palladium_cli/

client.rs

use std::io::{BufRead, BufReader, Write};
use std::net::ToSocketAddrs;
use std::os::unix::net::UnixStream;
use std::path::{Path, PathBuf};
use std::sync::Arc;
use std::sync::Once;

use rustls::pki_types::{CertificateDer, PrivateKeyDer, ServerName};
use rustls::{ClientConfig, RootCertStore};
use rustls_platform_verifier::BuilderVerifierExt;
use serde_json::Value;
use tokio::io::{AsyncReadExt, AsyncWriteExt};

/// Error type for CLI operations.
#[derive(Debug)]
pub enum CliError {
    /// Engine is not running at the given socket path.
    NotRunning(PathBuf),
    /// IO error communicating with the engine.
    Io(std::io::Error),
    /// Unexpected protocol response.
    Protocol(String),
    /// Engine returned a JSON-RPC error.
    Rpc { code: i64, message: String },
    /// Feature not implemented.
    NotImplemented(String),
}

impl std::fmt::Display for CliError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            CliError::NotRunning(p) => write!(
                f,
                "could not connect to engine at {}. Is the engine running?",
                p.display()
            ),
            CliError::Io(e) => write!(f, "IO error: {e}"),
            CliError::Protocol(msg) => write!(f, "protocol error: {msg}"),
            CliError::Rpc { code, message } => write!(f, "engine error ({code}): {message}"),
            CliError::NotImplemented(msg) => write!(f, "{msg}"),
        }
    }
}

impl std::error::Error for CliError {}

impl From<std::io::Error> for CliError {
    fn from(e: std::io::Error) -> Self {
        CliError::Io(e)
    }
}

/// Synchronous JSON-RPC 2.0 client over a Unix domain socket.
///
/// Each `call` opens a fresh connection, sends one newline-terminated request,
/// and reads one newline-terminated response.
#[derive(Debug)]
pub struct ControlPlaneClient {
    endpoint: Endpoint,
    next_id: u64,
}

#[derive(Debug, Clone)]
pub enum Endpoint {
    Unix(PathBuf),
    Tcp {
        host: String,
        port: u16,
        tls: TlsClientConfig,
    },
    Quic {
        host: String,
        port: u16,
        tls: TlsClientConfig,
    },
}

#[derive(Debug, Clone)]
pub struct TlsClientConfig {
    pub cert: PathBuf,
    pub key: PathBuf,
    pub ca: Option<PathBuf>,
    pub sni: Option<String>,
}

impl ControlPlaneClient {
    /// Create a client for the given socket path.
    ///
    /// Returns `CliError::NotRunning` if the socket file does not exist.
    pub fn connect(socket_path: &Path) -> Result<Self, CliError> {
        if !socket_path.exists() {
            return Err(CliError::NotRunning(socket_path.to_owned()));
        }
        Ok(Self {
            endpoint: Endpoint::Unix(socket_path.to_owned()),
            next_id: 0,
        })
    }

    pub fn connect_endpoint(endpoint: &Endpoint) -> Result<Self, CliError> {
        match endpoint {
            Endpoint::Unix(path) => Self::connect(path),
            Endpoint::Tcp { .. } | Endpoint::Quic { .. } => Ok(Self {
                endpoint: endpoint.clone(),
                next_id: 0,
            }),
        }
    }

    /// Send a JSON-RPC request and return the `result` field on success.
    ///
    /// Returns `CliError::Rpc` if the server sends an `error` object.
    pub fn call(&mut self, method: &str, params: Value) -> Result<Value, CliError> {
        self.next_id += 1;
        let req = serde_json::json!({
            "id": self.next_id,
            "method": method,
            "params": params,
        });

        match &self.endpoint {
            Endpoint::Unix(path) => call_unix(path, &req),
            Endpoint::Tcp { host, port, tls } => call_tcp(host, *port, tls, &req),
            Endpoint::Quic { host, port, tls } => call_quic(host, *port, tls, &req),
        }
    }
}

fn call_unix(path: &Path, req: &Value) -> Result<Value, CliError> {
    let mut stream =
        UnixStream::connect(path).map_err(|_| CliError::NotRunning(path.to_owned()))?;
    let mut body = req.to_string();
    body.push('\n');
    stream.write_all(body.as_bytes())?;
    let mut reader = BufReader::new(stream);
    let mut line = String::new();
    reader.read_line(&mut line)?;
    parse_response(&line)
}

fn call_tcp(host: &str, port: u16, tls: &TlsClientConfig, req: &Value) -> Result<Value, CliError> {
    let addr = format!("{host}:{port}");
    let stream = std::net::TcpStream::connect(addr)?;
    stream.set_nodelay(true).ok();
    let server_name = tls.sni.clone().unwrap_or_else(|| host.to_string());
    let config = build_client_config(tls, &server_name)?;
    let name = ServerName::try_from(server_name)
        .map_err(|_| CliError::Protocol("invalid TLS server name".to_string()))?;
    let conn = rustls::ClientConnection::new(Arc::new(config), name)
        .map_err(|e| CliError::Protocol(e.to_string()))?;
    let mut tls_stream = rustls::StreamOwned::new(conn, stream);

