
1use std::path::PathBuf;
2
3use serde::{Deserialize, Serialize};
4
5//--------------------------------------------------------------------------------------------------
6// Types
7//--------------------------------------------------------------------------------------------------
8
/// TLS interception configuration.
///
/// When `enabled` is true, msbnet installs kernel-level redirect rules for
/// `intercepted_ports` and runs a transparent TLS proxy that terminates guest
/// connections with per-domain certificates signed by a microsandbox CA.
///
/// Security notes:
/// - Interception is a deliberate man-in-the-middle of guest traffic. It is
///   off by default (both `Default` and a config with the key absent yield
///   `enabled: false`), and guests only accept the proxy's leaf certificates
///   if they trust the CA described by [`CaConfig`].
/// - Once interception is on, the guest always sees a certificate it trusts
///   (issued by the local CA), regardless of what the real server presented.
///   `verify_upstream` is therefore the only check left that authenticates
///   the upstream server; turning it off effectively removes TLS
///   authentication for every intercepted connection.
/// - Names in `bypass` are not intercepted at all: the guest talks TLS
///   end-to-end with the real server for those hosts. How a host is matched
///   against a `*.suffix` pattern (e.g. whether the bare suffix itself
///   matches) is decided by the matcher, not here — confirm there.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TlsConfig {
    /// Whether TLS interception is active. A bare `#[serde(default)]` on a
    /// `bool` yields `false`, so a config without this key is *not*
    /// intercepted.
    #[serde(default)]
    pub enabled: bool,

    /// TCP ports to intercept (default: `[443]`). Only meaningful when
    /// `enabled` is true. The type admits an empty list and port 0; what the
    /// rule installer does with either is not checked here.
    #[serde(default = "default_intercepted_ports")]
    pub intercepted_ports: Vec<u16>,

    /// Domains to bypass (no interception). Supports exact match and
    /// `*.suffix` wildcard patterns. Every entry widens the set of hosts whose
    /// traffic the sandbox cannot inspect, so keep this list deliberate.
    #[serde(default)]
    pub bypass: Vec<String>,

    /// Whether to verify upstream server certificates against the host's
    /// system trust store (default: true). Disable only for testing or
    /// internal services with self-signed certs.
    ///
    /// The default is supplied by `default_true` rather than a bare
    /// `#[serde(default)]`, because the latter would default to `false` and
    /// silently fail open for configs that omit the key.
    #[serde(default = "default_true")]
    pub verify_upstream: bool,

    /// CA certificate configuration (generated or user-provided signing CA).
    #[serde(default)]
    pub ca: CaConfig,

    /// Certificate cache configuration for the forged per-domain leaves.
    #[serde(default)]
    pub cache: CertCacheConfig,
}
43
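/// CA certificate configuration.
///
/// By default, msbnet generates a self-signed P-256 EC CA on first use and
/// persists it to `~/.microsandbox/tls/`. User-provided CA paths override
/// generation for corporate PKI integration.
///
/// Security notes:
/// - Whoever can read this CA's private key can mint a certificate for any
///   domain that the guests will trust, so the key file — generated or
///   user-provided — needs the protection of any signing key. File
///   permissions are the loader's job; nothing here touches the filesystem.
/// - `cert` and `key` are only honoured *together*. A lone path would fall
///   back to generating a fresh CA, silently replacing the corporate CA the
///   operator thought was in use; [`CaConfig::validate`] turns that
///   half-configured state into an explicit error instead.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CaConfig {
    /// Subject CN for the generated CA certificate.
    #[serde(default = "default_ca_cn")]
    pub cn: String,

    /// Validity period in days for the generated CA certificate. Ignored when
    /// a user-provided CA is in use.
    #[serde(default = "default_ca_validity_days")]
    pub validity_days: u32,

    /// Path to a user-provided CA certificate (PEM). When set together with
    /// `key`, msbnet uses these directly instead of generating a CA.
    #[serde(default)]
    pub cert: Option<PathBuf>,

    /// Path to a user-provided CA private key (PEM).
    #[serde(default)]
    pub key: Option<PathBuf>,
}

/// Why a [`CaConfig`] was rejected by [`CaConfig::validate`].
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[non_exhaustive]
pub enum CaConfigError {
    /// `cert` is set but `key` is not.
    MissingKey,
    /// `key` is set but `cert` is not.
    MissingCert,
    /// `validity_days` is zero while a CA would be generated.
    ZeroValidity,
}

impl std::fmt::Display for CaConfigError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let msg = match self {
            CaConfigError::MissingKey => {
                "ca.cert is set but ca.key is not; both paths are required to use a user-provided CA"
            }
            CaConfigError::MissingCert => {
                "ca.key is set but ca.cert is not; both paths are required to use a user-provided CA"
            }
            CaConfigError::ZeroValidity => "ca.validity_days must be at least 1",
        };
        f.write_str(msg)
    }
}

impl std::error::Error for CaConfigError {}

impl CaConfig {
    /// Checks the configuration for states the type admits but the
    /// documented contract does not.
    ///
    /// Purely structural — no file is opened or parsed here:
    /// - `cert` without `key` (or vice versa) is an error rather than a silent
    ///   fallback to a generated CA.
    /// - `validity_days == 0` is an error when a CA would be generated; with a
    ///   user-provided pair the field is unused and therefore not checked.
    ///
    /// # Errors
    ///
    /// Returns the first applicable [`CaConfigError`].
    pub fn validate(&self) -> Result<(), CaConfigError> {
        match (&self.cert, &self.key) {
            (Some(_), Some(_)) => Ok(()),
            (Some(_), None) => Err(CaConfigError::MissingKey),
            (None, Some(_)) => Err(CaConfigError::MissingCert),
            (None, None) if self.validity_days == 0 => Err(CaConfigError::ZeroValidity),
            (None, None) => Ok(()),
        }
    }
}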
68
/// Certificate cache configuration.
///
/// The proxy issues one leaf certificate per intercepted domain and caches
/// it, presumably so repeated connections to the same host do not each pay
/// for a fresh signing. Both knobs bound that cache only; they say nothing
/// about the leaf's own validity period, which is decided where the
/// certificate is issued. NOTE(review): that validity should exceed
/// `ttl_secs`, otherwise the cache can hand out an already-expired leaf —
/// confirm at the issuer.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CertCacheConfig {
    /// Maximum number of cached per-domain certificates. The eviction policy,
    /// and whether `0` disables caching, belong to the cache implementation
    /// and are not visible here.
    #[serde(default = "default_cache_max_entries")]
    pub max_entries: usize,

    /// TTL in seconds for cached certificates (default: one day).
    #[serde(default = "default_cache_ttl_secs")]
    pub ttl_secs: u64,
}
80
81//--------------------------------------------------------------------------------------------------
82// Trait Implementations
83//--------------------------------------------------------------------------------------------------
84
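impl Default for TlsConfig {
    /// Interception off, port 443 only, no bypasses, upstream verification on.
    ///
    /// Every field is sourced from the same `default_*` helper that serde
    /// uses for a missing key, so `TlsConfig::default()` and an empty config
    /// document cannot drift apart — in particular `verify_upstream` now
    /// comes from `default_true` instead of a separate literal.
    fn default() -> Self {
        Self {
            enabled: false,
            intercepted_ports: default_intercepted_ports(),
            bypass: Vec::new(),
            verify_upstream: default_true(),
            ca: CaConfig::default(),
            cache: CertCacheConfig::default(),
        }
    }
}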
97
impl Default for CaConfig {
    /// Generated-CA defaults: the shared `default_*` helpers for the subject
    /// and validity, and no user-provided certificate or key paths.
    fn default() -> Self {
        let cn = default_ca_cn();
        let validity_days = default_ca_validity_days();
        CaConfig {
            cn,
            validity_days,
            cert: None,
            key: None,
        }
    }
}
108
impl Default for CertCacheConfig {
    /// Same values serde substitutes for missing keys: the shared
    /// `default_*` helpers for the entry bound and the TTL.
    fn default() -> Self {
        let max_entries = default_cache_max_entries();
        let ttl_secs = default_cache_ttl_secs();
        CertCacheConfig { max_entries, ttl_secs }
    }
}
117
118//--------------------------------------------------------------------------------------------------
119// Functions
120//--------------------------------------------------------------------------------------------------
121
/// serde default for `TlsConfig::intercepted_ports`: HTTPS only.
fn default_intercepted_ports() -> Vec<u16> {
    Vec::from([443])
}
125
/// serde default for `TlsConfig::verify_upstream`.
///
/// Exists because `#[serde(default)]` on a `bool` means `false`; a named
/// function is the only way to make a missing key default to `true`.
fn default_true() -> bool {
    const VALUE: bool = true;
    VALUE
}
129
/// serde default for `CaConfig::cn`: the subject CN of the generated CA.
fn default_ca_cn() -> String {
    String::from("Microsandbox CA")
}
133
/// serde default for `CaConfig::validity_days`: one year.
///
/// The generated CA therefore expires annually; guests that trust it need a
/// re-provisioned trust anchor after that point.
fn default_ca_validity_days() -> u32 {
    const ONE_YEAR_DAYS: u32 = 365;
    ONE_YEAR_DAYS
}
137
/// serde default for `CertCacheConfig::max_entries`.
fn default_cache_max_entries() -> usize {
    const MAX_ENTRIES: usize = 1_000;
    MAX_ENTRIES
}
141
/// serde default for `CertCacheConfig::ttl_secs`: 24 hours.
fn default_cache_ttl_secs() -> u64 {
    const SECS_PER_HOUR: u64 = 60 * 60;
    24 * SECS_PER_HOUR
}