From b9d41fb2a9346861ed3a8504f9678de88e4f66f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 15 Apr 2026 08:22:51 +0200 Subject: [PATCH 01/17] update protos --- proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proto b/proto index 7adfe3b..7e1b829 160000 --- a/proto +++ b/proto @@ -1 +1 @@ -Subproject commit 7adfe3bfd1b7b701e58d25ddadd0c0c7a4a3e046 +Subproject commit 7e1b829343832d261fcfefc4587a795a975dec7e From 78cb532b43d304564b280e7e09a1cee359cc8ab4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 15 Apr 2026 08:38:10 +0200 Subject: [PATCH 02/17] update core dependencies --- Cargo.lock | 4 ++-- Cargo.toml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index f57106e..82f627f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -712,7 +712,7 @@ dependencies = [ [[package]] name = "defguard_certs" version = "0.0.0" -source = "git+https://github.com/DefGuard/defguard.git?rev=01957186101fc105803d56f1190efbdb5102df2f#01957186101fc105803d56f1190efbdb5102df2f" +source = "git+https://github.com/DefGuard/defguard.git?rev=564dc72c#564dc72c8c18c6b25ff1401e2e18dc40e1ff39a4" dependencies = [ "base64", "chrono", @@ -726,7 +726,7 @@ dependencies = [ [[package]] name = "defguard_version" version = "0.0.0" -source = "git+https://github.com/DefGuard/defguard.git?rev=01957186101fc105803d56f1190efbdb5102df2f#01957186101fc105803d56f1190efbdb5102df2f" +source = "git+https://github.com/DefGuard/defguard.git?rev=7d28f46e#7d28f46e828a975118d4943f204614a737d1c92e" dependencies = [ "axum", "http", diff --git a/Cargo.toml b/Cargo.toml index bac56c1..0151168 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -7,8 +7,8 @@ homepage = "https://github.com/DefGuard/proxy" repository = "https://github.com/DefGuard/proxy" [dependencies] -defguard_certs = { git = "https://github.com/DefGuard/defguard.git", rev = "01957186101fc105803d56f1190efbdb5102df2f" } -defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "01957186101fc105803d56f1190efbdb5102df2f" } +defguard_certs = { git = "https://github.com/DefGuard/defguard.git", rev = "564dc72c" } +defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "7d28f46e" } # base `axum` deps axum = { version = "0.8", features = ["ws"] } axum-client-ip = "0.7" From ed45da36d65d372a33ce3499e8b3d0df79a0ff4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 15 Apr 2026 08:59:35 +0200 Subject: [PATCH 03/17] store new certs during setup --- src/grpc.rs | 4 ++++ src/http.rs | 24 ++++++++++++++++++- src/setup.rs | 66 ++++++++++++++++++++++++++++++++++++---------------- 3 files changed, 73 insertions(+), 21 deletions(-) diff --git a/src/grpc.rs b/src/grpc.rs index b2df34d..98dd880 100644 --- a/src/grpc.rs +++ b/src/grpc.rs @@ -43,6 +43,10 @@ type ClientMap = HashMap, } pub(crate) struct ProxyServer { diff --git a/src/http.rs b/src/http.rs index 9085d54..24507db 100644 --- a/src/http.rs +++ b/src/http.rs @@ -55,6 +55,8 @@ const X_FORWARDED_FOR: &str = "x-forwarded-for"; const X_POWERED_BY: &str = "x-powered-by"; pub const GRPC_CERT_NAME: &str = "proxy_grpc_cert.pem"; pub const GRPC_KEY_NAME: &str = "proxy_grpc_key.pem"; +pub const GRPC_CA_CERT_NAME: &str = "grpc_ca_cert.pem"; +pub const CORE_CLIENT_CERT_NAME: &str = "core_client_cert.pem"; #[derive(Clone)] pub(crate) struct AppState { @@ -217,7 +219,8 @@ pub async fn run_setup( let Configuration { grpc_cert_pem, grpc_key_pem, - .. + grpc_ca_cert_pem, + core_client_cert_der, } = &configuration; let cert_path = cert_dir.join(GRPC_CERT_NAME); @@ -247,6 +250,7 @@ pub async fn run_setup( })?; // Write key to a file. options + .clone() .open(&key_path) .await? .write_all(grpc_key_pem.as_bytes()) @@ -262,6 +266,24 @@ pub async fn run_setup( err.into() } })?; + // Write CA certificate to a file. + options + .clone() + .open(cert_dir.join(GRPC_CA_CERT_NAME)) + .await? + .write_all(grpc_ca_cert_pem.as_bytes()) + .await?; + // Write Core client certificate (PEM-encoded) to a file for serial pinning on restart. + let core_client_cert_pem = + defguard_certs::der_to_pem(core_client_cert_der, defguard_certs::PemLabel::Certificate) + .map_err(|err| { + anyhow::anyhow!("Failed to PEM-encode Core client certificate: {err}") + })?; + options + .open(cert_dir.join(CORE_CLIENT_CERT_NAME)) + .await? + .write_all(core_client_cert_pem.as_bytes()) + .await?; Ok(configuration) } diff --git a/src/setup.rs b/src/setup.rs index 684639b..cd3444a 100644 --- a/src/setup.rs +++ b/src/setup.rs @@ -15,7 +15,7 @@ use crate::{ CommsChannel, LogsReceiver, MIN_CORE_VERSION, VERSION, error::ApiError, grpc::Configuration, - proto::{CertificateInfo, DerPayload, LogEntry, proxy_setup_server}, + proto::{CertBundle, CertificateInfo, DerPayload, LogEntry, proxy_setup_server}, }; static SETUP_CHANNEL: LazyLock>> = LazyLock::new(|| { @@ -291,8 +291,8 @@ impl proxy_setup_server::ProxySetup for ProxySetupServer { } #[instrument(skip(self, request))] - async fn send_cert(&self, request: Request) -> Result, Status> { - debug!("Core sending back signed certificate for installation"); + async fn send_cert(&self, request: Request) -> Result, Status> { + debug!("Core sending back signed certificate bundle for installation"); let token = request .metadata() .get(AUTH_HEADER) @@ -306,26 +306,50 @@ impl proxy_setup_server::ProxySetup for ProxySetupServer { return Err(Status::unauthenticated("Invalid session token")); } - let der_payload = request.into_inner(); - let cert_der = der_payload.der_data; + let bundle = request.into_inner(); + debug!( - "Received signed certificate from Core ({} bytes)", - cert_der.len() + "Received component certificate from Core ({} bytes)", + bundle.component_cert_der.len() ); + debug!("Parsing component certificate DER data"); + let grpc_cert_pem = match defguard_certs::der_to_pem( + &bundle.component_cert_der, + defguard_certs::PemLabel::Certificate, + ) { + Ok(pem) => pem, + Err(err) => { + error!("Failed to convert component certificate DER to PEM: {err}"); + self.clear_setup_session(); + return Err(Status::internal(format!( + "Failed to convert component certificate DER to PEM: {err}" + ))); + } + }; - debug!("Parsing received certificate DER data"); - let grpc_cert_pem = - match defguard_certs::der_to_pem(&cert_der, defguard_certs::PemLabel::Certificate) { - Ok(pem) => pem, - Err(err) => { - error!("Failed to convert certificate DER to PEM: {err}"); - self.clear_setup_session(); - return Err(Status::internal(format!( - "Failed to convert certificate DER to PEM: {err}" - ))); - } - }; - debug!("Certificate processed successfully"); + debug!( + "Received CA certificate from Core ({} bytes)", + bundle.ca_cert_der.len() + ); + debug!("Parsing CA certificate DER data"); + let grpc_ca_cert_pem = match defguard_certs::der_to_pem( + &bundle.ca_cert_der, + defguard_certs::PemLabel::Certificate, + ) { + Ok(pem) => pem, + Err(err) => { + error!("Failed to convert CA certificate DER to PEM: {err}"); + self.clear_setup_session(); + return Err(Status::internal(format!( + "Failed to convert CA certificate DER to PEM: {err}" + ))); + } + }; + + debug!( + "Received Core client certificate ({} bytes); will pin serial for mTLS", + bundle.core_client_cert_der.len() + ); let key_pair = { let key_pair = self @@ -349,6 +373,8 @@ impl proxy_setup_server::ProxySetup for ProxySetupServer { let configuration = Configuration { grpc_key_pem: key_pair.serialize_pem(), grpc_cert_pem, + grpc_ca_cert_pem, + core_client_cert_der: bundle.core_client_cert_der, }; debug!("Passing configuration to gRPC server for finalization"); From d9481afcf14f8497c5294db67e65194e979993fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 15 Apr 2026 09:06:43 +0200 Subject: [PATCH 04/17] load new certs on startup --- src/main.rs | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/src/main.rs b/src/main.rs index 838d40f..407c292 100644 --- a/src/main.rs +++ b/src/main.rs @@ -4,7 +4,7 @@ use defguard_proxy::{ VERSION, config::get_env_config, grpc::Configuration, - http::{GRPC_CERT_NAME, GRPC_KEY_NAME, run_server}, + http::{CORE_CLIENT_CERT_NAME, GRPC_CA_CERT_NAME, GRPC_CERT_NAME, GRPC_KEY_NAME, run_server}, logging::init_tracing, }; use defguard_version::Version; @@ -50,18 +50,31 @@ async fn main() -> anyhow::Result<()> { let cert_dir = env_config.cert_dir.clone(); let grpc_cert_path = cert_dir.join(GRPC_CERT_NAME); let grpc_key_path = cert_dir.join(GRPC_KEY_NAME); + let grpc_ca_cert_path = cert_dir.join(GRPC_CA_CERT_NAME); + let core_client_cert_path = cert_dir.join(CORE_CLIENT_CERT_NAME); let grpc_cert = read_optional_cert_file(&grpc_cert_path, &cert_dir, "certificate")?; let grpc_key = read_optional_cert_file(&grpc_key_path, &cert_dir, "key")?; + let grpc_ca_cert = read_optional_cert_file(&grpc_ca_cert_path, &cert_dir, "CA certificate")?; + let core_client_cert_pem = + read_optional_cert_file(&core_client_cert_path, &cert_dir, "Core client certificate")?; - let proxy_configuration = if let (Some(grpc_cert), Some(grpc_key)) = (grpc_cert, grpc_key) { - Some(Configuration { - grpc_cert_pem: grpc_cert, - grpc_key_pem: grpc_key, - }) - } else { - None - }; + let proxy_configuration = + if let (Some(grpc_cert), Some(grpc_key), Some(grpc_ca_cert), Some(client_cert_pem)) = + (grpc_cert, grpc_key, grpc_ca_cert, core_client_cert_pem) + { + let core_client_cert_der = defguard_certs::parse_pem_certificate(&client_cert_pem) + .map_err(|e| anyhow::anyhow!