use rcgen::{CertificateParams, KeyPair};
use reqwest::Client;
use serde::{Deserialize, Serialize};
use thiserror::Error;

use crate::config::{DnsTarget, ResolvedCloudflareConfig};

/// Cloudflare API client for DNS and Origin CA management
///
/// One instance is bound to a single zone (`zone_id`) and a single apex
/// (`base_domain`): tunnel subdomains are created beneath that apex and point at
/// `dns_target`, an A record for an IP or a CNAME for a hostname.
///
/// `api_token` is a bearer secret. This type deliberately derives no `Debug`;
/// if one is ever added, the token field must be redacted.
pub struct CloudflareClient {
    /// Shared HTTP client used for every API call
    client: Client,
    /// Cloudflare API bearer token; attached to each request, never logged
    api_token: String,
    /// Zone that owns `base_domain`
    zone_id: String,
    /// Where new subdomain records point (IP -> A record, hostname -> CNAME)
    dns_target: DnsTarget,
    /// Apex under which tunnel subdomains are created
    base_domain: String,
}

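/// Origin CA certificate and private key
///
/// `private_key` is the unencrypted PEM private key belonging to `certificate`.
/// It is held in a plain `String` (no zeroization, no memory locking), so keep
/// this value out of logs and write it to disk only with restrictive
/// permissions. `Debug` is implemented by hand rather than derived so that a
/// `{:?}` of this struct never prints the key.
#[derive(Clone)]
pub struct OriginCertificate {
    /// PEM-encoded certificate
    pub certificate: String,
    /// PEM-encoded private key
    pub private_key: String,
    /// Certificate expiration date
    pub expires_on: String,
}

impl std::fmt::Debug for OriginCertificate {
    /// Same layout as the derived impl, with the private key redacted.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("OriginCertificate")
            .field("certificate", &self.certificate)
            .field("private_key", &"<REDACTED>")
            .field("expires_on", &self.expires_on)
            .finish()
    }
}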

/// Request body for `POST /zones/{zone_id}/dns_records`
#[derive(Debug, Serialize)]
struct CreateDnsRecord {
    /// "A" or "CNAME"; serialized as `type`, which is a Rust keyword
    #[serde(rename = "type")]
    record_type: String,
    /// Fully qualified record name (`<subdomain>.<base_domain>`)
    name: String,
    /// Record target: the IP for an A record, the hostname for a CNAME
    content: String,
    /// TTL in seconds
    ttl: u32,
    /// Whether Cloudflare proxies the record (hides the origin behind its edge)
    proxied: bool,
}

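/// Envelope returned by the DNS record creation endpoint
///
/// `errors` defaults to empty so that a reply lacking the array still decodes
/// and the `success` flag can be inspected, instead of the whole response
/// failing with a "missing field" decode error that hides the real outcome.
#[derive(Debug, Deserialize)]
struct DnsRecordResponse {
    /// Cloudflare's overall verdict for the call
    success: bool,
    /// The created record, present on success
    result: Option<DnsRecord>,
    /// Error details, populated when `success` is false
    #[serde(default)]
    errors: Vec<CloudflareApiError>,
}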

/// The subset of a Cloudflare DNS record this crate needs: its ID
#[derive(Debug, Deserialize)]
struct DnsRecord {
    /// Record ID, later passed to `delete_record`
    id: String,
}

/// One entry of Cloudflare's `errors` array; only the human-readable message
/// is kept, other fields of the entry are ignored
#[derive(Debug, Deserialize)]
struct CloudflareApiError {
    /// Human-readable error text, surfaced to callers via `CloudflareError::Api`
    message: String,
}

/// Envelope returned by the DNS record deletion endpoint
///
/// Only `success` is decoded; unlike the other envelopes in this file the
/// `errors` array is dropped, so `delete_record` can report only a generic
/// failure without Cloudflare's reason.
#[derive(Debug, Deserialize)]
struct DeleteResponse {
    /// Cloudflare's overall verdict for the call
    success: bool,
}

/// Request body for creating an Origin CA certificate (`POST /certificates`)
///
/// Only the CSR leaves the process; the matching private key stays local.
#[derive(Debug, Serialize)]
struct CreateOriginCertRequest {
    /// PEM-encoded CSR
    csr: String,
    /// Hostnames to include in the certificate
    hostnames: Vec<String>,
    /// Certificate type: "origin-rsa" or "origin-ecc"
    request_type: String,
    /// Validity period in days (7, 30, 90, 365, 730, 1095, or 5475)
    requested_validity: u32,
}

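/// Response from Origin CA certificate creation
///
/// `errors` defaults to empty so that a reply lacking the array still decodes
/// and the `success` flag can be inspected, instead of the whole response
/// failing with a "missing field" decode error that hides the real outcome.
#[derive(Debug, Deserialize)]
struct OriginCertResponse {
    /// Cloudflare's overall verdict for the call
    success: bool,
    /// The issued certificate, present on success
    result: Option<OriginCertResult>,
    /// Error details, populated when `success` is false
    #[serde(default)]
    errors: Vec<CloudflareApiError>,
}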

/// Certificate fields taken from a successful Origin CA creation response
#[derive(Debug, Deserialize)]
struct OriginCertResult {
    /// PEM-encoded certificate issued by the Origin CA
    certificate: String,
    /// Expiration timestamp as returned by Cloudflare (not parsed here)
    expires_on: String,
}

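/// Response from listing Origin CA certificates
///
/// `errors` defaults to empty so that a reply lacking the array still decodes
/// and the `success` flag can be inspected, instead of the whole response
/// failing with a "missing field" decode error that hides the real outcome.
#[derive(Debug, Deserialize)]
struct ListOriginCertsResponse {
    /// Cloudflare's overall verdict for the call
    success: bool,
    /// Certificates for the zone; `None` is treated as an empty list by the caller
    result: Option<Vec<OriginCertListItem>>,
    /// Error details, populated when `success` is false
    #[serde(default)]
    errors: Vec<CloudflareApiError>,
}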

/// An Origin CA certificate in the list response
#[derive(Debug, Deserialize)]
struct OriginCertListItem {
    /// Certificate ID, used for revocation
    id: String,
    /// Hostnames the certificate covers; matched against the base domain
    /// and its wildcard during cleanup
    hostnames: Vec<String>,
    /// Expiration timestamp as returned by Cloudflare (logged, not parsed)
    expires_on: String,
}

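/// Response from revoking an Origin CA certificate
///
/// `errors` defaults to empty so that a reply lacking the array still decodes
/// and the `success` flag can be inspected, instead of the whole response
/// failing with a "missing field" decode error that hides the real outcome.
#[derive(Debug, Deserialize)]
struct RevokeOriginCertResponse {
    /// Cloudflare's overall verdict for the call
    success: bool,
    /// Error details, populated when `success` is false
    #[serde(default)]
    errors: Vec<CloudflareApiError>,
}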

/// Errors returned by `CloudflareClient`
///
/// `Request` wraps transport and body-decoding failures from `reqwest`; its
/// message may include the request URL (zone and record IDs, which are not
/// secret) but never the bearer token, which travels only in a header. `Api`
/// carries Cloudflare's own error messages joined into one string, or a local
/// failure such as key or CSR generation.
#[derive(Debug, Error)]
pub enum CloudflareError {
    /// Network, TLS or response-decoding failure from `reqwest`
    #[error("HTTP request failed: {0}")]
    Request(#[from] reqwest::Error),

    /// Cloudflare answered `success: false`, or a local step failed
    #[error("API error: {0}")]
    Api(String),
}

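/// Validate a single DNS label for use as a tunnel subdomain.
///
/// Accepts only the LDH form: 1-63 ASCII letters, digits or hyphens, not
/// starting or ending with a hyphen. This keeps a caller-chosen name from
/// turning into a wildcard record (`*`) or a multi-level name (`a.b`) that the
/// `*.base_domain` Origin CA certificate issued by this client would not cover.
/// The `Api` variant is reused for this local check because the error enum has
/// no dedicated validation variant.
fn validate_subdomain(subdomain: &str) -> Result<(), CloudflareError> {
    let ok_len = !subdomain.is_empty() && subdomain.len() <= 63;
    let ok_chars = subdomain
        .bytes()
        .all(|b| b.is_ascii_alphanumeric() || b == b'-');
    let ok_edges = !subdomain.starts_with('-') && !subdomain.ends_with('-');
    if ok_len && ok_chars && ok_edges {
        Ok(())
    } else {
        Err(CloudflareError::Api(format!(
            "Invalid subdomain {subdomain:?}: expected a single DNS label (letters, digits, hyphens)"
        )))
    }
}

/// Reject an identifier that would alter the request path it is spliced into.
///
/// Cloudflare record and certificate IDs are opaque alphanumeric strings in
/// practice; this only blocks separators (`/`, `?`, `#`, whitespace, ...), so a
/// caller-supplied ID cannot redirect a DELETE to a different resource.
fn validate_id(id: &str, what: &str) -> Result<(), CloudflareError> {
    let safe = !id.is_empty()
        && id
            .bytes()
            .all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_');
    if safe {
        Ok(())
    } else {
        Err(CloudflareError::Api(format!("Invalid {what} {id:?}")))
    }
}

impl CloudflareClient {
    /// Root of the Cloudflare v4 REST API; every request below is built on it.
    const API_BASE: &'static str = "https://api.cloudflare.com/client/v4";

    /// Upper bound for a single API call (connect, headers and body).
    const REQUEST_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(30);

    /// Validity periods the Origin CA accepts, in days.
    const ORIGIN_CA_VALIDITY_DAYS: [u32; 7] = [7, 30, 90, 365, 730, 1095, 5475];

    /// Build a client bound to one zone and one apex domain.
    ///
    /// # Arguments
    /// * `config` - Resolved Cloudflare settings: API token, zone ID and the
    ///   DNS target (IP or CNAME hostname) that new subdomains point at
    /// * `base_domain` - Apex under which tunnel subdomains are created
    ///
    /// # Panics
    /// Panics if the HTTP client cannot be built (TLS backend initialisation),
    /// the same condition under which `reqwest::Client::new()` panics.
    pub fn new(config: &ResolvedCloudflareConfig, base_domain: &str) -> Self {
        // A stalled Cloudflare call must not block tunnel setup indefinitely,
        // so every request carries a hard timeout.
        let client = Client::builder()
            .timeout(Self::REQUEST_TIMEOUT)
            .build()
            .expect("failed to build HTTP client for the Cloudflare API");

        Self {
            client,
            api_token: config.api_token.clone(),
            zone_id: config.zone_id.clone(),
            dns_target: config.dns_target.clone(),
            base_domain: base_domain.to_string(),
        }
    }

    /// Flatten Cloudflare's `errors` array into one comma-separated message.
    fn join_errors(errors: Vec<CloudflareApiError>) -> String {
        errors
            .into_iter()
            .map(|e| e.message)
            .collect::<Vec<_>>()
            .join(", ")
    }

    /// Decode a Cloudflare JSON envelope.
    ///
    /// Cloudflare normally answers even rejected requests with the same
    /// envelope, which callers inspect through `success`/`errors`. A body that
    /// does not decode on a non-success status (HTML error page, empty 429/5xx
    /// reply) would otherwise surface only as an opaque decode error, so the
    /// HTTP status is attached in that case; a decode failure on a 2xx keeps
    /// the transport error unchanged.
    async fn decode<T: serde::de::DeserializeOwned>(
        response: reqwest::Response,
        what: &str,
    ) -> Result<T, CloudflareError> {
        let status = response.status();
        match response.json::<T>().await {
            Ok(parsed) => Ok(parsed),
            Err(e) if !status.is_success() => Err(CloudflareError::Api(format!(
                "{what} failed with HTTP {status}: {e}"
            ))),
            Err(e) => Err(CloudflareError::Request(e)),
        }
    }

    /// Create a DNS record for a subdomain (A record for IP, CNAME for hostname)
    ///
    /// The record name is `<subdomain>.<base_domain>` and its content is the
    /// configured `DnsTarget`. With `proxied == false` (the TCP case) the record
    /// is published as-is, so for an `Ip` target the origin's address becomes
    /// visible in public DNS; only the proxied HTTP case hides it behind
    /// Cloudflare.
    ///
    /// # Arguments
    /// * `subdomain` - The subdomain to create (e.g., "myapp"); must be a single
    ///   DNS label, see `validate_subdomain`
    /// * `proxied` - Whether to proxy through Cloudflare (true for HTTP, false for TCP)
    ///
    /// # Returns
    /// The DNS record ID for later deletion
    ///
    /// # Errors
    /// `Api` for an invalid label, a rejected request or a response without a
    /// record; `Request` for transport or decoding failures
    pub async fn create_record(
        &self,
        subdomain: &str,
        proxied: bool,
    ) -> Result<String, CloudflareError> {
        // Fail fast on names that are not one label: `*` would create a wildcard
        // record and `a.b` a name the wildcard Origin CA certificate does not cover.
        validate_subdomain(subdomain)?;
        let full_name = format!("{}.{}", subdomain, self.base_domain);

        let (record_type, content) = match &self.dns_target {
            DnsTarget::Ip(ip) => ("A", ip.clone()),
            DnsTarget::Cname(hostname) => ("CNAME", hostname.clone()),
        };

        tracing::info!(
            "Creating DNS {} record: {} -> {} (proxied: {})",
            record_type,
            full_name,
            content,
            proxied
        );

        let response = self
            .client
            .post(format!(
                "{}/zones/{}/dns_records",
                Self::API_BASE,
                self.zone_id
            ))
            .bearer_auth(&self.api_token)
            .json(&CreateDnsRecord {
                record_type: record_type.to_string(),
                name: full_name.clone(),
                content,
                ttl: 60, // Short TTL for dynamic records
                proxied,
            })
            .send()
            .await?;

        let result: DnsRecordResponse = Self::decode(response, "DNS record creation").await?;

        if !result.success {
            return Err(CloudflareError::Api(Self::join_errors(result.errors)));
        }

        let record = result
            .result
            .ok_or_else(|| CloudflareError::Api("No record in response".to_string()))?;
        tracing::info!("Created DNS record {} with ID {}", full_name, record.id);
        Ok(record.id)
    }

    /// Delete a DNS record
    ///
    /// # Arguments
    /// * `record_id` - ID previously returned by `create_record`
    ///
    /// # Errors
    /// `Api` when the ID is malformed or Cloudflare reports `success: false`
    /// (the `DeleteResponse` envelope carries no error details, so the message
    /// is generic); `Request` for transport or decoding failures
    pub async fn delete_record(&self, record_id: &str) -> Result<(), CloudflareError> {
        // The ID is spliced into the URL path; make sure it cannot reshape it.
        validate_id(record_id, "DNS record ID")?;
        tracing::info!("Deleting DNS record {}", record_id);

        let response = self
            .client
            .delete(format!(
                "{}/zones/{}/dns_records/{}",
                Self::API_BASE,
                self.zone_id,
                record_id
            ))
            .bearer_auth(&self.api_token)
            .send()
            .await?;

        let result: DeleteResponse = Self::decode(response, "DNS record deletion").await?;

        if result.success {
            tracing::info!("Deleted DNS record {}", record_id);
            Ok(())
        } else {
            Err(CloudflareError::Api(format!(
                "Failed to delete record {}",
                record_id
            )))
        }
    }

    /// Create an Origin CA certificate for the base domain
    ///
    /// This generates a private key and CSR locally, then requests a certificate
    /// from Cloudflare's Origin CA. The certificate is valid for HTTPS connections
    /// from Cloudflare to this origin server (Full Strict mode). The private key
    /// never leaves this process: only the CSR is sent, and the key is handed back
    /// to the caller unencrypted inside the result (see `OriginCertificate`).
    ///
    /// NOTE(review): the `/certificates` endpoints are called with the same bearer
    /// token as the DNS API; confirm that token is permitted to manage Origin CA
    /// certificates, otherwise these calls fail at runtime rather than at startup.
    ///
    /// # Arguments
    /// * `validity_days` - Certificate validity in days; must be one of the
    ///   periods the Origin CA accepts (7, 30, 90, 365, 730, 1095 or 5475)
    ///
    /// # Returns
    /// An OriginCertificate containing the certificate and private key in PEM format
    ///
    /// # Errors
    /// `Api` for an unsupported validity, a local key/CSR failure, a rejected
    /// request or a response without a certificate; `Request` for transport or
    /// decoding failures
    pub async fn create_origin_certificate(
        &self,
        validity_days: u32,
    ) -> Result<OriginCertificate, CloudflareError> {
        // Reject unsupported periods before generating a key or hitting the API.
        if !Self::ORIGIN_CA_VALIDITY_DAYS.contains(&validity_days) {
            return Err(CloudflareError::Api(format!(
                "Unsupported Origin CA validity of {} days (allowed: {:?})",
                validity_days,
                Self::ORIGIN_CA_VALIDITY_DAYS
            )));
        }

        tracing::info!(
            "Creating Origin CA certificate for *.{} (valid for {} days)",
            self.base_domain,
            validity_days
        );

        // Generate a new key pair with rcgen's default algorithm. The
        // "origin-ecc" request type below assumes that default is ECDSA, so
        // keep the two in sync if the key generation ever changes.
        let key_pair = KeyPair::generate()
            .map_err(|e| CloudflareError::Api(format!("Failed to generate key pair: {}", e)))?;

        // Minimal CSR: empty subject and no SANs. The hostnames are sent in the
        // request body instead, and the Origin CA builds the certificate from them.
        let mut params = CertificateParams::default();
        params.distinguished_name = rcgen::DistinguishedName::new();

        let csr = params
            .serialize_request(&key_pair)
            .map_err(|e| CloudflareError::Api(format!("Failed to generate CSR: {}", e)))?;

        let csr_pem = csr
            .pem()
            .map_err(|e| CloudflareError::Api(format!("Failed to encode CSR as PEM: {}", e)))?;

        // Hostnames: wildcard + base domain. The wildcard covers one label only,
        // which is why `create_record` insists on single-label subdomains.
        let hostnames = vec![format!("*.{}", self.base_domain), self.base_domain.clone()];

        tracing::debug!(
            "Requesting Origin CA certificate for hostnames: {:?}",
            hostnames
        );

        // Request certificate from Cloudflare Origin CA
        // Use origin-ecc since rcgen generates ECDSA keys by default
        let response = self
            .client
            .post(format!("{}/certificates", Self::API_BASE))
            .bearer_auth(&self.api_token)
            .json(&CreateOriginCertRequest {
                csr: csr_pem,
                hostnames,
                request_type: "origin-ecc".to_string(),
                requested_validity: validity_days,
            })
            .send()
            .await?;

        let result: OriginCertResponse =
            Self::decode(response, "Origin CA certificate creation").await?;

        if !result.success {
            return Err(CloudflareError::Api(format!(
                "Failed to create Origin CA certificate: {}",
                Self::join_errors(result.errors)
            )));
        }

        let cert_result = result
            .result
            .ok_or_else(|| CloudflareError::Api("No certificate in response".to_string()))?;

        let private_key_pem = key_pair.serialize_pem();

        tracing::info!(
            "Created Origin CA certificate for *.{}, expires: {}",
            self.base_domain,
            cert_result.expires_on
        );
        // Sizes only: the key material itself must never reach the logs.
        tracing::debug!(
            "Certificate length: {} bytes, Key length: {} bytes",
            cert_result.certificate.len(),
            private_key_pem.len()
        );

        Ok(OriginCertificate {
            certificate: cert_result.certificate,
            private_key: private_key_pem,
            expires_on: cert_result.expires_on,
        })
    }

    /// List all Origin CA certificates for the zone
    ///
    /// A successful reply without a `result` array is returned as an empty list.
    async fn list_origin_certificates(&self) -> Result<Vec<OriginCertListItem>, CloudflareError> {
        let response = self
            .client
            .get(format!(
                "{}/certificates?zone_id={}",
                Self::API_BASE,
                self.zone_id
            ))
            .bearer_auth(&self.api_token)
            .send()
            .await?;

        let result: ListOriginCertsResponse =
            Self::decode(response, "Origin CA certificate listing").await?;

        if result.success {
            Ok(result.result.unwrap_or_default())
        } else {
            Err(CloudflareError::Api(format!(
                "Failed to list Origin CA certificates: {}",
                Self::join_errors(result.errors)
            )))
        }
    }

    /// Revoke an Origin CA certificate by its ID
    ///
    /// # Errors
    /// `Api` when the ID is malformed or Cloudflare reports `success: false`;
    /// `Request` for transport or decoding failures
    async fn revoke_origin_certificate(&self, cert_id: &str) -> Result<(), CloudflareError> {
        // The ID is spliced into the URL path; make sure it cannot reshape it.
        validate_id(cert_id, "certificate ID")?;
        tracing::info!("Revoking Origin CA certificate {}", cert_id);

        let response = self
            .client
            .delete(format!("{}/certificates/{}", Self::API_BASE, cert_id))
            .bearer_auth(&self.api_token)
            .send()
            .await?;

        let result: RevokeOriginCertResponse =
            Self::decode(response, "Origin CA certificate revocation").await?;

        if result.success {
            tracing::info!("Revoked Origin CA certificate {}", cert_id);
            Ok(())
        } else {
            Err(CloudflareError::Api(format!(
                "Failed to revoke certificate {}: {}",
                cert_id,
                Self::join_errors(result.errors)
            )))
        }
    }

    /// Clean up old Origin CA certificates for this domain
    ///
    /// This revokes any existing Origin CA certificates that match our base domain
    /// (either *.base_domain or base_domain). Should be called before creating
    /// a new certificate to avoid accumulating old ones.
    ///
    /// Caveats: the match is by hostname only, so a certificate that also covers
    /// other names, or one that another still-running instance is presently
    /// serving, is revoked as well, and a revoked Origin CA certificate is
    /// presumably no longer accepted by Cloudflare's edge. Call this only when
    /// this process is the sole user of the domain's certificate, and create the
    /// replacement right afterwards. Individual revocation failures are logged
    /// and skipped; only a failure to list the certificates aborts.
    ///
    /// # Returns
    /// The number of certificates that were successfully revoked
    pub async fn cleanup_old_origin_certificates(&self) -> Result<u32, CloudflareError> {
        let wildcard = format!("*.{}", self.base_domain);
        let certs = self.list_origin_certificates().await?;

        let mut revoked = 0;
        for cert in certs {
            // Check if this certificate is for our domain
            let matches = cert
                .hostnames
                .iter()
                .any(|h| h == &self.base_domain || h == &wildcard);

            if matches {
                tracing::info!(
                    "Found old Origin CA certificate {} for {:?}, expires {}",
                    cert.id,
                    cert.hostnames,
                    cert.expires_on
                );

                // Best effort: one stubborn certificate must not stop the rest.
                if let Err(e) = self.revoke_origin_certificate(&cert.id).await {
                    tracing::warn!("Failed to revoke certificate {}: {}", cert.id, e);
                } else {
                    revoked += 1;
                }
            }
        }

        if revoked > 0 {
            tracing::info!("Revoked {} old Origin CA certificate(s)", revoked);
        }

        Ok(revoked)
    }
}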