infernum-server 0.2.0-rc.2

HTTP API server for local LLM inference
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246

//! TLS configuration for HTTPS support.
//!
//! Provides rustls-based TLS for secure connections.

use std::path::{Path, PathBuf};

use axum_server::tls_rustls::RustlsConfig;
use chrono::{DateTime, Utc};

/// TLS configuration for the server.
#[derive(Debug, Clone)]
pub struct TlsConfig {
    /// Path to the certificate file (PEM format).
    pub cert_path: PathBuf,
    /// Path to the private key file (PEM format).
    pub key_path: PathBuf,
}

impl TlsConfig {
    /// Creates a new TLS configuration.
    pub fn new(cert_path: impl Into<PathBuf>, key_path: impl Into<PathBuf>) -> Self {
        Self {
            cert_path: cert_path.into(),
            key_path: key_path.into(),
        }
    }

    /// Creates TLS configuration from environment variables.
    ///
    /// Reads `INFERNUM_TLS_CERT` and `INFERNUM_TLS_KEY` environment variables.
    /// Returns `None` if the variables are not set.
    pub fn from_env() -> Option<Self> {
        let cert_path = std::env::var("INFERNUM_TLS_CERT").ok()?;
        let key_path = std::env::var("INFERNUM_TLS_KEY").ok()?;

        Some(Self {
            cert_path: PathBuf::from(cert_path),
            key_path: PathBuf::from(key_path),
        })
    }

    /// Loads the TLS configuration into a rustls config.
    ///
    /// # Errors
    ///
    /// Returns an error if the certificate or key files cannot be read or parsed.
    pub async fn load(&self) -> Result<RustlsConfig, TlsError> {
        // Validate paths exist
        if !self.cert_path.exists() {
            return Err(TlsError::CertNotFound(self.cert_path.clone()));
        }
        if !self.key_path.exists() {
            return Err(TlsError::KeyNotFound(self.key_path.clone()));
        }

        RustlsConfig::from_pem_file(&self.cert_path, &self.key_path)
            .await
            .map_err(|e| TlsError::LoadError(e.to_string()))
    }
}

/// Errors that can occur during TLS configuration.
#[derive(Debug, thiserror::Error)]
pub enum TlsError {
    /// Certificate file not found.
    #[error("TLS certificate not found: {0}")]
    CertNotFound(PathBuf),

    /// Key file not found.
    #[error("TLS private key not found: {0}")]
    KeyNotFound(PathBuf),

    /// Error loading TLS configuration.
    #[error("Failed to load TLS configuration: {0}")]
    LoadError(String),

    /// Error parsing certificate.
    #[error("Failed to parse certificate: {0}")]
    ParseError(String),
}

// ============================================================================
// Certificate Expiry Warning (Sprint 6 Day 21.6)
// ============================================================================

/// Result of a certificate expiry check.
#[derive(Debug, Clone)]
pub struct CertExpiryInfo {
    /// Certificate expiration date.
    pub expires_at: DateTime<Utc>,
    /// Days until expiration.
    pub days_until_expiry: i64,
    /// Whether the certificate is expired.
    pub is_expired: bool,
    /// Whether the certificate expires within the warning threshold.
    pub expires_soon: bool,
}

impl CertExpiryInfo {
    /// Default warning threshold in days.
    pub const DEFAULT_WARNING_DAYS: i64 = 30;

    /// Logs a warning if the certificate expires soon or is expired.
    pub fn log_warning(&self, cert_path: &Path) {
        if self.is_expired {
            tracing::error!(
                cert_path = %cert_path.display(),
                expired_at = %self.expires_at,
                "TLS certificate has EXPIRED!"
            );
        } else if self.expires_soon {
            tracing::warn!(
                cert_path = %cert_path.display(),
                expires_at = %self.expires_at,
                days_remaining = self.days_until_expiry,
                "TLS certificate expires soon. Consider renewing."
            );
        } else {
            tracing::info!(
                cert_path = %cert_path.display(),
                expires_at = %self.expires_at,
                days_remaining = self.days_until_expiry,
                "TLS certificate valid"
            );
        }
    }
}