("Failed to parse Core client cert: {e}"))? + .to_vec(); + Some(Configuration { + grpc_cert_pem: grpc_cert, + grpc_key_pem: grpc_key, + grpc_ca_cert_pem: grpc_ca_cert, + core_client_cert_der, + }) + } else { + None + }; // TODO: The channel size may need to be adjusted or some other approach should be used // to avoid dropping log messages. From 5f36a2d72f7e69c95aeadea1c540bc88b48935bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 15 Apr 2026 09:22:30 +0200 Subject: [PATCH 05/17] adjust TLS config naming --- src/grpc.rs | 20 ++++++++++---------- src/http.rs | 29 +++++++++++++---------------- src/main.rs | 4 ++-- src/setup.rs | 10 +++++----- 4 files changed, 30 insertions(+), 33 deletions(-) diff --git a/src/grpc.rs b/src/grpc.rs index 98dd880..fbe51a1 100644 --- a/src/grpc.rs +++ b/src/grpc.rs @@ -40,7 +40,7 @@ use crate::{ type ClientMap = HashMap>>; #[derive(Debug, Clone, Default)] -pub struct Configuration { +pub struct TlsConfig { pub grpc_key_pem: String, pub grpc_cert_pem: String, /// PEM-encoded CA certificate used to verify Core's mTLS client certificate chain. @@ -55,7 +55,7 @@ pub(crate) struct ProxyServer { results: Arc>>>, pub(crate) connected: Arc, pub(crate) core_version: Arc>>, - config: Arc>>, + tls_config: Arc>>, cookie_key: Arc>>, cert_dir: PathBuf, reset_tx: broadcast::Sender<()>, @@ -91,7 +91,7 @@ impl ProxyServer { results: Arc::new(RwLock::new(HashMap::new())), connected: Arc::new(AtomicBool::new(false)), core_version: Arc::new(Mutex::new(None)), - config: Arc::new(Mutex::new(None)), + tls_config: Arc::new(Mutex::new(None)), cert_dir, reset_tx, https_cert_tx, @@ -102,17 +102,17 @@ impl ProxyServer { } } - pub(crate) fn configure(&self, config: Configuration) { + pub(crate) fn configure(&self, config: TlsConfig) { let mut lock = self - .config + .tls_config .lock() .expect("Failed to acquire lock on config mutex when applying proxy configuration"); *lock = Some(config); } - pub(crate) fn get_configuration(&self) -> Option { + pub(crate) fn get_configuration(&self) -> Option { let lock = self - .config + .tls_config .lock() .expect("Failed to acquire lock on config mutex when retrieving proxy configuration"); lock.clone() @@ -201,7 +201,7 @@ impl ProxyServer { pub(crate) fn setup_completed(&self) -> bool { let lock = self - .config + .tls_config .lock() .expect("Failed to acquire lock on config mutex when checking setup status"); lock.is_some() @@ -217,7 +217,7 @@ impl Clone for ProxyServer { connected: Arc::clone(&self.connected), core_version: Arc::clone(&self.core_version), cookie_key: Arc::clone(&self.cookie_key), - config: Arc::clone(&self.config), + tls_config: Arc::clone(&self.tls_config), cert_dir: self.cert_dir.clone(), reset_tx: self.reset_tx.clone(), https_cert_tx: self.https_cert_tx.clone(), @@ -366,7 +366,7 @@ impl proxy_server::Proxy for ProxyServer { } *self - .config + .tls_config .lock() .expect("Failed to lock config mutex during purge") = None; *self diff --git a/src/http.rs b/src/http.rs index 24507db..ae2d539 100644 --- a/src/http.rs +++ b/src/http.rs @@ -41,7 +41,7 @@ use crate::{ config::EnvConfig, enterprise::handlers::openid_login, error::ApiError, - grpc::{Configuration, ProxyServer}, + grpc::{ProxyServer, TlsConfig}, handlers::{desktop_client_mfa, enrollment, password_reset, polling}, setup::ProxySetupServer, }; @@ -180,10 +180,7 @@ async fn powered_by_header(mut response: Response) -> Response { response } -pub async fn run_setup( - env_config: &EnvConfig, - logs_rx: LogsReceiver, -) -> anyhow::Result { +pub async fn run_setup(env_config: &EnvConfig, logs_rx: LogsReceiver) -> anyhow::Result { let setup_server = ProxySetupServer::new(logs_rx); let cert_dir = Path::new(&env_config.cert_dir); if !cert_dir.exists() { @@ -206,7 +203,7 @@ pub async fn run_setup( "No gRPC TLS certificates found at {}, new certificates will be obtained during setup", cert_dir.display() ); - let configuration = setup_server + let tls_config = setup_server .await_initial_setup(SocketAddr::new( env_config .grpc_bind_address @@ -216,12 +213,12 @@ pub async fn run_setup( .await?; info!("Generated new gRPC TLS certificates and signed by Defguard Core"); - let Configuration { + let TlsConfig { grpc_cert_pem, grpc_key_pem, grpc_ca_cert_pem, core_client_cert_der, - } = &configuration; + } = &tls_config; let cert_path = cert_dir.join(GRPC_CERT_NAME); let key_path = cert_dir.join(GRPC_KEY_NAME); @@ -285,7 +282,7 @@ pub async fn run_setup( .write_all(core_client_cert_pem.as_bytes()) .await?; - Ok(configuration) + Ok(tls_config) } /// Middleware that gates all HTTP endpoints except health checks until the proxy @@ -328,7 +325,7 @@ async fn build_tls_config(cert_pem: &str, key_pem: &str) -> anyhow::Result, + tls_config: Option, logs_rx: Option, ) -> anyhow::Result<()> { info!("Starting Defguard Proxy server"); @@ -368,8 +365,8 @@ pub async fn run_server( // Preload existing TLS configuration so /api/v1/info can report "disconnected" // immediately on startup - if let Some(existing_configuration) = config.clone() { - grpc_server.configure(existing_configuration); + if let Some(existing_tls_config) = tls_config.clone() { + grpc_server.configure(existing_tls_config); } let server_clone = grpc_server.clone(); @@ -378,17 +375,17 @@ pub async fn run_server( // Start gRPC server. debug!("Spawning gRPC server task"); tasks.spawn(async move { - let mut proxy_configuration = config; + let mut proxy_tls_config = tls_config; loop { - let configuration = if let Some(conf) = proxy_configuration.clone() { + let configuration = if let Some(conf) = proxy_tls_config.clone() { debug!("Using existing gRPC certificates, skipping setup process"); conf } else { info!("gRPC certificates not found, running setup process"); let conf = run_setup(&env_config_clone, Arc::clone(&logs_rx)).await?; info!("Setup process completed successfully"); - proxy_configuration = Some(conf.clone()); + proxy_tls_config = Some(conf.clone()); conf }; @@ -421,7 +418,7 @@ pub async fn run_server( result = reset_rx.recv() => { if result.is_ok() { info!("Reset requested, restarting setup process"); - proxy_configuration = None; + proxy_tls_config = None; } else { error!("Reset channel closed; gRPC server will keep running"); } diff --git a/src/main.rs b/src/main.rs index 407c292..b42975e 100644 --- a/src/main.rs +++ b/src/main.rs @@ -3,7 +3,7 @@ use std::{fs::read_to_string, io::ErrorKind, path::Path, sync::Arc}; use defguard_proxy::{ VERSION, config::get_env_config, - grpc::Configuration, + grpc::TlsConfig, http::{CORE_CLIENT_CERT_NAME, GRPC_CA_CERT_NAME, GRPC_CERT_NAME, GRPC_KEY_NAME, run_server}, logging::init_tracing, }; @@ -66,7 +66,7 @@ async fn main() -> anyhow::Result<()> { let core_client_cert_der = defguard_certs::parse_pem_certificate(&client_cert_pem) .map_err(|e| anyhow::anyhow!("Failed to parse Core client cert: {e}"))? .to_vec(); - Some(Configuration { + Some(TlsConfig { grpc_cert_pem: grpc_cert, grpc_key_pem: grpc_key, grpc_ca_cert_pem: grpc_ca_cert, diff --git a/src/setup.rs b/src/setup.rs index cd3444a..accd81f 100644 --- a/src/setup.rs +++ b/src/setup.rs @@ -14,11 +14,11 @@ use tonic::{Request, Response, Status, transport::Server}; use crate::{ CommsChannel, LogsReceiver, MIN_CORE_VERSION, VERSION, error::ApiError, - grpc::Configuration, + grpc::TlsConfig, proto::{CertBundle, CertificateInfo, DerPayload, LogEntry, proxy_setup_server}, }; -static SETUP_CHANNEL: LazyLock>> = LazyLock::new(|| { +static SETUP_CHANNEL: LazyLock>> = LazyLock::new(|| { let (tx, rx) = mpsc::channel(10); ( Arc::new(tokio::sync::Mutex::new(tx)), @@ -62,13 +62,13 @@ impl ProxySetupServer { pub(crate) async fn await_initial_setup( &self, addr: SocketAddr, - ) -> Result { + ) -> Result { info!("gRPC waiting for setup connection from Core on {addr}"); let own_version = Version::parse(VERSION)?; debug!("Proxy version: {}", VERSION); - let config_slot: Arc>> = + let config_slot: Arc>> = Arc::new(tokio::sync::Mutex::new(None)); let config_slot_writer = Arc::clone(&config_slot); @@ -370,7 +370,7 @@ impl proxy_setup_server::ProxySetup for ProxySetupServer { } }; - let configuration = Configuration { + let configuration = TlsConfig { grpc_key_pem: key_pair.serialize_pem(), grpc_cert_pem, grpc_ca_cert_pem, From 289500b45e51637d1ea391fbacfa590dca39c81f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 15 Apr 2026 09:32:12 +0200 Subject: [PATCH 06/17] add helper for loading tls certs --- src/main.rs | 60 +++++++++++++++++++++++++++++------------------------ 1 file changed, 33 insertions(+), 27 deletions(-) diff --git a/src/main.rs b/src/main.rs index b42975e..d674c4a 100644 --- a/src/main.rs +++ b/src/main.rs @@ -33,6 +33,37 @@ fn read_optional_cert_file( } } +fn load_tls_config(cert_dir: &Path) -> anyhow::Result> { + let grpc_cert = + read_optional_cert_file(&cert_dir.join(GRPC_CERT_NAME), cert_dir, "certificate")?; + let grpc_key = read_optional_cert_file(&cert_dir.join(GRPC_KEY_NAME), cert_dir, "key")?; + let grpc_ca_cert = read_optional_cert_file( + &cert_dir.join(GRPC_CA_CERT_NAME), + cert_dir, + "CA certificate", + )?; + let core_client_cert_pem = read_optional_cert_file( + &cert_dir.join(CORE_CLIENT_CERT_NAME), + cert_dir, + "Core client certificate", + )?; + + match (grpc_cert, grpc_key, grpc_ca_cert, core_client_cert_pem) { + (Some(grpc_cert), Some(grpc_key), Some(grpc_ca_cert), Some(client_cert_pem)) => { + let core_client_cert_der = defguard_certs::parse_pem_certificate(&client_cert_pem) + .map_err(|e| anyhow::anyhow!