    let mut body = req.to_string();
    body.push('\n');
    tls_stream.write_all(body.as_bytes())?;
    let mut reader = BufReader::new(tls_stream);
    let mut line = String::new();
    reader.read_line(&mut line)?;
    parse_response(&line)
}

fn call_quic(host: &str, port: u16, tls: &TlsClientConfig, req: &Value) -> Result<Value, CliError> {
    let host = host.to_string();
    let server_name = tls.sni.clone().unwrap_or_else(|| host.clone());
    let config = build_client_config(tls, &server_name)?;
    let mut client_crypto = config;
    client_crypto.alpn_protocols = vec![b"pd-control".to_vec()];

    let client_tls: s2n_quic::provider::tls::rustls::Client = client_crypto.into();

    let rt = tokio::runtime::Builder::new_current_thread()
        .enable_all()
        .build()
        .map_err(CliError::Io)?;

    rt.block_on(async move {
        let addr = (host.as_str(), port)
            .to_socket_addrs()
            .map_err(|e| CliError::Protocol(e.to_string()))?
            .next()
            .ok_or_else(|| CliError::Protocol("invalid host:port".to_string()))?;

        let client = s2n_quic::Client::builder()
            .with_tls(client_tls)
            .map_err(|e| CliError::Protocol(e.to_string()))?
            .with_io("0.0.0.0:0")
            .map_err(|e| CliError::Protocol(e.to_string()))?
            .start()
            .map_err(|e| CliError::Protocol(e.to_string()))?;

        let connect = s2n_quic::client::Connect::new(addr).with_server_name(server_name);
        let mut conn = client
            .connect(connect)
            .await
            .map_err(|e| CliError::Protocol(e.to_string()))?;

        let mut stream = conn
            .open_bidirectional_stream()
            .await
            .map_err(|e| CliError::Protocol(e.to_string()))?;

        let mut body = req.to_string();
        body.push('\n');
        stream
            .write_all(body.as_bytes())
            .await
            .map_err(|e| CliError::Protocol(e.to_string()))?;
        stream
            .close()
            .await
            .map_err(|e| CliError::Protocol(e.to_string()))?;

        let mut buf = Vec::new();
        stream
            .read_to_end(&mut buf)
            .await
            .map_err(|e| CliError::Protocol(e.to_string()))?;

        let line = String::from_utf8_lossy(&buf);
        parse_response(&line)
    })
}

fn parse_response(line: &str) -> Result<Value, CliError> {
    let resp: Value =
        serde_json::from_str(line.trim()).map_err(|e| CliError::Protocol(e.to_string()))?;
    if let Some(err) = resp.get("error") {
        let code = err["code"].as_i64().unwrap_or(-1);
        let message = err["message"]
            .as_str()
            .unwrap_or("unknown error")
            .to_string();
        return Err(CliError::Rpc { code, message });
    }
    Ok(resp["result"].clone())
}

fn build_client_config(
    tls: &TlsClientConfig,
    _server_name: &str,
) -> Result<ClientConfig, CliError> {
    ensure_rustls_provider();
    let cert_chain = read_certs(&tls.cert)?;
    let key = read_key(&tls.key)?;

    let builder = if let Some(ca_path) = &tls.ca {
        let mut roots = RootCertStore::empty();
        for cert in read_certs(ca_path)? {
            roots
                .add(cert)
                .map_err(|_| CliError::Protocol("invalid CA cert".to_string()))?;
        }
        ClientConfig::builder().with_root_certificates(roots)
    } else {
        ClientConfig::builder()
            .with_platform_verifier()
            .map_err(|e| CliError::Protocol(e.to_string()))?
    };

    builder
        .with_client_auth_cert(cert_chain, key)
        .map_err(|e| CliError::Protocol(e.to_string()))
}

fn ensure_rustls_provider() {
    static INIT: Once = Once::new();
    INIT.call_once(|| {
        #[cfg(feature = "aws-lc-rs")]
        let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
        #[cfg(all(not(feature = "aws-lc-rs"), feature = "ring"))]
        let _ = rustls::crypto::ring::default_provider().install_default();
    });
}

fn read_certs(path: &Path) -> Result<Vec<CertificateDer<'static>>, CliError> {
    let file = std::fs::File::open(path)?;
    let mut reader = BufReader::new(file);
    let certs = rustls_pemfile::certs(&mut reader)
        .collect::<Result<Vec<_>, std::io::Error>>()
        .map_err(CliError::Io)?;
    if certs.is_empty() {
        return Err(CliError::Protocol("no certificates found".to_string()));
    }
    Ok(certs.into_iter().map(|c| c.into_owned()).collect())
}

fn read_key(path: &Path) -> Result<PrivateKeyDer<'static>, CliError> {
    let file = std::fs::File::open(path)?;
    let mut reader = BufReader::new(file);
    let key = rustls_pemfile::private_key(&mut reader)
        .map_err(|_| CliError::Protocol("invalid private key".to_string()))?;
    match key {
        Some(k) => Ok(k),
        None => Err(CliError::Protocol("no private key found".to_string())),
    }
}