plane 0.5.5

Session backend orchestrator for ambitious browser-based apps.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

use self::proxy_connection::ProxyConnection;
use crate::proxy::cert_manager::watcher_manager_pair;
use crate::signals::wait_for_shutdown_signal;
use anyhow::Result;
use plane_common::names::ProxyName;
use plane_common::types::ClusterName;
use plane_common::PlaneClient;
use plane_dynamic_proxy::server::{
    ServerWithHttpRedirect, ServerWithHttpRedirectConfig, ServerWithHttpRedirectHttpsConfig,
};
use proxy_server::ProxyState;
use serde::{Deserialize, Serialize};
use std::path::PathBuf;
use std::sync::Arc;
use std::time::Duration;
use url::Url;

pub mod cert_manager;
mod cert_pair;
pub mod command;
pub mod connection_monitor;
pub mod proxy_connection;
pub mod proxy_server;
mod request;
mod route_map;

#[derive(Debug, Clone, Copy)]
pub enum Protocol {
    Http,
    Https,
}

impl Protocol {
    pub fn as_str(&self) -> &'static str {
        match self {
            Protocol::Http => "http",
            Protocol::Https => "https",
        }
    }
}

#[derive(Debug, Copy, Clone, Serialize, Deserialize)]
pub struct ServerPortConfig {
    /// The port to listen on for HTTP requests.
    /// If https_port is provided, this port will only serve a redirect to HTTPS.
    pub http_port: u16,

    /// The port to listen on for HTTPS requests.
    pub https_port: Option<u16>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AcmeEabConfiguration {
    /// The key identifier for the ACME EAB key.
    pub key_id: String,

    /// The HMAC key for the ACME EAB key, base64-encoded (URL, no-pad).
    pub key: String,
}

impl AcmeEabConfiguration {
    pub fn eab_key_b64(&self) -> String {
        self.key.clone()
    }

    pub fn new(key_id: String, key_b64: String) -> Result<Self> {
        let _ = data_encoding::BASE64URL_NOPAD.decode(key_b64.as_bytes())?;
        Ok(Self {
            key_id,
            key: key_b64,
        })
    }

    pub fn key_bytes(&self) -> Result<Vec<u8>> {
        Ok(data_encoding::BASE64URL_NOPAD.decode(self.key.as_bytes())?)
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AcmeConfig {
    pub endpoint: Url,
    pub mailto_email: String,
    pub acme_eab_keypair: Option<AcmeEabConfiguration>,
    /// Don't validate the ACME server's certificate chain. This is ONLY for testing,
    /// and should not be used otherwise.
    #[serde(default, skip_serializing_if = "is_false")]
    pub accept_insecure_certs_for_testing: bool,
}

fn is_false(value: &bool) -> bool {
    !value
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ProxyConfig {
    pub name: ProxyName,
    pub controller_url: Url,
    pub cluster: ClusterName,
    pub cert_path: Option<PathBuf>,
    pub port_config: ServerPortConfig,
    pub acme_config: Option<AcmeConfig>,
    pub root_redirect_url: Option<Url>,
}

pub async fn run_proxy(config: ProxyConfig) -> Result<()> {
    tracing::info!(name=%config.name, "Starting proxy");
    let client = PlaneClient::new(config.controller_url);
    let (mut cert_watcher, cert_manager) = watcher_manager_pair(
        config.cluster.clone(),
        config.cert_path.as_deref(),
        config.acme_config,
    )
    .await?;

    let state = Arc::new(ProxyState::new(
        config.root_redirect_url.map(|u| u.to_string()),
    ));

    // This returns a guard, we need to keep it in scope so that the connection is not terminated.
    let _proxy_connection = ProxyConnection::new(
        config.name,
        client,
        config.cluster,
        cert_manager,
        state.clone(),
    );

    let server = if let Some(https_port) = config.port_config.https_port {
        tracing::info!("Waiting for initial certificate.");
        cert_watcher.wait_for_initial_cert().await?;

        let https_config = ServerWithHttpRedirectHttpsConfig {
            https_port,
            resolver: Arc::new(cert_watcher),
        };

        let server_config = ServerWithHttpRedirectConfig {
            http_port: config.port_config.http_port,
            https_config: Some(https_config),
        };

        ServerWithHttpRedirect::new(state, server_config).await?
    } else {
        let server_config = ServerWithHttpRedirectConfig {
            http_port: config.port_config.http_port,
            https_config: None,
        };

        ServerWithHttpRedirect::new(state, server_config).await?
    };

    wait_for_shutdown_signal().await;
    tracing::info!("Shutting down proxy server.");

    server
        .graceful_shutdown_with_timeout(Duration::from_secs(10))
        .await;

    Ok(())
}