runtara_protocol/

client.rs

// Copyright (C) 2025 SyncMyOrders Sp. z o.o.
// SPDX-License-Identifier: AGPL-3.0-or-later
//! QUIC client helpers for connecting to runtara-core.

use std::net::SocketAddr;
use std::sync::Arc;
use std::time::Duration;

use quinn::{ClientConfig, Connection, Endpoint, TransportConfig};
use thiserror::Error;
use tokio::sync::Mutex;
use tracing::{debug, info, instrument};

use crate::frame::{Frame, FrameError, FramedStream};

/// Errors that can occur in the QUIC client
#[derive(Debug, Error)]
pub enum ClientError {
    #[error("connection error: {0}")]
    Connection(#[from] quinn::ConnectionError),

    #[error("connect error: {0}")]
    Connect(#[from] quinn::ConnectError),

    #[error("write error: {0}")]
    Write(#[from] quinn::WriteError),

    #[error("read error: {0}")]
    Read(#[from] quinn::ReadExactError),

    #[error("frame error: {0}")]
    Frame(#[from] FrameError),

    #[error("IO error: {0}")]
    Io(#[from] std::io::Error),

    #[error("stream closed: {0}")]
    ClosedStream(#[from] quinn::ClosedStream),

    #[error("no connection established")]
    NotConnected,

    #[error("invalid server name: {0}")]
    InvalidServerName(String),

    #[error("connection timed out after {0}ms")]
    Timeout(u64),
}

/// Configuration for the QUIC client
#[derive(Debug, Clone)]
pub struct RuntaraClientConfig {
    /// Server address to connect to
    pub server_addr: SocketAddr,
    /// Server name for TLS verification (use "localhost" for local dev)
    pub server_name: String,
    /// Enable 0-RTT for lower latency (requires server support)
    pub enable_0rtt: bool,
    /// Skip certificate verification (for development only!)
    pub dangerous_skip_cert_verification: bool,
    /// Keep-alive interval in milliseconds (0 to disable)
    pub keep_alive_interval_ms: u64,
    /// Idle timeout in milliseconds
    pub idle_timeout_ms: u64,
    /// Connection timeout in milliseconds
    pub connect_timeout_ms: u64,
}

impl Default for RuntaraClientConfig {
    fn default() -> Self {
        Self {
            server_addr: "127.0.0.1:8001".parse().unwrap(),
            server_name: "localhost".to_string(),
            enable_0rtt: true,
            dangerous_skip_cert_verification: false,
            keep_alive_interval_ms: 10_000,
            idle_timeout_ms: 30_000,
            connect_timeout_ms: 10_000,
        }
    }
}

/// QUIC client for communicating with runtara-core
pub struct RuntaraClient {
    endpoint: Endpoint,
    connection: Mutex<Option<Connection>>,
    config: RuntaraClientConfig,
}

impl RuntaraClient {
    /// Create a new client with the given configuration
    pub fn new(config: RuntaraClientConfig) -> Result<Self, ClientError> {
        let mut endpoint = Endpoint::client("0.0.0.0:0".parse().unwrap())?;

        let client_config = Self::build_client_config(&config)?;
        endpoint.set_default_client_config(client_config);

        Ok(Self {
            endpoint,
            connection: Mutex::new(None),
            config,
        })
    }

    /// Create a client with default configuration for local development
    pub fn localhost() -> Result<Self, ClientError> {
        Self::new(RuntaraClientConfig {
            dangerous_skip_cert_verification: true,
            ..Default::default()
        })
    }

    fn build_client_config(config: &RuntaraClientConfig) -> Result<ClientConfig, ClientError> {
        let crypto = if config.dangerous_skip_cert_verification {
            rustls::ClientConfig::builder()
                .dangerous()
                .with_custom_certificate_verifier(Arc::new(SkipServerVerification))
                .with_no_client_auth()
        } else {
            let mut roots = rustls::RootCertStore::empty();
            roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
            rustls::ClientConfig::builder()
                .with_root_certificates(roots)
                .with_no_client_auth()
        };

        let mut transport = TransportConfig::default();
        if config.keep_alive_interval_ms > 0 {
            transport.keep_alive_interval(Some(std::time::Duration::from_millis(
                config.keep_alive_interval_ms,
            )));
        }
        transport.max_idle_timeout(Some(
            std::time::Duration::from_millis(config.idle_timeout_ms)
                .try_into()
                .unwrap(),
        ));

        let mut client_config = ClientConfig::new(Arc::new(
            quinn::crypto::rustls::QuicClientConfig::try_from(crypto).unwrap(),
        ));
        client_config.transport_config(Arc::new(transport));

        Ok(client_config)
    }

    /// Connect to the server
    #[instrument(skip(self))]
    pub async fn connect(&self) -> Result<(), ClientError> {
        let mut conn_guard = self.connection.lock().await;

        // Check if we already have a valid connection
        if let Some(ref conn) = *conn_guard
            && conn.close_reason().is_none()
        {
            debug!("reusing existing connection");
            return Ok(());
        }

        info!(addr = %self.config.server_addr, "connecting to runtara-core");

        let timeout = Duration::from_millis(self.config.connect_timeout_ms);
        let connecting = self
            .endpoint
            .connect(self.config.server_addr, &self.config.server_name)?;

        let connection = tokio::time::timeout(timeout, connecting)
            .await
            .map_err(|_| ClientError::Timeout(self.config.connect_timeout_ms))??;

        info!("connected to runtara-core");
        *conn_guard = Some(connection);
        Ok(())
    }

