);
+        Self::touch_file(&lock_path).expect("Failed to create lock file");
+
         Self {
             inner: DirCache::new(dir),
             lock_path,
+            current_lock: Mutex::new(None),
+        }
+    }
+
+    fn touch_file(path: &PathBuf) -> std::io::Result<()> {
+        if let Some(parent) = path.parent() {
+            fs::create_dir_all(parent)?;
         }
+        fs::OpenOptions::new()
+            .create(true)
+            .write(true)
+            .truncate(true)
+            .open(path)?;
+        Ok(())
     }
 
-    fn lock_exclusive(&self) -> Result<std::fs::File, IoError> {
+    fn lock_exclusive(&self) -> Result<(), IoError> {
+        if self.current_lock.lock().is_some() {
+            return Ok(());
+        }
+
+        if let Some(parent) = self.lock_path.parent() {
+            std::fs::create_dir_all(parent)?;
+        }
         let lockfile = OpenOptions::new()
+            .create(true)
             .write(true)
             .truncate(true)
             .open(&self.lock_path)?;
         lockfile.lock_exclusive()?;
-        Ok(lockfile)
+        *self.current_lock.lock() = Some(lockfile);
+        Ok(())
+    }
+
+    fn unlock(&self) -> Result<(), IoError> {
+        self.current_lock.lock().take();
+        Ok(())
     }
 }
 
@@ -41,8 +75,14 @@ impl<P: AsRef<Path> + Send + Sync> CertCache for LockedDirCache<P> {
         domains: &[String],
         directory_url: &str,
     ) -> Result<Option<Vec<u8>>, Self::EC> {
-        // Just delegate to the inner DirCache
-        self.inner.load_cert(domains, directory_url).await
+        self.lock_exclusive()?;
+        let result = self.inner.load_cert(domains, directory_url).await;
+
+        if let Ok(Some(_)) = result {
+            self.unlock()?;
+        }
+
+        result
     }
 
     async fn store_cert(
@@ -52,13 +92,14 @@ impl<P: AsRef<Path> + Send + Sync> CertCache for LockedDirCache<P> {
         cert: &[u8],
     ) -> Result<(), Self::EC> {
         // Acquire the lock before storing
-        let lockfile = self.lock_exclusive()?;
+        self.lock_exclusive()?;
 
         // Perform the store operation
         let result = self.inner.store_cert(domains, directory_url, cert).await;
 
-        // Unlock and return
-        let _ = fs2::FileExt::unlock(&lockfile);
+        if let Ok(()) = result {
+            self.unlock()?;
+        }
         result
     }
 }
@@ -72,6 +113,7 @@ impl<P: AsRef<Path> + Send + Sync> AccountCache for LockedDirCache<P> {
         contact: &[String],
         directory_url: &str,
     ) -> Result<Option<Vec<u8>>, Self::EA> {
+        self.lock_exclusive()?;
         self.inner.load_account(contact, directory_url).await
     }
 
@@ -81,14 +123,10 @@ impl<P: AsRef<Path> + Send + Sync> AccountCache for LockedDirCache<P> {
         directory_url: &str,
         account: &[u8],
     ) -> Result<(), Self::EA> {
-        let lockfile = self.lock_exclusive()?;
+        self.lock_exclusive()?;
 
-        let result = self
-            .inner
+        self.inner
             .store_account(contact, directory_url, account)
-            .await;
-
-        let _ = fs2::FileExt::unlock(&lockfile);
-        result
+            .await
     }
 }

data/crates/itsi_server/src/server/tls.rs

@@ -2,21 +2,29 @@ use base64::{engine::general_purpose, Engine as _};
 use itsi_error::Result;
 use itsi_tracing::info;
 use locked_dir_cache::LockedDirCache;
-use rcgen::{CertificateParams, DnType, KeyPair, SanType};
-use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use rcgen::{
+    generate_simple_self_signed, CertificateParams, CertifiedKey, DnType, KeyPair, SanType,
+};
+use rustls::{
+    pki_types::{CertificateDer, PrivateKeyDer},
+    ClientConfig, RootCertStore,
+};
 use rustls_pemfile::{certs, pkcs8_private_keys};
 use std::{
     collections::HashMap,
-    env, fs,
+    fs,
     io::{BufReader, Error},
     sync::Arc,
 };
 use tokio::sync::Mutex;
 use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
 use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
+
+use crate::env::{
+    ITSI_ACME_CACHE_DIR, ITSI_ACME_CA_PEM_PATH, ITSI_ACME_CONTACT_EMAIL, ITSI_ACME_DIRECTORY_URL,
+    ITSI_LOCAL_CA_DIR,
+};
 mod locked_dir_cache;
-const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
-const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
 
 #[derive(Clone)]
 pub enum ItsiTlsAcceptor {
@@ -28,11 +36,12 @@ pub enum ItsiTlsAcceptor {
     ),
 }
 
