add policy module and some other stuff

dfinity · Apr 24, 2024 · b632e59 · b632e59
1 parent d02e72e
commit b632e59
Show file tree

Hide file tree

Showing 12 changed files with 664 additions and 43 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -10,6 +10,7 @@ arc-swap = "1"
 async-scoped = { version = "0.8", features = ["use-tokio"] }
 async-trait = "0.1"
 axum = "0.7"
+axum-extra = "0.9"
 axum-server = { version = "0.6", features = ["tls-rustls"] }
 candid = "0.10"
 clap = { version = "4.5", features = ["derive", "string"] }
@@ -83,3 +84,4 @@ x509-parser = "0.16"
 [dev-dependencies]
 criterion = { version = "0.5", features = ["async_tokio"] }
 tempfile = "3.10"
+httptest = "0.16"
diff --git a/src/cli.rs b/src/cli.rs
@@ -8,6 +8,7 @@ use clap::{Args, Parser};
 use fqdn::FQDN;
 use hickory_resolver::config::CLOUDFLARE_IPS;
 use humantime::parse_duration;
+use regex::Regex;
 use reqwest::Url;
 
 use crate::{
@@ -34,6 +35,12 @@ pub struct Cli {
 
     #[command(flatten, next_help_heading = "Domains")]
     pub domain: Domain,
+
+    #[command(flatten, next_help_heading = "Policy")]
+    pub policy: Policy,
+
+    #[command(flatten, next_help_heading = "Misc")]
+    pub misc: Misc,
 }
 
 // Clap does not support prefixes due to macro limitations
@@ -133,11 +140,41 @@ pub struct Cert {
 
 #[derive(Args)]
 pub struct Domain {
-    /// List of canister aliases in format 'alias:<canister_id>'
+    /// List of domains that we serve
     #[clap(long = "domain")]
     pub domains: Vec<FQDN>,
 
     /// List of canister aliases in format 'alias:<canister_id>'
-    #[clap(long = "domain-canister-alias")]
+    #[clap(long = "domain-alias")]
     pub canister_aliases: Vec<CanisterAlias>,
 }
+
+#[derive(Args)]
+pub struct Policy {
+    /// Regex to match domains that are allowed to serve system subnets
+    #[clap(long = "policy-domain-system")]
+    pub domains_system: Vec<Regex>,
+
+    /// Regex to match domains that are allowed to serve app subnets
+    #[clap(long = "policy-domain-app")]
+    pub domains_app: Vec<Regex>,
+
+    /// Path to a list of pre-isolation canisters, one canister per line
+    #[clap(long = "policy-pre-isolation-canisters")]
+    pub pre_isolation_canisters: Option<PathBuf>,
+
+    /// Denylist URL
+    #[clap(long = "policy-denylist-url")]
+    pub denylist_url: Option<Url>,
+
+    /// Path to a local denylist cache for initial seeding
+    #[clap(long = "policy-denylist-seed")]
+    pub denylist_seed: Option<PathBuf>,
+}
+
+#[derive(Args)]
+pub struct Misc {
+    /// Path to a GeoIP database
+    #[clap(long = "geoip-db")]
+    pub geoip_db: Option<PathBuf>,
+}
diff --git a/src/core.rs b/src/core.rs
@@ -45,7 +45,10 @@ pub async fn main(cli: Cli) -> Result<(), Error> {
         cli.domain.canister_aliases.clone(),
         storage.clone() as Arc<dyn LooksupCustomDomain>,
     )?;
-    let router = routing::setup_router(Arc::new(canister_resolver) as Arc<dyn ResolvesCanister>);
+    let router = routing::setup_router(
+        &cli,
+        Arc::new(canister_resolver) as Arc<dyn ResolvesCanister>,
+    )?;
 
     let mut runners: Vec<(String, Arc<dyn Run>)> = vec![];
 

diff --git a/src/http/server.rs b/src/http/server.rs
@@ -62,35 +62,39 @@ pub struct TlsInfo {
     pub cipher: CipherSuite,
 }
 
-#[derive(Clone, Debug)]
-pub struct ConnInfo {
-    pub local_addr: SocketAddr,
-    pub remote_addr: SocketAddr,
-    pub tls: Option<TlsInfo>,
-}
-
 impl TryFrom<&ServerConnection> for TlsInfo {
     type Error = Error;
 
     fn try_from(c: &ServerConnection) -> Result<Self, Self::Error> {
         Ok(Self {
             sni: c
                 .server_name()
-                .ok_or(anyhow!("No SNI found"))
+                .ok_or_else(|| anyhow!("No SNI found"))
                 .and_then(|x| {
                     FQDN::from_str(x).map_err(|_| anyhow!("unable to parse SNI as FQDN"))
                 })?,
-            alpn: c
-                .alpn_protocol()
-                .map_or("unknown".into(), |x| String::from_utf8_lossy(x).to_string()),
-            protocol: c.protocol_version().unwrap_or(ProtocolVersion::Unknown(0)),
+            alpn: String::from_utf8_lossy(
+                c.alpn_protocol().ok_or_else(|| anyhow!("No SNI found"))?,
+            )
+            .to_string(),
+            protocol: c
+                .protocol_version()
+                .ok_or_else(|| anyhow!("No TLS protocol found"))?,
             cipher: c
                 .negotiated_cipher_suite()
-                .map_or(rustls::CipherSuite::Unknown(0), |x| x.suite()),
+                .map(|x| x.suite())
+                .ok_or_else(|| anyhow!("No TLS ciphersuite found"))?,
         })
     }
 }
 
+#[derive(Clone, Debug)]
+pub struct ConnInfo {
+    pub local_addr: SocketAddr,
+    pub remote_addr: SocketAddr,
+    pub tls: Option<TlsInfo>,
+}
+
 struct Conn {
     addr: SocketAddr,
     remote_addr: SocketAddr,