apns_h2/

client.rs

//! The client module for sending requests and parsing responses

use crate::error::Error;
use crate::error::Error::ResponseError;
use crate::signer::Signer;
use tokio::time::timeout;

use crate::request::payload::PayloadLike;
use crate::response::Response;
use http::header::{AUTHORIZATION, CONTENT_LENGTH, CONTENT_TYPE};
use http_body_util::combinators::BoxBody;
use http_body_util::{BodyExt, Full};
use hyper::body::Bytes;
use hyper::{self, StatusCode};
use hyper_rustls::{HttpsConnector, HttpsConnectorBuilder};
use hyper_util::client::legacy::Client as HttpClient;
use hyper_util::client::legacy::connect::HttpConnector;
use hyper_util::rt::{TokioExecutor, TokioTimer};
use std::convert::Infallible;
use std::io::Read;
use std::sync::Arc;
use std::time::Duration;
use std::{fmt, io};

const DEFAULT_REQUEST_TIMEOUT: Duration = Duration::from_secs(20);

type HyperConnector = HttpsConnector<HttpConnector>;

/// The APNs service endpoint to connect.
#[derive(Debug, Clone)]
pub enum Endpoint {
    /// The production environment (api.push.apple.com)
    Production,
    /// The development/test environment (api.sandbox.push.apple.com)
    Sandbox,
}

impl fmt::Display for Endpoint {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let host = match self {
            Endpoint::Production => "api.push.apple.com",
            Endpoint::Sandbox => "api.sandbox.push.apple.com",
        };

        write!(f, "{}", host)
    }
}

/// Handles requests to and responses from Apple Push Notification service.
/// Connects using a given connector. Handles the needed authentication and
/// maps responses.
///
/// The `send` method returns a future, which is successful when APNs receives
/// the notification and responds with a status OK. In any other case the future
/// fails. If APNs gives a reason for the failure, the returned `Err`
/// holds the response for handling.
#[derive(Debug, Clone)]
pub struct Client {
    options: ConnectionOptions,
    http_client: HttpClient<HyperConnector, BoxBody<Bytes, Infallible>>,
}

#[derive(Debug, Clone)]
/// The default implementation uses [`Endpoint::Production`] and can be created
/// trough calling [`ClientConfig::default`].
pub struct ClientConfig {
    /// The endpoint where the requests are sent to
    pub endpoint: Endpoint,
    /// The timeout of the HTTP requests
    pub request_timeout: Option<Duration>,
    /// The timeout for idle sockets being kept alive
    pub pool_idle_timeout: Option<Duration>,
    pub http2_keep_alive_interval: Option<Duration>,
    pub http2_keep_alive_while_idle: bool,
}

impl Default for ClientConfig {
    fn default() -> Self {
        Self {
            endpoint: Endpoint::Production,
            request_timeout: Some(DEFAULT_REQUEST_TIMEOUT),
            pool_idle_timeout: None,
            // Send HTTP/2 PING every 1 hour as per: https://developer.apple.com/documentation/usernotifications/sending-notification-requests-to-apns#Follow-best-practices-while-sending-push-notifications-with-APNs
            // Reuse a connection as long as possible. In most cases, you can reuse a connection for many hours to days. If your connection is mostly idle, you may send a HTTP2 PING frame after an hour of inactivity. Reusing a connection often results in less bandwidth and CPU consumption.
            http2_keep_alive_interval: Some(Duration::from_secs(60 * 60)),
            http2_keep_alive_while_idle: true,
        }
    }
}

impl ClientConfig {
    pub fn new(endpoint: Endpoint) -> Self {
        ClientConfig {
            endpoint,
            ..Default::default()
        }
    }
}

