feat: wip - configuration design

2024-07-12 23:50:37 +09:00 · 2024-07-12 23:50:37 +09:00 · 887e6b64b0
commit 887e6b64b0
parent 63ee953912
13 changed files with 173 additions and 11 deletions
--- a/rpxy-bin/Cargo.toml
+++ b/rpxy-bin/Cargo.toml
@ -13,14 +13,15 @@ publish.workspace = true
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

 [features]
-default = ["http3-quinn", "cache", "rustls-backend"]
-# default = ["http3-s2n", "cache", "rustls-backend"]
+default = ["http3-quinn", "cache", "rustls-backend", "acme"]
+# default = ["http3-s2n", "cache", "rustls-backend", "acme"]
 http3-quinn = ["rpxy-lib/http3-quinn"]
 http3-s2n = ["rpxy-lib/http3-s2n"]
 native-tls-backend = ["rpxy-lib/native-tls-backend"]
 rustls-backend = ["rpxy-lib/rustls-backend"]
 webpki-roots = ["rpxy-lib/webpki-roots"]
 cache = ["rpxy-lib/cache"]
+acme = ["rpxy-lib/acme", "rpxy-acme"]

 [dependencies]
 rpxy-lib = { path = "../rpxy-lib/", default-features = false, features = [
@ -56,4 +57,6 @@ rpxy-certs = { path = "../rpxy-certs/", default-features = false, features = [
  "http3",
 ] }

+rpxy-acme = { path = "../rpxy-acme/", default-features = false, optional = true }
+
 [dev-dependencies]
--- a/rpxy-bin/src/config/mod.rs
+++ b/rpxy-bin/src/config/mod.rs
@ -3,7 +3,10 @@ mod service;
 mod toml;

 pub use {
-  self::toml::ConfigToml,
  parse::{build_cert_manager, build_settings, parse_opts},
  service::ConfigTomlReloader,
+  toml::ConfigToml,
 };
+
+#[cfg(feature = "acme")]
+pub use parse::build_acme_manager;
--- a/rpxy-bin/src/config/parse.rs
+++ b/rpxy-bin/src/config/parse.rs
@ -6,6 +6,9 @@ use rpxy_certs::{build_cert_reloader, CryptoFileSourceBuilder, CryptoReloader, S
 use rpxy_lib::{AppConfig, AppConfigList, ProxyConfig};
 use rustc_hash::FxHashMap as HashMap;

+#[cfg(feature = "acme")]
+use rpxy_acme::{AcmeTargets, ACME_CERTIFICATE_FILE_NAME, ACME_PRIVATE_KEY_FILE_NAME, ACME_REGISTRY_PATH};
+
 /// Parsed options
 pub struct Opts {
  pub config_file_path: String,
@ -103,11 +106,34 @@ pub async fn build_cert_manager(
  if config.listen_port_tls.is_none() {
    return Ok(None);
  }
+
+  #[cfg(feature = "acme")]
+  let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone());
+  #[cfg(feature = "acme")]
+  let registry_path = acme_option
+    .as_ref()
+    .and_then(|v| v.registry_path.as_deref())
+    .unwrap_or(ACME_REGISTRY_PATH);
+
  let mut crypto_source_map = HashMap::default();
  for app in apps.0.values() {
    if let Some(tls) = app.tls.as_ref() {
-      ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some());
      let server_name = app.server_name.as_ref().ok_or(anyhow!("No server name"))?;
+
+      #[cfg(not(feature = "acme"))]
+      ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some());
+
+      #[cfg(feature = "acme")]
+      let tls = {
+        let mut tls = tls.clone();
+        if let Some(true) = tls.acme {
+          ensure!(acme_option.is_some() && tls.tls_cert_key_path.is_none() && tls.tls_cert_path.is_none());
+          tls.tls_cert_key_path = Some(format!("{registry_path}/{server_name}/{ACME_CERTIFICATE_FILE_NAME}"));
+          tls.tls_cert_path = Some(format!("{registry_path}/{server_name}/{ACME_PRIVATE_KEY_FILE_NAME}"));
+        }
+        tls
+      };
+
      let crypto_file_source = CryptoFileSourceBuilder::default()
        .tls_cert_path(tls.tls_cert_path.as_ref().unwrap())
        .tls_cert_key_path(tls.tls_cert_key_path.as_ref().unwrap())
@ -119,3 +145,33 @@ pub async fn build_cert_manager(
  let res = build_cert_reloader(&crypto_source_map, None).await?;
  Ok(Some(res))
 }
+
+/* ----------------------- */
+#[cfg(feature = "acme")]
+/// Build acme manager and dummy cert and key as initial states if not exists
+/// TODO: CURRENTLY NOT IMPLEMENTED, UNDER DESIGNING
+pub async fn build_acme_manager(config: &ConfigToml) -> Result<(), anyhow::Error> {
+  let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone());
+  if acme_option.is_none() {
+    return Ok(());
+  }
+  let acme_option = acme_option.unwrap();
+  let mut acme_targets = AcmeTargets::try_new(
+    acme_option.email.as_ref(),
+    acme_option.dir_url.as_deref(),
+    acme_option.registry_path.as_deref(),
+  )
+  .map_err(|e| anyhow!("Invalid acme configuration: {e}"))?;
+
+  let apps = config.apps.as_ref().unwrap();
+  for app in apps.0.values() {
+    if let Some(tls) = app.tls.as_ref() {
+      if tls.acme.unwrap_or(false) {
+        acme_targets.add_target(app.server_name.as_ref().unwrap())?;
+      }
+    }
+  }
+  // TODO: remove later
+  println!("ACME targets: {:#?}", acme_targets);
+  Ok(())
+}
--- a/rpxy-bin/src/config/toml.rs
+++ b/rpxy-bin/src/config/toml.rs
@ -41,12 +41,25 @@ pub struct CacheOption {
  pub max_cache_each_size_on_memory: Option<usize>,
 }

