tf-proxy: TrustForge enforcement reverse proxy.
Sits in front of an upstream HTTP service (TLS termination happens at
the proxy’s own listener; a TLS upstream is out of scope for this first
cut, in both the buffered and raw-splice paths). For every request it
consults tf-daemon’s /v1/decide endpoint and either forwards, denies,
or surfaces an approval-required handoff based on the daemon’s verdict.
This crate is structured as a library so that the binary entry point in
src/main.rs is a thin wrapper and the proxy logic can be exercised by
integration tests.
Structs
- DecideRequest - Decide-request body sent to tf-daemon.
- DecideResponse - Decide-response body returned by tf-daemon.
- ProxyConfig - Runtime configuration for the proxy server.
- ProxyState - Shared state used by every connection handler.

Enums
- Mode - Operating mode for the proxy.

Functions
- action_for - Build the `action` string for a request. We split on `/`, drop empty segments, lowercase the method, and join with `.`.
- call_decide - Call tf-daemon's `/v1/decide`. Returns `Err` when the daemon is unreachable or returns a malformed body.
- extract_host_token - Pull a host token out of either an `Authorization: Bearer ...` header or a session cookie. Returns the token plus a heuristic kind: `"jwt"` if it looks like a JWT (three dot-separated segments), otherwise `"opaque"`.
- forward_to_upstream - Forward an HTTP request to the upstream service and copy the response back as a hyper response.
- handle_request - Top-level request handler. Returns a hyper response wrapping a buffered body. Websocket upgrades are handled out of band by the connection driver (see `serve_connection`).
- is_websocket_upgrade - Detect a websocket upgrade request.
- run - Run the proxy until cancelled. Returns when the listener is dropped.
- serve_connection - Drive a single connection. If the request is a websocket upgrade (and the daemon allows it), we transparently splice the client and upstream TCP streams together. Otherwise we fall through to `handle_request`.
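The two normalisation rules the `action_for` and `extract_host_token` entries describe, worked through on plain strings as an added example (this is not tf-proxy's own code and uses no hyper types). Assumed details not stated above: the lowercased method is the first segment of the action string, a query string is not part of the action, the header is consulted before the cookie, and the session cookie is named `session`.

```rust
// Added example, not tf-proxy's own code. Re-implements the documented
// normalisation rules on plain strings so it runs without hyper.

/// Build the `action` string: split the path on `/`, drop empty
/// segments, lowercase the method, join everything with `.`.
/// Assumption: the method is the first segment and the query is dropped.
pub fn action_for(method: &str, path: &str) -> String {
    let path = path.split('?').next().unwrap_or("");
    let mut parts = vec![method.to_ascii_lowercase()];
    parts.extend(path.split('/').filter(|s| !s.is_empty()).map(str::to_string));
    parts.join(".")
}

/// Heuristic kind: "jwt" for three non-empty dot-separated segments,
/// otherwise "opaque". No signature check is implied by this label.
pub fn token_kind(token: &str) -> &'static str {
    let segs: Vec<&str> = token.split('.').collect();
    if segs.len() == 3 && segs.iter().all(|s| !s.is_empty()) { "jwt" } else { "opaque" }
}

/// Pull a host token from `Authorization: Bearer ...` or, failing that,
/// from a `session` cookie (cookie name is an assumption of this example).
pub fn extract_host_token(
    authorization: Option<&str>,
    cookie: Option<&str>,
) -> Option<(String, &'static str)> {
    if let Some(auth) = authorization {
        // Scheme matching is case-insensitive; a bare "Bearer" yields nothing.
        let mut it = auth.trim().splitn(2, char::is_whitespace);
        if let (Some(scheme), Some(tok)) = (it.next(), it.next()) {
            let tok = tok.trim();
            if scheme.eq_ignore_ascii_case("bearer") && !tok.is_empty() {
                return Some((tok.to_string(), token_kind(tok)));
            }
        }
    }
    for pair in cookie?.split(';') {
        if let Some((name, value)) = pair.trim().split_once('=') {
            if name == "session" && !value.is_empty() {
                return Some((value.to_string(), token_kind(value)));
            }
        }
    }
    None
}

fn main() {
    println!("{}", action_for("GET", "/api//v1/users/?page=2")); // get.api.v1.users
    println!("{:?}", extract_host_token(Some("Bearer x.y.z"), None));
}
```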