#[derive(Debug, Clone, Default)]
struct ClientBuilder {
    config: ClientConfig,
    signer: Option<Signer>,
    connector: Option<HyperConnector>,
}

impl ClientBuilder {
    fn connector(mut self, connector: HyperConnector) -> Self {
        self.connector = Some(connector);
        self
    }

    fn signer(mut self, signer: Signer) -> Self {
        self.signer = Some(signer);
        self
    }

    fn config(mut self, config: ClientConfig) -> Self {
        self.config = config;
        self
    }

    fn build(self) -> Result<Client, Error> {
        let ClientBuilder {
            config:
                ClientConfig {
                    endpoint,
                    request_timeout,
                    pool_idle_timeout,
                    http2_keep_alive_interval,
                    http2_keep_alive_while_idle,
                },
            signer,
            connector,
        } = self;

        let connector = if let Some(connector) = connector {
            connector
        } else {
            default_connector()?
        };

        let http_client = HttpClient::builder(TokioExecutor::new())
            .pool_idle_timeout(pool_idle_timeout)
            .http2_only(true)
            .http2_keep_alive_interval(http2_keep_alive_interval)
            .http2_keep_alive_while_idle(http2_keep_alive_while_idle)
            .timer(TokioTimer::new())
            .build(connector);

        Ok(Client {
            http_client,
            options: ConnectionOptions::new(endpoint, signer, request_timeout),
        })
    }
}

#[derive(Debug, Clone)]
struct ConnectionOptions {
    endpoint: Endpoint,
    request_timeout: Duration,
    signer: Option<Signer>,
}

impl ConnectionOptions {
    fn new(endpoint: Endpoint, signer: Option<Signer>, request_timeout: Option<Duration>) -> Self {
        let request_timeout = request_timeout.unwrap_or(DEFAULT_REQUEST_TIMEOUT);
        Self {
            endpoint,
            request_timeout,
            signer,
        }
    }
}

impl Client {
    /// Creates a builder for the [`Client`] that uses the default connector and
    /// [`Endpoint::Production`]
    fn builder() -> ClientBuilder {
        ClientBuilder::default()
    }

    /// Create a connection to APNs using a PKCS#12 provider certificate (PFX/.p12).
    pub fn certificate<R>(certificate: &mut R, password: &str, config: ClientConfig) -> Result<Client, Error>
    where
        R: Read,
    {
        #[cfg(feature = "aws-lc-rs")]
        fn create_connector(
            certificate_bytes: &[u8],
            password: &str,
        ) -> Result<HttpsConnector<HttpConnector>, Error> {
            // Parse the PKCS#12 archive into PEM-encoded certificate chain and private key
            let (cert_pem, key_pem) = crate::pkcs12::parse_pkcs12(certificate_bytes, password)?;
            // Build a TLS connector using the parsed certificate and key PEM blocks

            client_cert_connector(&cert_pem, &key_pem)
        }

        #[cfg(all(not(feature = "aws-lc-rs"), feature = "openssl"))]
        fn create_connector(
            certificate_bytes: &[u8],
            password: &str,
        ) -> Result<HttpsConnector<HttpConnector>, Error> {
            let pkcs = openssl::pkcs12::Pkcs12::from_der(certificate_bytes)?.parse2(password)?;
            let Some((cert, pkey)) = pkcs.cert.zip(pkcs.pkey) else {
                return Err(Error::InvalidCertificate);
            };
            client_cert_connector(&cert.to_pem()?, &pkey.private_key_to_pem_pkcs8()?)
        }

        // Load all bytes from the certificate reader
        let certificate_bytes = {
            let mut data = Vec::<u8>::new();
            certificate.read_to_end(&mut data)?;
            data
        };

        let connector = create_connector(certificate_bytes.as_ref(), password)?;
        Self::builder().connector(connector).config(config).build()
    }

    /// Create a connection to APNs using the raw PEM-formatted certificate and
    /// key, extracted from the provider client certificate you obtain from your
    /// [Apple developer account](https://developer.apple.com/account/)
    pub fn certificate_parts(cert_pem: &[u8], key_pem: &[u8], config: ClientConfig) -> Result<Client, Error> {
        let connector = client_cert_connector(cert_pem, key_pem)?;