("Failed to parse Core client cert: {e}"))? + .to_vec(); + Ok(Some(TlsConfig { + grpc_cert_pem: grpc_cert, + grpc_key_pem: grpc_key, + grpc_ca_cert_pem: grpc_ca_cert, + core_client_cert_der, + })) + } + _ => Ok(None), + } +} + #[tokio::main] async fn main() -> anyhow::Result<()> { // Install the aws-lc-rs CryptoProvider as the process-wide default for rustls. @@ -48,33 +79,8 @@ async fn main() -> anyhow::Result<()> { let env_config = get_env_config()?; let cert_dir = env_config.cert_dir.clone(); - let grpc_cert_path = cert_dir.join(GRPC_CERT_NAME); - let grpc_key_path = cert_dir.join(GRPC_KEY_NAME); - let grpc_ca_cert_path = cert_dir.join(GRPC_CA_CERT_NAME); - let core_client_cert_path = cert_dir.join(CORE_CLIENT_CERT_NAME); - - let grpc_cert = read_optional_cert_file(&grpc_cert_path, &cert_dir, "certificate")?; - let grpc_key = read_optional_cert_file(&grpc_key_path, &cert_dir, "key")?; - let grpc_ca_cert = read_optional_cert_file(&grpc_ca_cert_path, &cert_dir, "CA certificate")?; - let core_client_cert_pem = - read_optional_cert_file(&core_client_cert_path, &cert_dir, "Core client certificate")?; - let proxy_configuration = - if let (Some(grpc_cert), Some(grpc_key), Some(grpc_ca_cert), Some(client_cert_pem)) = - (grpc_cert, grpc_key, grpc_ca_cert, core_client_cert_pem) - { - let core_client_cert_der = defguard_certs::parse_pem_certificate(&client_cert_pem) - .map_err(|e| anyhow::anyhow!("Failed to parse Core client cert: {e}"))? - .to_vec(); - Some(TlsConfig { - grpc_cert_pem: grpc_cert, - grpc_key_pem: grpc_key, - grpc_ca_cert_pem: grpc_ca_cert, - core_client_cert_der, - }) - } else { - None - }; + let maybe_tls_config = load_tls_config(&cert_dir)?; // TODO: The channel size may need to be adjusted or some other approach should be used // to avoid dropping log messages. @@ -90,7 +96,7 @@ async fn main() -> anyhow::Result<()> { // run API web server run_server( env_config, - proxy_configuration, + maybe_tls_config, logs_rx.map(|r| Arc::new(Mutex::new(r))), ) .await?; From e91d96f05318b95eee7d45e601be1a152839aeb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 15 Apr 2026 09:37:38 +0200 Subject: [PATCH 07/17] update purge handler --- src/grpc.rs | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/src/grpc.rs b/src/grpc.rs index fbe51a1..fa5e692 100644 --- a/src/grpc.rs +++ b/src/grpc.rs @@ -15,7 +15,10 @@ use defguard_version::{ ComponentInfo, DefguardComponent, Version, get_tracing_variables, server::{DefguardVersionLayer, grpc::DefguardVersionInterceptor}, }; -use tokio::sync::{broadcast, mpsc, oneshot}; +use tokio::{ + fs::remove_file, + sync::{broadcast, mpsc, oneshot}, +}; use tokio_stream::wrappers::UnboundedReceiverStream; use tonic::{ Request, Response, Status, Streaming, @@ -28,7 +31,7 @@ use crate::{ LogsReceiver, MIN_CORE_VERSION, VERSION, acme, acme::Port80Permit, error::ApiError, - http::{GRPC_CERT_NAME, GRPC_KEY_NAME}, + http::{CORE_CLIENT_CERT_NAME, GRPC_CA_CERT_NAME, GRPC_CERT_NAME, GRPC_KEY_NAME}, proto::{ AcmeCertificate, AcmeChallenge, AcmeIssueEvent, AcmeLogs, AcmeProgress, AcmeStep, CoreRequest, CoreResponse, DeviceInfo, acme_issue_event, core_request, core_response, @@ -347,8 +350,10 @@ impl proxy_server::Proxy for ProxyServer { debug!("Received purge request, removing gRPC certificate files"); let cert_path = self.cert_dir.join(GRPC_CERT_NAME); let key_path = self.cert_dir.join(GRPC_KEY_NAME); + let ca_cert_path = self.cert_dir.join(GRPC_CA_CERT_NAME); + let core_client_cert_path = self.cert_dir.join(CORE_CLIENT_CERT_NAME); - if let Err(err) = tokio::fs::remove_file(&cert_path).await + if let Err(err) = remove_file(&cert_path).await && err.kind() != std::io::ErrorKind::NotFound { error!( @@ -358,13 +363,33 @@ impl proxy_server::Proxy for ProxyServer { return Err(Status::internal("Failed to remove gRPC certificate")); } - if let Err(err) = tokio::fs::remove_file(&key_path).await + if let Err(err) = remove_file(&key_path).await && err.kind() != std::io::ErrorKind::NotFound { error!("Failed to remove gRPC key at {:?}: {err}", key_path); return Err(Status::internal("Failed to remove gRPC key")); } + if let Err(err) = remove_file(&ca_cert_path).await + && err.kind() != std::io::ErrorKind::NotFound + { + error!( + "Failed to remove CA certificate at {:?}: {err}", + ca_cert_path + ); + return Err(Status::internal("Failed to remove CA certificate")); + } + + if let Err(err) = remove_file(&core_client_cert_path).await + && err.kind() != std::io::ErrorKind::NotFound + { + error!( + "Failed to remove Core client certificate at {:?}: {err}", + core_client_cert_path + ); + return Err(Status::internal("Failed to remove Core client certificate")); + } + *self .tls_config .lock() From a5009c14b24cdcc125c4532a8ba27ad2ded65e53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 15 Apr 2026 09:41:36 +0200 Subject: [PATCH 08/17] add helper for removing files --- src/grpc.rs | 49 ++++++++++++++----------------------------------- 1 file changed, 14 insertions(+), 35 deletions(-) diff --git a/src/grpc.rs b/src/grpc.rs index fa5e692..c3ab634 100644 --- a/src/grpc.rs +++ b/src/grpc.rs @@ -353,42 +353,21 @@ impl proxy_server::Proxy for ProxyServer { let ca_cert_path = self.cert_dir.join(GRPC_CA_CERT_NAME); let core_client_cert_path = self.cert_dir.join(CORE_CLIENT_CERT_NAME); - if let Err(err) = remove_file(&cert_path).await - && err.kind() != std::io::ErrorKind::NotFound - { - error!( - "Failed to remove gRPC certificate at {:?}: {err}", - cert_path - ); - return Err(Status::internal("Failed to remove gRPC certificate")); - } - - if let Err(err) = remove_file(&key_path).await - && err.kind() != std::io::ErrorKind::NotFound - { - error!("Failed to remove gRPC key at {:?}: {err}", key_path); - return Err(Status::internal("Failed to remove gRPC key")); - } - - if let Err(err) = remove_file(&ca_cert_path).await - && err.kind() != std::io::ErrorKind::NotFound - { - error!( - "Failed to remove CA certificate at {:?}: {err}", - ca_cert_path - ); - return Err(Status::internal("Failed to remove CA certificate")); - } + let remove_cert_file = async |path: &std::path::Path, label: &str| -> Result<(), Status> { + if let Err(err) = remove_file(path).await + && err.kind() != std::io::ErrorKind::NotFound + { + error!("Failed to remove {label} at {}: {err}", path.display()); + return Err(Status::internal(format!("Failed to remove {label}"))); + } + info!("Removed {label} at {}", path.display()); + Ok(()) + }; - if let Err(err) = remove_file(&core_client_cert_path).await - && err.kind() != std::io::ErrorKind::NotFound - { - error!( - "Failed to remove Core client certificate at {:?}: {err}", - core_client_cert_path - ); - return Err(Status::internal("Failed to remove Core client certificate")); - } + remove_cert_file(&cert_path, "gRPC certificate").await?; + remove_cert_file(&key_path, "gRPC key").await?; + remove_cert_file(&ca_cert_path, "CA certificate").await?; + remove_cert_file(&core_client_cert_path, "Core client certificate").await?; *self .tls_config From 5d895afd756f9dc2269684c7fb7753fe14b1b33d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 15 Apr 2026 14:09:44 +0200 Subject: [PATCH 09/17] validate received certs during setup --- Cargo.lock | 2 ++ Cargo.toml | 2 ++ src/setup.rs | 90 ++++++++++++++++++++++++++++++++++++++++++++++------ 3 files changed, 85 insertions(+), 9 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 82f627f..6ac4248 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -690,6 +690,8 @@ dependencies = [ "reqwest", "rust-embed", "rustls", + "rustls-pki-types", + "rustls-webpki", "serde", "serde_json", "thiserror 2.0.18", diff --git a/Cargo.toml b/Cargo.toml index 0151168..4054925 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -9,6 +9,8 @@ repository = "https://github.com/DefGuard/proxy" [dependencies] defguard_certs = { git = "https://github.com/DefGuard/defguard.git", rev = "564dc72c" } defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "7d28f46e" } +rustls-webpki = { version = "0.103", features = ["aws-lc-rs", "std"] } +rustls-pki-types = "1" # base `axum` deps axum = { version = "0.8", features = ["ws"] } axum-client-ip = "0.7" diff --git a/src/setup.rs b/src/setup.rs index accd81f..be83b6e 100644 --- a/src/setup.rs +++ b/src/setup.rs @@ -1,15 +1,18 @@ use std::{ net::SocketAddr, sync::{Arc, LazyLock, Mutex}, + time::{Duration, SystemTime, UNIX_EPOCH}, }; use defguard_version::{ DefguardComponent, Version, server::{DefguardVersionLayer, grpc::DefguardVersionInterceptor}, }; +use rustls_pki_types::{CertificateDer, UnixTime}; use tokio::sync::mpsc; use tokio_stream::wrappers::UnboundedReceiverStream; -use tonic::{Request, Response, Status, transport::Server}; +use tonic::{Request, Response, Status, service::InterceptorLayer, transport::Server}; +use webpki::{KeyUsage, anchor_from_trusted_cert}; use crate::{ CommsChannel, LogsReceiver, MIN_CORE_VERSION, VERSION, @@ -28,6 +31,65 @@ static SETUP_CHANNEL: LazyLock>> = LazyLock::new( const AUTH_HEADER: &str = "authorization"; +/// Verify that both `component_der` and `core_client_der` are signed by `ca_der`. +/// +/// Uses ECDSA P-256 / SHA-256 via aws-lc-rs. Returns an error message string on +/// any failure so the caller can forward it as a gRPC status. +fn validate_cert_bundle( + ca_der: &[u8], + component_der: &[u8], + core_client_der: &[u8], +) -> Result<(), String> { + let sig_algs: &[&dyn rustls_pki_types::SignatureVerificationAlgorithm] = &[ + webpki::aws_lc_rs::ECDSA_P256_SHA256, + webpki::aws_lc_rs::ECDSA_P256_SHA384, + ]; + + let ca_cert_der = CertificateDer::from(ca_der); + let trust_anchor = anchor_from_trusted_cert(&ca_cert_der) + .map_err(|e| format!("Failed to parse CA certificate as trust anchor: {e}"))?; + let trust_anchors = [trust_anchor]; + + let now = SystemTime::now() + .duration_since(UNIX_EPOCH) + .unwrap_or(Duration::ZERO); + let time = UnixTime::since_unix_epoch(now); + + // Verify component (server) certificate. + let component_cert_der = CertificateDer::from(component_der); + let component_ee = webpki::EndEntityCert::try_from(&component_cert_der) + .map_err(|e| format!