scl_lib/

client.rs

// SPDX-License-Identifier: EUPL-1.2
pub use async_trait::async_trait;

use reqwest::{
    header::{self, HeaderMap, HeaderValue},
    Client, Response,
};
pub use reqwest::{Error, StatusCode};

use std::ops::Deref;

use crate::{
    api_objects::{SclEvent, SclObject},
    tls_config::TlsConfig,
};

use crate::LogError;

use self::error::ClientError;

/// This module contains a SclClient-specific error type and associated trait implementations.
pub mod error {
    /// A specialized `Result` type for SclClient operations.
    pub type Result<T> = std::result::Result<T, ClientError>;

    /// General error type for any SclClient errors.
    #[derive(Debug)]
    pub enum ClientError {
        /// Custom error that does not belong to any other category.
        Custom(String),
        /// Wrapper for a `reqwest::Error`.
        Http(reqwest::Error),
        /// Wrapper for a `serde_json::Error`.
        Decode(serde_json::Error),
    }

    impl std::fmt::Display for ClientError {
        fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
            use ClientError::*;
            match self {
                Custom(e) => e.fmt(f),
                Http(e) => e.fmt(f),
                Decode(e) => e.fmt(f),
            }
        }
    }

    impl std::error::Error for ClientError {}

    impl From<reqwest::Error> for ClientError {
        fn from(e: reqwest::Error) -> Self {
            Self::Http(e)
        }
    }

    impl From<serde_json::Error> for ClientError {
        fn from(e: serde_json::Error) -> Self {
            Self::Decode(e)
        }
    }
}

/// A trait for objects which can be passed as [EventHandler] to the `watch` function of a
/// [SclClient].
#[async_trait]
pub trait EventHandler {
    type Item: SclObject;
    async fn handle_event(&mut self, event: SclEvent<Self::Item>);
}

/// A builder to construct a request object that can be used with the SclClient.
///
/// All members are optional and can be omitted. Specify them to create more complex requests.
///
/// # Examples
///
/// ```
/// use scl_lib::api_objects::VirtualMachine;
/// use scl_lib::client::SclRequest;
///
/// let req = SclRequest::<VirtualMachine>::new()
///     .obj_name("vm-01")
///     .sc("sc-01")
///     .query(&[("node", "node-01")]);
/// ```
#[derive(Clone, Debug, Default)]
pub struct SclRequest<'a, T: SclObject> {
    pub obj_name: Option<String>,
    pub sc_name: Option<String>,
    pub body: Option<&'a T>,
    pub query: &'a [(&'a str, &'a str)],
}

impl<'a, T: SclObject> SclRequest<'a, T> {
    /// Creates and initializes a new [SclRequest] object.
    pub fn new() -> Self {
        Self {
            obj_name: None,
            body: None,
            sc_name: None,
            query: &[],
        }
    }

    /// Sets the name of the request object to use as `T::path()/<name>` when constructing the URL.
    pub fn obj_name(mut self, name: &str) -> Self {
        self.obj_name = Some(name.into());
        self
    }

    /// Adds a [SclObject] as body data to the request object.
    pub fn body(mut self, obj: &'a T) -> Self {
        self.body = Some(obj);
        self
    }

    /// Sets the name of the the separation context to use as `/scs/<sc_name>` when constructing
    /// the URL.
    pub fn sc(mut self, sc_name: &str) -> Self {
        self.sc_name = Some(sc_name.into());
        self
    }

    /// Specify query parameters for the request.
    pub fn query(mut self, query: &'a [(&'a str, &'a str)]) -> Self {
        self.query = query;
        self
    }

    /// Constructs a URL path from all member variables and returns it as [String].
    pub fn url_path(&self) -> String {
        T::api_endpoint(self.sc_name.as_deref(), self.obj_name.as_deref())
    }
}