-// Generates a TLS configuration based on either :
-// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
-// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
-// If a non-local host or optional domain parameter is provided,
-// an automated certificate will attempt to be fetched using let's encrypt.
+/// Generates a TLS configuration based on either :
+/// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
+/// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
+///
+/// If a non-local host or optional domain parameter is provided,
+/// an automated certificate will attempt to be fetched using let's encrypt.
 pub fn configure_tls(
     host: &str,
     query_params: &HashMap<String, String>,
@@ -41,22 +50,55 @@ pub fn configure_tls(
         .get("domains")
         .map(|v| v.split(',').map(String::from).collect::<Vec<_>>());
 
-    if query_params.get("cert").is_none() || query_params.get("key").is_none() {
+    if query_params.get("cert").is_some_and(|c| c == "auto") {
         if let Some(domains) = domains {
-            let directory_url = env::var("ACME_DIRECTORY_URL")
-                .unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string());
+            let directory_url = &*ITSI_ACME_DIRECTORY_URL;
             info!(
                 domains = format!("{:?}", domains),
                 directory_url, "Requesting acme cert"
             );
-            let acme_state = AcmeConfig::new(domains)
-                .contact(["mailto:wc@pico.net.nz"])
-                .cache(LockedDirCache::new("./rustls_acme_cache"))
-                .directory(directory_url)
-                .state();
-            let rustls_config = ServerConfig::builder()
+
+            let acme_config = AcmeConfig::new(domains)
+                .contact([format!("mailto:{}", (*ITSI_ACME_CONTACT_EMAIL).as_ref().map_err(|_| {
+                    itsi_error::ItsiError::ArgumentError(
+                      "ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate production certificates"
+                          .to_string(),
+                  )
+                })?)])
+                .cache(LockedDirCache::new(&*ITSI_ACME_CACHE_DIR))
+                .directory(directory_url);
+
+            let acme_state = if let Ok(ca_pem_path) = &*ITSI_ACME_CA_PEM_PATH {
+                let mut root_cert_store = RootCertStore::empty();
+
+                let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
+                let mut ca_reader = BufReader::new(&ca_pem[..]);
+                let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
+                    .collect::<std::result::Result<Vec<CertificateDer>, _>>()
+                    .map_err(|e| {
+                        itsi_error::ItsiError::ArgumentError(format!(
+                            "Invalid ACME CA Pem path {:?}",
+                            e
+                        ))
+                    })?;
+                root_cert_store.add_parsable_certificates(der_certs);
+
+                let client_config = ClientConfig::builder()
+                    .with_root_certificates(root_cert_store)
+                    .with_no_client_auth();
+                acme_config
+                    .client_tls_config(Arc::new(client_config))
+                    .state()
+            } else {
+                acme_config.state()
+            };
+
+            let mut rustls_config = ServerConfig::builder()
                 .with_no_client_auth()
                 .with_cert_resolver(acme_state.resolver());
+
+            rustls_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+
             let acceptor = acme_state.acceptor();
             return Ok(ItsiTlsAcceptor::Automatic(
                 acceptor,
@@ -73,7 +115,7 @@ pub fn configure_tls(
         let key = load_private_key(key_path);
         (certs, key)
     } else {
-        generate_ca_signed_cert(vec![host.to_owned()])?
+        generate_ca_signed_cert(domains.unwrap_or(vec![host.to_owned()]))?
     };
 
     let mut config = ServerConfig::builder()
@@ -145,9 +187,10 @@ pub fn generate_ca_signed_cert(
     domains: Vec<String>,
 ) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> {
     info!("Generating New Itsi CA - Self signed Certificate. Use `itsi ca export` to export the CA certificate for import into your local trust store.");
+    let (ca_key_pem, ca_cert_pem) = get_or_create_local_dev_ca()?;
 
-    let ca_kp = KeyPair::from_pem(ITS_CA_KEY).expect("Failed to load embedded CA key");
-    let ca_cert = CertificateParams::from_ca_cert_pem(ITS_CA_CERT)
+    let ca_kp = KeyPair::from_pem(&ca_key_pem).expect("Failed to load CA key");
+    let ca_cert = CertificateParams::from_ca_cert_pem(&ca_cert_pem)
         .expect("Failed to parse embedded CA certificate")
         .self_signed(&ca_kp)
         .expect("Failed to self-sign embedded CA cert");
@@ -187,3 +230,29 @@ pub fn generate_ca_signed_cert(
         PrivateKeyDer::try_from(ee_key.serialize_der()).unwrap(),
     ))
 }
+
+fn get_or_create_local_dev_ca() -> Result<(String, String)> {
+    let ca_dir = &*ITSI_LOCAL_CA_DIR;
+    fs::create_dir_all(ca_dir)?;
+
+    let key_path = ca_dir.join("itsi_dev_ca.key");
+    let cert_path = ca_dir.join("itsi_dev_ca.crt");
+
+    if key_path.exists() && cert_path.exists() {
+        // Already have a local CA
+        let key_pem = fs::read_to_string(&key_path)?;
+        let cert_pem = fs::read_to_string(&cert_path)?;
+
+        Ok((key_pem, cert_pem))
+    } else {
+        let subject_alt_names = vec!["dev.itsi.fyi".to_string(), "localhost".to_string()];
+
+        let CertifiedKey { cert, key_pair } =
+            generate_simple_self_signed(subject_alt_names).unwrap();
+
+        fs::write(&key_path, key_pair.serialize_pem())?;
+        fs::write(&cert_path, cert.pem())?;
+
+        Ok((key_pair.serialize_pem(), cert.pem()))
+    }
+}

