Merged swimos_tls into swimos_remote.

Author: horned-sphere

client/swimos_client/Cargo.toml

@@ -5,12 +5,11 @@ edition = "2021"
 
 [features]
 default = []
-tls = ["swimos_tls"]
+tls = ["swimos_remote/tls"]
 deflate = ["runtime/deflate"]
 trust_dns = ["swimos_runtime/trust_dns"]
 
 [dependencies]
-swimos_tls = { path = "../../runtime/swimos_tls", optional = true }
 runtime = { path = "../runtime" }
 swimos_utilities = { path = "../../swimos_utilities", features = ["trigger"] }
 swimos_downlink = { path = "../../swimos_downlink" }

runtime/swimos_remote/Cargo.toml

@@ -4,6 +4,10 @@ version = "0.1.0"
 authors = ["Swim Inc. developers info@swim.ai"]
 edition = "2021"
 
+[features]
+default = []
+tls = ["rustls", "webpki", "webpki-roots", "tokio-rustls", "rustls-pemfile"]
+
 [dependencies]
 ratchet = { workspace = true, features = ["deflate", "split"] }
 ratchet_fixture = { workspace = true }
@@ -28,5 +32,11 @@ smallvec = { workspace = true }
 url = { workspace = true }
 pin-project = { workspace = true }
 
+rustls = { workspace = true, optional = true }
+webpki = { workspace = true, optional = true }
+webpki-roots = { workspace = true, optional = true }
+tokio-rustls = { workspace = true, optional = true }
+rustls-pemfile = { workspace = true, optional = true }
+
 [dev-dependencies]
 tokio = { workspace = true, features = ["macros", "rt"] }

runtime/swimos_remote/src/lib.rs

@@ -17,7 +17,8 @@ pub mod net;
 mod task;
 pub mod ws;
 
-pub use self::{
-    error::{AgentResolutionError, NoSuchAgent},
-    task::{AttachClient, FindNode, LinkError, NodeConnectionRequest, RemoteTask},
-};
+pub use error::{AgentResolutionError, NoSuchAgent};
+pub use task::{AttachClient, FindNode, LinkError, NodeConnectionRequest, RemoteTask};
+
+#[cfg(feature = "tls")]
+pub mod tls;

runtime/swimos_remote/src/tls/config/mod.rs

@@ -0,0 +1,114 @@
+// Copyright 2015-2023 Swim Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/// Supported certificate formats for TLS connections.
+pub enum CertFormat {
+    Pem,
+    Der,
+}
+
+/// An (unvalidated)) TLS certificate (or list of certificates for a PEM file).
+pub struct CertificateFile {
+    pub format: CertFormat,
+    pub body: Vec<u8>,
+}
+
+impl CertificateFile {
+    pub fn new(format: CertFormat, body: Vec<u8>) -> Self {
+        CertificateFile { format, body }
+    }
+
+    pub fn der(body: Vec<u8>) -> Self {
+        Self::new(CertFormat::Der, body)
+    }
+
+    pub fn pem(body: Vec<u8>) -> Self {
+        Self::new(CertFormat::Pem, body)
+    }
+}
+
+/// A chain of TLS certificates (starting with the server certificate and ending with the CA).
+pub struct CertChain(pub Vec<CertificateFile>);
+
+/// An (unvalidated) private key for a server.
+pub struct PrivateKey {
+    pub format: CertFormat,
+    pub body: Vec<u8>,
+}
+
+impl PrivateKey {
+    pub fn new(format: CertFormat, body: Vec<u8>) -> Self {
+        PrivateKey { format, body }
+    }
+
+    pub fn der(body: Vec<u8>) -> Self {
+        Self::new(CertFormat::Der, body)
+    }
+
+    pub fn pem(body: Vec<u8>) -> Self {
+        Self::new(CertFormat::Pem, body)
+    }
+}
+/// Combined TLS configuration (both server and client)/
+pub struct TlsConfig {
+    pub client: ClientConfig,
+    pub server: ServerConfig,
+}
+
+impl TlsConfig {
+    pub fn new(client: ClientConfig, server: ServerConfig) -> Self {
+        TlsConfig { client, server }
+    }
+}
+
+/// Configuration parameters for a TLS server.
+pub struct ServerConfig {
+    pub chain: CertChain,
+    pub key: PrivateKey,
+    pub enable_log_file: bool,
+}
+
+impl ServerConfig {
+    pub fn new(chain: CertChain, key: PrivateKey) -> Self {
+        ServerConfig {
+            chain,
+            key,
+            enable_log_file: false,
+        }
+    }
+}
+
+/// Configuration parameters for a TLS client.
+pub struct ClientConfig {
+    pub use_webpki_roots: bool,
+    pub custom_roots: Vec<CertificateFile>,
+}
+
+impl ClientConfig {
+    pub fn new(custom_roots: Vec<CertificateFile>) -> Self {
+        ClientConfig {
+            use_webpki_roots: true,
+            custom_roots,
+        }
+    }
+}
+
+impl Default for ClientConfig {
+    fn default() -> Self {
+        Self {
+            use_webpki_roots: true,
+            custom_roots: vec![],
+        }
+    }
+}

