rift-http-proxy 0.4.0

Rift: high-performance HTTP chaos engineering proxy with Lua/Rhai/JavaScript scripting for fault injection.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396

//! ProxyServer struct and main run loop.
//!
//! This module contains the ProxyServer struct which holds all state,
//! and the main run loop that accepts connections and handles requests.

use super::client::{create_http_client, should_skip_tls_verify, HttpClient};
use super::handler::handle_request;
use super::network::create_reusable_listener;
use super::tls::create_tls_acceptor;
use crate::behaviors::{CsvCache, ResponseCycler};
use crate::config::{Config, Protocol as RiftProtocol, Upstream};
use crate::extensions::flow_state::{create_flow_store, FlowStore};
use crate::extensions::matcher::CompiledRule;
use crate::extensions::routing::Router;
use crate::proxy::context::RequestHandlerContext;
use crate::recording::{ProxyMode, RecordingStore};
#[cfg(feature = "javascript")]
use crate::scripting::compile_js_to_bytecode;
#[cfg(feature = "lua")]
use crate::scripting::compile_to_bytecode;
use crate::scripting::RhaiEngine;
use crate::scripting::{
    CompiledScript, DecisionCache, DecisionCacheConfig, ScriptPool, ScriptPoolConfig,
};

#[cfg(any(feature = "lua", feature = "javascript"))]
use anyhow::Context;
use http_body_util::combinators::BoxBody;
use hyper::body::Bytes;
use hyper::server::conn::http1;
use hyper::service::service_fn;
use hyper_util::rt::TokioIo;
use std::convert::Infallible;
use std::net::SocketAddr;
use std::sync::Arc;
use tracing::{error, info};

/// The main proxy server struct.
pub struct ProxyServer {
    config: Arc<Config>,
    compiled_rules: Arc<Vec<CompiledRule>>,
    rule_upstreams: Arc<Vec<Option<String>>>, // Upstream filter for each rule (parallel to compiled_rules)
    upstream_uri: String,                     // Used for sidecar mode
    upstreams: Vec<Upstream>,                 // Used for reverse proxy mode
    router: Option<Router>,
    flow_store: Arc<dyn FlowStore>, // Flow store for scripts (may be NoOp if not configured)
    script_pool: Option<Arc<ScriptPool>>, // Script pool for optimized execution
    compiled_scripts: Option<Vec<(CompiledScript, CompiledRule, Option<String>)>>, // Precompiled scripts for pool
    decision_cache: Option<Arc<DecisionCache>>, // Decision cache for memoization
    http_client: HttpClient,                    // Shared HTTP client for HTTP/1.1
    // Mountebank-compatible behavior state
    // Will be wired up when response cycling is fully integrated
    response_cycler: Arc<ResponseCycler>, // Response cycling state (repeat behavior)
    csv_cache: Arc<CsvCache>,             // CSV data cache (lookup behavior)
    recording_store: Arc<RecordingStore>, // Recording store (proxyOnce/proxyAlways modes)
}

impl ProxyServer {
    /// Create a new ProxyServer from configuration.
    pub async fn new(config: Config) -> Result<Self, anyhow::Error> {
        Self::new_internal(config, None).await
    }

    /// Create a new ProxyServer with a shared flow store.
    pub async fn new_with_shared_flow_store(
        config: Config,
        flow_store: Arc<dyn FlowStore>,
    ) -> Result<Self, anyhow::Error> {
        Self::new_internal(config, Some(flow_store)).await
    }

    async fn new_internal(
        config: Config,
        shared_flow_store: Option<Arc<dyn FlowStore>>,
    ) -> Result<Self, anyhow::Error> {
        // Compile rules and extract upstream filters
        let mut compiled_rules = Vec::new();
        let mut rule_upstreams = Vec::new();

        for rule in &config.rules {
            compiled_rules.push(CompiledRule::compile(rule.clone())?);
            rule_upstreams.push(rule.upstream.clone());
        }

        // Get upstream URI (backward compatible with sidecar mode)
        let upstream_uri = if let Some(ref upstream) = config.upstream {
            let protocol = upstream.get_protocol();
            format!(
                "{}://{}:{}",
                protocol.as_str(),
                upstream.host,
                upstream.port
            )
        } else if !config.upstreams.is_empty() {
            // For reverse proxy mode, use first upstream as fallback
            config.upstreams[0].url.clone()
        } else {
            anyhow::bail!("Config must specify either 'upstream' (sidecar mode) or 'upstreams' (reverse proxy mode)");
        };

        // Create router for multi-upstream mode
        let router = if !config.routing.is_empty() {
            let r = Router::new(config.routing.clone())
                .map_err(|e| anyhow::anyhow!("Failed to create router: {e}"))?;
            Some(r)
        } else {
            None
        };

