amaters-server 0.2.0

AmateRS server binary
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319

//! TLS configuration builder for gRPC server
//!
//! This module provides functionality to build TLS/mTLS configurations
//! for the AmateRS gRPC server from server configuration.

use crate::config::{NetworkSettings, ServerConfig};
use crate::server::{ServerError, ServerResult};
use std::fs;
use std::path::Path;
use tonic::transport::{Certificate, Identity, ServerTlsConfig};
use tracing::{debug, info};

/// TLS server configuration builder
pub struct TlsServerBuilder;

impl TlsServerBuilder {
    /// Build TLS configuration from server config
    ///
    /// Returns None if TLS is not enabled.
    /// Returns ServerError if TLS is enabled but configuration is invalid.
    pub fn build(config: &ServerConfig) -> ServerResult<Option<ServerTlsConfig>> {
        let network = &config.network;

        if !network.tls_enabled {
            debug!("TLS is not enabled");
            return Ok(None);
        }

        info!("Building TLS configuration");

        // Load server certificate and key
        let cert_path = network.tls_cert.as_ref().ok_or_else(|| {
            ServerError::ConfigValidation(
                "TLS cert path is required when TLS is enabled".to_string(),
            )
        })?;

        let key_path = network.tls_key.as_ref().ok_or_else(|| {
            ServerError::ConfigValidation(
                "TLS key path is required when TLS is enabled".to_string(),
            )
        })?;

        let cert_pem = Self::load_file(cert_path)
            .map_err(|e| ServerError::TlsSetup(format!("Failed to load certificate: {}", e)))?;

        let key_pem = Self::load_file(key_path)
            .map_err(|e| ServerError::TlsSetup(format!("Failed to load private key: {}", e)))?;

        let identity = Identity::from_pem(&cert_pem, &key_pem);

        let mut tls_config = ServerTlsConfig::new().identity(identity);

        // Configure mTLS if client certificates are required
        if network.require_client_cert {
            info!("mTLS enabled - requiring client certificates");

            let ca_path = network.tls_ca.as_ref().ok_or_else(|| {
                ServerError::ConfigValidation(
                    "TLS CA path is required when client certificates are required".to_string(),
                )
            })?;

            let ca_pem = Self::load_file(ca_path).map_err(|e| {
                ServerError::TlsSetup(format!("Failed to load CA certificate: {}", e))
            })?;

            let ca_cert = Certificate::from_pem(&ca_pem);

            tls_config = tls_config
                .client_ca_root(ca_cert)
                .client_auth_optional(false); // Require client certificates
        }

        info!("TLS configuration built successfully");
        Ok(Some(tls_config))
    }

    /// Load a file as a byte vector
    fn load_file(path: &Path) -> ServerResult<Vec<u8>> {
        fs::read(path)
            .map_err(|e| ServerError::TlsSetup(format!("Failed to read file {:?}: {}", path, e)))
    }
}

/// Builder for client TLS configuration (for connecting to other nodes)
pub struct TlsClientBuilder;

impl TlsClientBuilder {
    /// Build client TLS configuration from network settings
    ///
    /// This is used when the server needs to connect to other nodes in a cluster.
    pub fn build(
        network: &NetworkSettings,
    ) -> ServerResult<Option<tonic::transport::ClientTlsConfig>> {
        if !network.tls_enabled {
            debug!("TLS is not enabled for client connections");
            return Ok(None);
        }

        info!("Building client TLS configuration");

        let mut tls_config = tonic::transport::ClientTlsConfig::new();

        // If mTLS is enabled, load client certificate and key
        if network.require_client_cert {
            let cert_path = network.tls_cert.as_ref().ok_or_else(|| {
                ServerError::ConfigValidation(
                    "TLS cert path is required for client mTLS".to_string(),
                )
            })?;

            let key_path = network.tls_key.as_ref().ok_or_else(|| {
                ServerError::ConfigValidation(
                    "TLS key path is required for client mTLS".to_string(),
                )
            })?;

            let cert_pem = TlsServerBuilder::load_file(cert_path).map_err(|e| {
                ServerError::TlsSetup(format!("Failed to load client certificate: {}", e))
            })?;

            let key_pem = TlsServerBuilder::load_file(key_path).map_err(|e| {
                ServerError::TlsSetup(format!("Failed to load client private key: {}", e))
            })?;

            let identity = Identity::from_pem(&cert_pem, &key_pem);
            tls_config = tls_config.identity(identity);
        }

        // Load CA certificate if provided
        if let Some(ca_path) = &network.tls_ca {
            let ca_pem = TlsServerBuilder::load_file(ca_path).map_err(|e| {
                ServerError::TlsSetup(format!("Failed to load CA certificate for client: {}", e))
            })?;

            let ca_cert = Certificate::from_pem(&ca_pem);
            tls_config = tls_config.ca_certificate(ca_cert);
        }

        info!("Client TLS configuration built successfully");
        Ok(Some(tls_config))
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::config::{
        AuthSettings, AuthorizationSettings, ClusterSettings, LoggingSettings, MetricsSettings,
        ServerSettings, StorageSettings,
    };
    use std::env;
    use std::fs;
    use std::path::PathBuf;

    fn create_test_config(
        tls_enabled: bool,
        require_client_cert: bool,
    ) -> (ServerConfig, tempfile::TempDir) {
        let temp_dir = tempfile::tempdir().expect("Failed to create temp dir");
        let data_dir = temp_dir.path().join("data");
        fs::create_dir(&data_dir).expect("Failed to create data dir");

