Add Rust scaffolding

This adds all the various configuration and tooling to have a
proxy written in Rust, some of which is copied from SecureDrop server.

.cargo/audit.toml

@@ -0,0 +1,13 @@
+[advisories]
+# advisory IDs to ignore e.g. ["RUSTSEC-2019-0001", ...]
+ignore = []
+
+# Output Configuration
+[output]
+deny = ["warnings"]
+quiet = false
+
+# Target Configuration
+[target]
+arch = "x86_64" # Ignore advisories for CPU architectures other than this one
+os = "linux" # Ignore advisories for operating systems other than this one

.github/workflows/cargo-vet.yml

@@ -0,0 +1,26 @@
+# Roughly based off of https://mozilla.github.io/cargo-vet/configuring-ci.html
+
+name: cargo vet
+
+on: [push, pull_request]
+
+jobs:
+  cargo-vet:
+    name: Vet Dependencies
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.74.1
+    env:
+      CARGO_VET_VERSION: 0.9.0
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/cache@v2
+      id: cache-vet
+      with:
+        path: /usr/local/cargo/bin/cargo-vet
+        key: cargo-vet-${{ env.CARGO_VET_VERSION }}
+    - name: Install the cargo-vet binary, if needed
+      if: ${{ steps.cache-vet.outputs.cache-hit != 'true' }}
+      run: cargo install --version ${{ env.CARGO_VET_VERSION }} cargo-vet
+    - name: Invoke cargo-vet
+      run: cargo vet --locked

.github/workflows/ci.yml

@@ -21,3 +21,18 @@ jobs:
       - name: Lint .desktop files
         run: |
           make lint-desktop
+
+  rust:
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.74.1
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: |
+          rustup component add rustfmt
+          rustup component add clippy
+      - name: Lint and test Rust code
+        run: |
+          make rust-lint
+          make rust-test

.github/workflows/security.yml

@@ -0,0 +1,16 @@
+name: Security (cron)
+on:
+  schedule:
+    - cron: '0 3 * * *'
+
+jobs:
+  rust-audit:
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.74.1
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check Rust dependencies
+        run: |
+          cargo install cargo-audit
+          cargo audit

Cargo.toml

@@ -0,0 +1,5 @@
+[workspace]
+members = [
+    "proxy"
+]
+resolver = "2"

Makefile

@@ -10,6 +10,14 @@ lint-desktop: ## Lint .desktop files
 	# See: https://www.freedesktop.org/wiki/Software/desktop-file-utils/
 	find . -name *.desktop -type f -not -path '*/\.git/*' | xargs desktop-file-validate
 
+.PHONY: rust-lint
+rust-lint: ## Lint Rust code
+	cargo fmt --check
+	cargo clippy
+
+.PHONY: rust-test
+rust-test: ## Run Rust tests
+	cargo test
 
 # Explanation of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" and any make targets that might appear between : and ##

proxy/Cargo.toml

@@ -0,0 +1,8 @@
+[package]
+name = "securedrop-proxy"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]

proxy/src/main.rs

@@ -0,0 +1,5 @@
+#![deny(clippy::all)]
+
+fn main() {
+    println!("Hello, world!");
+}

rust-toolchain.toml

@@ -0,0 +1,2 @@
+[toolchain]
+channel = "1.74.1"

rustfmt.toml

@@ -0,0 +1 @@
+max_width = 80

supply-chain/audits.toml

@@ -0,0 +1,4 @@
+
+# cargo-vet audits file
+
+[audits]

supply-chain/config.toml

@@ -0,0 +1,26 @@
+
+# cargo-vet config file
+
+[cargo-vet]
+version = "0.9"
+
+[imports.bytecode-alliance]
+url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
+
+[imports.google]
+url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
+
+[imports.isrg]
+url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
+
+[imports.mozilla]
+url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
+
+[imports.securedrop]
+url = "https://raw.githubusercontent.com/freedomofpress/securedrop-supply-chain/main/audits.toml"
+
+[imports.zcash]
+url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml"
+
+[policy.securedrop-proxy]
+criteria = "safe-to-run"

supply-chain/imports.lock

@@ -0,0 +1,14 @@
+
+# cargo-vet imports lock
+
+[audits.bytecode-alliance.audits]
+
+[audits.google.audits]
+
+[audits.isrg.audits]
+
+[audits.mozilla.audits]
+
+[audits.securedrop.audits]
+
+[audits.zcash.audits]