("Failed to parse component certificate: {e}"))?; + component_ee + .verify_for_usage( + sig_algs, + &trust_anchors, + &[], + time, + KeyUsage::server_auth(), + None, + None, + ) + .map_err(|e| format!("Component certificate failed chain validation: {e}"))?; + + // Verify Core client certificate. + let core_client_cert_der = CertificateDer::from(core_client_der); + let core_client_ee = webpki::EndEntityCert::try_from(&core_client_cert_der) + .map_err(|e| format!("Failed to parse Core client certificate: {e}"))?; + core_client_ee + .verify_for_usage( + sig_algs, + &trust_anchors, + &[], + time, + KeyUsage::client_auth(), + None, + None, + ) + .map_err(|e| format!("Core client certificate failed chain validation: {e}"))?; + + Ok(()) +} + pub(crate) struct ProxySetupServer { key_pair: Arc>>, logs_rx: LogsReceiver, @@ -73,14 +135,12 @@ impl ProxySetupServer { let config_slot_writer = Arc::clone(&config_slot); Server::builder() - .layer(tonic::service::InterceptorLayer::new( - DefguardVersionInterceptor::new( - own_version.clone(), - DefguardComponent::Core, - MIN_CORE_VERSION, - false, - ), - )) + .layer(InterceptorLayer::new(DefguardVersionInterceptor::new( + own_version.clone(), + DefguardComponent::Core, + MIN_CORE_VERSION, + false, + ))) .layer(DefguardVersionLayer::new(own_version.clone())) .add_service(proxy_setup_server::ProxySetupServer::new(self.clone())) .serve_with_shutdown(addr, async move { @@ -308,6 +368,18 @@ impl proxy_setup_server::ProxySetup for ProxySetupServer { let bundle = request.into_inner(); + debug!("Validating certificate bundle received from Core"); + if let Err(reason) = validate_cert_bundle( + &bundle.ca_cert_der, + &bundle.component_cert_der, + &bundle.core_client_cert_der, + ) { + error!("Certificate bundle validation failed: {reason}"); + self.clear_setup_session(); + return Err(Status::invalid_argument(reason)); + } + debug!("Certificate bundle validated successfully against CA"); + debug!( "Received component certificate from Core ({} bytes)", bundle.component_cert_der.len() From 348c0bf6453b977ff7a1005772d2be5ddbd51818 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 16 Apr 2026 09:26:39 +0200 Subject: [PATCH 10/17] add interceptor to validate core cert serial --- Cargo.lock | 1789 +++++++++++++++++++++++++++++++++++++++++++++++++-- Cargo.toml | 1 + src/grpc.rs | 31 +- 3 files changed, 1765 insertions(+), 56 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 6ac4248..0dc5bee 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -145,13 +145,41 @@ dependencies = [ "rustversion", ] +[[package]] +name = "argon2" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3c3610892ee6e0cbce8ae2700349fcf8f98adb0dbfbee85aec3c9179d29cc072" +dependencies = [ + "base64ct", + "blake2", + "cpufeatures", + "password-hash", +] + +[[package]] +name = "asn1-rs" +version = "0.6.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5493c3bedbacf7fd7382c6346bbd66687d12bbaad3a89a2d2c303ee6cf20b048" +dependencies = [ + "asn1-rs-derive 0.5.1", + "asn1-rs-impl", + "displaydoc", + "nom", + "num-traits", + "rusticata-macros", + "thiserror 1.0.69", + "time", +] + [[package]] name = "asn1-rs" version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60" dependencies = [ - "asn1-rs-derive", + "asn1-rs-derive 0.6.0", "asn1-rs-impl", "displaydoc", "nom", @@ -161,6 +189,18 @@ dependencies = [ "time", ] +[[package]] +name = "asn1-rs-derive" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "965c2d33e53cb6b267e148a4cb0760bc01f4904c1cd4bb4002a085bb016d1490" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "synstructure", +] + [[package]] name = "asn1-rs-derive" version = "0.6.0" @@ -195,6 +235,15 @@ dependencies = [ "syn", ] +[[package]] +name = "atoi" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f28d99ec8bfea296261ca1af174f24225171fea9664ba9003cbebee704810528" +dependencies = [ + "num-traits", +] + [[package]] name = "atomic-waker" version = "1.1.2" @@ -237,7 +286,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b52af3cb4058c895d37317bb27508dccc8e5f2d39454016b297bf4a400597b8" dependencies = [ "axum-core", - "base64", + "base64 0.22.1", "bytes", "form_urlencoded", "futures-util", @@ -342,17 +391,64 @@ dependencies = [ "tower-service", ] +[[package]] +name = "base16ct" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf" + +[[package]] +name = "base32" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "022dfe9eb35f19ebbcb51e0b40a5ab759f46ad60cadf7297e0bd085afb50e076" + +[[package]] +name = "base64" +version = "0.21.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" + [[package]] name = "base64" version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" +[[package]] +name = "base64ct" +version = "1.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06" + +[[package]] +name = "base64urlsafedata" +version = "0.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42f7f6be94fa637132933fd0a68b9140bcb60e3d46164cb68e82a2bb8d102b3a" +dependencies = [ + "base64 0.21.7", + "pastey", + "serde", +] + [[package]] name = "bitflags" version = "2.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af" +dependencies = [ + "serde_core", +] + +[[package]] +name = "blake2" +version = "0.10.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "46502ad458c9a52b69d4d4d32775c788b7a1b85e8bc9d482d92250fc0e3f8efe" +dependencies = [ + "digest", +] [[package]] name = "block-buffer" @@ -388,6 +484,12 @@ version = "3.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb" +[[package]] +name = "byteorder" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" + [[package]] name = "bytes" version = "1.11.1" @@ -448,6 +550,12 @@ dependencies = [ "inout", ] +[[package]] +name = "claims" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bba18ee93d577a8428902687bcc2b6b45a56b1981a1f6d779731c86cc4c5db18" + [[package]] name = "clap" version = "4.6.0" @@ -513,6 +621,21 @@ dependencies = [ "memchr", ] +[[package]] +name = "concurrent-queue" +version = "2.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4ca0197aee26d1ae37445ee532fefce43251d24cc7c166799f4d46817f1d3973" +dependencies = [ + "crossbeam-utils", +] + +[[package]] +name = "const-oid" +version = "0.9.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" + [[package]] name = "cookie" version = "0.18.1" @@ -520,7 +643,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747" dependencies = [ "aes-gcm", - "base64", + "base64 0.22.1", "percent-encoding", "rand 0.8.5", "subtle", @@ -528,6 +651,16 @@ dependencies = [ "version_check", ] +[[package]] +name = "core-foundation" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "core-foundation" version = "0.10.1" @@ -553,6 +686,21 @@ dependencies = [ "libc", ] +[[package]] +name = "crc" +version = "3.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5eb8a2a1cd12ab0d987a5d5e825195d372001a4094a0376319d5a0ad71c1ba0d" +dependencies = [ + "crc-catalog", +] + +[[package]] +name = "crc-catalog" +version = "2.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "19d374276b40fb8bbdee95aef7c7fa6b5316ec764510eb64b8dd0e2ed0d7e7f5" + [[package]] name = "crc32fast" version = "1.5.0" @@ -562,12 +710,39 @@ dependencies = [ "cfg-if", ] +[[package]] +name = "crossbeam-queue" +version = "0.3.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0f58bbc28f91df819d0aa2a2c00cd19754769c2fad90579b3592b1c9ba7a3115" +dependencies = [ + "crossbeam-utils", +] + [[package]] name = "crossbeam-utils" version = "0.8.21" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28" +[[package]] +name = "crunchy" +version = "0.2.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5" + +[[package]] +name = "crypto-bigint" +version = "0.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76" +dependencies = [ + "generic-array", + "rand_core 0.6.4", + "subtle", + "zeroize", +] + [[package]] name = "crypto-common" version = "0.1.7" @@ -611,14 +786,51 @@ dependencies = [ "cipher", ] +[[package]] +name = "curve25519-dalek" +version = "4.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be" +dependencies = [ + "cfg-if", + "cpufeatures", + "curve25519-dalek-derive", + "digest", + "fiat-crypto", + "rustc_version", + "subtle", + "zeroize", +] + +[[package]] +name = "curve25519-dalek-derive" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "darling" version = "0.20.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee" dependencies = [ - "darling_core", - "darling_macro", + "darling_core 0.20.11", + "darling_macro 0.20.11", +] + +[[package]] +name = "darling" +version = "0.23.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "25ae13da2f202d56bd7f91c25fba009e7717a1e4a1cc98a76d844b65ae912e9d" +dependencies = [ + "darling_core 0.23.0", + "darling_macro 0.23.0", ] [[package]] @@ -635,13 +847,37 @@ dependencies = [ "syn", ] +[[package]] +name = "darling_core" +version = "0.23.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9865a50f7c335f53564bb694ef660825eb8610e0a53d3e11bf1b0d3df31e03b0" +dependencies = [ + "ident_case", + "proc-macro2", + "quote", + "strsim", + "syn", +] + [[package]] name = "darling_macro" version = "0.20.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead" dependencies = [ - "darling_core", + "darling_core 0.20.11", + "quote", + "syn", +] + +[[package]] +name = "darling_macro" +version = "0.23.