    /// Get the current connection, connecting if necessary
    async fn get_connection(&self) -> Result<Connection, ClientError> {
        self.connect().await?;
        let conn_guard = self.connection.lock().await;
        conn_guard.clone().ok_or(ClientError::NotConnected)
    }

    /// Open a new bidirectional stream for a request/response
    pub async fn open_stream(
        &self,
    ) -> Result<FramedStream<(quinn::SendStream, quinn::RecvStream)>, ClientError> {
        let conn = self.get_connection().await?;
        let (send, recv) = conn.open_bi().await?;
        Ok(FramedStream::new((send, recv)))
    }

    /// Open a unidirectional stream for sending (e.g., events)
    pub async fn open_uni_send(&self) -> Result<FramedStream<quinn::SendStream>, ClientError> {
        let conn = self.get_connection().await?;
        let send = conn.open_uni().await?;
        Ok(FramedStream::new(send))
    }

    /// Send a request and receive a response using a new stream
    #[instrument(skip(self, request))]
    pub async fn request<Req: prost::Message, Resp: prost::Message + Default>(
        &self,
        request: &Req,
    ) -> Result<Resp, ClientError> {
        let conn = self.get_connection().await?;
        let (mut send, mut recv) = conn.open_bi().await?;

        // Send request
        let frame = Frame::request(request)?;
        crate::frame::write_frame(&mut send, &frame).await?;
        send.finish()?;

        // Read response
        let response_frame = crate::frame::read_frame(&mut recv).await?;
        Ok(response_frame.decode()?)
    }

    /// Send a fire-and-forget request (no response expected).
    ///
    /// Use this for events that don't require acknowledgement.
    #[instrument(skip(self, request))]
    pub async fn send_fire_and_forget<Req: prost::Message>(
        &self,
        request: &Req,
    ) -> Result<(), ClientError> {
        let conn = self.get_connection().await?;
        let (mut send, _recv) = conn.open_bi().await?;

        // Send request
        let frame = Frame::request(request)?;
        crate::frame::write_frame(&mut send, &frame).await?;
        send.finish()?;

        // No response expected - just return
        Ok(())
    }

    /// Open a raw bidirectional stream for streaming operations.
    ///
    /// This returns the raw QUIC streams for advanced use cases like
    /// streaming large data that doesn't fit in a single frame.
    pub async fn open_raw_stream(
        &self,
    ) -> Result<(quinn::SendStream, quinn::RecvStream), ClientError> {
        let conn = self.get_connection().await?;
        Ok(conn.open_bi().await?)
    }

    /// Close the connection gracefully
    pub async fn close(&self) {
        let mut conn_guard = self.connection.lock().await;
        if let Some(conn) = conn_guard.take() {
            conn.close(0u32.into(), b"client closing");
        }
    }

    /// Check if the client is currently connected
    pub async fn is_connected(&self) -> bool {
        let conn_guard = self.connection.lock().await;
        if let Some(ref conn) = *conn_guard {
            conn.close_reason().is_none()
        } else {
            false
        }
    }
}

impl Drop for RuntaraClient {
    fn drop(&mut self) {
        // Close connection on drop (non-async, best effort)
        if let Ok(mut guard) = self.connection.try_lock()
            && let Some(conn) = guard.take()
        {
            conn.close(0u32.into(), b"client dropped");
        }
    }
}

/// Certificate verifier that skips all verification (for development only!)
#[derive(Debug)]
struct SkipServerVerification;

impl rustls::client::danger::ServerCertVerifier for SkipServerVerification {
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::pki_types::CertificateDer<'_>,
        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
        _server_name: &rustls::pki_types::ServerName<'_>,
        _ocsp_response: &[u8],
        _now: rustls::pki_types::UnixTime,
    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
        Ok(rustls::client::danger::ServerCertVerified::assertion())
    }

    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
    }

    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
    }

    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
        vec![
            rustls::SignatureScheme::RSA_PKCS1_SHA256,
            rustls::SignatureScheme::RSA_PKCS1_SHA384,
            rustls::SignatureScheme::RSA_PKCS1_SHA512,
            rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
            rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
            rustls::SignatureScheme::ECDSA_NISTP521_SHA512,
            rustls::SignatureScheme::RSA_PSS_SHA256,
            rustls::SignatureScheme::RSA_PSS_SHA384,
            rustls::SignatureScheme::RSA_PSS_SHA512,
            rustls::SignatureScheme::ED25519,
        ]
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_default_config() {
        let config = RuntaraClientConfig::default();
        assert_eq!(config.server_addr, "127.0.0.1:8001".parse().unwrap());
        assert_eq!(config.server_name, "localhost");
    }

    #[tokio::test]
    async fn test_client_creation() {
        let mut config = RuntaraClientConfig::default();
        config.dangerous_skip_cert_verification = true;
        let client = RuntaraClient::new(config);
        assert!(
            client.is_ok(),
            "Failed to create client: {:?}",
            client.err()
        );
    }
}