numa 0.15.1

Portable DNS resolver in Rust — .numa local domains, ad blocking, developer overrides, DNS-over-HTTPS
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322

use std::collections::HashSet;
use std::path::Path;
use std::sync::Arc;

use log::{info, warn};

use crate::ctx::ServerCtx;
use rcgen::{
    BasicConstraints, CertificateParams, DnType, IsCa, Issuer, KeyPair, KeyUsagePurpose, SanType,
};
use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
use rustls::ServerConfig;
use time::{Duration, OffsetDateTime};

const CA_VALIDITY_DAYS: i64 = 3650; // 10 years
const CERT_VALIDITY_DAYS: i64 = 365; // 1 year

/// Common Name on Numa's local CA. Referenced by trust-store helpers
/// (`security`, `certutil`) when locating the cert for removal.
pub const CA_COMMON_NAME: &str = "Numa Local CA";

/// Filename of the CA certificate inside the data dir.
pub const CA_FILE_NAME: &str = "ca.pem";

/// Collect all service + LAN peer names and regenerate the TLS cert.
pub fn regenerate_tls(ctx: &ServerCtx) {
    let tls = match &ctx.tls_config {
        Some(t) => t,
        None => return,
    };

    let mut names: HashSet<String> = ctx.services.lock().unwrap().names().into_iter().collect();
    names.extend(ctx.lan_peers.lock().unwrap().names());
    let names: Vec<String> = names.into_iter().collect();

    match build_tls_config(&ctx.proxy_tld, &names, Vec::new(), &ctx.data_dir) {
        Ok(new_config) => {
            tls.store(new_config);
            info!("TLS cert regenerated for {} services", names.len());
        }
        Err(e) => warn!("TLS regeneration failed: {}", e),
    }
}

/// Advisory for TLS-setup failures caused by a non-writable data dir;
/// `None` if not applicable so the caller can fall back to the raw error.
pub fn try_data_dir_advisory(err: &crate::Error, data_dir: &Path) -> Option<String> {
    let io_err = err.downcast_ref::<std::io::Error>()?;
    if io_err.kind() != std::io::ErrorKind::PermissionDenied {
        return None;
    }
    let o = "\x1b[1;38;2;192;98;58m";
    let r = "\x1b[0m";
    Some(format!(
        "
{o}Numa{r} — HTTPS proxy disabled: cannot write TLS CA to {}.

  The data directory is not writable by the current user. Numa needs
  to persist a local Certificate Authority there to serve .numa over
  HTTPS. DNS resolution and plain-HTTP proxy continue to work.

  Fix — pick one:

    1. Install Numa as the system resolver (sets up a writable data dir):

         sudo numa install       (on Windows, run as Administrator)

    2. Point data_dir at a path you can write.
       Create {} with:

         [server]
         data_dir = \"/path/you/can/write\"

",
        data_dir.display(),
        crate::suggested_config_path().display()
    ))
}

/// Build a TLS config with a cert covering all provided service names.
/// Wildcards under single-label TLDs (*.numa) are rejected by browsers,
/// so we list each service explicitly as a SAN.
/// `alpn` is advertised in the TLS ServerHello — pass empty for the proxy
/// (which accepts any ALPN), or `[b"dot"]` for DoT (RFC 7858 §3.2).
/// `data_dir` is where the CA material is stored — taken from
/// `[server] data_dir` in numa.toml (defaults to `crate::data_dir()`).
pub fn build_tls_config(
    tld: &str,
    service_names: &[String],
    alpn: Vec<Vec<u8>>,
    data_dir: &Path,
) -> crate::Result<Arc<ServerConfig>> {
    let (ca_der, issuer) = ensure_ca(data_dir)?;
    let (cert_chain, key) = generate_service_cert(&ca_der, &issuer, tld, service_names)?;

