vidi 0.1.0

Fast, robust, flexible, lightweight web framework for Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164

use std::{
    io::{Error as IoError, ErrorKind, Result as IoResult},
    net::SocketAddr,
};

use tokio::net::{TcpListener, TcpStream};
use tokio_rustls::{
    rustls::{RootCertStore, ServerConfig, pki_types::PrivateKeyDer, server::WebPkiClientVerifier},
    server::TlsStream,
};

use crate::{Error, Result};

pub use tokio_rustls::TlsAcceptor;

/// Tls client authentication configuration.
#[derive(Debug)]
pub(crate) enum ClientAuth {
    /// No client auth.
    Off,
    /// Allow any anonymous or authenticated client.
    Optional(Vec<u8>),
    /// Allow any authenticated client.
    Required(Vec<u8>),
}

/// `rustls`'s config.
#[derive(Debug)]
pub struct Config {
    cert: Vec<u8>,
    key: Vec<u8>,
    ocsp_resp: Vec<u8>,
    client_auth: ClientAuth,
}

impl Default for Config {
    fn default() -> Self {
        Self::new()
    }
}

impl Config {
    /// Create a new Tls config
    #[must_use]
    pub fn new() -> Self {
        Self {
            cert: Vec::new(),
            key: Vec::new(),
            client_auth: ClientAuth::Off,
            ocsp_resp: Vec::new(),
        }
    }

    /// sets the Tls certificate
    #[must_use]
    pub fn cert(mut self, cert: impl Into<Vec<u8>>) -> Self {
        self.cert = cert.into();
        self
    }

    /// sets the Tls key
    #[must_use]
    pub fn key(mut self, key: impl Into<Vec<u8>>) -> Self {
        self.key = key.into();
        self
    }

    /// Sets the trust anchor for optional Tls client authentication
    #[must_use]
    pub fn client_auth_optional(mut self, trust_anchor: impl Into<Vec<u8>>) -> Self {
        self.client_auth = ClientAuth::Optional(trust_anchor.into());
        self
    }

    /// Sets the trust anchor for required Tls client authentication
    #[must_use]
    pub fn client_auth_required(mut self, trust_anchor: impl Into<Vec<u8>>) -> Self {
        self.client_auth = ClientAuth::Required(trust_anchor.into());
        self
    }

    /// sets the DER-encoded OCSP response
    #[must_use]
    pub fn ocsp_resp(mut self, ocsp_resp: impl Into<Vec<u8>>) -> Self {
        self.ocsp_resp = ocsp_resp.into();
        self
    }

    /// builds the Tls `ServerConfig`
    ///
    /// # Errors
    pub fn build(self) -> Result<ServerConfig> {
        fn read_trust_anchor(mut trust_anchor: &[u8]) -> Result<RootCertStore> {
            let certs = rustls_pemfile::certs(&mut trust_anchor)
                .collect::<IoResult<Vec<_>>>()
                .map_err(Error::boxed)?;
            let mut store = RootCertStore::empty();
            for cert in certs {
                store.add(cert).map_err(Error::boxed)?;
            }
            Ok(store)
        }

        let certs = rustls_pemfile::certs(&mut self.cert.as_slice())
            .collect::<Result<Vec<_>, _>>()
            .map_err(Error::boxed)?;

        let keys = {
            let mut pkcs8 = rustls_pemfile::pkcs8_private_keys(&mut self.key.as_slice())
                .collect::<Result<Vec<_>, _>>()
                .map_err(Error::boxed)?;
            if pkcs8.is_empty() {
                let mut rsa = rustls_pemfile::rsa_private_keys(&mut self.key.as_slice())
                    .collect::<Result<Vec<_>, _>>()
                    .map_err(Error::boxed)?;

                if rsa.is_empty() {
                    return Err(Error::boxed(IoError::new(
                        ErrorKind::InvalidData,
                        "failed to parse tls private keys",
                    )));
                }
                PrivateKeyDer::Pkcs1(rsa.remove(0))
            } else {
                PrivateKeyDer::Pkcs8(pkcs8.remove(0))
            }
        };

        let client_auth = match self.client_auth {
            ClientAuth::Off => WebPkiClientVerifier::no_client_auth(),
            ClientAuth::Optional(trust_anchor) => {
                WebPkiClientVerifier::builder(read_trust_anchor(&trust_anchor)?.into())
                    .allow_unauthenticated()
                    .build()
                    .map_err(Error::boxed)?
            }
            ClientAuth::Required(trust_anchor) => {
                WebPkiClientVerifier::builder(read_trust_anchor(&trust_anchor)?.into())
                    .build()
                    .map_err(Error::boxed)?
            }
        };

        ServerConfig::builder()
            .with_client_cert_verifier(client_auth)
            .with_single_cert_with_ocsp(certs, keys, self.ocsp_resp)
            .map_err(Error::boxed)
    }
}

impl crate::Listener for crate::tls::TlsListener<TcpListener, TlsAcceptor> {
    type Io = TlsStream<TcpStream>;
    type Addr = SocketAddr;

    async fn accept(&self) -> IoResult<(Self::Io, Self::Addr)> {
        let (stream, addr) = self.inner.accept().await?;
        let stream = self.acceptor.accept(stream).await?;
        Ok((stream, addr))
    }

    fn local_addr(&self) -> IoResult<Self::Addr> {
        self.inner.local_addr()
    }
}