Introduce dynamic TLS resolvers.

SergioBenitez · SergioBenitez · commit dad8312ff747 · 2024-04-16T18:52:34.000-07:00
This commit introduces the ability to dynamically select a TLS configuration based on the client's TLS hello. Added `Authority::set_port()`. Various `Config` structures for listeners removed. `UdsListener` is now `UnixListener`. `Bindable` removed in favor of new `Bind`. `Connection` requires `AsyncRead + AsyncWrite` again The `Debug` impl for `Endpoint` displays the underlying address in plaintext. `Listener` must be `Sized`. `tls` listener moved to `tls::TlsListener` The preview `quic` listener no longer implements `Listener`. All built-in listeners now implement `Bind<&Rocket>`. Clarified docs for `mtls::Certificate` guard. No reexporitng rustls from `tls`. Added `TlsConfig::server_config()`. Added some future helpers: `race()` and `race_io()`. Fix an issue where the logger wouldn't respect a configuration during error printing. Added Rocket::launch_with(), launch_on(), bind_launch(). Added a default client.pem to the TLS example. Revamped the testbench. Added tests for TLS resolvers, MTLS, listener failure output. TODO: clippy. TODO: UDS testing. Resolves #2730. Resolves #2363. Closes #2748. Closes #2683. Closes #2577.
diff --git a/core/lib/src/error.rs b/core/lib/src/error.rs
@@ -179,16 +179,16 @@ impl Error {
         match self.kind() {
             ErrorKind::Bind(ref a, ref e) => {
                 if let Some(e) = e.downcast_ref::<Self>() {
-                    e.pretty_print();
+                    e.pretty_print()
                 } else {
                     match a {
                         Some(a) => error!("Binding to {} failed.", a.primary().underline()),
                         None => error!("Binding to network interface failed."),
                     }
-                }
 
-                info_!("{}", e);
-                "aborting due to bind error"
+                    info_!("{}", e);
+                    "aborting due to bind error"
+                }
             }
             ErrorKind::Io(ref e) => {
                 error!("Rocket failed to launch due to an I/O error.");
diff --git a/core/lib/src/listener/default.rs b/core/lib/src/listener/default.rs
@@ -1,25 +1,26 @@
+use core::fmt;
+
 use serde::Deserialize;
-use tokio_util::either::{Either, Either::{Left, Right}};
-use futures::TryFutureExt;
+use tokio_util::either::Either::{Left, Right};
+use either::Either;
 
-use crate::error::ErrorKind;
 use crate::{Ignite, Rocket};
 use crate::listener::{Bind, Endpoint, tcp::TcpListener};
 
 #[cfg(unix)] use crate::listener::unix::UnixListener;
 #[cfg(feature = "tls")] use crate::tls::{TlsListener, TlsConfig};
 
 mod private {
-    use super::{Either, TcpListener};
+    use tokio_util::either::Either;
 
     #[cfg(feature = "tls")] pub type TlsListener<T> = super::TlsListener<T>;
     #[cfg(not(feature = "tls"))] pub type TlsListener<T> = T;
     #[cfg(unix)] pub type UnixListener = super::UnixListener;
     #[cfg(not(unix))] pub type UnixListener = super::TcpListener;
 
     pub type Listener = Either<
-        Either<TlsListener<TcpListener>, TlsListener<UnixListener>>,
-        Either<TcpListener, UnixListener>,
+        Either<TlsListener<super::TcpListener>, TlsListener<UnixListener>>,
+        Either<super::TcpListener, UnixListener>,
     >;
 }
 
@@ -33,48 +34,90 @@ struct Config {
 
 pub type DefaultListener = private::Listener;
 
+#[derive(Debug)]
+pub enum Error {
+    Config(figment::Error),
+    Io(std::io::Error),
+    Unsupported(Endpoint),
+    #[cfg(feature = "tls")]
+    Tls(crate::tls::Error),
+}
+
+impl From<figment::Error> for Error {
+    fn from(value: figment::Error) -> Self {
+        Error::Config(value)
+    }
+}
+
+impl From<std::io::Error> for Error {
+    fn from(value: std::io::Error) -> Self {
+        Error::Io(value)
+    }
+}
+
+#[cfg(feature = "tls")]
+impl From<crate::tls::Error> for Error {
+    fn from(value: crate::tls::Error) -> Self {
+        Error::Tls(value)
+    }
+}
+
+impl From<Either<figment::Error, std::io::Error>> for Error {
+    fn from(value: Either<figment::Error, std::io::Error>) -> Self {
+        value.either(Error::Config, Error::Io)
+    }
+}
+
+impl fmt::Display for Error {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            Error::Config(e) => e.fmt(f),
+            Error::Io(e) => e.fmt(f),
+            Error::Unsupported(e) => write!(f, "unsupported endpoint: {e:?}"),
+            #[cfg(feature = "tls")]
+            Error::Tls(error) => error.fmt(f),
+        }
+    }
+}
+
+impl std::error::Error for Error {
+    fn source(&self) -> Option<&(dyn std::error::Error + 'static)> {
+        match self {
+            Error::Config(e) => Some(e),
+            Error::Io(e) => Some(e),
+            Error::Unsupported(_) => None,
+            #[cfg(feature = "tls")]
+            Error::Tls(e) => Some(e),
+        }
+    }
+}
+
 impl<'r> Bind<&'r Rocket<Ignite>> for DefaultListener {
-    type Error = crate::Error;
+    type Error = Error;
 