    // Ensure a crypto provider is installed (rustls needs one)
    let _ = rustls::crypto::ring::default_provider().install_default();

    let mut config = ServerConfig::builder()
        .with_no_client_auth()
        .with_single_cert(cert_chain, key)?;
    config.alpn_protocols = alpn;

    info!(
        "TLS configured for {} .{} domains",
        service_names.len(),
        tld
    );
    Ok(Arc::new(config))
}

fn ensure_ca(dir: &Path) -> crate::Result<(CertificateDer<'static>, Issuer<'static, KeyPair>)> {
    let ca_key_path = dir.join("ca.key");
    let ca_cert_path = dir.join(CA_FILE_NAME);

    if ca_key_path.exists() && ca_cert_path.exists() {
        let key_pem = std::fs::read_to_string(&ca_key_path)?;
        let cert_pem = std::fs::read_to_string(&ca_cert_path)?;
        let key_pair = KeyPair::from_pem(&key_pem)?;
        let ca_der = rustls_pemfile::certs(&mut cert_pem.as_bytes())
            .next()
            .ok_or("empty CA PEM file")??;
        let issuer = Issuer::from_ca_cert_der(&ca_der, key_pair)?;
        info!("loaded CA from {:?}", ca_cert_path);
        return Ok((ca_der, issuer));
    }

    // Generate new CA
    std::fs::create_dir_all(dir)?;

    let key_pair = KeyPair::generate()?;
    let mut params = CertificateParams::default();
    params
        .distinguished_name
        .push(DnType::CommonName, CA_COMMON_NAME);
    params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
    params.key_usages = vec![KeyUsagePurpose::KeyCertSign, KeyUsagePurpose::CrlSign];
    params.not_before = OffsetDateTime::now_utc();
    params.not_after = OffsetDateTime::now_utc() + Duration::days(CA_VALIDITY_DAYS);

    let cert = params.self_signed(&key_pair)?;

    std::fs::write(&ca_key_path, key_pair.serialize_pem())?;
    std::fs::write(&ca_cert_path, cert.pem())?;

    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        std::fs::set_permissions(&ca_key_path, std::fs::Permissions::from_mode(0o600))?;
    }

    info!("generated CA at {:?}", ca_cert_path);
    let ca_der = cert.der().clone();
    let issuer = Issuer::new(params, key_pair);
    Ok((ca_der, issuer))
}

/// Generate a cert with explicit SANs for each service name.
/// Always regenerated at startup (~5ms) — no disk caching needed.
fn generate_service_cert(
    ca_der: &CertificateDer<'static>,
    issuer: &Issuer<'_, KeyPair>,
    tld: &str,
    service_names: &[String],
) -> crate::Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> {
    let key_pair = KeyPair::generate()?;
    let mut params = CertificateParams::default();
    params
        .distinguished_name
        .push(DnType::CommonName, format!("Numa .{} services", tld));

    // Add a wildcard SAN so any .numa domain gets a valid cert (including
    // unregistered services — lets the proxy show a styled 404 over HTTPS).
    // Also add each service explicitly for clients that don't match wildcards.
    let mut sans = Vec::new();
    let wildcard = format!("*.{}", tld);
    match wildcard.clone().try_into() {
        Ok(ia5) => sans.push(SanType::DnsName(ia5)),
        Err(e) => warn!("invalid wildcard SAN {}: {}", wildcard, e),
    }
    for name in service_names {
        let fqdn = format!("{}.{}", name, tld);
        match fqdn.clone().try_into() {
            Ok(ia5) => sans.push(SanType::DnsName(ia5)),
            Err(e) => warn!("invalid SAN {}: {}", fqdn, e),
        }
    }

    // Loopback IP SANs so browsers can reach DoH at https://127.0.0.1/dns-query
    sans.push(SanType::IpAddress(std::net::IpAddr::V4(
        std::net::Ipv4Addr::LOCALHOST,
    )));
    sans.push(SanType::IpAddress(std::net::IpAddr::V6(
        std::net::Ipv6Addr::LOCALHOST,
    )));

    for name in ["localhost", tld] {
        match name.to_string().try_into() {
            Ok(ia5) => sans.push(SanType::DnsName(ia5)),
            Err(e) => warn!("invalid SAN {}: {}", name, e),
        }
    }

    params.subject_alt_names = sans;
    params.not_before = OffsetDateTime::now_utc();
    params.not_after = OffsetDateTime::now_utc() + Duration::days(CERT_VALIDITY_DAYS);

    let cert = params.signed_by(&key_pair, issuer)?;

    info!(
        "generated TLS cert for: {}",
        service_names
            .iter()
            .map(|n| format!("{}.{}", n, tld))
            .collect::<Vec<_>>()
            .join(", ")
    );

    let cert_der = cert.der().clone();
    let ca_cert_der = ca_der.clone();
    let key_der = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_pair.serialize_der()));

