use HTTPS everywhere, even on localhost, using the mkcert tool

tayloraswift · tayloraswift · commit a97e6a6bfbb7 · 2023-09-21T22:26:04.000Z
diff --git a/.gitignore b/.gitignore
@@ -5,6 +5,7 @@
 .vscode
 
 Assets/secrets/
+TestCertificates/*.pem
 TestDeployment/data/
 
 node_modules/
diff --git a/Package.resolved b/Package.resolved
diff --git a/Package.swift b/Package.swift
@@ -74,12 +74,12 @@ let package:Package = .init(
         .package(url: "https://github.com/tayloraswift/swift-hash", .upToNextMinor(
             from: "0.5.0")),
         .package(url: "https://github.com/tayloraswift/swift-mongodb", .upToNextMinor(
-            from: "0.8.2")),
+            from: "0.8.3")),
 
         .package(url: "https://github.com/apple/swift-atomics", .upToNextMinor(
             from: "1.1.0")),
         .package(url: "https://github.com/apple/swift-nio", .upToNextMinor(
-            from: "2.57.0")),
+            from: "2.58.0")),
         .package(url: "https://github.com/apple/swift-nio-http2", .upToNextMinor(
             from: "1.27.0")),
         .package(url: "https://github.com/apple/swift-nio-ssl", .upToNextMinor(
@@ -177,6 +177,7 @@ let package:Package = .init(
                 .target(name: "HTML"),
                 .target(name: "HTTP"),
                 .product(name: "NIOHTTP1", package: "swift-nio"),
+                .product(name: "NIOHTTP2", package: "swift-nio-http2"),
                 .product(name: "NIOSSL", package: "swift-nio-ssl"),
                 .product(name: "TraceableErrors", package: "swift-grammar"),
             ]),
diff --git a/Sources/HTTPServer/Authorities/Localhost.swift b/Sources/HTTPServer/Authorities/Localhost.swift
@@ -1,13 +1,19 @@
+import NIOSSL
+
 @frozen public
 struct Localhost:ServerAuthority
 {
-    @inlinable internal
-    init()
+    public
+    let tls:NIOSSLContext
+
+    @inlinable public
+    init(tls:NIOSSLContext)
     {
+        self.tls = tls
     }
 
     @inlinable public static
-    var scheme:ServerScheme { .http }
+    var scheme:ServerScheme { .https }
     @inlinable public static
     var domain:String { "127.0.0.1" }
 }
diff --git a/Sources/HTTPServer/Authorities/ServerAuthority.swift b/Sources/HTTPServer/Authorities/ServerAuthority.swift
@@ -2,34 +2,24 @@ import HTML
 import NIOCore
 import NIOHTTP1
 import NIOPosix
+import NIOSSL
 import TraceableErrors
 
 public
-protocol ServerAuthority<SecurityContext>:Sendable
+protocol ServerAuthority:Sendable
 {
-    associatedtype SecurityContext = Never
-
     static
     var scheme:ServerScheme { get }
     static
     var domain:String { get }
 
-    var tls:SecurityContext? { get }
+    var tls:NIOSSLContext { get }
 
     static
     func redact(error:any Error) -> String
 }
-
-extension ServerAuthority where Self == Localhost
-{
-    @inlinable public static
-    var localhost:Self { .init() }
-}
-
-extension ServerAuthority<Never>
+extension ServerAuthority
 {
-    @inlinable public
-    var tls:SecurityContext? { nil }
     /// Dumps detailed information about the caught error. This information will be shown to
     /// *anyone* accessing the server. In production, we strongly recommend overriding this
     /// default implementation to avoid inadvertently exposing sensitive data via type
@@ -66,8 +56,6 @@ extension ServerAuthority
     {
         switch self.scheme
         {
-        case .http(port: 80):           return "http://\(self.domain)\(uri)"
-        case .http(port: let port):     return "http://\(self.domain):\(port)\(uri)"
         case .https(port: 443):         return "https://\(self.domain)\(uri)"
         case .https(port: let port):    return "https://\(self.domain):\(port)\(uri)"
         }
diff --git a/Sources/HTTPServer/Authorities/ServerScheme.swift b/Sources/HTTPServer/Authorities/ServerScheme.swift
@@ -2,15 +2,11 @@
 enum ServerScheme
 {
     case https(port:Int = 443)
-    case http(port:Int = 80)
 }
 extension ServerScheme
 {
     @inlinable public static
     var https:Self { .https() }
-
-    @inlinable public static
-    var http:Self { .http() }
 }
 extension ServerScheme
 {
@@ -19,7 +15,6 @@ extension ServerScheme
     {
         switch self
         {
-        case .http(port: let port):     return port
         case .https(port: let port):    return port
         }
     }
@@ -28,7 +23,6 @@ extension ServerScheme
     {
         switch self
         {
-        case .http:             return "http"
         case .https:            return "https"
         }
     }
diff --git a/Sources/HTTPServer/Channels/HTTPServerDelegate.swift b/Sources/HTTPServer/Channels/HTTPServerDelegate.swift
@@ -34,16 +34,9 @@ extension HTTPServerDelegate
                 address: channel.remoteAddress,
                 server: self)
 