runtime/swimos_remote/src/tls/errors.rs

@@ -0,0 +1,30 @@
+// Copyright 2015-2023 Swim Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use rustls::client::InvalidDnsNameError;
+use thiserror::Error;
+
+#[derive(Debug, Error)]
+pub enum TlsError {
+    #[error("Error reading PEM file: {0}")]
+    InvalidPem(std::io::Error),
+    #[error("The provided input did not contain a valid private key.")]
+    InvalidPrivateKey,
+    #[error("Invalid certificate: {0}")]
+    BadCertificate(#[from] webpki::Error),
+    #[error("Invalid DNS host name: {0}")]
+    BadHostName(#[from] InvalidDnsNameError),
+    #[error("TLS handshake failed: {0}")]
+    HandshakeFailed(std::io::Error),
+}

runtime/swimos_remote/src/tls/maybe/mod.rs

@@ -0,0 +1,73 @@
+// Copyright 2015-2023 Swim Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use std::{
+    io,
+    pin::Pin,
+    task::{Context, Poll},
+};
+
+use pin_project::pin_project;
+use tokio::{
+    io::{AsyncRead, AsyncWrite, ReadBuf},
+    net::TcpStream,
+};
+use tokio_rustls::TlsStream;
+
+/// Either a simple, unencrypted [`tokio::TcpStream`] or a [`TlsStream`].
+#[pin_project(project = MaybeTlsProj)]
+pub enum MaybeTlsStream {
+    Plain(#[pin] TcpStream),
+    Tls(#[pin] TlsStream<TcpStream>),
+}
+
+impl AsyncRead for MaybeTlsStream {
+    fn poll_read(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &mut ReadBuf<'_>,
+    ) -> Poll<io::Result<()>> {
+        match self.project() {
+            MaybeTlsProj::Plain(s) => s.poll_read(cx, buf),
+            MaybeTlsProj::Tls(s) => s.poll_read(cx, buf),
+        }
+    }
+}
+
+impl AsyncWrite for MaybeTlsStream {
+    fn poll_write(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<Result<usize, io::Error>> {
+        match self.project() {
+            MaybeTlsProj::Plain(s) => s.poll_write(cx, buf),
+            MaybeTlsProj::Tls(s) => s.poll_write(cx, buf),
+        }
+    }
+
+    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), io::Error>> {
+        match self.project() {
+            MaybeTlsProj::Plain(s) => s.poll_flush(cx),
+            MaybeTlsProj::Tls(s) => s.poll_flush(cx),
+        }
+    }
+
+    fn poll_shutdown(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), io::Error>> {
+        match self.project() {
+            MaybeTlsProj::Plain(s) => s.poll_shutdown(cx),
+            MaybeTlsProj::Tls(s) => s.poll_shutdown(cx),
+        }
+    }
+}

runtime/swimos_remote/src/tls/mod.rs

@@ -0,0 +1,25 @@
+// Copyright 2015-2023 Swim Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+mod config;
+mod errors;
+mod maybe;
+mod net;
+
+pub use config::{
+    CertChain, CertFormat, CertificateFile, ClientConfig, PrivateKey, ServerConfig, TlsConfig,
+};
+pub use errors::TlsError;
+pub use maybe::MaybeTlsStream;
+pub use net::{RustlsClientNetworking, RustlsListener, RustlsNetworking, RustlsServerNetworking};