        Self::builder().config(config).connector(connector).build()
    }

    /// Create a connection to APNs using system certificates, signing every
    /// request with a signature using a private key, key id and team id
    /// provisioned from your [Apple developer
    /// account](https://developer.apple.com/account/).
    pub fn token<S, T, R>(pkcs8_pem: R, key_id: S, team_id: T, config: ClientConfig) -> Result<Client, Error>
    where
        S: Into<String>,
        T: Into<String>,
        R: Read,
    {
        let signature_ttl = Duration::from_secs(60 * 55);
        let signer = Signer::new(pkcs8_pem, key_id, team_id, signature_ttl)?;

        Self::builder().config(config).signer(signer).build()
    }

    /// Send a notification payload.
    ///
    /// See [ErrorReason](enum.ErrorReason.html) for possible errors.
    #[cfg_attr(feature = "tracing", ::tracing::instrument)]
    pub async fn send<T: PayloadLike>(&self, payload: T) -> Result<Response, Error> {
        let request = self.build_request(payload)?;
        let requesting = self.http_client.request(request);

        let Ok(response_result) = timeout(self.options.request_timeout, requesting).await else {
            return Err(Error::RequestTimeout(self.options.request_timeout.as_secs()));
        };

        let response = response_result?;

        let header_map = response.headers();

        fn get_header_key_opt(header_map: &http::HeaderMap, key: &'static str) -> Option<String> {
            header_map
                .get(key)
                .and_then(|s| s.to_str().ok())
                .map(String::from)
        }

        let apns_id = get_header_key_opt(header_map, "apns-id");

        let apns_unique_id = if matches!(self.options.endpoint, Endpoint::Sandbox) {
            get_header_key_opt(header_map, "apns-unique-id")
        } else {
            None
        };

        match response.status() {
            StatusCode::OK => Ok(Response {
                apns_id,
                apns_unique_id,
                error: None,
                code: response.status().as_u16(),
            }),
            status => {
                let body = response.into_body().collect().await?;

                Err(ResponseError(Response {
                    apns_id,
                    apns_unique_id,
                    error: serde_json::from_slice(&body.to_bytes()).ok(),
                    code: status.as_u16(),
                }))
            }
        }
    }

    fn build_request<T: PayloadLike>(
        &self,
        payload: T,
    ) -> Result<hyper::Request<BoxBody<Bytes, Infallible>>, Error> {
        let path = format!(
            "https://{}/3/device/{}",
            self.options.endpoint,
            payload.get_device_token()
        );

        let mut builder = hyper::Request::builder()
            .uri(&path)
            .method("POST")
            .header(CONTENT_TYPE, "application/json");

        let options = payload.get_options();
        if let Some(ref apns_priority) = options.apns_priority {
            builder = builder.header("apns-priority", apns_priority.to_string().as_bytes());
        }
        if let Some(apns_id) = options.apns_id {
            builder = builder.header("apns-id", apns_id.as_bytes());
        }
        if let Some(apns_push_type) = options.apns_push_type.as_ref() {
            builder = builder.header("apns-push-type", apns_push_type.to_string().as_bytes());
        }
        if let Some(ref apns_expiration) = options.apns_expiration {
            builder = builder.header("apns-expiration", apns_expiration.to_string().as_bytes());
        }
        if let Some(ref apns_collapse_id) = options.apns_collapse_id {
            builder = builder.header("apns-collapse-id", apns_collapse_id.value.as_bytes());
        }
        if let Some(apns_topic) = options.apns_topic {
            builder = builder.header("apns-topic", apns_topic.as_bytes());
        }
        if let Some(ref signer) = self.options.signer {
            let auth = signer.with_signature(|signature| format!("Bearer {}", signature))?;

            builder = builder.header(AUTHORIZATION, auth.as_bytes());
        }

        let payload_json = payload.to_json_string()?;
        builder = builder.header(CONTENT_LENGTH, format!("{}", payload_json.len()).as_bytes());

        let request_body = Full::from(payload_json.into_bytes()).boxed();
        builder.body(request_body).map_err(Error::BuildRequestError)
    }
}