+#[cfg(feature = "acme")]
+#[derive(Deserialize, Debug, Default, PartialEq, Eq, Clone)]
+pub struct AcmeOption {
+  pub dir_url: Option<String>,
+  pub email: String,
+  pub registry_path: Option<String>,
+}
+
 #[derive(Deserialize, Debug, Default, PartialEq, Eq, Clone)]
 pub struct Experimental {
  #[cfg(any(feature = "http3-quinn", feature = "http3-s2n"))]
  pub h3: Option<Http3Option>,
+
  #[cfg(feature = "cache")]
  pub cache: Option<CacheOption>,
+
+  #[cfg(feature = "acme")]
+  pub acme: Option<AcmeOption>,
+
  pub ignore_sni_consistency: Option<bool>,
  pub connection_handling_timeout: Option<u64>,
 }
@ -67,6 +80,8 @@ pub struct TlsOption {
  pub tls_cert_key_path: Option<String>,
  pub https_redirection: Option<bool>,
  pub client_ca_cert_path: Option<String>,
+  #[cfg(feature = "acme")]
+  pub acme: Option<bool>,
 }

 #[derive(Deserialize, Debug, Default, PartialEq, Eq, Clone)]
@ -222,8 +237,19 @@ impl Application {
    // tls settings
    let tls_config = if self.tls.is_some() {
      let tls = self.tls.as_ref().unwrap();
+
+      #[cfg(not(feature = "acme"))]
      ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some());

+      #[cfg(feature = "acme")]
+      {
+        if tls.acme.unwrap_or(false) {
+          ensure!(tls.tls_cert_key_path.is_none() && tls.tls_cert_path.is_none());
+        } else {
+          ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some());
+        }
+      }
+
      let https_redirection = if tls.https_redirection.is_none() {
        true // Default true
      } else {
@ -233,6 +259,8 @@ impl Application {
      Some(TlsConfig {
        mutual_tls: tls.client_ca_cert_path.is_some(),
        https_redirection,
+        #[cfg(feature = "acme")]
+        acme: tls.acme.unwrap_or(false),
      })
    } else {
      None
--- a/rpxy-bin/src/main.rs
+++ b/rpxy-bin/src/main.rs
@ -6,6 +6,8 @@ mod constants;
 mod error;
 mod log;

+#[cfg(feature = "acme")]
+use crate::config::build_acme_manager;
 use crate::{
  config::{build_cert_manager, build_settings, parse_opts, ConfigToml, ConfigTomlReloader},
  constants::CONFIG_WATCH_DELAY_SECS,
@ -66,6 +68,9 @@ async fn rpxy_service_without_watcher(
  let config_toml = ConfigToml::new(config_file_path).map_err(|e| anyhow!("Invalid toml file: {e}"))?;
  let (proxy_conf, app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?;

+  #[cfg(feature = "acme")] // TODO: CURRENTLY NOT IMPLEMENTED, UNDER DESIGNING
+  let acme_manager = build_acme_manager(&config_toml).await;
+
  let cert_service_and_rx = build_cert_manager(&config_toml)
    .await
    .map_err(|e| anyhow!("Invalid cert configuration: {e}"))?;
@ -88,6 +93,9 @@ async fn rpxy_service_with_watcher(
    .ok_or(anyhow!("Something wrong in config reloader receiver"))?;
  let (mut proxy_conf, mut app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?;

+  #[cfg(feature = "acme")] // TODO: CURRENTLY NOT IMPLEMENTED, UNDER DESIGNING
+  let acme_manager = build_acme_manager(&config_toml).await;
+
  let mut cert_service_and_rx = build_cert_manager(&config_toml)
    .await
    .map_err(|e| anyhow!("Invalid cert configuration: {e}"))?;