     async fn bind(rocket: &'r Rocket<Ignite>) -> Result<Self, Self::Error> {
         let config: Config = rocket.figment().extract()?;
         match config.address {
             #[cfg(feature = "tls")]
-            endpoint@Endpoint::Tcp(_) if config.tls.is_some() => {
-                let listener = <TlsListener<TcpListener> as Bind<_>>::bind(rocket)
-                    .map_err(|e| ErrorKind::Bind(Some(endpoint), Box::new(e)))
-                    .await?;
-
+            Endpoint::Tcp(_) if config.tls.is_some() => {
+                let listener = <TlsListener<TcpListener> as Bind<_>>::bind(rocket).await?;
                 Ok(Left(Left(listener)))
             }
-            endpoint@Endpoint::Tcp(_) => {
-                let listener = <TcpListener as Bind<_>>::bind(rocket)
-                    .map_err(|e| ErrorKind::Bind(Some(endpoint), Box::new(e)))
-                    .await?;
-
+            Endpoint::Tcp(_) => {
+                let listener = <TcpListener as Bind<_>>::bind(rocket).await?;
                 Ok(Right(Left(listener)))
             }
             #[cfg(all(unix, feature = "tls"))]
-            endpoint@Endpoint::Unix(_) if config.tls.is_some() => {
-                let listener = <TlsListener<UnixListener> as Bind<_>>::bind(rocket)
-                    .map_err(|e| ErrorKind::Bind(Some(endpoint), Box::new(e)))
-                    .await?;
-
+            Endpoint::Unix(_) if config.tls.is_some() => {
+                let listener = <TlsListener<UnixListener> as Bind<_>>::bind(rocket).await?;
                 Ok(Left(Right(listener)))
             }
             #[cfg(unix)]
-            endpoint@Endpoint::Unix(_) => {
-                let listener = <UnixListener as Bind<_>>::bind(rocket)
-                    .map_err(|e| ErrorKind::Bind(Some(endpoint), Box::new(e)))
-                    .await?;
-
+            Endpoint::Unix(_) => {
+                let listener = <UnixListener as Bind<_>>::bind(rocket).await?;
                 Ok(Right(Right(listener)))
             }
-            endpoint => {
-                let msg = format!("unsupported bind endpoint: {endpoint}");
-                let error = Box::<dyn std::error::Error + Send + Sync>::from(msg);
-                Err(ErrorKind::Bind(Some(endpoint), error).into())
-            }
+            endpoint => Err(Error::Unsupported(endpoint)),
         }
     }
 
diff --git a/core/lib/src/tls/resolver.rs b/core/lib/src/tls/resolver.rs
@@ -15,6 +15,39 @@ pub(crate) struct DynResolver(Arc<dyn Resolver>);
 pub struct Fairing<T: ?Sized>(PhantomData<T>);
 
 /// A dynamic TLS configuration resolver.
+///
+/// # Example
+///
+/// This is an async trait. Implement it as follows:
+///
+/// ```rust
+/// # #[macro_use] extern crate rocket;
+/// use std::sync::Arc;
+/// use rocket::tls::{self, Resolver, TlsConfig, ClientHello, ServerConfig};
+/// use rocket::{Rocket, Build};
+///
+/// struct MyResolver(Arc<ServerConfig>);
+///
+/// #[rocket::async_trait]
+/// impl Resolver for MyResolver {
+///     async fn init(rocket: &Rocket<Build>) -> tls::Result<Self> {
+///         // This is equivalent to what the default resolver would do.
+///         let config: TlsConfig = rocket.figment().extract_inner("tls")?;
+///         let server_config = config.server_config().await?;
+///         Ok(MyResolver(Arc::new(server_config)))
+///     }
+///
+///     async fn resolve(&self, hello: ClientHello<'_>) -> Option<Arc<ServerConfig>> {
+///         // return a `ServerConfig` based on `hello`; here we ignore it
+///         Some(self.0.clone())
+///     }
+/// }
+///
+/// #[launch]
+/// fn rocket() -> _ {
+///     rocket::build().attach(MyResolver::fairing())
+/// }
+/// ```
 #[crate::async_trait]
 pub trait Resolver: Send + Sync + 'static {
     async fn init(rocket: &Rocket<Build>) -> crate::tls::Result<Self> where Self: Sized {
diff --git a/testbench/src/main.rs b/testbench/src/main.rs
@@ -1,4 +1,5 @@
 use std::process::ExitCode;
+use std::time::Duration;
 