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac3984ec7bd6cfa798e62b4a642426a5be0e68f9401cfc2a01e3fa9ea2fcdb8d" +dependencies = [ + "darling_core 0.23.0", "quote", "syn", ] @@ -676,10 +912,11 @@ dependencies = [ "axum-client-ip", "axum-extra", "axum-server", - "base64", + "base64 0.22.1", "chrono", "clap", "defguard_certs", + "defguard_grpc_tls", "defguard_version", "dotenvy", "futures-util", @@ -716,13 +953,69 @@ name = "defguard_certs" version = "0.0.0" source = "git+https://github.com/DefGuard/defguard.git?rev=564dc72c#564dc72c8c18c6b25ff1401e2e18dc40e1ff39a4" dependencies = [ - "base64", + "base64 0.22.1", "chrono", "rcgen", "rustls-pki-types", "thiserror 2.0.18", "time", - "x509-parser", + "x509-parser 0.18.1", +] + +[[package]] +name = "defguard_common" +version = "2.0.0" +source = "git+https://github.com/DefGuard/defguard.git?rev=9e1054e3#9e1054e34b479dd978baec19bb8024ee15865f22" +dependencies = [ + "anyhow", + "argon2", + "base32", + "base64 0.22.1", + "chrono", + "claims", + "clap", + "ed25519-dalek", + "humantime", + "ipnetwork", + "jsonwebtoken", + "model_derive", + "openidconnect", + "rand 0.8.5", + "reqwest", + "rsa", + "secrecy", + "serde", + "serde_cbor_2", + "serde_json", + "sqlx", + "struct-patch", + "thiserror 2.0.18", + "tokio", + "tonic", + "totp-lite", + "tracing", + "url", + "utoipa", + "uuid", + "vergen-git2", + "webauthn-rs", + "x25519-dalek", +] + +[[package]] +name = "defguard_grpc_tls" +version = "0.0.0" +source = "git+https://github.com/DefGuard/defguard.git?rev=9e1054e3#9e1054e34b479dd978baec19bb8024ee15865f22" +dependencies = [ + "defguard_common", + "http", + "rustls", + "thiserror 2.0.18", + "tokio", + "tonic", + "tower-service", + "tracing", + "x509-parser 0.18.1", ] [[package]] @@ -742,13 +1035,38 @@ dependencies = [ "tracing-subscriber", ] +[[package]] +name = "der" +version = "0.7.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb" +dependencies = [ + "const-oid", + "pem-rfc7468", + "zeroize", +] + +[[package]] +name = "der-parser" +version = "9.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5cd0a5c643689626bec213c4d8bd4d96acc8ffdb4ad4bb6bc16abf27d5f4b553" +dependencies = [ + "asn1-rs 0.6.2", + "displaydoc", + "nom", + "num-bigint", + "num-traits", + "rusticata-macros", +] + [[package]] name = "der-parser" version = "10.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "07da5016415d5a3c4dd39b11ed26f915f52fc4e0dc197d87908bc916e51bc1a6" dependencies = [ - "asn1-rs", + "asn1-rs 0.7.1", "displaydoc", "nom", "num-bigint", @@ -763,6 +1081,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c" dependencies = [ "powerfmt", + "serde_core", ] [[package]] @@ -780,7 +1099,7 @@ version = "0.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2d5bcf7b024d6835cfb3d473887cd966994907effbe9227e8c8219824d06c4e8" dependencies = [ - "darling", + "darling 0.20.11", "proc-macro2", "quote", "syn", @@ -803,7 +1122,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" dependencies = [ "block-buffer", + "const-oid", "crypto-common", + "subtle", ] [[package]] @@ -854,11 +1175,89 @@ version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813" +[[package]] +name = "dyn-clone" +version = "1.0.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d0881ea181b1df73ff77ffaaf9c7544ecc11e82fba9b5f27b262a3c73a332555" + +[[package]] +name = "ecdsa" +version = "0.16.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca" +dependencies = [ + "der", + "digest", + "elliptic-curve", + "rfc6979", + "signature", + "spki", +] + +[[package]] +name = "ed25519" +version = "2.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53" +dependencies = [ + "pkcs8", + "signature", +] + +[[package]] +name = "ed25519-dalek" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "70e796c081cee67dc755e1a36a0a172b897fab85fc3f6bc48307991f64e4eca9" +dependencies = [ + "curve25519-dalek", + "ed25519", + "rand_core 0.6.4", + "serde", + "sha2", + "subtle", + "zeroize", +] + [[package]] name = "either" version = "1.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719" +dependencies = [ + "serde", +] + +[[package]] +name = "elliptic-curve" +version = "0.13.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47" +dependencies = [ + "base16ct", + "crypto-bigint", + "digest", + "ff", + "generic-array", + "group", + "hkdf", + "pem-rfc7468", + "pkcs8", + "rand_core 0.6.4", + "sec1", + "subtle", + "zeroize", +] + +[[package]] +name = "encoding_rs" +version = "0.8.35" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3" +dependencies = [ + "cfg-if", +] [[package]] name = "equivalent" @@ -876,12 +1275,50 @@ dependencies = [ "windows-sys 0.61.2", ] +[[package]] +name = "etcetera" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "136d1b5283a1ab77bd9257427ffd09d8667ced0570b6f938942bc7568ed5b943" +dependencies = [ + "cfg-if", + "home", + "windows-sys 0.48.0", +] + +[[package]] +name = "event-listener" +version = "5.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e13b66accf52311f30a0db42147dadea9850cb48cd070028831ae5f5d4b856ab" +dependencies = [ + "concurrent-queue", + "parking", + "pin-project-lite", +] + [[package]] name = "fastrand" version = "2.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6" +[[package]] +name = "ff" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c0b50bfb653653f9ca9095b427bed08ab8d75a137839d9ad64eb11810d5b6393" +dependencies = [ + "rand_core 0.6.4", + "subtle", +] + +[[package]] +name = "fiat-crypto" +version = "0.2.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d" + [[package]] name = "find-msvc-tools" version = "0.1.9" @@ -904,6 +1341,17 @@ dependencies = [ "miniz_oxide", ] +[[package]] +name = "flume" +version = "0.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "da0e4dd2a88388a1f4ccc7c9ce104604dab68d9f408dc34cd45823d5a9069095" +dependencies = [ + "futures-core", + "futures-sink", + "spin", +] + [[package]] name = "fnv" version = "1.0.7" @@ -922,6 +1370,21 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb" +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + [[package]] name = "form_urlencoded" version = "1.2.2" @@ -974,6 +1437,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d" dependencies = [ "futures-core", + "futures-sink", ] [[package]] @@ -982,6 +1446,34 @@ version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d" +[[package]] +name = "futures-executor" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d" +dependencies = [ + "futures-core", + "futures-task", + "futures-util", +] + +[[package]] +name = "futures-intrusive" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1d930c203dd0b6ff06e0201a4a2fe9149b43c684fd4420555b26d21b1a02956f" +dependencies = [ + "futures-core", + "lock_api", + "parking_lot", +] + +[[package]] +name = "futures-io" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718" + [[package]] name = "futures-macro" version = "0.3.32" @@ -1018,9 +1510,11 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6" dependencies = [ "futures-core", + "futures-io", "futures-macro", "futures-sink", "futures-task", + "memchr", "pin-project-lite", "slab", ] @@ -1033,6 +1527,7 @@ checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" dependencies = [ "typenum", "version_check", + "zeroize", ] [[package]] @@ -1134,6 +1629,17 @@ dependencies = [ "web-time", ] +[[package]] +name = "group" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63" +dependencies = [ + "ff", + "rand_core 0.6.4", + "subtle", +] + [[package]] name = "h2" version = "0.4.13" @@ -1146,13 +1652,30 @@ dependencies = [ "futures-core", "futures-sink", "http", - "indexmap", + "indexmap 2.14.0", "slab", "tokio", "tokio-util", "tracing", ] +[[package]] +name = "half" +version = "2.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ea2d84b969582b4b1864a92dc5d27cd2b77b622a8d79306834f1be5ba20d84b" +dependencies = [ + "cfg-if", + "crunchy", + "zerocopy", +] + +[[package]] +name = "hashbrown" +version = "0.12.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888" + [[package]] name = "hashbrown" version = "0.14.5" @@ -1165,6 +1688,8 @@ version = "0.15.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1" dependencies = [ + "allocator-api2", + "equivalent", "foldhash 0.1.5", ] @@ -1183,7 +1708,16 @@ dependencies = [ name = "hashbrown" version = "0.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51" +checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51" + +[[package]] +name = "hashlink" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7382cf6263419f2d8df38c55d7da83da5c18aef87fc7a7fc1fb1e344edfe14c1" +dependencies = [ + "hashbrown 0.15.5", +] [[package]] name = "headers" @@ -1191,7 +1725,7 @@ version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b3314d5adb5d94bcdf56771f2e50dbbc80bb4bdf88967526706205ac9eff24eb" dependencies = [ - "base64", + "base64 0.22.1", "bytes", "headers-core", "http", @@ -1215,6 +1749,39 @@ version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" +[[package]] +name = "hex" +version = "0.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" + +[[package]] +name = "hkdf" +version = "0.12.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7" +dependencies = [ + "hmac", +] + +[[package]] +name = "hmac" +version = "0.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e" +dependencies = [ + "digest", +] + +[[package]] +name = "home" +version = "0.5.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cc627f471c528ff0c4a49e1d5e60450c8f6461dd6d10ba9dcd3a61d3dff7728d" +dependencies = [ + "windows-sys 0.61.2", +] + [[package]] name = "html5ever" version = "0.35.0" @@ -1277,6 +1844,12 @@ version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9" +[[package]] +name = "humantime" +version = "2.