Skip to main content

Crate tf_proxy

Crate tf_proxy 

Source
Expand description

tf-proxy: TrustForge enforcement reverse proxy.

Sits in front of an upstream HTTP service (TLS termination happens at the proxy’s own listener; a TLS upstream is out of scope for this first cut, in both the buffered and raw-splice paths). For every request it consults tf-daemon’s /v1/decide endpoint and either forwards, denies, or surfaces an approval-required handoff based on the daemon’s verdict.

This crate is structured as a library so that the binary entry point in src/main.rs is a thin wrapper and the proxy logic can be exercised by integration tests.

Structs§

DecideRequest
Decide-request body sent to tf-daemon.
DecideResponse
Decide-response body returned by tf-daemon.
ProxyConfig
Runtime configuration for the proxy server.
ProxyState
Shared state used by every connection handler.

Enums§

Mode
Operating mode for the proxy.

Functions§

action_for
Build the action string for a request. We split on /, drop empty segments, lowercase the method, and join with ..
call_decide
Call tf-daemon’s /v1/decide. Returns Err when the daemon is unreachable or returns a malformed body.
extract_host_token
Pull a host token out of either an Authorization: Bearer ... header or a session cookie. Returns the token plus a heuristic kind: "jwt" if it looks like a JWT (three dot-separated segments), otherwise "opaque".
forward_to_upstream
Forward an HTTP request to the upstream service and copy the response back as a hyper response.
handle_request
Top-level request handler. Returns a hyper response wrapping a buffered body. Websocket upgrades are handled out of band by the connection driver (see serve_connection).
is_websocket_upgrade
Detect a websocket upgrade request.
run
Run the proxy until cancelled. Returns when the listener is dropped.
serve_connection
Drive a single connection. If the request is a websocket upgrade (and the daemon allows it), we transparently splice the client and upstream TCP streams together. Otherwise we fall through to handle_request.