-            guard let tls:NIOSSLContext = authority.tls as? NIOSSLContext
-            else
-            {
-                return channel.pipeline.configureHTTPServerPipeline(withErrorHandling: true)
-                    .flatMap
-                {
-                    channel.pipeline.addHandler(endpoint)
-                }
-            }
-            return  channel.pipeline.addHandler(NIOSSLServerHandler.init(context: tls))
+
+            return  channel.pipeline.addHandler(NIOSSLServerHandler.init(
+                context: authority.tls))
                     .flatMap
             {
                     channel.pipeline.configureHTTPServerPipeline(withErrorHandling: true)
diff --git a/Sources/UnidocServer/Authorities/ServerAuthority (ext).swift b/Sources/UnidocServer/Authorities/ServerAuthority (ext).swift
diff --git a/Sources/UnidocServer/Authorities/Swiftinit.swift b/Sources/UnidocServer/Authorities/Swiftinit.swift
@@ -3,12 +3,11 @@ import NIOSSL
 
 struct Swiftinit
 {
-    private
-    let context:NIOSSLContext
+    let tls:NIOSSLContext
 
-    init(context:NIOSSLContext)
+    init(tls:NIOSSLContext)
     {
-        self.context = context
+        self.tls = tls
     }
 }
 extension Swiftinit:ServerAuthority
@@ -19,8 +18,6 @@ extension Swiftinit:ServerAuthority
     static
     var domain:String { "swiftinit.org" }
 
-    var tls:NIOSSLContext? { self.context }
-
     static
     func redact(error _:any Error) -> String
     {
diff --git a/Sources/UnidocServer/Authorities/SwiftinitTest.swift b/Sources/UnidocServer/Authorities/SwiftinitTest.swift
@@ -3,12 +3,11 @@ import NIOSSL
 
 struct SwiftinitTest
 {
-    private
-    let context:NIOSSLContext
+    let tls:NIOSSLContext
 
-    init(context:NIOSSLContext)
+    init(tls:NIOSSLContext)
     {
-        self.context = context
+        self.tls = tls
     }
 }
 extension SwiftinitTest:ServerAuthority
@@ -19,8 +18,6 @@ extension SwiftinitTest:ServerAuthority
     static
     var domain:String { "test.swiftinit.org" }
 
-    var tls:NIOSSLContext? { self.context }
-
     static
     func redact(error _:any Error) -> String
     {
diff --git a/Sources/UnidocServer/Server/Server.Options.Authority.swift b/Sources/UnidocServer/Server/Server.Options.Authority.swift
@@ -16,37 +16,28 @@ extension Server.Options.Authority
     {
         switch self
         {
+        case .localhost:    return Localhost.self
         case .production:   return Swiftinit.self
         case .testing:      return SwiftinitTest.self
-        case .localhost:    return Localhost.self
         }
     }
 
-    func load(certificates:String?) throws -> any ServerAuthority
+    func load(certificates directory:String) throws -> any ServerAuthority
     {
-        func context() throws -> NIOSSLContext
-        {
-            guard let directory:String = certificates
-            else
-            {
-                throw Server.CertificateError.directoryRequired
-            }
+        let certificates:[NIOSSLCertificate] =
+            try NIOSSLCertificate.fromPEMFile("\(directory)/fullchain.pem")
+        let privateKey:NIOSSLPrivateKey =
+            try .init(file: "\(directory)/privkey.pem", format: .pem)
 
-            let certificates:[NIOSSLCertificate] =
-                try NIOSSLCertificate.fromPEMFile("\(directory)/fullchain.pem")
-            let privateKey:NIOSSLPrivateKey =
-                try .init(file: "\(directory)/privkey.pem", format: .pem)
-
-            return try .init(configuration: .makeServerConfiguration(
-                certificateChain: certificates.map(NIOSSLCertificateSource.certificate(_:)),
-                privateKey: .privateKey(privateKey)))
-        }
+        let niossl:NIOSSLContext = try .init(configuration: .makeServerConfiguration(
+            certificateChain: certificates.map(NIOSSLCertificateSource.certificate(_:)),
+            privateKey: .privateKey(privateKey)))
 
         switch self
         {
-        case .production:   return .swiftinit(try context())
-        case .testing:      return .swiftinitTest(try context())
-        case .localhost:    return .localhost
+        case .localhost:    return Localhost.init(tls: niossl)
+        case .production:   return Swiftinit.init(tls: niossl)
+        case .testing:      return SwiftinitTest.init(tls: niossl)
         }
     }
 }
diff --git a/Sources/UnidocServer/Server/Server.Options.swift b/Sources/UnidocServer/Server/Server.Options.swift
@@ -5,7 +5,7 @@ extension Server
     struct Options
     {
         var authority:Authority
-        var certificates:String?
+        var certificates:String
         var redirect:Bool
         var mongo:String
         /// This is the port that the server binds to. It is not necessarily
@@ -15,10 +15,10 @@ extension Server
         init()
         {
             self.authority = .localhost
-            self.certificates = nil
+            self.certificates = "TestCertificates"
             self.redirect = false
             self.mongo = "unidoc-mongod"
-            self.port = 8080
+            self.port = 8443
         }
     }
 }
diff --git a/Sources/UnidocServer/Server/Server.swift b/Sources/UnidocServer/Server/Server.swift
@@ -67,16 +67,16 @@ extension Server
         let cache:Cache<Site.Asset.Get>
         let mode:ServerMode
 