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "135b12329e5e3ce057a9f972339ea52bc954fe1e9358ef27f95e89716fbc5424" + [[package]] name = "hyper" version = "1.9.0" @@ -1330,13 +1903,29 @@ dependencies = [ "tower-service", ] +[[package]] +name = "hyper-tls" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0" +dependencies = [ + "bytes", + "http-body-util", + "hyper", + "hyper-util", + "native-tls", + "tokio", + "tokio-native-tls", + "tower-service", +] + [[package]] name = "hyper-util" version = "0.1.20" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0" dependencies = [ - "base64", + "base64 0.22.1", "bytes", "futures-channel", "futures-util", @@ -1348,9 +1937,11 @@ dependencies = [ "percent-encoding", "pin-project-lite", "socket2", + "system-configuration", "tokio", "tower-service", "tracing", + "windows-registry", ] [[package]] @@ -1492,6 +2083,17 @@ dependencies = [ "icu_properties", ] +[[package]] +name = "indexmap" +version = "1.9.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99" +dependencies = [ + "autocfg", + "hashbrown 0.12.3", + "serde", +] + [[package]] name = "indexmap" version = "2.14.0" @@ -1521,7 +2123,7 @@ checksum = "9f05ad37c421b962354c358d347d4a6130151df9407978372d3ad7f0c8f71a64" dependencies = [ "async-trait", "aws-lc-rs", - "base64", + "base64 0.22.1", "bytes", "http", "http-body", @@ -1545,6 +2147,15 @@ version = "2.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2" +[[package]] +name = "ipnetwork" +version = "0.20.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bf466541e9d546596ee94f9f69590f89473455f88372423e0008fc1a7daf100e" +dependencies = [ + "serde", +] + [[package]] name = "iri-string" version = "0.7.12" @@ -1561,6 +2172,15 @@ version = "1.70.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695" +[[package]] +name = "itertools" +version = "0.10.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473" +dependencies = [ + "either", +] + [[package]] name = "itertools" version = "0.14.0" @@ -1642,11 +2262,37 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "jsonwebtoken" +version = "10.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0529410abe238729a60b108898784df8984c87f6054c9c4fcacc47e4803c1ce1" +dependencies = [ + "base64 0.22.1", + "ed25519-dalek", + "getrandom 0.2.17", + "hmac", + "js-sys", + "p256", + "p384", + "pem", + "rand 0.8.5", + "rsa", + "serde", + "serde_json", + "sha2", + "signature", + "simple_asn1", +] + [[package]] name = "lazy_static" version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" +dependencies = [ + "spin", +] [[package]] name = "leb128fmt" @@ -1672,6 +2318,34 @@ dependencies = [ "pkg-config", ] +[[package]] +name = "libm" +version = "0.2.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981" + +[[package]] +name = "libredox" +version = "0.1.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e02f3bb43d335493c96bf3fd3a321600bf6bd07ed34bc64118e9293bdffea46c" +dependencies = [ + "bitflags", + "libc", + "plain", + "redox_syscall 0.7.4", +] + +[[package]] +name = "libsqlite3-sys" +version = "0.30.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2e99fb7a497b1e3339bc746195567ed8d3e24945ecd636e3619d20b9de9e9149" +dependencies = [ + "pkg-config", + "vcpkg", +] + [[package]] name = "libz-sys" version = "1.1.28" @@ -1769,6 +2443,16 @@ version = "0.8.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3" +[[package]] +name = "md-5" +version = "0.10.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d89e7ee0cfbedfc4da3340218492196241d89eefb6dab27de5df917a6d2e78cf" +dependencies = [ + "cfg-if", + "digest", +] + [[package]] name = "memchr" version = "2.8.0" @@ -1818,12 +2502,38 @@ dependencies = [ "windows-sys 0.61.2", ] +[[package]] +name = "model_derive" +version = "0.0.0" +source = "git+https://github.com/DefGuard/defguard.git?rev=9e1054e3#9e1054e34b479dd978baec19bb8024ee15865f22" +dependencies = [ + "quote", + "syn", +] + [[package]] name = "multimap" version = "0.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1d87ecb2933e8aeadb3e3a02b828fed80a7528047e68b4f424523a0981a3a084" +[[package]] +name = "native-tls" +version = "0.2.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "465500e14ea162429d264d44189adc38b199b62b1c21eea9f69e4b73cb03bbf2" +dependencies = [ + "libc", + "log", + "openssl", + "openssl-probe", + "openssl-sys", + "schannel", + "security-framework", + "security-framework-sys", + "tempfile", +] + [[package]] name = "new_debug_unreachable" version = "1.0.6" @@ -1883,6 +2593,22 @@ dependencies = [ "num-traits", ] +[[package]] +name = "num-bigint-dig" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e661dda6640fad38e827a6d4a310ff4763082116fe217f279885c97f511bb0b7" +dependencies = [ + "lazy_static", + "libm", + "num-integer", + "num-iter", + "num-traits", + "rand 0.8.5", + "smallvec", + "zeroize", +] + [[package]] name = "num-conv" version = "0.2.1" @@ -1898,6 +2624,17 @@ dependencies = [ "num-traits", ] +[[package]] +name = "num-iter" +version = "0.1.45" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf" +dependencies = [ + "autocfg", + "num-integer", + "num-traits", +] + [[package]] name = "num-traits" version = "0.2.19" @@ -1905,6 +2642,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" dependencies = [ "autocfg", + "libm", ] [[package]] @@ -1916,6 +2654,26 @@ dependencies = [ "libc", ] +[[package]] +name = "oauth2" +version = "5.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "51e219e79014df21a225b1860a479e2dcd7cbd9130f4defd4bd0e191ea31d67d" +dependencies = [ + "base64 0.22.1", + "chrono", + "getrandom 0.2.17", + "http", + "rand 0.8.5", + "reqwest", + "serde", + "serde_json", + "serde_path_to_error", + "sha2", + "thiserror 1.0.69", + "url", +] + [[package]] name = "objc2" version = "0.6.4" @@ -2075,13 +2833,22 @@ dependencies = [ "objc2-foundation", ] +[[package]] +name = "oid-registry" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a8d8034d9489cdaf79228eb9f6a3b8d7bb32ba00d6645ebd48eef4077ceb5bd9" +dependencies = [ + "asn1-rs 0.6.2", +] + [[package]] name = "oid-registry" version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "12f40cff3dde1b6087cc5d5f5d4d65712f34016a03ed60e9c08dcc392736b5b7" dependencies = [ - "asn1-rs", + "asn1-rs 0.7.1", ] [[package]] @@ -2102,12 +2869,90 @@ version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" +[[package]] +name = "openidconnect" +version = "4.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0d8c6709ba2ea764bbed26bce1adf3c10517113ddea6f2d4196e4851757ef2b2" +dependencies = [ + "base64 0.21.7", + "chrono", + "dyn-clone", + "ed25519-dalek", + "hmac", + "http", + "itertools 0.10.5", + "log", + "oauth2", + "p256", + "p384", + "rand 0.8.5", + "rsa", + "serde", + "serde-value", + "serde_json", + "serde_path_to_error", + "serde_plain", + "serde_with", + "sha2", + "subtle", + "thiserror 1.0.69", + "url", +] + +[[package]] +name = "openssl" +version = "0.10.77" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bfe4646e360ec77dff7dde40ed3d6c5fee52d156ef4a62f53973d38294dad87f" +dependencies = [ + "bitflags", + "cfg-if", + "foreign-types", + "libc", + "once_cell", + "openssl-macros", + "openssl-sys", +] + +[[package]] +name = "openssl-macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "openssl-probe" version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe" +[[package]] +name = "openssl-sys" +version = "0.9.113" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ad2f2c0eba47118757e4c6d2bff2838f3e0523380021356e7875e858372ce644" +dependencies = [ + "cc", + "libc", + "pkg-config", + "vcpkg", +] + +[[package]] +name = "ordered-float" +version = "2.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "68f19d67e5a2795c94e73e0bb1cc1a7edeb2e28efd39e2e1c9b7a40c1108b11c" +dependencies = [ + "num-traits", +] + [[package]] name = "os_info" version = "3.14.0" @@ -2124,6 +2969,36 @@ dependencies = [ "windows-sys 0.61.2", ] +[[package]] +name = "p256" +version = "0.13.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b" +dependencies = [ + "ecdsa", + "elliptic-curve", + "primeorder", + "sha2", +] + +[[package]] +name = "p384" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fe42f1670a52a47d448f14b6a5c61dd78fce51856e68edaa38f7ae3a46b8d6b6" +dependencies = [ + "ecdsa", + "elliptic-curve", + "primeorder", + "sha2", +] + +[[package]] +name = "parking" +version = "2.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f38d5652c16fde515bb1ecef450ab0f6a219d619a7274976324d5e377f7dceba" + [[package]] name = "parking_lot" version = "0.12.5" @@ -2142,21 +3017,47 @@ checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1" dependencies = [ "cfg-if", "libc", - "redox_syscall", + "redox_syscall 0.5.18", "smallvec", "windows-link", ] +[[package]] +name = "password-hash" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166" +dependencies = [ + "base64ct", + "rand_core 0.6.4", + "subtle", +] + +[[package]] +name = "pastey" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "35fb2e5f958ec131621fdd531e9fc186ed768cbe395337403ae56c17a74c68ec" + [[package]] name = "pem" version = "3.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be" dependencies = [ - "base64", + "base64 0.22.1", "serde_core", ] +[[package]] +name = "pem-rfc7468" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412" +dependencies = [ + "base64ct", +] + [[package]] name = "percent-encoding" version = "2.3.2" @@ -2171,7 +3072,7 @@ checksum = "8701b58ea97060d5e5b155d383a69952a60943f0e6dfe30b04c287beb0b27455" dependencies = [ "fixedbitset", "hashbrown 0.15.5", - "indexmap", + "indexmap 2.14.0", ] [[package]] @@ -2252,12 +3153,39 @@ version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd" +[[package]] +name = "pkcs1" +version = "0.7.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f" +dependencies = [ + "der", + "pkcs8", + "spki", +] + +[[package]] +name = "pkcs8" +version = "0.10.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" +dependencies = [ + "der", + "spki", +] + [[package]] name = "pkg-config" version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c" +[[package]] +name = "plain" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b4596b6d070b27117e987119b4dac604f3c58cfb0b191112e24771b2faeac1a6" + [[package]] name = "polyval" version = "0.6.2" @@ -2316,6 +3244,15 @@ dependencies = [ "syn", ] +[[package]] +name = "primeorder" +version = "0.13.