fips-core 0.3.9

Reusable FIPS mesh, endpoint, transport, and protocol library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375

//! Gateway configuration types.
//!
//! Configuration for the outbound LAN gateway (`gateway.*`).

use std::collections::HashSet;
use std::net::SocketAddrV6;

use serde::{Deserialize, Serialize};

/// Default gateway DNS listen address.
///
/// The canonical gateway deployment already has a LAN resolver on port 53
/// forwarding `.fips` queries to the gateway over loopback. Use an
/// unprivileged loopback port by default to avoid colliding with dnsmasq,
/// systemd-resolved, or BIND. Hosts without another resolver can set
/// `gateway.dns.listen: "[::]:53"` explicitly.
const DEFAULT_DNS_LISTEN: &str = "[::1]:5353";

/// Default upstream DNS resolver (FIPS daemon).
///
/// Must match the daemon's `dns.bind_addr` default (`::1`). Linux
/// IPv6 sockets bound to explicit `::1` do not accept v4-mapped
/// traffic — so a v4 upstream like `127.0.0.1:5354` cannot reach a
/// daemon bound on `[::1]:5354`. Operators who set a non-default
/// `dns.bind_addr` on the daemon must also set this field
/// accordingly.
const DEFAULT_DNS_UPSTREAM: &str = "[::1]:5354";

/// Default DNS TTL in seconds.
const DEFAULT_DNS_TTL: u32 = 60;

/// Default pool grace period in seconds.
const DEFAULT_GRACE_PERIOD: u64 = 60;

/// Default conntrack TCP established timeout (5 days).
const DEFAULT_CT_TCP_ESTABLISHED: u64 = 432_000;

/// Default conntrack UDP timeout (unreplied).
const DEFAULT_CT_UDP_TIMEOUT: u64 = 30;

/// Default conntrack UDP assured timeout (bidirectional).
const DEFAULT_CT_UDP_ASSURED: u64 = 180;

/// Default conntrack ICMP timeout.
const DEFAULT_CT_ICMP_TIMEOUT: u64 = 30;

/// Gateway configuration (`gateway.*`).
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct GatewayConfig {
    /// Enable the gateway (`gateway.enabled`, default: false).
    #[serde(default)]
    pub enabled: bool,

    /// Virtual IP pool CIDR (e.g., `fd01::/112`).
    pub pool: String,

    /// LAN-facing interface for proxy ARP/NDP.
    pub lan_interface: String,

    /// Gateway DNS configuration.
    #[serde(default)]
    pub dns: GatewayDnsConfig,

    /// Pool grace period in seconds after last session before reclamation.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub pool_grace_period: Option<u64>,

    /// Conntrack timeout overrides.
    #[serde(default)]
    pub conntrack: ConntrackConfig,

    /// Inbound mesh port forwarding rules. See TASK-2026-0061.
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub port_forwards: Vec<PortForward>,
}

impl GatewayConfig {
    /// Get pool grace period (default: 60 seconds).
    pub fn grace_period(&self) -> u64 {
        self.pool_grace_period.unwrap_or(DEFAULT_GRACE_PERIOD)
    }

    /// Validate inbound port-forward rules: non-zero listen ports and
    /// uniqueness of `(listen_port, proto)` pairs across the list.
    /// IPv6-only targets are enforced by `SocketAddrV6` at deserialize
    /// time.
    pub fn validate_port_forwards(&self) -> Result<(), String> {
        let mut seen = HashSet::new();
        for pf in &self.port_forwards {
            if pf.listen_port == 0 {
                return Err("port_forward listen_port must be non-zero".to_string());
            }
            if !seen.insert((pf.listen_port, pf.proto)) {
                return Err(format!(
                    "duplicate port_forward ({:?} {}) — each (listen_port, proto) must be unique",
                    pf.proto, pf.listen_port
                ));
            }
        }
        Ok(())
    }
}

/// Transport protocol for an inbound port forward.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum Proto {
    Tcp,
    Udp,
}

/// An inbound port-forward rule: `fips0:listen_port/proto` → `target`.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PortForward {
    /// Port on `fips0` that mesh peers connect to.
    pub listen_port: u16,
    /// Transport protocol to match.
    pub proto: Proto,
    /// IPv6 LAN destination (`[addr]:port`). IPv4 targets are rejected
    /// at parse time by `SocketAddrV6`.
    pub target: SocketAddrV6,
}