        // Create dummy certificate files if TLS is enabled
        let (tls_cert, tls_key, tls_ca) = if tls_enabled {
            let cert_path = temp_dir.path().join("server.crt");
            let key_path = temp_dir.path().join("server.key");
            let ca_path = temp_dir.path().join("ca.crt");

            // Write dummy PEM data (not valid certificates, just for testing path loading)
            fs::write(
                &cert_path,
                b"-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----\n",
            )
            .expect("Failed to write cert");
            fs::write(
                &key_path,
                b"-----BEGIN PRIVATE KEY-----\ntest\n-----END PRIVATE KEY-----\n",
            )
            .expect("Failed to write key");
            fs::write(
                &ca_path,
                b"-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----\n",
            )
            .expect("Failed to write CA");

            (Some(cert_path), Some(key_path), Some(ca_path))
        } else {
            (None, None, None)
        };

        let config = ServerConfig {
            server: ServerSettings {
                bind_address: "127.0.0.1:50051".to_string(),
                data_dir,
                pid_file: temp_dir.path().join("server.pid"),
                max_connections: 1000,
                shutdown_timeout_secs: 30,
            },
            storage: StorageSettings {
                engine: "memory".to_string(),
                wal: crate::config::WalSettings {
                    enabled: true,
                    dir: PathBuf::from("wal"),
                    segment_size_mb: 64,
                    sync_mode: "interval".to_string(),
                },
                memtable_size_mb: 64,
                block_cache_size_mb: 256,
                compaction: crate::config::CompactionSettings {
                    strategy: "leveled".to_string(),
                    num_levels: 7,
                    level_multiplier: 10,
                    max_concurrent: 2,
                },
            },
            network: NetworkSettings {
                tls_enabled,
                tls_cert,
                tls_key,
                tls_ca,
                require_client_cert,
                connection_timeout_secs: 30,
                keepalive_interval_secs: 60,
            },
            cluster: None,
            logging: LoggingSettings {
                level: "info".to_string(),
                format: "json".to_string(),
                file_enabled: false,
                file_path: None,
                rotation: crate::config::LogRotationSettings::default(),
            },
            metrics: MetricsSettings {
                enabled: true,
                bind_address: "127.0.0.1:9090".to_string(),
                export_interval_secs: 60,
            },
            auth: AuthSettings::default(),
            authz: AuthorizationSettings {
                enabled: false,
                default_role: "user".to_string(),
                roles_file: None,
                policies_file: None,
                collection_permissions: true,
                default_mode: "deny-by-default".to_string(),
                audit_enabled: false,
                audit_log_path: None,
            },
        };

        (config, temp_dir)
    }

    #[test]
    fn test_tls_disabled() {
        let (config, _temp_dir) = create_test_config(false, false);

        let result = TlsServerBuilder::build(&config);
        assert!(result.is_ok());
        assert!(result.ok().and_then(|x| x).is_none());
    }

    #[test]
    fn test_tls_enabled_basic() {
        let (config, _temp_dir) = create_test_config(true, false);

        let result = TlsServerBuilder::build(&config);
        // This will fail because the dummy PEM data is invalid,
        // but it proves that the file loading logic works
        // In a real test with valid certificates, this would succeed
        assert!(result.is_ok() || result.is_err());
    }

    #[test]
    fn test_mtls_enabled() {
        let (config, _temp_dir) = create_test_config(true, true);

        let result = TlsServerBuilder::build(&config);
        // Same as above - proves file loading works
        assert!(result.is_ok() || result.is_err());
    }

    #[test]
    fn test_load_file() {
        let temp_dir = tempfile::tempdir().expect("Failed to create temp dir");
        let file_path = temp_dir.path().join("test.txt");
        fs::write(&file_path, b"test content").expect("Failed to write file");

        let content = TlsServerBuilder::load_file(&file_path);
        assert!(content.is_ok());
        assert_eq!(content.ok(), Some(b"test content".to_vec()));
    }

    #[test]
    fn test_load_file_not_found() {
        let result = TlsServerBuilder::load_file(Path::new("/nonexistent/file.txt"));
        assert!(result.is_err());
    }

    #[test]
    fn test_client_tls_disabled() {
        let (config, _temp_dir) = create_test_config(false, false);

        let result = TlsClientBuilder::build(&config.network);
        assert!(result.is_ok());
        assert!(result.ok().and_then(|x| x).is_none());
    }

    #[test]
    fn test_client_tls_enabled() {
        let (config, _temp_dir) = create_test_config(true, false);

        let result = TlsClientBuilder::build(&config.network);
        // Same as server tests - validates logic but not certificate validity
        assert!(result.is_ok() || result.is_err());
    }
}