signal-fish-server 0.1.0

A lightweight, in-memory WebSocket signaling server for peer-to-peer game networking
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158

use std::sync::Arc;

#[cfg(feature = "tls")]
use std::fs;

#[cfg(feature = "tls")]
use anyhow::{anyhow, Context, Result};

#[cfg(feature = "tls")]
use axum_server::tls_rustls::RustlsConfig;

#[cfg(feature = "tls")]
use rustls::{
    server::{danger::ClientCertVerifier, WebPkiClientVerifier},
    RootCertStore, ServerConfig as RustlsServerConfig,
};

#[cfg(feature = "tls")]
use rustls_pemfile::{certs, read_one, Item};

#[cfg(feature = "tls")]
use rustls_pki_types::{CertificateDer, PrivateKeyDer};

#[cfg(feature = "tls")]
use crate::config::{ClientAuthMode, TlsServerConfig};

/// Header names that may carry a precomputed client certificate SHA-256 fingerprint.
pub const CLIENT_FINGERPRINT_HEADER_CANDIDATES: &[&str] = &[
    "x-signalfish-client-cert-sha256",
    "x-forwarded-client-cert-sha256",
    "x-amzn-mtls-clientcert",
];

/// Captured client certificate fingerprint metadata propagated through request extensions.
#[derive(Debug, Clone)]
pub struct ClientCertificateFingerprint {
    pub fingerprint: Arc<str>,
    pub source_header: &'static str,
}

#[cfg(feature = "tls")]
/// Build an [`axum_server`] TLS configuration based on the user-provided config.
pub fn build_rustls_config(tls: &TlsServerConfig) -> Result<RustlsConfig> {
    let server = Arc::new(build_server_config(tls)?);
    Ok(RustlsConfig::from_config(server))
}

#[cfg(feature = "tls")]
fn build_server_config(tls: &TlsServerConfig) -> Result<RustlsServerConfig> {
    let cert_chain = load_cert_chain(tls)?;
    let private_key = load_private_key(tls)?;
    let verifier = build_client_verifier(tls)?;

    let mut config = RustlsServerConfig::builder()
        .with_client_cert_verifier(verifier)
        .with_single_cert(cert_chain, private_key)
        .map_err(|err| anyhow!("invalid TLS certificate/private key pair: {err}"))?;

    // HTTP/1.1 + HTTP/2 are enabled so reverse proxies can continue to negotiate either protocol.
    config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];

    Ok(config)
}

#[cfg(feature = "tls")]
fn load_cert_chain(tls: &TlsServerConfig) -> Result<Vec<CertificateDer<'static>>> {
    let cert_path = tls
        .certificate_path
        .as_ref()
        .ok_or_else(|| anyhow!("security.transport.tls.certificate_path must be set"))?;
    let data = fs::read(cert_path)
        .with_context(|| format!("failed to read TLS certificate chain at {cert_path}"))?;
    let mut reader = data.as_slice();
    let certs: Vec<CertificateDer<'static>> = certs(&mut reader)
        .collect::<Result<Vec<_>, _>>()
        .with_context(|| format!("failed to parse TLS certificate chain at {cert_path}"))?;

    if certs.is_empty() {
        anyhow::bail!(
            "no certificates were found in security.transport.tls.certificate_path ({cert_path})"
        );
    }

    Ok(certs)
}

#[cfg(feature = "tls")]
fn load_private_key(tls: &TlsServerConfig) -> Result<PrivateKeyDer<'static>> {
    let key_path = tls
        .private_key_path
        .as_ref()
        .ok_or_else(|| anyhow!("security.transport.tls.private_key_path must be set"))?;
    let key_bytes = fs::read(key_path)
        .with_context(|| format!("failed to read TLS private key at {key_path}"))?;

    let mut reader = key_bytes.as_slice();
    while let Some(item) = read_one(&mut reader)
        .with_context(|| format!("failed to parse PEM entry inside TLS private key ({key_path})"))?
    {
        let der: PrivateKeyDer<'static> = match item {
            Item::Pkcs8Key(key) => key.into(),
            Item::Pkcs1Key(key) => key.into(),
            Item::Sec1Key(key) => key.into(),
            _ => continue,
        };
        return Ok(der);
    }

    anyhow::bail!(
        "no supported private key (pkcs8/pkcs1/sec1) was found in security.transport.tls.private_key_path ({key_path})"
    );
}

#[cfg(feature = "tls")]
fn build_client_verifier(tls: &TlsServerConfig) -> Result<Arc<dyn ClientCertVerifier>> {
    if matches!(tls.client_auth, ClientAuthMode::None) {
        return Ok(WebPkiClientVerifier::no_client_auth());
    }

    let ca_path = tls.client_ca_cert_path.as_ref().ok_or_else(|| {
        anyhow!(
            "security.transport.tls.client_ca_cert_path must be set when client_auth is {:?}",
            tls.client_auth
        )
    })?;
    let ca_bytes = fs::read(ca_path)
        .with_context(|| format!("failed to read client CA bundle at {ca_path}"))?;
    let mut reader = ca_bytes.as_slice();
    let mut store = RootCertStore::empty();
    let mut loaded = 0usize;
    for cert in certs(&mut reader) {
        let cert = cert.with_context(|| {
            format!("failed to parse a certificate from {ca_path} for client auth")
        })?;
        store
            .add(cert)
            .map_err(|err| anyhow!("invalid client CA certificate in {ca_path}: {err}"))?;
        loaded += 1;
    }

    if loaded == 0 {
        anyhow::bail!(
            "no certificates were loaded from security.transport.tls.client_ca_cert_path ({ca_path})"
        );
    }

    let builder = WebPkiClientVerifier::builder(Arc::new(store));
    let builder = if matches!(tls.client_auth, ClientAuthMode::Optional) {
        builder.allow_unauthenticated()
    } else {
        builder
    };
    let verifier = builder
        .build()
        .map_err(|err| anyhow!("failed to initialize client certificate verifier: {err}"))?;

    Ok(verifier)
}