From ebd651386d1db311db5cd982bf717c22b7d311da Mon Sep 17 00:00:00 2001
From: Akhil Thankachan Thomas
Date: Sat, 12 Aug 2023 00:37:31 +0530
Subject: [PATCH] make tls stuff optional

Signed-off-by: Akhil Thankachan Thomas
---
 kuksa_databroker/databroker-cli/Cargo.toml | 7 +-
 kuksa_databroker/databroker-cli/src/client.rs | 7 ++
 kuksa_databroker/databroker-cli/src/main.rs | 1 +
 kuksa_databroker/databroker/Cargo.toml | 10 ++-
 .../databroker/src/grpc/server.rs | 6 +-
 kuksa_databroker/databroker/src/main.rs | 67 +++++++++++-------
 6 files changed, 62 insertions(+), 36 deletions(-)

diff --git a/kuksa_databroker/databroker-cli/Cargo.toml b/kuksa_databroker/databroker-cli/Cargo.toml
index f75cd3307..23f351b99 100644
--- a/kuksa_databroker/databroker-cli/Cargo.toml
+++ b/kuksa_databroker/databroker-cli/Cargo.toml
@@ -20,7 +20,7 @@ license = "Apache-2.0"
 
 [dependencies]
 databroker-proto = { workspace = true }
-tonic = { workspace = true, features = ["transport", "channel", "prost", "tls"] }
+tonic = { workspace = true, optional = true }
 prost = { workspace = true }
 prost-types = { workspace = true }
 tokio = { workspace = true, features = [
@@ -39,3 +39,8 @@ clap = { workspace = true, features = [
 ] }
 regex = "1.6.0"
 http = "0.2.8"
+
+[features]
+default = ["tls"]
+tls = ["tonic/transport", "tonic/channel", "tonic/prost", "tonic/tls"]
+no-tls = ["tonic/transport", "tonic/channel", "tonic/prost"]
diff --git a/kuksa_databroker/databroker-cli/src/client.rs b/kuksa_databroker/databroker-cli/src/client.rs
index c696ebd11..1d4854c74 100644
--- a/kuksa_databroker/databroker-cli/src/client.rs
+++ b/kuksa_databroker/databroker-cli/src/client.rs
@@ -21,6 +21,7 @@ use tonic::transport::Channel;
 pub struct Client {
 uri: Uri,
 token: Option,
+ #[cfg(feature = "tls")]
 tls_config: Option,
 channel: Option,
 connection_state_subs: Option>,
@@ -67,6 +68,7 @@ impl Client {
 Client {
 uri,
 token: None,
+ #[cfg(feature = "tls")]
 tls_config: None,
 channel: None,
 connection_state_subs: None,
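Review bot: `tls` and `no-tls` are not mutually exclusive Cargo features, so `cargo build --features no-tls` without `--no-default-features` enables both (`default = ["tls"]`), and the pair only encodes "is TLS compiled in", which the `tls` feature alone already expresses. Since `tonic`'s `transport`/`channel`/`prost` features are needed in both variants, I would keep `tonic` non-optional with those three and let `tls` add only the TLS part: `tonic = { workspace = true, features = ["transport", "channel", "prost"] }` and `tls = ["tonic/tls"]`, dropping `no-tls`. The same feature table is added to databroker/Cargo.toml in this patch, and databroker/src/main.rs branches on both features (see the note on that hunk).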
@@ -77,6 +79,7 @@ impl Client {
 self.uri.to_string()
 }
 
+ #[cfg(feature = "tls")]
 pub fn set_tls_config(&mut self, tls_config: tonic::transport::ClientTlsConfig) {
 self.tls_config = Some(tls_config);
 }
@@ -107,8 +110,12 @@ impl Client {
 }
 
 async fn try_create_channel(&mut self) -> Result<&Channel, ClientError> {
+ #[cfg(feature = "tls")]
 let mut builder = tonic::transport::Channel::builder(self.uri.clone());
+ #[cfg(not(feature = "tls"))]
+ let builder = tonic::transport::Channel::builder(self.uri.clone());
 
+ #[cfg(feature = "tls")]
 if let Some(tls_config) = &self.tls_config {
 match builder.tls_config(tls_config.clone()) {
 Ok(new_builder) => {
diff --git a/kuksa_databroker/databroker-cli/src/main.rs b/kuksa_databroker/databroker-cli/src/main.rs
index c38ec1a41..7af2168d1 100644
--- a/kuksa_databroker/databroker-cli/src/main.rs
+++ b/kuksa_databroker/databroker-cli/src/main.rs
@@ -111,6 +111,7 @@ async fn main() -> Result<(), Box> {
 client.set_access_token(token)?;
 }
 
+ #[cfg(feature = "tls")]
 if let Some(ca_cert_filename) = cli.ca_cert {
 let pem = std::fs::read(ca_cert_filename)?;
 let ca_cert = tonic::transport::Certificate::from_pem(pem);
diff --git a/kuksa_databroker/databroker/Cargo.toml b/kuksa_databroker/databroker/Cargo.toml
index b8ab22a85..9061cee71 100644
--- a/kuksa_databroker/databroker/Cargo.toml
+++ b/kuksa_databroker/databroker/Cargo.toml
@@ -24,12 +24,7 @@ path = "src/lib.rs"
 
 [dependencies]
 databroker-proto = { workspace = true }
-tonic = { workspace = true, features = [
- "transport",
- "channel",
- "prost",
- "tls",
-] }
+tonic = { workspace = true, optional = true }
 prost = { workspace = true }
 prost-types = { workspace = true }
 tokio = { workspace = true, features = [
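Review bot: With the `tls` feature off, a `--ca-cert` argument is silently ignored in the databroker-cli/src/main.rs hunk: the whole `if let Some(ca_cert_filename) = cli.ca_cert` block is compiled out, and the diffstat shows this file gains only that one line, so the option itself is presumably still declared and accepted; the client then connects in plaintext while the operator believes a CA certificate is in use. A `#[cfg(not(feature = "tls"))]` branch that rejects the option when it is present makes the build difference explicit instead of relying on a user to notice. `main` begins and ends outside the hunk, and the `cli` struct is not visible here, so the field type is assumed to be an `Option`.

```rust
    // … unchanged: access-token handling and the #[cfg(feature = "tls")] CA-certificate block …
    #[cfg(not(feature = "tls"))]
    if cli.ca_cert.is_some() {
        return Err("--ca-cert was given, but this build has no `tls` feature".into());
    }
```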
@@ -60,6 +55,9 @@ jemallocator = { version = "0.5.0", optional = true }
 lazy_static = "1.4.0"
 
 [features]
+default = ["tls"]
+tls = ["tonic/transport", "tonic/channel", "tonic/prost", "tonic/tls"]
+no-tls = ["tonic/transport", "tonic/channel", "tonic/prost"]
 # to enable jemalloc use --features jemalloc
 jemalloc = ["dep:jemallocator"]
 libtest = []
diff --git a/kuksa_databroker/databroker/src/grpc/server.rs b/kuksa_databroker/databroker/src/grpc/server.rs
index 12a66d0c5..0d20d4fc7 100644
--- a/kuksa_databroker/databroker/src/grpc/server.rs
+++ b/kuksa_databroker/databroker/src/grpc/server.rs
@@ -14,7 +14,9 @@ use std::{convert::TryFrom, future::Future, time::Duration};
 use tokio_stream::wrappers::TcpListenerStream;
-use tonic::transport::{Server, ServerTlsConfig};
+use tonic::transport::Server;
+#[cfg(feature = "tls")]
+use tonic::transport::ServerTlsConfig;
 use tracing::{debug, info, warn};
 use databroker_proto::{kuksa, sdv};
@@ -33,6 +35,7 @@ pub enum Authorization {
 
 pub enum ServerTLS {
 Disabled,
+ #[cfg(feature = "tls")]
 Enabled { tls_config: ServerTlsConfig },
 }
 
@@ -110,6 +113,7 @@ where
 .http2_keepalive_timeout(Some(Duration::from_secs(20)));
 
 match server_tls {
+ #[cfg(feature = "tls")]
 ServerTLS::Enabled { tls_config } => {
 info!("Using TLS");
 builder = builder.tls_config(tls_config)?;
diff --git a/kuksa_databroker/databroker/src/main.rs b/kuksa_databroker/databroker/src/main.rs
index 77a33d465..e6f583711 100644
--- a/kuksa_databroker/databroker/src/main.rs
+++ b/kuksa_databroker/databroker/src/main.rs
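Review bot: `ServerTLS` is a public enum whose `Enabled` variant now exists only under the `tls` feature, and neither the enum nor the variant says so in the second server.rs hunk, so every `match` on it elsewhere has to be gated the same way the third hunk gates its arm. I would document that on the type: `/// TLS setting for the gRPC listener. `Enabled` exists only when the crate is built with the `tls` feature; without it every listener is plaintext.` and, on the variant, `/// Serve with the given tonic TLS configuration (requires the `tls` feature).` The `no-tls` feature is not referenced anywhere in this file, which supports gating on `tls` alone.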
@@ -355,37 +355,48 @@ async fn main() -> Result<(), Box> {
 
 let tls_config = if args.get_flag("insecure") {
 ServerTLS::Disabled
- } else {
- let cert_file = args.get_one::("tls-cert");
- let key_file = args.get_one::("tls-private-key");
- match (cert_file, key_file) {
- (Some(cert_file), Some(key_file)) => {
- let cert = std::fs::read(cert_file)?;
- let key = std::fs::read(key_file)?;
- let identity = tonic::transport::Identity::from_pem(cert, key);
- ServerTLS::Enabled {
- tls_config: tonic::transport::ServerTlsConfig::new().identity(identity),
+ } else if cfg!(feature = "tls") {
+ #[cfg(not(feature = "no-tls"))]
+ {
+ let cert_file = args.get_one::("tls-cert");
+ let key_file = args.get_one::("tls-private-key");
+ match (cert_file, key_file) {
+ (Some(cert_file), Some(key_file)) => {
+ let cert = std::fs::read(cert_file)?;
+ let key = std::fs::read(key_file)?;
+ let identity = tonic::transport::Identity::from_pem(cert, key);
+ ServerTLS::Enabled {
+ tls_config: tonic::transport::ServerTlsConfig::new().identity(identity),
+ }
+ }
+ (Some(_), None) => {
+ return Err(
+ "TLS private key (--tls-private-key) must be set if --tls-cert is.".into(),
+ );
+ }
+ (None, Some(_)) => {
+ return Err(
+ "TLS certificate (--tls-cert) must be set if --tls-private-key is.".into(),
+ );
+ }
+ (None, None) => {
+ warn!(
+ "Default behavior of accepting insecure connections \
+ when TLS is not configured may change in the future! \
+ Please use --insecure to explicitly enable this behavior."
+ );
+ ServerTLS::Disabled
 }
- }
- (Some(_), None) => {
- return Err(
- "TLS private key (--tls-private-key) must be set if --tls-cert is.".into(),
- );
- }
- (None, Some(_)) => {
- return Err(
- "TLS certificate (--tls-cert) must be set if --tls-private-key is.".into(),
- );
- }
- (None, None) => {
- warn!(
- "Default behavior of accepting insecure connections \
- when TLS is not configured may change in the future! \
- Please use --insecure to explicitly enable this behavior."
- );
- ServerTLS::Disabled
 }
 }
+ #[cfg(feature = "no-tls")]
+ {
+ warn!("TLS feature not enabled, built with tls flag or default features. Falling back to insecure mode");
+ ServerTLS::Disabled
+ }
+ }else{
+ warn!("TLS feature not enabled falling back to insecure mode");
+ ServerTLS::Disabled
 };
 
 let jwt_public_key = match args.get_one::("jwt-public-key") {
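Review bot: Both fallback paths at the end of the hunk (the `#[cfg(feature = "no-tls")]` block and the trailing `}else{`) return `ServerTLS::Disabled` after only a `warn!` and never look at `--tls-cert`/`--tls-private-key`, so a build with both `tls` and `no-tls` enabled (the default feature plus `--features no-tls`) serves plaintext even when the operator supplied a certificate, and the `(Some(_), None)`-style errors the hunk keeps for the `tls` path are bypassed. The structure also does not cover every feature combination: the `#[cfg(not(feature = "no-tls"))]` block is compiled whenever `no-tls` is off, and with `tls` off as well it still names `ServerTLS::Enabled` and `tonic::transport::Identity`, which that build does not have (tonic is optional and only the two features enable it in the Cargo.toml hunks), so `--no-default-features` presumably fails to compile rather than reaching the `else` branch. I would gate on `tls` alone and, in the non-`tls` build, reject the certificate options instead of warning, as sketched below; `}else{` should also read `} else {` per rustfmt. `main` starts and ends outside the hunk.

```rust
    let tls_config = if args.get_flag("insecure") {
        ServerTLS::Disabled
    } else {
        #[cfg(feature = "tls")]
        {
            // … unchanged: cert/key pairing, Identity::from_pem, ServerTLS::Enabled and the (None, None) warning …
        }
        #[cfg(not(feature = "tls"))]
        {
            // Refuse to silently ignore certificate options the build cannot honour.
            if args.contains_id("tls-cert") || args.contains_id("tls-private-key") {
                return Err("--tls-cert/--tls-private-key given, but this build has no `tls` feature".into());
            }
            warn!("Built without the `tls` feature; accepting insecure connections");
            ServerTLS::Disabled
        }
    };
```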