use crate::RustlsTransport;
use async_rustls::TlsConnector;
use rustls::{Certificate, ClientConfig, OwnedTrustAnchor, RootCertStore, ServerName};
use std::{
fmt::{self, Debug, Formatter},
future::Future,
io::{Error, ErrorKind, Result},
sync::Arc,
};
use trillium_server_common::{async_trait, Connector, Url};
#[derive(Clone, Debug)]
pub struct RustlsClientConfig(Arc<ClientConfig>);
#[derive(Clone, Default)]
pub struct RustlsConfig<Config> {
pub rustls_config: RustlsClientConfig,
pub tcp_config: Config,
}
impl<C: Connector> RustlsConfig<C> {
pub fn new(rustls_config: impl Into<RustlsClientConfig>, tcp_config: C) -> Self {
Self {
rustls_config: rustls_config.into(),
tcp_config,
}
}
}
impl Default for RustlsClientConfig {
fn default() -> Self {
Self(Arc::new(default_client_config()))
}
}
#[cfg(feature = "native-roots")]
fn get_rustls_native_roots() -> Result<impl Iterator<Item = Certificate>> {
let roots = rustls_native_certs::load_native_certs()
.map(|certs| certs.into_iter().map(|cert| Certificate(cert.0)));
if let Err(ref e) = roots {
log::warn!("rustls native certs hard error, falling back to webpki roots: {e:?}");
}
roots
}
#[cfg(not(feature = "native-roots"))]
fn get_rustls_native_roots() -> Result<impl Iterator<Item = Certificate>> {
Err::<std::iter::Empty<_>, _>(Error::new(ErrorKind::Unsupported, "unimplemented"))
}
fn default_client_config() -> ClientConfig {
let mut root_store = RootCertStore::empty();
match get_rustls_native_roots() {
Ok(certs) => {
for cert in certs {
if let Err(e) = root_store.add(&cert) {
log::debug!("unable to add certificate {:?}, skipping", e);
}
}
}
Err(_) => {
root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(
|c: &webpki::TrustAnchor| {
OwnedTrustAnchor::from_subject_spki_name_constraints(
c.subject,
c.spki,
c.name_constraints,
)
},
));
}
};
ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(root_store)
.with_no_client_auth()
}
impl From<ClientConfig> for RustlsClientConfig {
fn from(rustls_config: ClientConfig) -> Self {
Self(Arc::new(rustls_config))
}
}
impl From<Arc<ClientConfig>> for RustlsClientConfig {
fn from(rustls_config: Arc<ClientConfig>) -> Self {
Self(rustls_config)
}
}
impl<C: Connector> RustlsConfig<C> {
pub fn with_tcp_config(mut self, config: C) -> Self {
self.tcp_config = config;
self
}
}
impl<Config: Debug> Debug for RustlsConfig<Config> {
fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
f.debug_struct("RustlsConfig")
.field("rustls_config", &"..")
.field("tcp_config", &self.tcp_config)
.finish()
}
}
#[async_trait]
impl<C: Connector> Connector for RustlsConfig<C> {
type Transport = RustlsTransport<C::Transport>;
async fn connect(&self, url: &Url) -> Result<Self::Transport> {
match url.scheme() {
"https" => {
let mut http = url.clone();
http.set_scheme("http").ok();
http.set_port(url.port_or_known_default()).ok();
let connector: TlsConnector = Arc::clone(&self.rustls_config.0).into();
let domain = url
.domain()
.and_then(|dns_name| ServerName::try_from(dns_name).ok())
.ok_or_else(|| Error::new(ErrorKind::Other, "missing domain"))?;
connector
.connect(domain, self.tcp_config.connect(&http).await?)
.await
.map_err(|e| Error::new(ErrorKind::Other, e.to_string()))
.map(RustlsTransport::from)
}
"http" => self
.tcp_config
.connect(url)
.await
.map(RustlsTransport::from),
unknown => Err(Error::new(
ErrorKind::InvalidInput,
format!("unknown scheme {unknown}"),
)),
}
}
fn spawn<Fut: Future<Output = ()> + Send + 'static>(&self, fut: Fut) {
self.tcp_config.spawn(fut)
}
}