gl_client/node/
service.rs

1use anyhow::{anyhow, Result};
2use http::{Request, Response};
3use log::{debug, trace};
4use rustls_pemfile as pemfile;
5use std::future::Future;
6use std::pin::Pin;
7use std::task::{Context, Poll};
8use tonic::body::BoxBody;
9use tonic::transport::Body;
10use tonic::transport::Channel;
11use tower::{Layer, Service};
12
13use ring::signature::KeyPair;
14use ring::{
15    rand,
16    signature::{self, EcdsaKeyPair},
17};
18
19pub struct AuthLayer {
20    key: Vec<u8>,
21    rune: String,
22}
23
24impl AuthLayer {
25    pub fn new(pem: Vec<u8>, rune: String) -> Result<Self> {
26        // Try to convert the key into a keypair to make sure it works later
27        // when we need it.
28        let key = {
29            let mut key = std::io::Cursor::new(&pem[..]);
30            match pemfile::pkcs8_private_keys(&mut key) {
31                Ok(v) => v,
32                Err(e) => {
33                    return Err(anyhow!(
34                        "Could not decode PEM string into PKCS#8 format: {}",
35                        e
36                    ))
37                }
38            }
39            .remove(0)
40        };
41
42        match EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_FIXED_SIGNING, key.as_ref()) {
43            Ok(_) => trace!("Successfully decoded keypair from PEM string"),
44            Err(e) => return Err(anyhow!("Could not decide keypair from PEM string: {}", e)),
45        };
46
47        Ok(AuthLayer { key, rune })
48    }
49}
50
51impl Layer<Channel> for AuthLayer {
52    type Service = AuthService;
53
54    fn layer(&self, inner: Channel) -> Self::Service {
55        AuthService {
56            key: self.key.clone(),
57            inner,
58            rune: self.rune.clone(),
59        }
60    }
61}
62
63#[derive(Clone)]
64pub struct AuthService {
65    // PKCS#8 formatted private key
66    key: Vec<u8>,
67    inner: Channel,
68    rune: String,
69}
70impl Service<Request<BoxBody>> for AuthService {
71    type Response = Response<Body>;
72    type Error = Box<dyn std::error::Error + Send + Sync>;
73    #[allow(clippy::type_complexity)]
74    type Future = Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>> + Send>>;
75
76    fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
77        self.inner.poll_ready(cx).map_err(Into::into)
78    }
79    fn call(&mut self, request: Request<BoxBody>) -> Self::Future {
80        use base64::Engine;
81        let engine = base64::engine::general_purpose::STANDARD_NO_PAD;
82
83        // This is necessary because tonic internally uses `tower::buffer::Buffer`.
84        // See https://github.com/tower-rs/tower/issues/547#issuecomment-767629149
85        // for details on why this is necessary
86        let clone = self.inner.clone();
87        let mut inner = std::mem::replace(&mut self.inner, clone);
88
89        let keypair = EcdsaKeyPair::from_pkcs8(
90            &signature::ECDSA_P256_SHA256_FIXED_SIGNING,
91            self.key.as_ref(),
92        )
93        .unwrap();
94
95        let rune = self.rune.clone();
96
97        Box::pin(async move {
98            use bytes::BufMut;
99            use std::convert::TryInto;
100            use tonic::codegen::Body;
101
102            // Returns UTC on all platforms, no need to handle
103            // timezones.
104            let time = std::time::SystemTime::now()
105                .duration_since(std::time::SystemTime::UNIX_EPOCH)?
106                .as_millis();
107
108            let (mut parts, mut body) = request.into_parts();
109
110            let data = body.data().await.unwrap().unwrap();
111
112            // Copy used to create the signature (payload + associated data)
113            let mut buf = data.to_vec();
114
115            // Associated data that is covered by the signature
116            let mut ts = vec![];
117            ts.put_u64(time.try_into()?);
118            buf.put_u64(time.try_into()?);
119
120            let rng = rand::SystemRandom::new();
121            let pubkey = keypair.public_key().as_ref();
122            let sig = keypair.sign(&rng, &buf).unwrap();
123
124            // We use base64 encoding simply because it is
125            // slightly more compact and we already have it as
126            // a dependency from rustls. Sizes are as follows:
127            //
128            // - Pubkey: raw=65, hex=130, base64=88
129            // - Signature: raw=64, hex=128, base64=88
130            //
131            // For an overall saving of 82 bytes per request,
132            // and a total overhead of 199 bytes per request.
133            parts
134                .headers
135                .insert("glauthpubkey", engine.encode(&pubkey).parse().unwrap());
136            parts
137                .headers
138                .insert("glauthsig", engine.encode(sig).parse().unwrap());
139
140            parts
141                .headers
142                .insert("glts", engine.encode(ts).parse().unwrap());
143
144            // Runes already come base64 URL_SAFE encoded.
145            parts
146                .headers
147                .insert("glrune", rune.parse().expect("Could not parse rune"));
148
149            trace!("Payload size: {} (timestamp {})", data.len(), time);
150
151            let body = crate::node::stasher::StashBody::new(data).into();
152            let request = Request::from_parts(parts, body);
153            debug!("Sending request {:?}", request);
154            let response = inner.call(request).await?;
155            Ok(response)
156        })
157    }
158}