diff --git a/crates/notary/server/src/config.rs b/crates/notary/server/src/config.rs index b5181fb699..4e753aca76 100644 --- a/crates/notary/server/src/config.rs +++ b/crates/notary/server/src/config.rs @@ -21,7 +21,7 @@ pub struct AuthorizationProperties { /// Switch to turn on or off auth middleware pub enabled: bool, /// File path of the whitelist API key csv - pub whitelist_csv_path: String, + pub whitelist_csv_path: Option, } #[derive(Clone, Debug, Deserialize, Default)] @@ -53,8 +53,8 @@ pub struct TLSProperties { /// turned on unless TLS is handled by external setup e.g. reverse proxy, /// cloud) pub enabled: bool, - pub private_key_pem_path: String, - pub certificate_pem_path: String, + pub private_key_pem_path: Option, + pub certificate_pem_path: Option, } #[derive(Clone, Debug, Deserialize, Default)] diff --git a/crates/notary/server/src/server.rs b/crates/notary/server/src/server.rs index 5a93463a1b..745bad1fec 100644 --- a/crates/notary/server/src/server.rs +++ b/crates/notary/server/src/server.rs @@ -61,11 +61,19 @@ pub async fn run_server(config: &NotaryServerProperties) -> Result<(), NotarySer debug!("Skipping TLS setup as it is turned off."); None } else { - let (tls_private_key, tls_certificates) = load_tls_key_and_cert( - &config.tls.private_key_pem_path, - &config.tls.certificate_pem_path, - ) - .await?; + let private_key_pem_path = config + .tls + .private_key_pem_path + .as_deref() + .ok_or_else(|| eyre!("TLS is enabled but private key PEM path is not set"))?; + let certificate_pem_path = config + .tls + .certificate_pem_path + .as_deref() + .ok_or_else(|| eyre!("TLS is enabled but certificate PEM path is not set"))?; + + let (tls_private_key, tls_certificates) = + load_tls_key_and_cert(private_key_pem_path, certificate_pem_path).await?; let mut server_config = ServerConfig::builder() .with_safe_defaults() @@ -293,11 +301,17 @@ fn load_authorization_whitelist( debug!("Skipping authorization as it is turned off."); None } else { + // Check if whitelist_csv_path is Some and convert to &str + let whitelist_csv_path = config + .authorization + .whitelist_csv_path + .as_deref() + .ok_or_else(|| { + eyre!("Authorization whitelist csv path is not provided in the config") + })?; // Load the csv - let whitelist_csv = parse_csv_file::( - &config.authorization.whitelist_csv_path, - ) - .map_err(|err| eyre!("Failed to parse authorization whitelist csv: {:?}", err))?; + let whitelist_csv = parse_csv_file::(whitelist_csv_path) + .map_err(|err| eyre!("Failed to parse authorization whitelist csv: {:?}", err))?; // Convert the whitelist record into hashmap for faster lookup let whitelist_hashmap = authorization_whitelist_vec_into_hashmap(whitelist_csv); Some(whitelist_hashmap) @@ -347,12 +361,18 @@ fn watch_and_reload_authorization_whitelist( ) .map_err(|err| eyre!("Error occured when setting up watcher for hot reload: {err}"))?; + // Check if whitelist_csv_path is Some and convert to &str + let whitelist_csv_path = config + .authorization + .whitelist_csv_path + .as_deref() + .ok_or_else(|| { + eyre!("Authorization whitelist csv path is not provided in the config") + })?; + // Start watcher to listen to any changes on the whitelist file watcher - .watch( - Path::new(&config.authorization.whitelist_csv_path), - RecursiveMode::Recursive, - ) + .watch(Path::new(whitelist_csv_path), RecursiveMode::Recursive) .map_err(|err| eyre!("Error occured when starting up watcher for hot reload: {err}"))?; Some(watcher) @@ -404,7 +424,7 @@ mod test { let config = NotaryServerProperties { authorization: AuthorizationProperties { enabled: true, - whitelist_csv_path, + whitelist_csv_path: Some(whitelist_csv_path.clone()), }, ..Default::default() }; @@ -428,16 +448,16 @@ mod test { api_key: "unit-test-api-key".to_string(), created_at: "unit-test-created-at".to_string(), }; - let file = OpenOptions::new() - .append(true) - .open(&config.authorization.whitelist_csv_path) - .unwrap(); - let mut wtr = WriterBuilder::new() - .has_headers(false) // Set to false to avoid writing header again - .from_writer(file); - wtr.serialize(new_record).unwrap(); - wtr.flush().unwrap(); - + if let Some(ref path) = config.authorization.whitelist_csv_path { + let file = OpenOptions::new().append(true).open(path).unwrap(); + let mut wtr = WriterBuilder::new() + .has_headers(false) // Set to false to avoid writing header again + .from_writer(file); + wtr.serialize(new_record).unwrap(); + wtr.flush().unwrap(); + } else { + panic!("Whitelist CSV path should be provided in the config"); + } // Sleep to buy a bit of time for updated whitelist to be hot reloaded tokio::time::sleep(Duration::from_millis(50)).await; @@ -448,6 +468,6 @@ mod test { .contains_key("unit-test-api-key")); // Delete the cloned whitelist - std::fs::remove_file(&config.authorization.whitelist_csv_path).unwrap(); + std::fs::remove_file(&whitelist_csv_path).unwrap(); } } diff --git a/crates/notary/tests-integration/tests/notary.rs b/crates/notary/tests-integration/tests/notary.rs index 4476e3b8ab..199ecb19ee 100644 --- a/crates/notary/tests-integration/tests/notary.rs +++ b/crates/notary/tests-integration/tests/notary.rs @@ -52,8 +52,8 @@ fn get_server_config(port: u16, tls_enabled: bool, auth_enabled: bool) -> Notary }, tls: TLSProperties { enabled: tls_enabled, - private_key_pem_path: "../server/fixture/tls/notary.key".to_string(), - certificate_pem_path: "../server/fixture/tls/notary.crt".to_string(), + private_key_pem_path: Some("../server/fixture/tls/notary.key".to_string()), + certificate_pem_path: Some("../server/fixture/tls/notary.crt".to_string()), }, notary_key: NotarySigningKeyProperties { private_key_pem_path: "../server/fixture/notary/notary.key".to_string(), @@ -65,7 +65,7 @@ fn get_server_config(port: u16, tls_enabled: bool, auth_enabled: bool) -> Notary }, authorization: AuthorizationProperties { enabled: auth_enabled, - whitelist_csv_path: "../server/fixture/auth/whitelist.csv".to_string(), + whitelist_csv_path: Some("../server/fixture/auth/whitelist.csv".to_string()), }, } }