        // Use shared flow store if provided, otherwise initialize new one
        let flow_store: Arc<dyn FlowStore> = if let Some(store) = shared_flow_store {
            // Using shared flow store across workers
            store
        } else if let Some(ref fs_config) = config.flow_state {
            // Create new flow store for this worker (backward compatible mode)
            create_flow_store(fs_config)?
        } else if !config.script_rules.is_empty() {
            // Scripts are configured but no flow_state - use no-op store
            tracing::info!("Using NoOpFlowStore for scripts (flow_state not configured)");
            Arc::new(crate::extensions::flow_state::NoOpFlowStore)
        } else {
            // Neither scripts nor flow_state configured - use no-op store as placeholder
            Arc::new(crate::extensions::flow_state::NoOpFlowStore)
        };

        // Create script pool and decision cache for script execution
        let (script_pool, compiled_scripts, decision_cache) = if !config.script_rules.is_empty() {
            let mut scripts = Vec::new();
            let engine_type = config
                .script_engine
                .as_ref()
                .map(|cfg| cfg.engine.as_str())
                .unwrap_or("rhai");

            for script_rule in &config.script_rules {
                // Compile script to appropriate format
                let compiled = match engine_type {
                    "rhai" => {
                        let engine = RhaiEngine::new(&script_rule.script, script_rule.id.clone())?;
                        CompiledScript::Rhai {
                            ast: engine.ast().clone(),
                            rule_id: script_rule.id.clone(),
                        }
                    }
                    #[cfg(feature = "lua")]
                    "lua" => {
                        let bytecode =
                            compile_to_bytecode(&script_rule.script).with_context(|| {
                                format!(
                                    "Failed to compile Lua script for rule '{}'",
                                    script_rule.id
                                )
                            })?;
                        CompiledScript::Lua {
                            bytecode: Arc::new(bytecode),
                            rule_id: script_rule.id.clone(),
                        }
                    }
                    #[cfg(not(feature = "lua"))]
                    "lua" => {
                        anyhow::bail!("Lua engine not enabled. Enable the 'lua' feature flag")
                    }
                    #[cfg(feature = "javascript")]
                    "javascript" | "js" => {
                        let bytecode =
                            compile_js_to_bytecode(&script_rule.script).with_context(|| {
                                format!(
                                    "Failed to compile JavaScript script for rule '{}'",
                                    script_rule.id
                                )
                            })?;
                        CompiledScript::JavaScript {
                            bytecode: Arc::new(bytecode),
                            rule_id: script_rule.id.clone(),
                        }
                    }
                    #[cfg(not(feature = "javascript"))]
                    "javascript" | "js" => {
                        anyhow::bail!(
                            "JavaScript engine not enabled. Enable the 'javascript' feature flag"
                        )
                    }
                    other => anyhow::bail!("Unknown script engine type: {other}"),
                };

                let matcher = CompiledRule::compile(crate::config::Rule {
                    id: script_rule.id.clone(),
                    match_config: script_rule.match_config.clone(),
                    fault: Default::default(),
                    upstream: None,
                })?;

                scripts.push((compiled, matcher, script_rule.upstream.clone()));
            }

            // Create script pool with config (or defaults)
            let pool_config = if let Some(ref pool_cfg) = config.script_pool {
                ScriptPoolConfig {
                    workers: pool_cfg.workers,
                    queue_size: pool_cfg.queue_size,
                    timeout_ms: pool_cfg.timeout_ms,
                }
            } else {
                ScriptPoolConfig::default()
            };
            let pool = Arc::new(ScriptPool::new(pool_config.clone())?);
            info!(
                "Script pool initialized with {} workers",
                pool_config.workers
            );

            // Create decision cache with config (or defaults)
            let cache_config = if let Some(ref cache_cfg) = config.decision_cache {
                DecisionCacheConfig {
                    enabled: cache_cfg.enabled,
                    max_size: cache_cfg.max_size,
                    ttl_seconds: cache_cfg.ttl_seconds,
                }
            } else {
                DecisionCacheConfig::default()
            };
            let cache = Arc::new(DecisionCache::new(cache_config.clone()));
            info!(
                "Decision cache initialized: enabled={}, max_size={}, ttl={}s",
                cache_config.enabled, cache_config.max_size, cache_config.ttl_seconds
            );

            (Some(pool), Some(scripts), Some(cache))
        } else {
            (None, None, None)
        };

        let upstreams = config.upstreams.clone();

        // Check if any upstream needs TLS verification skipped
        let skip_tls_verify = should_skip_tls_verify(&config);

        // Create shared HTTP client
        let http_client = create_http_client(&config, skip_tls_verify);

        // Extract recording mode before moving config into Arc
        let recording_mode = config.recording.mode;