/// Gateway DNS resolver configuration (`gateway.dns.*`).
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct GatewayDnsConfig {
    /// Listen address and port (default: `[::1]:5353`).
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub listen: Option<String>,

    /// Upstream FIPS daemon DNS resolver (default: `[::1]:5354`,
    /// matching the daemon's `dns.bind_addr` default).
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub upstream: Option<String>,

    /// DNS record TTL in seconds (default: 60).
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub ttl: Option<u32>,
}

impl GatewayDnsConfig {
    /// Get the listen address (default: `[::1]:5353`).
    pub fn listen(&self) -> &str {
        self.listen.as_deref().unwrap_or(DEFAULT_DNS_LISTEN)
    }

    /// Get the upstream resolver address (default: `[::1]:5354`).
    pub fn upstream(&self) -> &str {
        self.upstream.as_deref().unwrap_or(DEFAULT_DNS_UPSTREAM)
    }

    /// Get the TTL in seconds (default: 60).
    pub fn ttl(&self) -> u32 {
        self.ttl.unwrap_or(DEFAULT_DNS_TTL)
    }
}

/// Conntrack timeout overrides (`gateway.conntrack.*`).
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ConntrackConfig {
    /// TCP established timeout in seconds.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub tcp_established: Option<u64>,

    /// UDP unreplied timeout in seconds.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub udp_timeout: Option<u64>,

    /// UDP assured (bidirectional) timeout in seconds.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub udp_assured: Option<u64>,

    /// ICMP timeout in seconds.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub icmp_timeout: Option<u64>,
}

impl ConntrackConfig {
    /// TCP established timeout (default: 432000s / 5 days).
    pub fn tcp_established(&self) -> u64 {
        self.tcp_established.unwrap_or(DEFAULT_CT_TCP_ESTABLISHED)
    }

    /// UDP unreplied timeout (default: 30s).
    pub fn udp_timeout(&self) -> u64 {
        self.udp_timeout.unwrap_or(DEFAULT_CT_UDP_TIMEOUT)
    }

    /// UDP assured timeout (default: 180s).
    pub fn udp_assured(&self) -> u64 {
        self.udp_assured.unwrap_or(DEFAULT_CT_UDP_ASSURED)
    }

    /// ICMP timeout (default: 30s).
    pub fn icmp_timeout(&self) -> u64 {
        self.icmp_timeout.unwrap_or(DEFAULT_CT_ICMP_TIMEOUT)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_gateway_config_defaults() {
        let yaml = r#"
pool: "fd01::/112"
lan_interface: "eth0"
"#;
        let config: GatewayConfig = serde_yaml::from_str(yaml).unwrap();
        assert!(!config.enabled);
        assert_eq!(config.pool, "fd01::/112");
        assert_eq!(config.lan_interface, "eth0");
        assert_eq!(config.dns.listen(), "[::1]:5353");
        assert_eq!(config.dns.upstream(), "[::1]:5354");
        assert_eq!(config.dns.ttl(), 60);
        assert_eq!(config.grace_period(), 60);
        assert_eq!(config.conntrack.tcp_established(), 432_000);
        assert_eq!(config.conntrack.udp_timeout(), 30);
    }

    #[test]
    fn test_gateway_config_custom() {
        let yaml = r#"
enabled: true
pool: "fd01::/112"
lan_interface: "enp3s0"
dns:
  listen: "192.168.1.1:53"
  upstream: "127.0.0.1:5354"
  ttl: 120
pool_grace_period: 30
conntrack:
  tcp_established: 3600
  udp_timeout: 60
"#;
        let config: GatewayConfig = serde_yaml::from_str(yaml).unwrap();
        assert!(config.enabled);
        assert_eq!(config.dns.listen(), "192.168.1.1:53");
        assert_eq!(config.dns.ttl(), 120);
        assert_eq!(config.grace_period(), 30);
        assert_eq!(config.conntrack.tcp_established(), 3600);
        assert_eq!(config.conntrack.udp_timeout(), 60);
        // Unset fields use defaults
        assert_eq!(config.conntrack.udp_assured(), 180);
        assert_eq!(config.conntrack.icmp_timeout(), 30);
    }