/// A wrapper object for a [Client] to provide convenient functions for interacting with the SCL
/// API.
///
/// It implements the [Deref] trait so that custom requests can still be made directly via the
/// wrapped client object.
///
/// # Examples
///
/// ```no_run
/// use scl_lib::api_objects::VirtualMachine;
/// use scl_lib::client::error::ClientError;
/// use scl_lib::client::{reqwest_client, SclClient, SclRequest};
///
/// #[tokio::main]
/// async fn main() -> Result<(), ClientError> {
///     // Create client instance
///     let client = {
///         let reqwest_client = reqwest_client(None, None)
///             .map_err(|e| ClientError::Custom(e.to_string()))?;
///         SclClient::new("https://127.0.0.1:8008/api/v1".to_string(), reqwest_client)
///     };
///     // List all VMs of node "node-01"
///     let vms: Vec<VirtualMachine> = client.list(
///         &SclRequest::new().query(&[("node", "node-01")])
///     ).await.unwrap();
///     // Get the VM with the name "vm-01" of separation context "sc-01"
///     let vm: VirtualMachine = client.show(
///         &SclRequest::new().obj_name("vm-01").sc("sc-01")
///     ).await.unwrap();
///     // Update the virtual machine
///     let _ = client.update(
///         &SclRequest::new().obj_name(vm.metadata.name()).sc(&vm.separation_context).body(&vm)
///     ).await.unwrap();
///     // Delete the VM
///     let _ = client.delete(
///         &SclRequest::<VirtualMachine>::new().obj_name(vm.metadata.name())
///     ).await.unwrap();
///     Ok(())
/// }
/// ```
#[derive(Clone)]
pub struct SclClient {
    pub api_url: String,
    client: Client,
}

impl SclClient {
    /// Creates a new [SclClient] from a URL string and an preconfigured [Client].
    pub fn new(api_url: String, client: Client) -> Self {
        Self { api_url, client }
    }

    /// Performs a HTTP GET request to the SCL API to fetch and return all [SclObject]s of type
    /// `T`.
    pub async fn list<T: SclObject>(&self, req: &SclRequest<'_, T>) -> Result<Vec<T>, Error> {
        let url = format!("{}{}", self.api_url, req.url_path());
        self.client
            .get(url)
            .query(req.query)
            .send()
            .await
            .log_err()?
            .error_for_status()
            .log_err()?
            .json::<Vec<T>>()
            .await
    }

    /// Performs a HTTP GET request to the SCL API to fetch and return a object of type `T`.
    pub async fn show<T: SclObject>(&self, req: &SclRequest<'_, T>) -> Result<T, Error> {
        let url = format!("{}{}", self.api_url, req.url_path());
        self.client
            .get(url)
            .send()
            .await
            .log_err()?
            .error_for_status()
            .log_err()?
            .json::<T>()
            .await
    }

    /// Performs a HTTP DELETE request to the SCL API to delete a object of type `T`.
    pub async fn delete<T: SclObject>(&self, req: &SclRequest<'_, T>) -> Result<(), Error> {
        let url = format!("{}{}", self.api_url, req.url_path());
        self.client
            .delete(url)
            .send()
            .await
            .log_err()?
            .error_for_status()
            .log_err()?;
        Ok(())
    }

    /// Performs a HTTP POST request to the SCL API to create a object of type `T`.
    pub async fn create<T: SclObject>(&self, req: &SclRequest<'_, T>) -> Result<(), Error> {
        let url = format!("{}{}", self.api_url, req.url_path());
        match req.body {
            Some(body) => self.client.post(url).json(body),
            None => self.client.post(url),
        }
        .send()
        .await
        .log_err()?
        .error_for_status()
        .log_err()?;
        Ok(())
    }

    /// Performs a HTTP PUT request to the SCL API to update a object of type `T`.
    pub async fn update<T: SclObject>(&self, req: &SclRequest<'_, T>) -> Result<(), Error> {
        let url = format!("{}{}", self.api_url, req.url_path());
        match req.body {
            Some(body) => self.client.put(url).json(body),
            None => self.client.put(url),
        }
        .send()
        .await
        .log_err()?
        .error_for_status()
        .log_err()?;
        Ok(())
    }

    /// Performs an HTTP GET request to the watch endpoint of the item associated with the
    /// EventHandler and calls the `handle` function for every received SclEvent.
    ///
    /// Invalid events are logged and then the function waits for further data. The function either
    /// returns `Ok(())` when the bytestream ends, or returns an [reqwest::Error] if the connection
    /// fails or breaks. For an automatic reconnect the function call should be executed in a
    /// `loop{ }`.
    pub async fn watch<T: EventHandler>(&self, mut handler: T) -> Result<(), reqwest::Error> {
        let url = format!(
            "{}/watch{}",
            self.api_url,
            T::Item::api_endpoint(None, None)
        );
        let mut resp = self.client.get(url).send().await?.error_for_status()?;
        while let Some(bytes) = resp.chunk().await.log_err()? {
            match serde_json::from_slice::<SclEvent<T::Item>>(&bytes) {
                Ok(event) => handler.handle_event(event).await,
                Err(err) => log::error!("{}", err),
            };
        }
        Ok(())
    }