        Ok(Self {
            config: Arc::new(config),
            compiled_rules: Arc::new(compiled_rules),
            rule_upstreams: Arc::new(rule_upstreams),
            upstream_uri,
            upstreams,
            router,
            flow_store,
            script_pool,
            compiled_scripts,
            decision_cache,
            http_client,
            // Initialize behavior state
            response_cycler: Arc::new(ResponseCycler::new()),
            csv_cache: Arc::new(CsvCache::new()),
            recording_store: Arc::new(RecordingStore::new(recording_mode)),
        })
    }

    /// Run the proxy server, accepting connections and handling requests.
    pub async fn run(self) -> Result<(), anyhow::Error> {
        let addr = SocketAddr::from(([0, 0, 0, 0], self.config.listen.port));
        let listener = create_reusable_listener(addr)?;
        let protocol = self.config.listen.protocol;

        // Create TLS acceptor if protocol is HTTPS
        let tls_acceptor = if protocol == RiftProtocol::Https {
            let tls_config =
                self.config.listen.tls.as_ref().ok_or_else(|| {
                    anyhow::anyhow!("TLS configuration required for HTTPS listener")
                })?;
            Some(create_tls_acceptor(
                &tls_config.cert_path,
                &tls_config.key_path,
            )?)
        } else {
            None
        };

        info!("Listening on {}://{}", protocol.as_str(), addr);
        info!("Proxying to {}", self.upstream_uri);
        info!("Loaded {} fault injection rules", self.compiled_rules.len());
        if let Some(ref scripts) = self.compiled_scripts {
            info!("Loaded {} script rules", scripts.len());
        }
        if self.recording_store.mode() != ProxyMode::ProxyTransparent {
            info!("Recording mode: {:?}", self.recording_store.mode());
        }

        let server = Arc::new(self);

        loop {
            let (stream, remote_addr) = listener.accept().await?;
            let server = Arc::clone(&server);
            let tls_acceptor = tls_acceptor.clone();

            tokio::spawn(async move {
                match protocol {
                    RiftProtocol::Https => {
                        // HTTPS: perform TLS handshake first
                        let Some(acceptor) = tls_acceptor else {
                            error!(
                                "TLS acceptor missing for HTTPS connection from {}",
                                remote_addr
                            );
                            return;
                        };
                        match acceptor.accept(stream).await {
                            Ok(tls_stream) => {
                                let io = TokioIo::new(tls_stream);
                                let service = service_fn(move |req| {
                                    let server = Arc::clone(&server);
                                    async move { server.handle_request_internal(req).await }
                                });

                                if let Err(err) =
                                    http1::Builder::new().serve_connection(io, service).await
                                {
                                    error!(
                                        "Error serving HTTPS connection from {}: {}",
                                        remote_addr, err
                                    );
                                }
                            }
                            Err(err) => {
                                error!("TLS handshake failed from {}: {}", remote_addr, err);
                            }
                        }
                    }
                    RiftProtocol::Http => {
                        // HTTP: serve directly
                        let io = TokioIo::new(stream);
                        let service = service_fn(move |req| {
                            let server = Arc::clone(&server);
                            async move { server.handle_request_internal(req).await }
                        });

                        if let Err(err) = http1::Builder::new().serve_connection(io, service).await
                        {
                            error!(
                                "Error serving HTTP connection from {}: {}",
                                remote_addr, err
                            );
                        }
                    }
                    _ => {
                        error!("Unsupported protocol: {}", protocol.as_str());
                    }
                }
            });
        }
    }

    /// Internal request handler that builds the context and delegates to handler module.
    async fn handle_request_internal(
        &self,
        req: hyper::Request<hyper::body::Incoming>,
    ) -> Result<hyper::Response<BoxBody<Bytes, hyper::Error>>, Infallible> {
        // Build recording signature headers from config
        let signature_headers: Vec<(String, String)> = self
            .config
            .recording
            .predicate_generators
            .iter()
            .flat_map(|pg| pg.matches.headers.iter())
            .filter_map(|header_name| {
                req.headers()
                    .get(header_name)
                    .and_then(|v| v.to_str().ok())
                    .map(|v| (header_name.clone(), v.to_string()))
            })
            .collect();

        let ctx = RequestHandlerContext {
            http_client: &self.http_client,
            compiled_rules: &self.compiled_rules,
            rule_upstreams: &self.rule_upstreams,
            upstream_uri: &self.upstream_uri,
            router: self.router.as_ref(),
            upstreams: &self.upstreams,
            flow_store: &self.flow_store,
            script_pool: self.script_pool.as_ref(),
            compiled_scripts: self.compiled_scripts.as_deref(),
            decision_cache: self.decision_cache.as_ref(),
            csv_cache: &self.csv_cache,
            recording_store: &self.recording_store,
            recording_signature_headers: &signature_headers,
            flow_state_configured: self.config.flow_state.is_some(),
        };

        handle_request(&ctx, req).await
    }
}