#[cfg(feature = "aws-lc-rs")]
fn default_crypto_provider() -> Arc<rustls::crypto::CryptoProvider> {
    Arc::new(rustls::crypto::aws_lc_rs::default_provider())
}

#[cfg(all(not(feature = "aws-lc-rs"), feature = "openssl"))]
fn default_crypto_provider() -> Arc<rustls::crypto::CryptoProvider> {
    Arc::new(rustls_openssl::default_provider())
}

#[cfg(all(not(feature = "aws-lc-rs"), not(feature = "openssl")))]
fn default_crypto_provider() -> Arc<rustls::crypto::CryptoProvider> {
    panic!("No provider set");
}

/// Create a [`rustls::ConfigBuilder`] with the provider preset and platform
/// verifier enabled
fn client_config_builder()
-> Result<rustls::ConfigBuilder<rustls::ClientConfig, rustls::client::WantsClientCert>, Error> {
    use hyper_rustls::ConfigBuilderExt as _;
    // Allow setting a runtime default crypto provider, otherwise use the
    // default.
    let provider = rustls::crypto::CryptoProvider::get_default()
        .cloned()
        .unwrap_or_else(default_crypto_provider);

    Ok(rustls::client::ClientConfig::builder_with_provider(provider)
        .with_safe_default_protocol_versions()?
        .try_with_platform_verifier()?)
}

/// Create a connector with safe defaults
fn default_connector() -> Result<HyperConnector, Error> {
    let config = client_config_builder()?.with_no_client_auth();

    Ok(HttpsConnectorBuilder::new()
        .with_tls_config(config)
        .https_only()
        .enable_http2()
        .build())
}

fn client_cert_connector(cert_pem: &[u8], key_pem: &[u8]) -> Result<HyperConnector, Error> {
    use rustls_pki_types::{CertificateDer, PrivatePkcs8KeyDer, pem::PemObject};

    let cert_error_fn = |e: rustls_pki_types::pem::Error| io::Error::new(io::ErrorKind::InvalidData, e);

    let key = PrivatePkcs8KeyDer::from_pem_slice(key_pem).map_err(cert_error_fn)?;

    let cert_chain = CertificateDer::pem_slice_iter(cert_pem)
        .collect::<Result<Vec<_>, _>>()
        .map_err(cert_error_fn)?;

    let config = client_config_builder()?.with_client_auth_cert(cert_chain, key.into())?;

    Ok(HttpsConnectorBuilder::new()
        .with_tls_config(config)
        .https_only()
        .enable_http2()
        .build())
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::PushType;
    use crate::request::notification::DefaultNotificationBuilder;
    use crate::request::notification::NotificationBuilder;
    use crate::request::notification::{CollapseId, NotificationOptions, Priority};
    use crate::signer::Signer;
    use http::header::{AUTHORIZATION, CONTENT_LENGTH, CONTENT_TYPE};
    use hyper::Method;

    const PRIVATE_KEY: &str = "-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg8g/n6j9roKvnUkwu
lCEIvbDqlUhA5FOzcakkG90E8L+hRANCAATKS2ZExEybUvchRDuKBftotMwVEus3
jDwmlD1Gg0yJt1e38djFwsxsfr5q2hv0Rj9fTEqAPr8H7mGm0wKxZ7iQ
-----END PRIVATE KEY-----";