    /// Reads chunks of bytes from an open HTTP stream, parses them into an `SclEvent<T>` object
    /// and then returns the result. Returns a `client::error::Error` if the stream fails to read
    /// or the response body has been exhausted.
    pub async fn recv_event<T: SclObject>(resp: &mut Response) -> error::Result<SclEvent<T>> {
        if let Some(bytes) = resp.chunk().await.log_err()? {
            Ok(serde_json::from_slice::<SclEvent<T>>(&bytes)?)
        } else {
            Err(error::ClientError::Custom(
                "Empty Chunk: Response body has been exhausted.".to_string(),
            ))
        }
    }
}

impl Deref for SclClient {
    type Target = Client;

    fn deref(&self) -> &Self::Target {
        &self.client
    }
}

pub fn reqwest_client(
    additional_headers: Option<HeaderMap<HeaderValue>>,
    tls: Option<&TlsConfig>,
) -> Result<reqwest::Client, Box<dyn std::error::Error>> {
    let mut headers = HeaderMap::new();
    // Set ACCEPT and CONTENT_TYPE headers to application/json
    headers.insert(header::ACCEPT, HeaderValue::from_static("application/json"));
    headers.insert(
        header::CONTENT_TYPE,
        HeaderValue::from_static("application/json"),
    );
    // Add additional headers
    if let Some(additional_headers) = additional_headers {
        for (key, value) in additional_headers.iter() {
            headers.insert(key, value.clone());
        }
    }

    let mut client_builder = Client::builder().default_headers(headers);

    if let Some(tls) = tls {
        use rustls::{
            client::{ClientConfig, ServerCertVerifier},
            Certificate, PrivateKey,
        };
        use std::sync::Arc;
        // rustls wants all certificates and keys in DER format, but we generate them in PEM format.
        // For this reason we have to convert them into DER.
        //
        // Parse CA certificate.
        let ca_certs: Vec<Certificate> = rustls_pemfile::certs(&mut tls.ca_cert.as_ref())?
            .into_iter()
            .map(Certificate)
            .collect();

        // Parse client certificate.
        let client_cert = rustls_pemfile::certs(&mut tls.client_cert.as_ref())?
            .into_iter()
            .map(Certificate)
            .collect();
        // Parse client key.
        let client_key = PrivateKey(
            rustls_pemfile::pkcs8_private_keys(&mut tls.client_key.as_ref())?
                .first()
                .ok_or("No PKCS8-encoded private key found.".to_string())?
                .to_vec(),
        );
        // Parse certificate revocation list.
        let crls = {
            use rustls::{server::UnparsedCertRevocationList, CertRevocationListError};

            rustls_pemfile::crls(&mut tls.crl.as_ref())
                .map_err(|e| ClientError::Custom(format!("Failed to parse CRL file: {e:?}")))?
                .into_iter()
                .map(|crl| UnparsedCertRevocationList(crl).parse())
                .collect::<Result<Vec<webpki::OwnedCertRevocationList>, CertRevocationListError>>()
                .map_err(|e| format!("Failed to parse one or more CRL: {e:?}"))?
        };

        // Use the custom ServerCertCrlVerifier.
        let custom_verifier = verify::WebPkiVerifierWithCrl::new(ca_certs, crls);
        let verifier: Arc<dyn ServerCertVerifier> = Arc::new(custom_verifier);

        // Explicitly want this type annotation here as a compile-time check because
        // `use_preconfigured_tls()` below accepts the `Any` type as an argument
        // and downcasts to a ClientConfig at runtime.
        let tls_config: ClientConfig = ClientConfig::builder()
            .with_safe_defaults()
            .with_custom_certificate_verifier(verifier)
            .with_client_auth_cert(client_cert, client_key)?;

        client_builder = client_builder.use_preconfigured_tls(tls_config);
    }

    Ok(client_builder.build()?)
}

mod verify {
    use rustls::{
        client::{verify_server_name, ServerCertVerified, ServerCertVerifier},
        server::ParsedCertificate,
        Certificate, Error,
    };

