make tls stuff optional

Signed-off-by: Akhil Thankachan Thomas <[email protected]>
eclipse · Aug 11, 2023 · ebd6513 · ebd6513
1 parent 99f2484
commit ebd6513
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 36 deletions.
diff --git a/kuksa_databroker/databroker-cli/Cargo.toml b/kuksa_databroker/databroker-cli/Cargo.toml
@@ -20,7 +20,7 @@ license = "Apache-2.0"
 
 [dependencies]
 databroker-proto = { workspace = true }
-tonic = { workspace = true, features = ["transport", "channel", "prost", "tls"] }
+tonic = { workspace = true, optional = true }
 prost = { workspace = true }
 prost-types = { workspace = true }
 tokio = { workspace = true, features = [
@@ -39,3 +39,8 @@ clap = { workspace = true, features = [
 ] }
 regex = "1.6.0"
 http = "0.2.8"
+
+[features]
+default = ["tls"]
+tls = ["tonic/transport", "tonic/channel", "tonic/prost", "tonic/tls"]
+no-tls = ["tonic/transport", "tonic/channel", "tonic/prost"]
diff --git a/kuksa_databroker/databroker-cli/src/client.rs b/kuksa_databroker/databroker-cli/src/client.rs
@@ -21,6 +21,7 @@ use tonic::transport::Channel;
 pub struct Client {
     uri: Uri,
     token: Option<tonic::metadata::AsciiMetadataValue>,
+    #[cfg(feature = "tls")]
     tls_config: Option<tonic::transport::ClientTlsConfig>,
     channel: Option<tonic::transport::Channel>,
     connection_state_subs: Option<tokio::sync::broadcast::Sender<ConnectionState>>,
@@ -67,6 +68,7 @@ impl Client {
         Client {
             uri,
             token: None,
+            #[cfg(feature = "tls")]
             tls_config: None,
             channel: None,
             connection_state_subs: None,
@@ -77,6 +79,7 @@ impl Client {
         self.uri.to_string()
     }
 
+    #[cfg(feature = "tls")]
     pub fn set_tls_config(&mut self, tls_config: tonic::transport::ClientTlsConfig) {
         self.tls_config = Some(tls_config);
     }
@@ -107,8 +110,12 @@ impl Client {
     }
 
     async fn try_create_channel(&mut self) -> Result<&Channel, ClientError> {
+        #[cfg(feature = "tls")]
         let mut builder = tonic::transport::Channel::builder(self.uri.clone());
+        #[cfg(not(feature = "tls"))]
+        let builder = tonic::transport::Channel::builder(self.uri.clone());
 
+        #[cfg(feature = "tls")]
         if let Some(tls_config) = &self.tls_config {
             match builder.tls_config(tls_config.clone()) {
                 Ok(new_builder) => {

diff --git a/kuksa_databroker/databroker-cli/src/main.rs b/kuksa_databroker/databroker-cli/src/main.rs
@@ -111,6 +111,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
         client.set_access_token(token)?;
     }
 
+    #[cfg(feature = "tls")]
     if let Some(ca_cert_filename) = cli.ca_cert {
         let pem = std::fs::read(ca_cert_filename)?;
         let ca_cert = tonic::transport::Certificate::from_pem(pem);

diff --git a/kuksa_databroker/databroker/Cargo.toml b/kuksa_databroker/databroker/Cargo.toml
@@ -24,12 +24,7 @@ path = "src/lib.rs"
 
 [dependencies]
 databroker-proto = { workspace = true }
-tonic = { workspace = true, features = [
-    "transport",
-    "channel",
-    "prost",
-    "tls",
-] }
+tonic = { workspace = true, optional = true }
 prost = { workspace = true }
 prost-types = { workspace = true }
 tokio = { workspace = true, features = [
@@ -60,6 +55,9 @@ jemallocator = { version = "0.5.0", optional = true }
 lazy_static = "1.4.0"
 
