//! NAT traversal for `ZLayer` overlay networking.
//!
//! Provides STUN endpoint discovery, UDP hole punching, and TURN relay
//! fallback for establishing overlay connections through NAT.

pub mod candidate;
pub mod config;
pub mod discovery;
pub mod relay;
pub mod runtime;
pub mod stun;
pub mod traversal;
pub mod turn;

pub use candidate::{Candidate, CandidateType, ConnectionType};
pub use config::{NatConfig, RelayServerConfig, StunServerConfig, TurnServerConfig};
pub use discovery::RelayDiscovery;
pub use relay::RelayServer;
pub use runtime::{NatPeerSnapshot, NatStatusSnapshot};
pub use stun::StunClient;
pub use traversal::NatTraversal;
pub use turn::RelayClient;

/// Translate a base64-encoded `WireGuard` public key into lowercase hex, the
/// encoding the boringtun UAPI status dump prints on its `public_key=` lines.
///
/// overlayd keys its peer maps by base64 (the form peers exchange on the
/// wire), whereas the live device only reports hex keys. Code that joins a
/// base64-keyed map against a parsed UAPI dump (for example, mapping a peer's
/// recorded NAT [`ConnectionType`] back to its current remote endpoint) uses
/// this function as the bridge between the two encodings.
///
/// Only the encoding and the decoded length are checked here: the input is
/// decoded exactly as given (no trimming) and the bytes are not otherwise
/// validated as a key. Returns `None` when `b64` does not decode with the
/// standard base64 engine or does not decode to exactly 32 bytes.
#[must_use]
pub fn pubkey_b64_to_hex(b64: &str) -> Option<String> {
    use base64::{engine::general_purpose::STANDARD, Engine as _};

    // Decoded key length this function accepts.
    const KEY_LEN: usize = 32;

    STANDARD
        .decode(b64)
        .ok()
        // Reject anything that is not exactly one key's worth of bytes, so a
        // truncated or padded-out value can never be turned into a join key.
        .filter(|raw| raw.len() == KEY_LEN)
        .map(hex::encode)
}

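#[cfg(test)]
mod mod_tests {
    //! Unit tests for [`pubkey_b64_to_hex`]: known vectors plus rejection of
    //! malformed and wrong-length input.

    use super::pubkey_b64_to_hex;
    use base64::{engine::general_purpose::STANDARD, Engine as _};

    #[test]
    fn pubkey_b64_to_hex_matches_known_vector() {
        // 32 zero bytes → base64 "AAAA…AAA=" → 64 hex zeros.
        let b64 = STANDARD.encode([0u8; 32]);
        assert_eq!(pubkey_b64_to_hex(&b64), Some("0".repeat(64)));
    }

    #[test]
    fn pubkey_b64_to_hex_emits_lowercase_hex() {
        // The all-zero vector cannot distinguish upper- from lowercase output.
        // The result is compared against lowercase UAPI keys, so pin the case
        // with a byte value that contains hex letters.
        let b64 = STANDARD.encode([0xABu8; 32]);
        assert_eq!(pubkey_b64_to_hex(&b64), Some("ab".repeat(32)));
    }

    #[test]
    fn pubkey_b64_to_hex_rejects_bad_input() {
        assert_eq!(pubkey_b64_to_hex("not-base64!!!"), None);
        // Valid base64 but wrong length (4 bytes).
        let short = STANDARD.encode([1u8, 2, 3, 4]);
        assert_eq!(pubkey_b64_to_hex(&short), None);
    }

    #[test]
    fn pubkey_b64_to_hex_rejects_overlong_and_empty_input() {
        // One byte too many must be rejected, not truncated to 32 bytes.
        let long = STANDARD.encode([7u8; 33]);
        assert_eq!(pubkey_b64_to_hex(&long), None);
        // The empty string decodes to zero bytes, which is not a key.
        assert_eq!(pubkey_b64_to_hex(""), None);
    }
}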