    #[test]
    fn test_production_request_uri() {
        let builder = DefaultNotificationBuilder::new();
        let payload = builder.build("a_test_id", Default::default());
        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();
        let uri = format!("{}", request.uri());

        assert_eq!("https://api.push.apple.com/3/device/a_test_id", &uri);
    }

    #[test]
    fn test_sandbox_request_uri() {
        let builder = DefaultNotificationBuilder::new();
        let payload = builder.build("a_test_id", Default::default());
        let client = Client::builder()
            .config(ClientConfig {
                endpoint: Endpoint::Sandbox,
                ..Default::default()
            })
            .build()
            .unwrap();
        let request = client.build_request(payload).unwrap();
        let uri = format!("{}", request.uri());

        assert_eq!("https://api.sandbox.push.apple.com/3/device/a_test_id", &uri);
    }

    #[test]
    fn test_request_method() {
        let builder = DefaultNotificationBuilder::new();
        let payload = builder.build("a_test_id", Default::default());
        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();

        assert_eq!(&Method::POST, request.method());
    }

    #[test]
    fn test_request_invalid() {
        let builder = DefaultNotificationBuilder::new();
        let payload = builder.build("\r\n", Default::default());
        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload);

        assert!(matches!(request, Err(Error::BuildRequestError(_))));
    }

    #[test]
    fn test_request_content_type() {
        let builder = DefaultNotificationBuilder::new();
        let payload = builder.build("a_test_id", Default::default());
        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();

        assert_eq!("application/json", request.headers().get(CONTENT_TYPE).unwrap());
    }

    #[test]
    fn test_request_content_length() {
        let builder = DefaultNotificationBuilder::new();
        let payload = builder.build("a_test_id", Default::default());
        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload.clone()).unwrap();
        let payload_json = payload.to_json_string().unwrap();
        let content_length = request.headers().get(CONTENT_LENGTH).unwrap().to_str().unwrap();

        assert_eq!(&format!("{}", payload_json.len()), content_length);
    }

    #[test]
    fn test_request_authorization_with_no_signer() {
        let builder = DefaultNotificationBuilder::new();
        let payload = builder.build("a_test_id", Default::default());
        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();

        assert_eq!(None, request.headers().get(AUTHORIZATION));
    }

    #[test]
    fn test_request_authorization_with_a_signer() {
        let signer = Signer::new(
            PRIVATE_KEY.as_bytes(),
            "89AFRD1X22",
            "ASDFQWERTY",
            Duration::from_secs(100),
        )
        .unwrap();

        let builder = DefaultNotificationBuilder::new();
        let payload = builder.build("a_test_id", Default::default());
        let client = Client::builder().signer(signer).build().unwrap();
        let request = client.build_request(payload).unwrap();

        assert_ne!(None, request.headers().get(AUTHORIZATION));
    }

    #[test]
    fn test_request_with_background_type() {
        let builder = DefaultNotificationBuilder::new();
        let options = NotificationOptions {
            apns_push_type: Some(PushType::Background),
            ..Default::default()
        };
        let payload = builder.build("a_test_id", options);
        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();
        let apns_push_type = request.headers().get("apns-push-type").unwrap();

        assert_eq!("background", apns_push_type);
    }

    #[test]
    fn test_request_with_default_priority() {
        let builder = DefaultNotificationBuilder::new();
        let payload = builder.build("a_test_id", Default::default());
        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();
        let apns_priority = request.headers().get("apns-priority");

        assert_eq!(None, apns_priority);
    }

    #[test]
    fn test_request_with_normal_priority() {
        let builder = DefaultNotificationBuilder::new();

        let payload = builder.build(
            "a_test_id",
            NotificationOptions {
                apns_priority: Some(Priority::Normal),
                ..Default::default()
            },
        );

        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();
        let apns_priority = request.headers().get("apns-priority").unwrap();

        assert_eq!("5", apns_priority);
    }

    #[test]
    fn test_request_with_high_priority() {
        let builder = DefaultNotificationBuilder::new();

        let payload = builder.build(
            "a_test_id",
            NotificationOptions {
                apns_priority: Some(Priority::High),
                ..Default::default()
            },
        );

        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();
        let apns_priority = request.headers().get("apns-priority").unwrap();

        assert_eq!("10", apns_priority);
    }

    #[test]
    fn test_request_with_default_apns_id() {
        let builder = DefaultNotificationBuilder::new();

        let payload = builder.build("a_test_id", Default::default());

