velesdb-server 1.17.0

REST API server for VelesDB vector database
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91

//! TLS configuration and server support via rustls.
//!
//! When TLS cert and key paths are provided, the server binds with HTTPS.
//! Otherwise, plain HTTP is used (default for local dev).

use std::io::BufReader;
use std::sync::Arc;

use rustls::ServerConfig as TlsServerConfig;
use tokio_rustls::TlsAcceptor;

fn load_certs(cert_path: &str) -> anyhow::Result<Vec<rustls::pki_types::CertificateDer<'static>>> {
    let cert_file = std::fs::File::open(cert_path)
        .map_err(|e| anyhow::anyhow!("failed to open TLS cert file '{cert_path}': {e}"))?;
    let certs: Vec<_> = rustls_pemfile::certs(&mut BufReader::new(cert_file))
        .collect::<Result<Vec<_>, _>>()
        .map_err(|e| anyhow::anyhow!("failed to parse TLS certificates from '{cert_path}': {e}"))?;
    if certs.is_empty() {
        anyhow::bail!("no certificates found in '{cert_path}'");
    }
    Ok(certs)
}

fn load_private_key(key_path: &str) -> anyhow::Result<rustls::pki_types::PrivateKeyDer<'static>> {
    let key_file = std::fs::File::open(key_path)
        .map_err(|e| anyhow::anyhow!("failed to open TLS key file '{key_path}': {e}"))?;
    rustls_pemfile::private_key(&mut BufReader::new(key_file))
        .map_err(|e| anyhow::anyhow!("failed to parse TLS private key from '{key_path}': {e}"))?
        .ok_or_else(|| anyhow::anyhow!("no private key found in '{key_path}'"))
}

/// Load TLS configuration from PEM certificate and private key files.
///
/// Returns a [`TlsAcceptor`] ready for use with `tokio` TCP streams.
///
/// # Errors
///
/// Returns an error if the certificate or key files cannot be read,
/// contain no valid PEM items, or if rustls rejects the configuration.
pub fn load_tls_config(cert_path: &str, key_path: &str) -> anyhow::Result<TlsAcceptor> {
    let certs = load_certs(cert_path)?;
    let key = load_private_key(key_path)?;

    let config = TlsServerConfig::builder()
        .with_no_client_auth()
        .with_single_cert(certs, key)
        .map_err(|e| anyhow::anyhow!("invalid TLS configuration: {e}"))?;

    Ok(TlsAcceptor::from(Arc::new(config)))
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_load_tls_config_missing_cert_file() {
        match load_tls_config("/nonexistent/cert.pem", "/nonexistent/key.pem") {
            Err(e) => assert!(e.to_string().contains("cert")),
            Ok(_) => panic!("should fail for missing files"),
        }
    }

    #[test]
    fn test_load_tls_config_empty_cert_file() {
        let dir = tempfile::tempdir().unwrap();
        let cert_path = dir.path().join("cert.pem");
        let key_path = dir.path().join("key.pem");
        std::fs::write(&cert_path, "").unwrap();
        std::fs::write(&key_path, "").unwrap();

        match load_tls_config(&cert_path.to_string_lossy(), &key_path.to_string_lossy()) {
            Err(e) => assert!(e.to_string().contains("no certificates")),
            Ok(_) => panic!("should fail for empty cert"),
        }
    }

    #[test]
    fn test_load_tls_config_invalid_pem() {
        let dir = tempfile::tempdir().unwrap();
        let cert_path = dir.path().join("cert.pem");
        let key_path = dir.path().join("key.pem");
        std::fs::write(&cert_path, "not a real cert").unwrap();
        std::fs::write(&key_path, "not a real key").unwrap();

        assert!(
            load_tls_config(&cert_path.to_string_lossy(), &key_path.to_string_lossy(),).is_err(),
            "should fail for invalid PEM"
        );
    }
}