data/gems/scheduler/ext/itsi_error/src/lib.rs

@@ -3,7 +3,7 @@ use thiserror::Error;
 
 pub type Result<T> = std::result::Result<T, ItsiError>;
 
-#[derive(Error, Debug)]
+#[derive(Error, Debug, Clone)]
 pub enum ItsiError {
     #[error("Invalid input {0}")]
     InvalidInput(String),

data/gems/scheduler/ext/itsi_server/Cargo.toml

@@ -44,3 +44,4 @@ rustls = "0.23.23"
 fs2 = "0.4.3"
 ring = "0.17.14"
 async-trait = "0.1.87"
+dirs = "6.0.0"

data/gems/scheduler/ext/itsi_server/src/env.rs

@@ -0,0 +1,43 @@
+use std::{
+    env::{var, VarError},
+    path::PathBuf,
+    sync::LazyLock,
+};
+
+type StringVar = LazyLock<String>;
+type MaybeStringVar = LazyLock<Result<String, VarError>>;
+type PathVar = LazyLock<PathBuf>;
+
+/// ACME Configuration for auto-generating production certificates
+/// *ITSI_ACME_CACHE_DIR* - Directory to store cached certificates
+/// so that these are not regenerated every time the server starts
+pub static ITSI_ACME_CACHE_DIR: StringVar = LazyLock::new(|| {
+    var("ITSI_ACME_CACHE_DIR").unwrap_or_else(|_| "./.rustls_acme_cache".to_string())
+});
+
+/// *ITSI_ACME_CONTACT_EMAIL* - Contact Email address to provide to ACME server during certificate renewal
+pub static ITSI_ACME_CONTACT_EMAIL: MaybeStringVar =
+    LazyLock::new(|| var("ITSI_ACME_CONTACT_EMAIL"));
+
+/// *ITSI_ACME_CA_PEM_PATH* - Optional CA Pem path, used for testing with non-trusted CAs for certifcate generation.
+pub static ITSI_ACME_CA_PEM_PATH: MaybeStringVar = LazyLock::new(|| var("ITSI_ACME_CA_PEM_PATH"));
+
+/// *ITSI_ACME_DIRECTORY_URL* - Directory URL to use for ACME certificate generation.
+pub static ITSI_ACME_DIRECTORY_URL: StringVar = LazyLock::new(|| {
+    var("ITSI_ACME_DIRECTORY_URL")
+        .unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string())
+});
+
+/// *ITSI_ACME_LOCK_FILE_NAME* - Name of the lock file used to prevent concurrent certificate generation.
+pub static ITSI_ACME_LOCK_FILE_NAME: StringVar =
+    LazyLock::new(|| var("ITSI_ACME_LOCK_FILE_NAME").unwrap_or(".acme.lock".to_string()));
+
+pub static ITSI_LOCAL_CA_DIR: PathVar = LazyLock::new(|| {
+    var("ITSI_LOCAL_CA_DIR")
+        .map(PathBuf::from)
+        .unwrap_or_else(|_| {
+            dirs::home_dir()
+                .expect("Failed to find HOME directory when initializing ITSI_LOCAL_CA_DIR")
+                .join(".itsi")
+        })
+});

data/gems/scheduler/ext/itsi_server/src/lib.rs

@@ -6,6 +6,7 @@ use server::{itsi_server::Server, signal::reset_signal_handlers};
 use tracing::*;
 
 pub mod body_proxy;
+pub mod env;
 pub mod request;
 pub mod response;
 pub mod server;

data/gems/scheduler/ext/itsi_server/src/server/serve_strategy/single_mode.rs

@@ -83,7 +83,7 @@ impl SingleMode {
         Ok(())
     }
 
-    #[instrument(parent=None, skip(self))]
+    #[instrument(parent=None, skip(self), fields(pid=format!("{}", Pid::this())))]
     pub fn run(self: Arc<Self>) -> Result<()> {
         let mut listener_task_set = JoinSet::new();
         let self_ref = Arc::new(self);