-        switch type(of: authority).scheme
+        if  authority is Localhost
         {
-        case .https:
-            cache = .init(reload: false)
-            mode = .secured
-
-        case .http:
             cache = .init(reload: true)
             mode = .unsecured
         }
+        else
+        {
+            cache = .init(reload: false)
+            mode = .secured
+        }
 
         let github:GitHubPlugin?
         if  let secret:(oauth:String, app:String) = try?

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,19 @@`
	`1`	`+import NIOSSL`
	`2`	`+`
`1`	`3`	`@frozen public`
`2`	`4`	`struct Localhost:ServerAuthority`
`3`	`5`	`{`
`4`		`- @inlinable internal`
`5`		`- init()`
	`6`	`+ public`
	`7`	`+ let tls:NIOSSLContext`
	`8`	`+`
	`9`	`+ @inlinable public`
	`10`	`+ init(tls:NIOSSLContext)`
`6`	`11`	`{`
	`12`	`+ self.tls = tls`
`7`	`13`	`}`
`8`	`14`
`9`	`15`	`@inlinable public static`
`10`		`- var scheme:ServerScheme { .http }`
	`16`	`+ var scheme:ServerScheme { .https }`
`11`	`17`	`@inlinable public static`
`12`	`18`	`var domain:String { "127.0.0.1" }`
`13`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,15 +2,11 @@`
`2`	`2`	`enum ServerScheme`
`3`	`3`	`{`
`4`	`4`	`case https(port:Int = 443)`
`5`		`- case http(port:Int = 80)`
`6`	`5`	`}`
`7`	`6`	`extension ServerScheme`
`8`	`7`	`{`
`9`	`8`	`@inlinable public static`
`10`	`9`	`var https:Self { .https() }`
`11`		`-`
`12`		`- @inlinable public static`
`13`		`- var http:Self { .http() }`
`14`	`10`	`}`
`15`	`11`	`extension ServerScheme`
`16`	`12`	`{`
`@@ -19,7 +15,6 @@ extension ServerScheme`
`19`	`15`	`{`
`20`	`16`	`switch self`
`21`	`17`	`{`
`22`		`- case .http(port: let port): return port`
`23`	`18`	`case .https(port: let port): return port`
`24`	`19`	`}`
`25`	`20`	`}`
`@@ -28,7 +23,6 @@ extension ServerScheme`
`28`	`23`	`{`
`29`	`24`	`switch self`
`30`	`25`	`{`
`31`		`- case .http: return "http"`
`32`	`26`	`case .https: return "https"`
`33`	`27`	`}`
`34`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,12 +3,11 @@ import NIOSSL`
`3`	`3`
`4`	`4`	`struct Swiftinit`
`5`	`5`	`{`
`6`		`- private`
`7`		`- let context:NIOSSLContext`
	`6`	`+ let tls:NIOSSLContext`
`8`	`7`
`9`		`- init(context:NIOSSLContext)`
	`8`	`+ init(tls:NIOSSLContext)`
`10`	`9`	`{`
`11`		`- self.context = context`
	`10`	`+ self.tls = tls`
`12`	`11`	`}`
`13`	`12`	`}`
`14`	`13`	`extension Swiftinit:ServerAuthority`
`@@ -19,8 +18,6 @@ extension Swiftinit:ServerAuthority`
`19`	`18`	`static`
`20`	`19`	`var domain:String { "swiftinit.org" }`
`21`	`20`
`22`		`- var tls:NIOSSLContext? { self.context }`
`23`		`-`
`24`	`21`	`static`
`25`	`22`	`func redact(error _:any Error) -> String`
`26`	`23`	`{`
Original file line number	Diff line number	Diff line change
`@@ -3,12 +3,11 @@ import NIOSSL`
`3`	`3`
`4`	`4`	`struct SwiftinitTest`
`5`	`5`	`{`
`6`		`- private`
`7`		`- let context:NIOSSLContext`
	`6`	`+ let tls:NIOSSLContext`
`8`	`7`
`9`		`- init(context:NIOSSLContext)`
	`8`	`+ init(tls:NIOSSLContext)`
`10`	`9`	`{`
`11`		`- self.context = context`
	`10`	`+ self.tls = tls`
`12`	`11`	`}`
`13`	`12`	`}`
`14`	`13`	`extension SwiftinitTest:ServerAuthority`
`@@ -19,8 +18,6 @@ extension SwiftinitTest:ServerAuthority`
`19`	`18`	`static`
`20`	`19`	`var domain:String { "test.swiftinit.org" }`
`21`	`20`
`22`		`- var tls:NIOSSLContext? { self.context }`
`23`		`-`
`24`	`21`	`static`
`25`	`22`	`func redact(error _:any Error) -> String`
`26`	`23`	`{`