 use rocket::listener::unix::UnixListener;
 use rocket::tokio::net::TcpListener;
@@ -163,9 +164,7 @@ fn tls_resolver() -> Result<()> {
     let server = spawn! {
         #[get("/count")]
         fn count(counter: &State<Arc<AtomicUsize>>) -> String {
-            let count = counter.load(Ordering::Acquire);
-            println!("{count}");
-            count.to_string()
+            counter.load(Ordering::Acquire).to_string()
         }
 
         let counter = Arc::new(AtomicUsize::new(0));
@@ -329,8 +328,8 @@ fn tcp_unix_listener_fail() -> Result<()> {
     };
 
     if let Err(Error::Liftoff(stdout, _)) = server {
-        assert!(stdout.contains("expected valid TCP"));
-        assert!(stdout.contains("for key default.address"));
+        assert!(stdout.contains("expected valid TCP (ip) or unix (path)"));
+        assert!(stdout.contains("default.address"));
     } else {
         panic!("unexpected result: {server:#?}");
     }
@@ -361,14 +360,17 @@ fn tcp_unix_listener_fail() -> Result<()> {
 
 macro_rules! tests {
     ($($f:ident),* $(,)?) => {[
-        $(Test { name: stringify!($f), func: $f, }),*
+        $(Test {
+            name: stringify!($f),
+            run: |_: ()| $f().map_err(|e| e.to_string()),
+        }),*
     ]};
 }
 
 #[derive(Copy, Clone)]
 struct Test {
     name: &'static str,
-    func: fn() -> Result<()>,
+    run: fn(()) -> Result<(), String>,
 }
 
 static TESTS: &[Test] = &tests![
@@ -377,37 +379,58 @@ static TESTS: &[Test] = &tests![
 ];
 
 fn main() -> ExitCode {
+    procspawn::init();
+
     let filter = std::env::args().nth(1).unwrap_or_default();
     let filtered = TESTS.into_iter().filter(|test| test.name.contains(&filter));
 
     println!("running {}/{} tests", filtered.clone().count(), TESTS.len());
-    let handles: Vec<_> = filtered
-        .map(|test| (test, std::thread::spawn(move || {
-            if let Err(e) = (test.func)() {
-                println!("test {} ... {}\n  {e}", test.name.bold(), "fail".red());
-                return Err(e);
+    let handles = filtered.map(|test| (test, std::thread::spawn(|| {
+        let name = test.name;
+        let start = std::time::SystemTime::now();
+        let mut proc = procspawn::spawn((), test.run);
+        let result = loop {
+            match proc.join_timeout(Duration::from_secs(10)) {
+                Err(e) if e.is_timeout() => {
+                    let elapsed = start.elapsed().unwrap().as_secs();
+                    println!("{name} has been running for {elapsed} seconds...");
+
+                    if elapsed >= 30 {
+                        println!("{name} timeout");
+                        break Err(e);
+                    }
+                },
+                result => break result,
             }
+        };
 
-            println!("test {} ... {}", test.name.bold(), "ok".green());
-            Ok(())
-        })))
-        .collect();
-
-    let mut failure = false;
-    for (test, handle) in handles {
-        let result = handle.join();
-        failure |= matches!(result, Err(_) | Ok(Err(_)));
-        if result.is_err() {
-            println!("test {} ... {}", test.name.bold(), "panic".red().underline());
+        match result.as_ref().map_err(|e| e.panic_info()) {
+            Ok(Ok(_)) => println!("test {name} ... {}", "ok".green()),
+            Ok(Err(e)) => println!("test {name} ... {}\n  {e}", "fail".red()),
+            Err(Some(_)) => println!("test {name} ... {}", "panic".red().underline()),
+            Err(None) => println!("test {name} ... {}", "error".magenta()),
         }
+
+        matches!(result, Ok(Ok(())))
+    })));
+
+    let mut success = true;
+    for (_, handle) in handles {
+        success &= handle.join().unwrap_or(false);
     }
 
-    match failure {
-        true => ExitCode::FAILURE,
-        false => ExitCode::SUCCESS
+    match success {
+        true => ExitCode::SUCCESS,
+        false => {
+            println!("note: use `NOCAPTURE=1` to see test output");
+            ExitCode::FAILURE
+        }
     }
 }
 
+// TODO: Implement an `UpdatingResolver`. Expose `SniResolver` and
+// `UpdatingResolver` in a `contrib` library or as part of `rocket`.
+//
 // struct UpdatingResolver {
 //     timestamp: AtomicU64,
 //     config: ArcSwap<ServerConfig>
diff --git a/testbench/src/server.rs b/testbench/src/server.rs