        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();
        let apns_id = request.headers().get("apns-id");

        assert_eq!(None, apns_id);
    }

    #[test]
    fn test_request_with_an_apns_id() {
        let builder = DefaultNotificationBuilder::new();

        let payload = builder.build(
            "a_test_id",
            NotificationOptions {
                apns_id: Some("a-test-apns-id"),
                ..Default::default()
            },
        );

        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();
        let apns_id = request.headers().get("apns-id").unwrap();

        assert_eq!("a-test-apns-id", apns_id);
    }

    #[test]
    fn test_request_with_default_apns_expiration() {
        let builder = DefaultNotificationBuilder::new();

        let payload = builder.build("a_test_id", Default::default());

        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();
        let apns_expiration = request.headers().get("apns-expiration");

        assert_eq!(None, apns_expiration);
    }

    #[test]
    fn test_request_with_an_apns_expiration() {
        let builder = DefaultNotificationBuilder::new();

        let payload = builder.build(
            "a_test_id",
            NotificationOptions {
                apns_expiration: Some(420),
                ..Default::default()
            },
        );

        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();
        let apns_expiration = request.headers().get("apns-expiration").unwrap();

        assert_eq!("420", apns_expiration);
    }

    #[test]
    fn test_request_with_default_apns_collapse_id() {
        let builder = DefaultNotificationBuilder::new();

        let payload = builder.build("a_test_id", Default::default());

        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();
        let apns_collapse_id = request.headers().get("apns-collapse-id");

        assert_eq!(None, apns_collapse_id);
    }

    #[test]
    fn test_request_with_an_apns_collapse_id() {
        let builder = DefaultNotificationBuilder::new();

        let payload = builder.build(
            "a_test_id",
            NotificationOptions {
                apns_collapse_id: Some(CollapseId::new("a_collapse_id").unwrap()),
                ..Default::default()
            },
        );

        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();
        let apns_collapse_id = request.headers().get("apns-collapse-id").unwrap();

        assert_eq!("a_collapse_id", apns_collapse_id);
    }

    #[test]
    fn test_request_with_default_apns_topic() {
        let builder = DefaultNotificationBuilder::new();

        let payload = builder.build("a_test_id", Default::default());

        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();
        let apns_topic = request.headers().get("apns-topic");

        assert_eq!(None, apns_topic);
    }

    #[test]
    fn test_request_with_an_apns_topic() {
        let builder = DefaultNotificationBuilder::new();

        let payload = builder.build(
            "a_test_id",
            NotificationOptions {
                apns_topic: Some("a_topic"),
                ..Default::default()
            },
        );

        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload).unwrap();
        let apns_topic = request.headers().get("apns-topic").unwrap();

        assert_eq!("a_topic", apns_topic);
    }

    #[tokio::test]
    async fn test_request_body() {
        let builder = DefaultNotificationBuilder::new();
        let payload = builder.build("a_test_id", Default::default());
        let client = Client::builder().build().unwrap();
        let request = client.build_request(payload.clone()).unwrap();

        let body = request.into_body().collect().await.unwrap().to_bytes();
        let body_str = String::from_utf8(body.to_vec()).unwrap();

        assert_eq!(payload.to_json_string().unwrap(), body_str,);
    }

    #[tokio::test]
    /// Try to create a test client using the unencrypted key & cert provided.
    /// These are test values that do not work with Apple, but mimic the sort
    /// of values you should get from the Apple Developer Console.
    async fn test_cert_parts() -> Result<(), Error> {
        let key: Vec<u8> = include_str!("../test_cert/test.key").bytes().collect();
        let cert: Vec<u8> = include_str!("../test_cert/test.crt").bytes().collect();

        let c = Client::certificate_parts(&cert, &key, ClientConfig::default())?;
        assert!(c.options.signer.is_none());
        Ok(())
    }
}