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6" +dependencies = [ + "elliptic-curve", +] + [[package]] name = "proc-macro2" version = "1.0.106" @@ -2342,7 +3279,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "343d3bd7056eda839b03204e68deff7d1b13aba7af2b2fd16890697274262ee7" dependencies = [ "heck", - "itertools", + "itertools 0.14.0", "log", "multimap", "petgraph", @@ -2363,7 +3300,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "27c6023962132f4b30eb4c172c91ce92d933da334c59c23cddee82358ddafb0b" dependencies = [ "anyhow", - "itertools", + "itertools 0.14.0", "proc-macro2", "quote", "syn", @@ -2568,7 +3505,7 @@ dependencies = [ "ring", "rustls-pki-types", "time", - "x509-parser", + "x509-parser 0.18.1", "yasna", ] @@ -2581,6 +3518,35 @@ dependencies = [ "bitflags", ] +[[package]] +name = "redox_syscall" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f450ad9c3b1da563fb6948a8e0fb0fb9269711c9c73d9ea1de5058c79c8d643a" +dependencies = [ + "bitflags", +] + +[[package]] +name = "ref-cast" +version = "1.0.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f354300ae66f76f1c85c5f84693f0ce81d747e2c3f21a45fef496d89c960bf7d" +dependencies = [ + "ref-cast-impl", +] + +[[package]] +name = "ref-cast-impl" +version = "1.0.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "regex" version = "1.12.3" @@ -2616,17 +3582,22 @@ version = "0.12.28" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147" dependencies = [ - "base64", + "base64 0.22.1", "bytes", + "encoding_rs", "futures-core", + "h2", "http", "http-body", "http-body-util", "hyper", "hyper-rustls", + "hyper-tls", "hyper-util", "js-sys", "log", + "mime", + "native-tls", "percent-encoding", "pin-project-lite", "quinn", @@ -2638,6 +3609,7 @@ dependencies = [ "serde_urlencoded", "sync_wrapper", "tokio", + "tokio-native-tls", "tokio-rustls", "tower", "tower-http", @@ -2648,6 +3620,16 @@ dependencies = [ "web-sys", ] +[[package]] +name = "rfc6979" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2" +dependencies = [ + "hmac", + "subtle", +] + [[package]] name = "ring" version = "0.17.14" @@ -2662,6 +3644,26 @@ dependencies = [ "windows-sys 0.52.0", ] +[[package]] +name = "rsa" +version = "0.9.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8573f03f5883dcaebdfcf4725caa1ecb9c15b2ef50c43a07b816e06799bb12d" +dependencies = [ + "const-oid", + "digest", + "num-bigint-dig", + "num-integer", + "num-traits", + "pkcs1", + "pkcs8", + "rand_core 0.6.4", + "signature", + "spki", + "subtle", + "zeroize", +] + [[package]] name = "rust-embed" version = "8.11.0" @@ -2703,6 +3705,15 @@ version = "2.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94300abf3f1ae2e2b8ffb7b58043de3d399c73fa6f4b73826402a5c457614dbe" +[[package]] +name = "rustc_version" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92" +dependencies = [ + "semver", +] + [[package]] name = "rusticata-macros" version = "4.1.0" @@ -2769,7 +3780,7 @@ version = "0.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1d99feebc72bae7ab76ba994bb5e121b8d83d910ca40b36e0921f53becc41784" dependencies = [ - "core-foundation", + "core-foundation 0.10.1", "core-foundation-sys", "jni", "log", @@ -2832,12 +3843,60 @@ dependencies = [ "windows-sys 0.61.2", ] +[[package]] +name = "schemars" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4cd191f9397d57d581cddd31014772520aa448f65ef991055d7f61582c65165f" +dependencies = [ + "dyn-clone", + "ref-cast", + "serde", + "serde_json", +] + +[[package]] +name = "schemars" +version = "1.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a2b42f36aa1cd011945615b92222f6bf73c599a102a300334cd7f8dbeec726cc" +dependencies = [ + "dyn-clone", + "ref-cast", + "serde", + "serde_json", +] + [[package]] name = "scopeguard" version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" +[[package]] +name = "sec1" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc" +dependencies = [ + "base16ct", + "der", + "generic-array", + "pkcs8", + "subtle", + "zeroize", +] + +[[package]] +name = "secrecy" +version = "0.10.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e891af845473308773346dc847b2c23ee78fe442e0472ac50e22a18a93d3ae5a" +dependencies = [ + "serde", + "zeroize", +] + [[package]] name = "security-framework" version = "3.7.0" @@ -2845,7 +3904,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d" dependencies = [ "bitflags", - "core-foundation", + "core-foundation 0.10.1", "core-foundation-sys", "libc", "security-framework-sys", @@ -2881,6 +3940,26 @@ dependencies = [ "serde_derive", ] +[[package]] +name = "serde-value" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c" +dependencies = [ + "ordered-float", + "serde", +] + +[[package]] +name = "serde_cbor_2" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "34aec2709de9078e077090abd848e967abab63c9fb3fdb5d4799ad359d8d482c" +dependencies = [ + "half", + "serde", +] + [[package]] name = "serde_core" version = "1.0.228" @@ -2925,6 +4004,15 @@ dependencies = [ "serde_core", ] +[[package]] +name = "serde_plain" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ce1fc6db65a611022b23a0dec6975d63fb80a302cb3388835ff02c097258d50" +dependencies = [ + "serde", +] + [[package]] name = "serde_spanned" version = "1.1.1" @@ -2946,6 +4034,37 @@ dependencies = [ "serde", ] +[[package]] +name = "serde_with" +version = "3.18.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dd5414fad8e6907dbdd5bc441a50ae8d6e26151a03b1de04d89a5576de61d01f" +dependencies = [ + "base64 0.22.1", + "chrono", + "hex", + "indexmap 1.9.3", + "indexmap 2.14.0", + "schemars 0.9.0", + "schemars 1.2.1", + "serde_core", + "serde_json", + "serde_with_macros", + "time", +] + +[[package]] +name = "serde_with_macros" +version = "3.18.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3db8978e608f1fe7357e211969fd9abdcae80bac1ba7a3369bb7eb6b404eb65" +dependencies = [ + "darling 0.23.0", + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "sha1" version = "0.10.6" @@ -2983,12 +4102,34 @@ version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" +[[package]] +name = "signature" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de" +dependencies = [ + "digest", + "rand_core 0.6.4", +] + [[package]] name = "simd-adler32" version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "703d5c7ef118737c72f1af64ad2f6f8c5e1921f818cdcb97b8fe6fc69bf66214" +[[package]] +name = "simple_asn1" +version = "0.6.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0d585997b0ac10be3c5ee635f1bab02d512760d14b7c468801ac8a01d9ae5f1d" +dependencies = [ + "num-bigint", + "num-traits", + "thiserror 2.0.18", + "time", +] + [[package]] name = "siphasher" version = "1.0.2" @@ -3006,24 +4147,245 @@ name = "smallvec" version = "1.15.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03" +dependencies = [ + "serde", +] + +[[package]] +name = "socket2" +version = "0.6.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e" +dependencies = [ + "libc", + "windows-sys 0.61.2", +] + +[[package]] +name = "spin" +version = "0.9.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" +dependencies = [ + "lock_api", +] + +[[package]] +name = "spinning_top" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d96d2d1d716fb500937168cc09353ffdc7a012be8475ac7308e1bdf0e3923300" +dependencies = [ + "lock_api", +] + +[[package]] +name = "spki" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d" +dependencies = [ + "base64ct", + "der", +] + +[[package]] +name = "sqlx" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1fefb893899429669dcdd979aff487bd78f4064e5e7907e4269081e0ef7d97dc" +dependencies = [ + "sqlx-core", + "sqlx-macros", + "sqlx-mysql", + "sqlx-postgres", + "sqlx-sqlite", +] + +[[package]] +name = "sqlx-core" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ee6798b1838b6a0f69c007c133b8df5866302197e404e8b6ee8ed3e3a5e68dc6" +dependencies = [ + "base64 0.22.1", + "bytes", + "chrono", + "crc", + "crossbeam-queue", + "either", + "event-listener", + "futures-core", + "futures-intrusive", + "futures-io", + "futures-util", + "hashbrown 0.15.5", + "hashlink", + "indexmap 2.14.0", + "ipnetwork", + "log", + "memchr", + "native-tls", + "once_cell", + "percent-encoding", + "serde", + "serde_json", + "sha2", + "smallvec", + "thiserror 2.0.18", + "tokio", + "tokio-stream", + "tracing", + "url", + "uuid", +] + +[[package]] +name = "sqlx-macros" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a2d452988ccaacfbf5e0bdbc348fb91d7c8af5bee192173ac3636b5fb6e6715d" +dependencies = [ + "proc-macro2", + "quote", + "sqlx-core", + "sqlx-macros-core", + "syn", +] + +[[package]] +name = "sqlx-macros-core" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "19a9c1841124ac5a61741f96e1d9e2ec77424bf323962dd894bdb93f37d5219b" +dependencies = [ + "dotenvy", + "either", + "heck", + "hex", + "once_cell", + "proc-macro2", + "quote", + "serde", + "serde_json", + "sha2", + "sqlx-core", + "sqlx-mysql", + "sqlx-postgres", + "sqlx-sqlite", + "syn", + "tokio", + "url", +] + +[[package]] +name = "sqlx-mysql" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "aa003f0038df784eb8fecbbac13affe3da23b45194bd57dba231c8f48199c526" +dependencies = [ + "atoi", + "base64 0.22.1", + "bitflags", + "byteorder", + "bytes", + "chrono", + "crc", + "digest", + "dotenvy", + "either", + "futures-channel", + "futures-core", + "futures-io", + "futures-util", + "generic-array", + "hex", + "hkdf", + "hmac", + "itoa", + "log", + "md-5", + "memchr", + "once_cell", + "percent-encoding", + "rand 