    #[test]
    fn test_root_config_with_gateway() {
        let yaml = r#"
gateway:
  enabled: true
  pool: "fd01::/112"
  lan_interface: "eth0"
"#;
        let config: crate::Config = serde_yaml::from_str(yaml).unwrap();
        assert!(config.gateway.is_some());
        let gw = config.gateway.unwrap();
        assert!(gw.enabled);
        assert_eq!(gw.pool, "fd01::/112");
    }

    #[test]
    fn test_root_config_without_gateway() {
        let yaml = "node: {}";
        let config: crate::Config = serde_yaml::from_str(yaml).unwrap();
        assert!(config.gateway.is_none());
    }

    #[test]
    fn test_port_forwards_default_empty() {
        let yaml = r#"
pool: "fd01::/112"
lan_interface: "eth0"
"#;
        let config: GatewayConfig = serde_yaml::from_str(yaml).unwrap();
        assert!(config.port_forwards.is_empty());
        config.validate_port_forwards().unwrap();
    }

    #[test]
    fn test_port_forwards_parse() {
        let yaml = r#"
pool: "fd01::/112"
lan_interface: "eth0"
port_forwards:
  - listen_port: 8080
    proto: tcp
    target: "[fd12:3456::10]:80"
  - listen_port: 2222
    proto: tcp
    target: "[fd12:3456::20]:22"
  - listen_port: 5353
    proto: udp
    target: "[fd12:3456::10]:53"
"#;
        let config: GatewayConfig = serde_yaml::from_str(yaml).unwrap();
        assert_eq!(config.port_forwards.len(), 3);
        assert_eq!(config.port_forwards[0].listen_port, 8080);
        assert_eq!(config.port_forwards[0].proto, Proto::Tcp);
        assert_eq!(
            config.port_forwards[0].target,
            "[fd12:3456::10]:80".parse::<SocketAddrV6>().unwrap()
        );
        assert_eq!(config.port_forwards[2].proto, Proto::Udp);
        config.validate_port_forwards().unwrap();
    }

    #[test]
    fn test_port_forwards_reject_ipv4_target() {
        let yaml = r#"
pool: "fd01::/112"
lan_interface: "eth0"
port_forwards:
  - listen_port: 8080
    proto: tcp
    target: "192.168.1.10:80"
"#;
        let result: Result<GatewayConfig, _> = serde_yaml::from_str(yaml);
        assert!(
            result.is_err(),
            "IPv4 target must fail to deserialize as SocketAddrV6"
        );
    }

    #[test]
    fn test_port_forwards_reject_zero_listen_port() {
        let yaml = r#"
pool: "fd01::/112"
lan_interface: "eth0"
port_forwards:
  - listen_port: 0
    proto: tcp
    target: "[fd12:3456::10]:80"
"#;
        let config: GatewayConfig = serde_yaml::from_str(yaml).unwrap();
        assert!(config.validate_port_forwards().is_err());
    }

    #[test]
    fn test_port_forwards_reject_duplicate() {
        let yaml = r#"
pool: "fd01::/112"
lan_interface: "eth0"
port_forwards:
  - listen_port: 8080
    proto: tcp
    target: "[fd12:3456::10]:80"
  - listen_port: 8080
    proto: tcp
    target: "[fd12:3456::20]:80"
"#;
        let config: GatewayConfig = serde_yaml::from_str(yaml).unwrap();
        let err = config.validate_port_forwards().unwrap_err();
        assert!(err.contains("duplicate"), "got: {err}");
    }

    #[test]
    fn test_port_forwards_same_port_different_proto_ok() {
        let yaml = r#"
pool: "fd01::/112"
lan_interface: "eth0"
port_forwards:
  - listen_port: 53
    proto: tcp
    target: "[fd12:3456::10]:53"
  - listen_port: 53
    proto: udp
    target: "[fd12:3456::10]:53"
"#;
        let config: GatewayConfig = serde_yaml::from_str(yaml).unwrap();
        config.validate_port_forwards().unwrap();
    }
}