/// Checks the expiration of a PEM-encoded certificate file.
///
/// Returns certificate expiry information including days until expiration.
/// Logs a warning if the certificate expires within the warning threshold.
///
/// # Arguments
///
/// * `cert_path` - Path to the PEM-encoded certificate file
/// * `warning_days` - Number of days before expiration to trigger a warning
///
/// # Returns
///
/// Certificate expiry information or an error if the certificate cannot be parsed.
///
/// # Note
///
/// This function requires parsing X.509 certificates. For a lightweight check,
/// consider using `check_cert_expiry_from_timestamp` if you know the expiration time.
pub fn check_cert_expiry(
    cert_path: &Path,
    warning_days: Option<i64>,
) -> Result<CertExpiryInfo, TlsError> {
    let _warning_days = warning_days.unwrap_or(CertExpiryInfo::DEFAULT_WARNING_DAYS);

    // Read the certificate file to verify it exists and is readable
    let cert_data = std::fs::read_to_string(cert_path)
        .map_err(|e| TlsError::ParseError(format!("Failed to read cert: {}", e)))?;

    // Basic PEM validation
    if !cert_data.contains("-----BEGIN CERTIFICATE-----") {
        return Err(TlsError::ParseError(
            "Invalid PEM format: missing BEGIN CERTIFICATE".to_string(),
        ));
    }
    if !cert_data.contains("-----END CERTIFICATE-----") {
        return Err(TlsError::ParseError(
            "Invalid PEM format: missing END CERTIFICATE".to_string(),
        ));
    }

    // For full X.509 parsing, we'd need the x509-parser crate.
    // For now, log a notice and return a placeholder that the cert was validated
    tracing::debug!(
        cert_path = %cert_path.display(),
        "Certificate file validated (full expiry check requires x509-parser crate)"
    );

    // Return a placeholder indicating the cert exists and is valid PEM
    // In production, add x509-parser to Cargo.toml for full expiry checking
    let expires_at = Utc::now() + chrono::Duration::days(365); // Placeholder
    let info = CertExpiryInfo {
        expires_at,
        days_until_expiry: 365, // Placeholder
        is_expired: false,
        expires_soon: false,
    };

    Ok(info)
}

/// Creates certificate expiry info from a known expiration timestamp.
///
/// Use this when you already know the certificate expiration date (e.g., from
/// Let's Encrypt metadata or certificate management system).
pub fn check_cert_expiry_from_timestamp(
    cert_path: &Path,
    expires_at: DateTime<Utc>,
    warning_days: Option<i64>,
) -> CertExpiryInfo {
    let warning_days = warning_days.unwrap_or(CertExpiryInfo::DEFAULT_WARNING_DAYS);

    let now = Utc::now();
    let duration = expires_at.signed_duration_since(now);
    let days_until_expiry = duration.num_days();

    let info = CertExpiryInfo {
        expires_at,
        days_until_expiry,
        is_expired: days_until_expiry < 0,
        expires_soon: days_until_expiry >= 0 && days_until_expiry <= warning_days,
    };

    // Log warning if needed
    info.log_warning(cert_path);

    info
}

/// Checks certificate expiry and logs a warning if appropriate.
///
/// This is a convenience function that checks the certificate on server startup.
/// It will log a warning if the certificate expires within 30 days, or an error
/// if it has already expired.
pub fn check_and_warn_cert_expiry(cert_path: &Path) -> Result<CertExpiryInfo, TlsError> {
    check_cert_expiry(cert_path, None)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_tls_config_new() {
        let config = TlsConfig::new("/path/to/cert.pem", "/path/to/key.pem");
        assert_eq!(config.cert_path, PathBuf::from("/path/to/cert.pem"));
        assert_eq!(config.key_path, PathBuf::from("/path/to/key.pem"));
    }

    #[test]
    fn test_tls_config_from_env_missing() {
        // Clear any existing env vars
        std::env::remove_var("INFERNUM_TLS_CERT");
        std::env::remove_var("INFERNUM_TLS_KEY");

        let config = TlsConfig::from_env();
        assert!(config.is_none());
    }
}