    // The elements of this module are a 1:1 copy of the upstream
    // [rustls::verify module](https://github.com/rustls/rustls/blob/v/0.21.7/rustls/src/verify.rs),
    // but needs to be redifined because they are not public but required to implement a custom
    // ServerCertVerifier.
    //
    // Copyright (c) 2016 Joseph Birr-Pixton <jpixton@gmail.com>
    // https://github.com/rustls/rustls/blob/v/0.21.7/LICENSE-MIT
    mod rustls_verifier {
        type SignatureAlgorithms = &'static [&'static webpki::SignatureAlgorithm];
        /// Which signature verification mechanisms we support.  No particular
        /// order.
        pub(super) static SUPPORTED_SIG_ALGS: SignatureAlgorithms = &[
            &webpki::ECDSA_P256_SHA256,
            &webpki::ECDSA_P256_SHA384,
            &webpki::ECDSA_P384_SHA256,
            &webpki::ECDSA_P384_SHA384,
            &webpki::ED25519,
            &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
            &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
            &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
            &webpki::RSA_PKCS1_2048_8192_SHA256,
            &webpki::RSA_PKCS1_2048_8192_SHA384,
            &webpki::RSA_PKCS1_2048_8192_SHA512,
            &webpki::RSA_PKCS1_3072_8192_SHA384,
        ];

        pub(super) fn pki_error(error: webpki::Error) -> rustls::Error {
            use rustls::{CertRevocationListError, CertificateError};
            use std::sync::Arc;
            use webpki::Error::*;
            match error {
                BadDer | BadDerTime => CertificateError::BadEncoding.into(),
                CertNotValidYet => CertificateError::NotValidYet.into(),
                CertExpired | InvalidCertValidity => CertificateError::Expired.into(),
                UnknownIssuer => CertificateError::UnknownIssuer.into(),
                CertNotValidForName => CertificateError::NotValidForName.into(),
                CertRevoked => CertificateError::Revoked.into(),
                IssuerNotCrlSigner => CertRevocationListError::IssuerInvalidForCrl.into(),

                InvalidSignatureForPublicKey
                | UnsupportedSignatureAlgorithm
                | UnsupportedSignatureAlgorithmForPublicKey => {
                    CertificateError::BadSignature.into()
                }

                InvalidCrlSignatureForPublicKey
                | UnsupportedCrlSignatureAlgorithm
                | UnsupportedCrlSignatureAlgorithmForPublicKey => {
                    CertRevocationListError::BadSignature.into()
                }

                _ => CertificateError::Other(Arc::new(error)).into(),
            }
        }
    }
    /// Basicly the same as the [upstream WebPkiVerifier](https://github.com/rustls/rustls/blob/v/0.21.7/rustls/src/verify.rs#L387),
    /// but instead of passing a empty vector to the [`verify_for_usage()` function](https://github.com/rustls/rustls/blob/v/0.21.7/rustls/src/verify.rs#L352)
    /// the content of the specfied certificate revocation list file is provided as input.
    pub struct WebPkiVerifierWithCrl {
        roots: Vec<Certificate>,
        crls: Vec<webpki::OwnedCertRevocationList>,
    }

    impl WebPkiVerifierWithCrl {
        pub fn new(roots: Vec<Certificate>, crls: Vec<webpki::OwnedCertRevocationList>) -> Self {
            Self { roots, crls }
        }
    }

    impl ServerCertVerifier for WebPkiVerifierWithCrl {
        fn verify_server_cert(
            &self,
            end_entity: &Certificate,
            intermediates: &[Certificate],
            server_name: &rustls::ServerName,
            _scts: &mut dyn Iterator<Item = &[u8]>,
            ocsp_response: &[u8],
            now: std::time::SystemTime,
        ) -> Result<ServerCertVerified, Error> {
            let cert = webpki::EndEntityCert::try_from(end_entity.0.as_ref()).unwrap();

            let chain: Vec<&[u8]> = intermediates.iter().map(|cert| cert.0.as_ref()).collect();
            let trust_roots: Vec<webpki::TrustAnchor> = self
                .roots
                .iter()
                .map(|crt| webpki::TrustAnchor::try_from_cert_der(&crt.0).unwrap())
                .collect();
            let webpki_now =
                webpki::Time::try_from(now).map_err(|_| Error::FailedToGetCurrentTime)?;

            #[allow(trivial_casts)] // Cast to &dyn trait is required.
            let crls = self
                .crls
                .iter()
                .map(|crl| crl as &dyn webpki::CertRevocationList)
                .collect::<Vec<_>>();

            cert.verify_for_usage(
                rustls_verifier::SUPPORTED_SIG_ALGS,
                &trust_roots,
                &chain,
                webpki_now,
                webpki::KeyUsage::server_auth(),
                crls.as_slice(),
            )
            .map_err(rustls_verifier::pki_error)?;

            if !ocsp_response.is_empty() {
                log::trace!("Unvalidated OCSP response: {:?}", ocsp_response.to_vec());
            }
            let cert = ParsedCertificate::try_from(end_entity)?;

            verify_server_name(&cert, server_name)?;
            Ok(ServerCertVerified::assertion())
        }
    }
}