From 60b799409508496fbeb425cc532fea09dff42d31 Mon Sep 17 00:00:00 2001 From: Nikhil Sinha Date: Wed, 14 Aug 2024 14:08:34 +0530 Subject: [PATCH 1/2] enhancement: accept other certificates env var P_OTHER_CERT_PATH accepts a directory path where user can keep all the certificates intended to be accepted by the server --- server/src/cli.rs | 13 ++++++++++ .../src/handlers/http/modal/ingest_server.rs | 1 + .../src/handlers/http/modal/query_server.rs | 1 + server/src/handlers/http/modal/server.rs | 1 + .../src/handlers/http/modal/ssl_acceptor.rs | 25 +++++++++++++++++-- 5 files changed, 39 insertions(+), 2 deletions(-) diff --git a/server/src/cli.rs b/server/src/cli.rs index d479ab9b6..7efbb3afb 100644 --- a/server/src/cli.rs +++ b/server/src/cli.rs @@ -34,6 +34,9 @@ pub struct Cli { /// The location of TLS Private Key file pub tls_key_path: Option, + /// The location of other certificates to accept + pub other_cert_path: Option, + /// The address on which the http server will listen. pub address: String, @@ -122,6 +125,7 @@ impl Cli { // identifiers for arguments pub const TLS_CERT: &'static str = "tls-cert-path"; pub const TLS_KEY: &'static str = "tls-key-path"; + pub const OTHER_CERT: &'static str = "other-cert-path"; pub const ADDRESS: &'static str = "address"; pub const DOMAIN_URI: &'static str = "origin"; pub const STAGING: &'static str = "local-staging-path"; @@ -224,6 +228,14 @@ impl Cli { .value_parser(validation::file_path) .help("Local path on this device where private key file is located. Required to enable TLS"), ) + .arg( + Arg::new(Self::OTHER_CERT) + .long(Self::OTHER_CERT) + .env("P_OTHER_CERT_PATH") + .value_name("DIR") + .value_parser(validation::canonicalize_path) + .help("Local path on this device where other certificate files are located.") + ) .arg( Arg::new(Self::ADDRESS) .long(Self::ADDRESS) 
@@ -509,6 +521,7 @@ impl FromArgMatches for Cli { self.query_cache_path = m.get_one::(Self::QUERY_CACHE).cloned(); self.tls_cert_path = m.get_one::(Self::TLS_CERT).cloned(); self.tls_key_path = m.get_one::(Self::TLS_KEY).cloned(); + self.other_cert_path = m.get_one::(Self::OTHER_CERT).cloned(); self.domain_address = m.get_one::(Self::DOMAIN_URI).cloned(); self.address = m diff --git a/server/src/handlers/http/modal/ingest_server.rs b/server/src/handlers/http/modal/ingest_server.rs index c19517899..cda4253b8 100644 --- a/server/src/handlers/http/modal/ingest_server.rs +++ b/server/src/handlers/http/modal/ingest_server.rs @@ -83,6 +83,7 @@ impl ParseableServer for IngestServer { let ssl = get_ssl_acceptor( &CONFIG.parseable.tls_cert_path, &CONFIG.parseable.tls_key_path, + &CONFIG.parseable.other_cert_path, )?; // fn that creates the app diff --git a/server/src/handlers/http/modal/query_server.rs b/server/src/handlers/http/modal/query_server.rs index 9861990de..0221ccacb 100644 --- a/server/src/handlers/http/modal/query_server.rs +++ b/server/src/handlers/http/modal/query_server.rs @@ -65,6 +65,7 @@ impl ParseableServer for QueryServer { let ssl = get_ssl_acceptor( &CONFIG.parseable.tls_cert_path, &CONFIG.parseable.tls_key_path, + &CONFIG.parseable.other_cert_path, )?; let create_app_fn = move || { diff --git a/server/src/handlers/http/modal/server.rs b/server/src/handlers/http/modal/server.rs index cd469acee..7e8dd1d48 100644 --- a/server/src/handlers/http/modal/server.rs +++ b/server/src/handlers/http/modal/server.rs @@ -96,6 +96,7 @@ impl ParseableServer for Server { let ssl = get_ssl_acceptor( &CONFIG.parseable.tls_cert_path, &CONFIG.parseable.tls_key_path, + &CONFIG.parseable.other_cert_path, )?; // Create a channel to trigger server shutdown diff --git a/server/src/handlers/http/modal/ssl_acceptor.rs b/server/src/handlers/http/modal/ssl_acceptor.rs index 84b27ebf8..850b4868b 100644 --- a/server/src/handlers/http/modal/ssl_acceptor.rs 
+++ b/server/src/handlers/http/modal/ssl_acceptor.rs @@ -16,13 +16,18 @@ * */ -use std::{fs::File, io::BufReader, path::PathBuf}; +use std::{ + fs::{self, File}, + io::BufReader, + path::PathBuf, +}; use rustls::ServerConfig; pub fn get_ssl_acceptor( tls_cert: &Option, tls_key: &Option, + other_certs: &Option, ) -> anyhow::Result> { match (tls_cert, tls_key) { (Some(cert), Some(key)) => { @@ -30,7 +35,23 @@ pub fn get_ssl_acceptor( let cert_file = &mut BufReader::new(File::open(cert)?); let key_file = &mut BufReader::new(File::open(key)?); - let certs = rustls_pemfile::certs(cert_file).collect::, _>>()?; + + let mut certs = rustls_pemfile::certs(cert_file).collect::, _>>()?; + // Load CA certificates from the directory + if let Some(other_cert_dir) = other_certs { + if other_cert_dir.is_dir() { + for entry in fs::read_dir(other_cert_dir)? { + let path = entry.unwrap().path(); + + if path.is_file() { + let other_cert_file = &mut BufReader::new(File::open(&path)?); + let mut other_certs = rustls_pemfile::certs(other_cert_file) + .collect::, _>>()?; + certs.append(&mut other_certs); + } + } + } + } let private_key = rustls_pemfile::private_key(key_file)? .ok_or(anyhow::anyhow!("Could not parse private key."))?; From 08bd59e23a8ad999f28cc4691a460c79ff784967 Mon Sep 17 00:00:00 2001 From: Nikhil Sinha Date: Mon, 16 Sep 2024 14:24:46 +0530 Subject: [PATCH 2/2] renamed env var to P_TRUSTED_CA_CERTS_DIR --- server/src/cli.rs | 14 +++++++------- server/src/handlers/http/modal/ingest_server.rs | 2 +- server/src/handlers/http/modal/query_server.rs | 2 +- server/src/handlers/http/modal/server.rs | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/server/src/cli.rs b/server/src/cli.rs index 7efbb3afb..d5efaac30 100644 --- a/server/src/cli.rs +++ b/server/src/cli.rs 
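Review bot: `let path = entry.unwrap().path();` turns any error from the `fs::read_dir` iteration into a panic even though the function already returns `anyhow::Result`; it should read `let path = entry?.path();`. The larger concern is that the loaded certificates are appended to `certs`, the vector built from `tls_cert`, so as far as this hunk shows they become part of the chain the server presents rather than a set of CAs it trusts — which does not match the commit description ("certificates intended to be accepted by the server") or the `P_TRUSTED_CA_CERTS_DIR` name introduced by the second patch; if the remainder of `get_ssl_acceptor` (outside the hunk) hands `certs` to `with_single_cert`, trusting peer CAs would instead require a `rustls::RootCertStore` wired into a client-certificate verifier. A configured path that is not a directory is silently skipped by `if other_cert_dir.is_dir()`, so a misconfiguration leaves the server without the intended certificates and no diagnostic; an `else { anyhow::bail!("{} is not a directory", other_cert_dir.display()) }` branch would surface it at startup. The loop also reads every regular file in the directory with no extension filter, so stray non-certificate files are handed to the PEM parser. The enclosing `get_ssl_acceptor` begins and ends outside this hunk.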
@@ -35,7 +35,7 @@ pub struct Cli { pub tls_key_path: Option, /// The location of other certificates to accept - pub other_cert_path: Option, + pub trusted_ca_certs_path: Option, /// The address on which the http server will listen. pub address: String, @@ -125,7 +125,7 @@ impl Cli { // identifiers for arguments pub const TLS_CERT: &'static str = "tls-cert-path"; pub const TLS_KEY: &'static str = "tls-key-path"; - pub const OTHER_CERT: &'static str = "other-cert-path"; + pub const TRUSTED_CA_CERTS_PATH: &'static str = "trusted-ca-certs-path"; pub const ADDRESS: &'static str = "address"; pub const DOMAIN_URI: &'static str = "origin"; pub const STAGING: &'static str = "local-staging-path"; @@ -229,12 +229,12 @@ impl Cli { .help("Local path on this device where private key file is located. Required to enable TLS"), ) .arg( - Arg::new(Self::OTHER_CERT) - .long(Self::OTHER_CERT) - .env("P_OTHER_CERT_PATH") + Arg::new(Self::TRUSTED_CA_CERTS_PATH) + .long(Self::TRUSTED_CA_CERTS_PATH) + .env("P_TRUSTED_CA_CERTS_DIR") .value_name("DIR") .value_parser(validation::canonicalize_path) - .help("Local path on this device where other certificate files are located.") + .help("Local path on this device where all trusted certificates are located.") ) .arg( Arg::new(Self::ADDRESS) @@ -521,7 +521,7 @@ impl FromArgMatches for Cli { self.query_cache_path = m.get_one::(Self::QUERY_CACHE).cloned(); self.tls_cert_path = m.get_one::(Self::TLS_CERT).cloned(); self.tls_key_path = m.get_one::(Self::TLS_KEY).cloned(); - self.other_cert_path = m.get_one::(Self::OTHER_CERT).cloned(); + self.trusted_ca_certs_path = m.get_one::(Self::TRUSTED_CA_CERTS_PATH).cloned(); self.domain_address = m.get_one::(Self::DOMAIN_URI).cloned(); self.address = m diff --git a/server/src/handlers/http/modal/ingest_server.rs b/server/src/handlers/http/modal/ingest_server.rs index cda4253b8..6789819fc 100644 --- a/server/src/handlers/http/modal/ingest_server.rs +++ b/server/src/handlers/http/modal/ingest_server.rs 
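Review bot: The field is renamed to `trusted_ca_certs_path` but its doc comment still reads `/// The location of other certificates to accept`, so the rustdoc no longer describes the name or the behaviour the first patch gives it. Suggest `/// Directory of additional PEM certificate files, each appended to the certificates read from tls_cert_path`, which matches what `get_ssl_acceptor` does with the value. The enclosing `pub struct Cli` starts and ends outside this hunk.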
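Review bot: The new help text `"Local path on this device where all trusted certificates are located."` still does not tell the operator what the directory must contain or how it is used, and with `value_name("DIR")` backed only by `validation::canonicalize_path` (which, if it merely canonicalizes, also accepts a regular file) `--help` gives no hint that every regular file in the directory is parsed as PEM certificates. Suggest `.help("Directory whose files are each parsed as PEM certificates and appended to the certificates loaded from --tls-cert-path")`. The builder chain this `.arg(...)` belongs to starts and ends outside the hunk.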
@@ -83,7 +83,7 @@ impl ParseableServer for IngestServer { let ssl = get_ssl_acceptor( &CONFIG.parseable.tls_cert_path, &CONFIG.parseable.tls_key_path, - &CONFIG.parseable.other_cert_path, + &CONFIG.parseable.trusted_ca_certs_path, )?; // fn that creates the app diff --git a/server/src/handlers/http/modal/query_server.rs b/server/src/handlers/http/modal/query_server.rs index 0221ccacb..28c39a63e 100644 --- a/server/src/handlers/http/modal/query_server.rs +++ b/server/src/handlers/http/modal/query_server.rs @@ -65,7 +65,7 @@ impl ParseableServer for QueryServer { let ssl = get_ssl_acceptor( &CONFIG.parseable.tls_cert_path, &CONFIG.parseable.tls_key_path, - &CONFIG.parseable.other_cert_path, + &CONFIG.parseable.trusted_ca_certs_path, )?; let create_app_fn = move || { diff --git a/server/src/handlers/http/modal/server.rs b/server/src/handlers/http/modal/server.rs index 7e8dd1d48..d3d56eb90 100644 --- a/server/src/handlers/http/modal/server.rs +++ b/server/src/handlers/http/modal/server.rs @@ -96,7 +96,7 @@ impl ParseableServer for Server { let ssl = get_ssl_acceptor( &CONFIG.parseable.tls_cert_path, &CONFIG.parseable.tls_key_path, - &CONFIG.parseable.other_cert_path, + &CONFIG.parseable.trusted_ca_certs_path, )?; // Create a channel to trigger server shutdown