cassandra_cpp/cassandra/
ssl.rs

1use crate::cassandra::error::*;
2use crate::cassandra::util::{Protected, ProtectedInner};
3
4use crate::cassandra_sys::cass_ssl_add_trusted_cert_n;
5use crate::cassandra_sys::cass_ssl_free;
6use crate::cassandra_sys::cass_ssl_new;
7use crate::cassandra_sys::cass_ssl_set_cert_n;
8#[cfg(feature = "early_access_min_tls_version")]
9use crate::cassandra_sys::cass_ssl_set_min_protocol_version;
10use crate::cassandra_sys::cass_ssl_set_private_key_n;
11use crate::cassandra_sys::cass_ssl_set_verify_flags;
12use crate::cassandra_sys::CassSsl as _Ssl;
13#[cfg(feature = "early_access_min_tls_version")]
14pub use crate::cassandra_sys::CassSslTlsVersion as SslTlsVersion;
15use crate::cassandra_sys::CassSslVerifyFlags;
16
17use std::os::raw::c_char;
18
19/// The individual SSL verification levels.
20#[derive(Debug, Eq, PartialEq, Copy, Clone, Hash)]
21#[allow(missing_docs)] // Meanings are defined in CQL documentation.
22#[allow(non_camel_case_types)] // Names are traditional.
23pub enum SslVerifyFlag {
24    NONE,
25    PEER_CERT,
26    PEER_IDENTITY,
27    PEER_IDENTITY_DNS,
28}
29
30enhance_nullary_enum!(SslVerifyFlag, CassSslVerifyFlags, {
31    (NONE, CASS_SSL_VERIFY_NONE, "NONE"),
32    (PEER_CERT, CASS_SSL_VERIFY_PEER_CERT, "PEER_CERT"),
33    (PEER_IDENTITY, CASS_SSL_VERIFY_PEER_IDENTITY, "PEER_IDENTITY"),
34    (PEER_IDENTITY_DNS, CASS_SSL_VERIFY_PEER_IDENTITY_DNS, "PEER_IDENTITY_DNS"),
35});
36
37fn to_bitset(flags: &[SslVerifyFlag]) -> i32 {
38    let mut res = 0;
39    for f in flags.iter() {
40        res |= f.inner() as u32;
41    }
42    res as i32
43}
44
45/// Describes the SSL configuration of a cluster.
46#[derive(Debug)]
47pub struct Ssl(*mut _Ssl);
48
49// The underlying C type has no thread-local state, and forbids only concurrent
50// mutation/free: https://datastax.github.io/cpp-driver/topics/#thread-safety
51unsafe impl Send for Ssl {}
52unsafe impl Sync for Ssl {}
53
54impl ProtectedInner<*mut _Ssl> for Ssl {
55    fn inner(&self) -> *mut _Ssl {
56        self.0
57    }
58}
59
60impl Protected<*mut _Ssl> for Ssl {
61    fn build(inner: *mut _Ssl) -> Self {
62        if inner.is_null() {
63            panic!("Unexpected null pointer")
64        };
65        Ssl(inner)
66    }
67}
68
69impl Drop for Ssl {
70    /// Frees a SSL context instance.
71    fn drop(&mut self) {
72        unsafe { cass_ssl_free(self.0) }
73    }
74}
75
76impl Default for Ssl {
77    /// Creates a new SSL context.
78    fn default() -> Ssl {
79        unsafe { Ssl(cass_ssl_new()) }
80    }
81}
82
83impl Ssl {
84    /// Adds a trusted certificate. This is used to verify
85    /// the peer's certificate.
86    pub fn add_trusted_cert(&mut self, cert: impl AsRef<str>) -> Result<&mut Self> {
87        let cert = cert.as_ref();
88        unsafe {
89            let cert_ptr = cert.as_ptr() as *const c_char;
90            cass_ssl_add_trusted_cert_n(self.0, cert_ptr, cert.len()).to_result(self)
91        }
92    }
93
94    /// Sets verification performed on the peer's certificate.
95    ///
96    /// CASS_SSL_VERIFY_NONE - No verification is performed
97    ///
98    /// CASS_SSL_VERIFY_PEER_CERT - Certificate is present and valid
99    ///
100    /// CASS_SSL_VERIFY_PEER_IDENTITY - IP address matches the certificate's
101    /// common name or one of its subject alternative names. This implies the
102    /// certificate is also present.
103    ///
104    /// <b>Default:</b> CASS_SSL_VERIFY_PEER_CERT
105    pub fn set_verify_flags(&mut self, flags: &[SslVerifyFlag]) {
106        unsafe { cass_ssl_set_verify_flags(self.0, to_bitset(flags)) }
107    }
108
109    /// Set client-side certificate chain. This is used to authenticate
110    /// the client on the server-side. This should contain the entire
111    /// Certificate chain starting with the certificate itself.
112    pub fn set_cert(&mut self, cert: &str) -> Result<&mut Self> {
113        unsafe {
114            let cert_ptr = cert.as_ptr() as *const c_char;
115            cass_ssl_set_cert_n(self.0, cert_ptr, cert.len()).to_result(self)
116        }
117    }
118
119    /// Set client-side private key. This is used to authenticate
120    /// the client on the server-side.
121    pub fn set_private_key(&mut self, key: &str, password: &str) -> Result<&mut Self> {
122        unsafe {
123            let key_ptr = key.as_ptr() as *const c_char;
124            let password_ptr = key.as_ptr() as *const c_char;
125            cass_ssl_set_private_key_n(self.0, key_ptr, key.len(), password_ptr, password.len())
126                .to_result(self)
127        }
128    }
129
130    /// Set minimum TLS version. This helps avoid TLS downgrade attacks.
131    #[cfg(feature = "early_access_min_tls_version")]
132    pub fn set_min_protocol_version(
133        &mut self,
134        min_tls_version: SslTlsVersion,
135    ) -> Result<&mut Self> {
136        unsafe { cass_ssl_set_min_protocol_version(self.0, min_tls_version).to_result(self) }
137    }
138}
cassandra_cpp/cassandra/ssl.rs

cassandra_cpp/cassandra/
ssl.rs