 [features]
+default = ["tls"]
+tls = ["tonic/transport", "tonic/channel", "tonic/prost", "tonic/tls"]
+no-tls = ["tonic/transport", "tonic/channel", "tonic/prost"]
 # to enable jemalloc use --features jemalloc
 jemalloc = ["dep:jemallocator"]
 libtest = []

diff --git a/kuksa_databroker/databroker/src/grpc/server.rs b/kuksa_databroker/databroker/src/grpc/server.rs
@@ -14,7 +14,9 @@
 use std::{convert::TryFrom, future::Future, time::Duration};
 
 use tokio_stream::wrappers::TcpListenerStream;
-use tonic::transport::{Server, ServerTlsConfig};
+use tonic::transport::Server;
+#[cfg(feature = "tls")]
+use tonic::transport::ServerTlsConfig;
 use tracing::{debug, info, warn};
 
 use databroker_proto::{kuksa, sdv};
@@ -33,6 +35,7 @@ pub enum Authorization {
 
 pub enum ServerTLS {
     Disabled,
+    #[cfg(feature = "tls")]
     Enabled { tls_config: ServerTlsConfig },
 }
 
@@ -110,6 +113,7 @@ where
         .http2_keepalive_timeout(Some(Duration::from_secs(20)));
 
     match server_tls {
+        #[cfg(feature = "tls")]
         ServerTLS::Enabled { tls_config } => {
             info!("Using TLS");
             builder = builder.tls_config(tls_config)?;

diff --git a/kuksa_databroker/databroker/src/main.rs b/kuksa_databroker/databroker/src/main.rs
@@ -355,37 +355,48 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
 
     let tls_config = if args.get_flag("insecure") {
         ServerTLS::Disabled
-    } else {
-        let cert_file = args.get_one::<String>("tls-cert");
-        let key_file = args.get_one::<String>("tls-private-key");
-        match (cert_file, key_file) {
-            (Some(cert_file), Some(key_file)) => {
-                let cert = std::fs::read(cert_file)?;
-                let key = std::fs::read(key_file)?;
-                let identity = tonic::transport::Identity::from_pem(cert, key);
-                ServerTLS::Enabled {
-                    tls_config: tonic::transport::ServerTlsConfig::new().identity(identity),
+    } else if cfg!(feature = "tls") {
+        #[cfg(not(feature = "no-tls"))]
+        {
+            let cert_file = args.get_one::<String>("tls-cert");
+            let key_file = args.get_one::<String>("tls-private-key");
+            match (cert_file, key_file) {
+                (Some(cert_file), Some(key_file)) => {
+                    let cert = std::fs::read(cert_file)?;
+                    let key = std::fs::read(key_file)?;
+                    let identity = tonic::transport::Identity::from_pem(cert, key);
+                    ServerTLS::Enabled {
+                        tls_config: tonic::transport::ServerTlsConfig::new().identity(identity),
+                    }
+                }
+                (Some(_), None) => {
+                    return Err(
+                        "TLS private key (--tls-private-key) must be set if --tls-cert is.".into(),
+                    );
+                }
+                (None, Some(_)) => {
+                    return Err(
+                        "TLS certificate (--tls-cert) must be set if --tls-private-key is.".into(),
+                    );
+                }
+                (None, None) => {
+                    warn!(
+                        "Default behavior of accepting insecure connections \
+                        when TLS is not configured may change in the future! \
+                        Please use --insecure to explicitly enable this behavior."
+                    );
+                    ServerTLS::Disabled
                 }
-            }
-            (Some(_), None) => {
-                return Err(
-                    "TLS private key (--tls-private-key) must be set if --tls-cert is.".into(),
-                );
-            }
-            (None, Some(_)) => {
-                return Err(
-                    "TLS certificate (--tls-cert) must be set if --tls-private-key is.".into(),
-                );
-            }
-            (None, None) => {
-                warn!(
-                    "Default behavior of accepting insecure connections \
-                    when TLS is not configured may change in the future! \
-                    Please use --insecure to explicitly enable this behavior."
-                );
-                ServerTLS::Disabled
             }
         }
+        #[cfg(feature = "no-tls")]
+        {
+            warn!("TLS feature not enabled, built with tls flag or default features. Falling back to insecure mode");
+            ServerTLS::Disabled
+        }
+    }else{
+        warn!("TLS feature not enabled falling back to insecure mode");
+        ServerTLS::Disabled
     };
 
     let jwt_public_key = match args.get_one::<String>("jwt-public-key") {