    Ok((vec![cert_der, ca_cert_der], key_der))
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::path::PathBuf;

    #[test]
    fn try_data_dir_advisory_permission_denied() {
        let err: crate::Error =
            Box::new(std::io::Error::from(std::io::ErrorKind::PermissionDenied));
        let path = PathBuf::from("/usr/local/var/numa");
        let msg = try_data_dir_advisory(&err, &path).expect("should advise");
        assert!(msg.contains("HTTPS proxy disabled"));
        assert!(msg.contains("/usr/local/var/numa"));
        assert!(msg.contains("numa install"));
        assert!(msg.contains("data_dir"));
    }

    #[test]
    fn try_data_dir_advisory_skips_other_io_kinds() {
        let err: crate::Error = Box::new(std::io::Error::from(std::io::ErrorKind::NotFound));
        assert!(try_data_dir_advisory(&err, &PathBuf::from("/x")).is_none());
    }

    #[test]
    fn try_data_dir_advisory_skips_non_io_errors() {
        let err: crate::Error = "rcgen failure".into();
        assert!(try_data_dir_advisory(&err, &PathBuf::from("/x")).is_none());
    }

    #[test]
    fn service_cert_contains_expected_sans() {
        use x509_parser::prelude::GeneralName;

        let dir = std::env::temp_dir().join(format!("numa-test-san-{}", std::process::id()));
        let _ = std::fs::remove_dir_all(&dir);
        let (ca_der, issuer) = ensure_ca(&dir).unwrap();

        let names = vec!["grafana".into(), "router".into()];
        let (chain, _) = generate_service_cert(&ca_der, &issuer, "numa", &names).unwrap();
        assert_eq!(chain.len(), 2, "chain should be [leaf, CA]");

        let (_, cert) = x509_parser::parse_x509_certificate(chain[0].as_ref()).unwrap();
        let san = cert
            .tbs_certificate
            .subject_alternative_name()
            .unwrap()
            .unwrap();

        let dns: Vec<&str> = san
            .value
            .general_names
            .iter()
            .filter_map(|gn| match gn {
                GeneralName::DNSName(s) => Some(*s),
                _ => None,
            })
            .collect();

        let ips: Vec<std::net::IpAddr> = san
            .value
            .general_names
            .iter()
            .filter_map(|gn| match gn {
                GeneralName::IPAddress(b) => match b.len() {
                    4 => Some(std::net::IpAddr::V4(std::net::Ipv4Addr::new(
                        b[0], b[1], b[2], b[3],
                    ))),
                    16 => {
                        let a: [u8; 16] = (*b).try_into().unwrap();
                        Some(std::net::IpAddr::V6(std::net::Ipv6Addr::from(a)))
                    }
                    _ => None,
                },
                _ => None,
            })
            .collect();

        // DNS SANs
        assert!(dns.contains(&"*.numa"), "missing wildcard SAN");
        assert!(dns.contains(&"grafana.numa"), "missing service SAN");
        assert!(dns.contains(&"router.numa"), "missing service SAN");
        assert!(dns.contains(&"localhost"), "missing localhost SAN");
        assert!(dns.contains(&"numa"), "missing bare TLD SAN");

        // IP SANs
        assert!(
            ips.contains(&std::net::IpAddr::V4(std::net::Ipv4Addr::LOCALHOST)),
            "missing 127.0.0.1 SAN"
        );
        assert!(
            ips.contains(&std::net::IpAddr::V6(std::net::Ipv6Addr::LOCALHOST)),
            "missing ::1 SAN"
        );

        let _ = std::fs::remove_dir_all(&dir);
    }
}