0.8.5", + "rsa", + "serde", + "sha1", + "sha2", + "smallvec", + "sqlx-core", + "stringprep", + "thiserror 2.0.18", + "tracing", + "uuid", + "whoami", +] [[package]] -name = "socket2" -version = "0.6.3" +name = "sqlx-postgres" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e" +checksum = "db58fcd5a53cf07c184b154801ff91347e4c30d17a3562a635ff028ad5deda46" dependencies = [ - "libc", - "windows-sys 0.61.2", + "atoi", + "base64 0.22.1", + "bitflags", + "byteorder", + "chrono", + "crc", + "dotenvy", + "etcetera", + "futures-channel", + "futures-core", + "futures-util", + "hex", + "hkdf", + "hmac", + "home", + "ipnetwork", + "itoa", + "log", + "md-5", + "memchr", + "once_cell", + "rand 0.8.5", + "serde", + "serde_json", + "sha2", + "smallvec", + "sqlx-core", + "stringprep", + "thiserror 2.0.18", + "tracing", + "uuid", + "whoami", ] [[package]] -name = "spinning_top" -version = "0.3.0" +name = "sqlx-sqlite" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d96d2d1d716fb500937168cc09353ffdc7a012be8475ac7308e1bdf0e3923300" +checksum = "c2d12fe70b2c1b4401038055f90f151b78208de1f9f89a7dbfd41587a10c3eea" dependencies = [ - "lock_api", + "atoi", + "chrono", + "flume", + "futures-channel", + "futures-core", + "futures-executor", + "futures-intrusive", + "futures-util", + "libsqlite3-sys", + "log", + "percent-encoding", + "serde", + "serde_urlencoded", + "sqlx-core", + "thiserror 2.0.18", + "tracing", + "url", + "uuid", ] [[package]] @@ -3057,12 +4419,43 @@ dependencies = [ "quote", ] +[[package]] +name = "stringprep" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b4df3d392d81bd458a8a621b8bffbd2302a12ffe288a9d931670948749463b1" +dependencies = [ + "unicode-bidi", + "unicode-normalization", + "unicode-properties", +] + [[package]] name = "strsim" version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" +[[package]] +name = "struct-patch" +version = "0.10.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "16d4caaaccd69c9b56c5f5b33d4dca462464d3275230e4d2d3739ba6d4bf5bcb" +dependencies = [ + "struct-patch-derive", +] + +[[package]] +name = "struct-patch-derive" +version = "0.10.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1671c6f0992b1b4cb4f5f8ea4a58f9a5f7f895a7638ef9690633dcec0aa67944" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "subtle" version = "2.6.1" @@ -3100,6 +4493,27 @@ dependencies = [ "syn", ] +[[package]] +name = "system-configuration" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b" +dependencies = [ + "bitflags", + "core-foundation 0.9.4", + "system-configuration-sys", +] + +[[package]] +name = "system-configuration-sys" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "tempfile" version = "3.27.0" @@ -3240,6 +4654,7 @@ dependencies = [ "bytes", "libc", "mio", + "parking_lot", "pin-project-lite", "socket2", "tokio-macros", @@ -3257,6 +4672,16 @@ dependencies = [ "syn", ] +[[package]] +name = "tokio-native-tls" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2" +dependencies = [ + "native-tls", + "tokio", +] + [[package]] name = "tokio-rustls" version = "0.26.4" @@ -3342,7 +4767,7 @@ checksum = "fec7c61a0695dc1887c1b53952990f3ad2e3a31453e1f49f10e75424943a93ec" dependencies = [ "async-trait", "axum", - "base64", + "base64 0.22.1", "bytes", "flate2", "h2", @@ -3405,6 +4830,18 @@ dependencies = [ "tonic-build", ] +[[package]] +name = "totp-lite" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8e43134db17199f7f721803383ac5854edd0d3d523cc34dba321d6acfbe76c3" +dependencies = [ + "digest", + "hmac", + "sha1", + "sha2", +] + [[package]] name = "tower" version = "0.5.3" @@ -3413,7 +4850,7 @@ checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4" dependencies = [ "futures-core", "futures-util", - "indexmap", + "indexmap 2.14.0", "pin-project-lite", "slab", "sync_wrapper", @@ -3578,12 +5015,33 @@ version = "2.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dbc4bc3a9f746d862c45cb89d705aa10f187bb96c76001afab07a0d35ce60142" +[[package]] +name = "unicode-bidi" +version = "0.3.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c1cb5db39152898a79168971543b1cb5020dff7fe43c8dc468b0885f5e29df5" + [[package]] name = "unicode-ident" version = "1.0.24" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75" +[[package]] +name = "unicode-normalization" +version = "0.1.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5fd4f6878c9cb28d874b009da9e8d183b5abc80117c40bbd187a1fde336be6e8" +dependencies = [ + "tinyvec", +] + +[[package]] +name = "unicode-properties" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7df058c713841ad818f1dc5d3fd88063241cc61f49f5fbea4b951e8cf5a8d71d" + [[package]] name = "unicode-xid" version = "0.2.6" @@ -3643,6 +5101,43 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" +[[package]] +name = "utoipa" +version = "5.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2fcc29c80c21c31608227e0912b2d7fddba57ad76b606890627ba8ee7964e993" +dependencies = [ + "indexmap 2.14.0", + "serde", + "serde_json", + "utoipa-gen", +] + +[[package]] +name = "utoipa-gen" +version = "5.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6d79d08d92ab8af4c5e8a6da20c47ae3f61a0f1dabc1997cdf2d082b757ca08b" +dependencies = [ + "proc-macro2", + "quote", + "regex", + "syn", + "uuid", +] + +[[package]] +name = "uuid" +version = "1.23.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ddd74a9687298c6858e9b88ec8935ec45d22e8fd5e6394fa1bd4e99a87789c76" +dependencies = [ + "getrandom 0.4.2", + "js-sys", + "serde_core", + "wasm-bindgen", +] + [[package]] name = "valuable" version = "0.1.1" @@ -3743,6 +5238,12 @@ dependencies = [ "wit-bindgen", ] +[[package]] +name = "wasite" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b" + [[package]] name = "wasm-bindgen" version = "0.2.117" @@ -3815,7 +5316,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909" dependencies = [ "anyhow", - "indexmap", + "indexmap 2.14.0", "wasm-encoder", "wasmparser", ] @@ -3828,7 +5329,7 @@ checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe" dependencies = [ "bitflags", "hashbrown 0.15.5", - "indexmap", + "indexmap 2.14.0", "semver", ] @@ -3864,6 +5365,74 @@ dependencies = [ "string_cache_codegen", ] +[[package]] +name = "webauthn-attestation-ca" +version = "0.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fafcf13f7dc1fb292ed4aea22cdd3757c285d7559e9748950ee390249da4da6b" +dependencies = [ + "base64urlsafedata", + "openssl", + "openssl-sys", + "serde", + "tracing", + "uuid", +] + +[[package]] +name = "webauthn-rs" +version = "0.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1b24d082d3360258fefb6ffe56123beef7d6868c765c779f97b7a2fcf06727f8" +dependencies = [ + "base64urlsafedata", + "serde", + "tracing", + "url", + "uuid", + "webauthn-rs-core", +] + +[[package]] +name = "webauthn-rs-core" +version = "0.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "15784340a24c170ce60567282fb956a0938742dbfbf9eff5df793a686a009b8b" +dependencies = [ + "base64 0.21.7", + "base64urlsafedata", + "der-parser 9.0.0", + "hex", + "nom", + "openssl", + "openssl-sys", + "rand 0.9.2", + "rand_chacha 0.9.0", + "serde", + "serde_cbor_2", + "serde_json", + "thiserror 1.0.69", + "tracing", + "url", + "uuid", + "webauthn-attestation-ca", + "webauthn-rs-proto", + "x509-parser 0.16.0", +] + +[[package]] +name = "webauthn-rs-proto" +version = "0.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "16a1fb2580ce73baa42d3011a24de2ceab0d428de1879ece06e02e8c416e497c" +dependencies = [ + "base64 0.21.7", + "base64urlsafedata", + "serde", + "serde_json", + "url", +] + [[package]] name = "webpki-root-certs" version = "1.0.6" @@ -3873,6 +5442,16 @@ dependencies = [ "rustls-pki-types", ] +[[package]] +name = "whoami" +version = "1.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5d4a4db5077702ca3015d3d02d74974948aba2ad9e12ab7df718ee64ccd7e97d" +dependencies = [ + "libredox", + "wasite", +] + [[package]] name = "winapi" version = "0.3.9" @@ -3945,6 +5524,17 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5" +[[package]] +name = "windows-registry" +version = "0.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "02752bf7fbdcce7f2a27a742f798510f3e5ad88dbe84871e5168e2120c3d5720" +dependencies = [ + "windows-link", + "windows-result", + "windows-strings", +] + [[package]] name = "windows-result" version = "0.4.1" @@ -3972,6 +5562,15 @@ dependencies = [ "windows-targets 0.42.2", ] +[[package]] +name = "windows-sys" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" +dependencies = [ + "windows-targets 0.48.5", +] + [[package]] name = "windows-sys" version = "0.52.0" @@ -4014,6 +5613,21 @@ dependencies = [ "windows_x86_64_msvc 0.42.2", ] +[[package]] +name = "windows-targets" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" +dependencies = [ + "windows_aarch64_gnullvm 0.48.5", + "windows_aarch64_msvc 0.48.5", + "windows_i686_gnu 0.48.5", + "windows_i686_msvc 0.48.5", + "windows_x86_64_gnu 0.48.5", + "windows_x86_64_gnullvm 0.48.5", + "windows_x86_64_msvc 0.48.5", +] + [[package]] name = "windows-targets" version = "0.52.6" @@ -4053,6 +5667,12 @@ version = "0.42.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8" +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" + [[package]] name = "windows_aarch64_gnullvm" version = "0.52.6" @@ -4071,6 +5691,12 @@ version = "0.42.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43" +[[package]] +name = "windows_aarch64_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" + [[package]] name = "windows_aarch64_msvc" version = "0.52.6" @@ -4089,6 +5715,12 @@ version = "0.42.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f" +[[package]] +name = "windows_i686_gnu" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" + [[package]] name = "windows_i686_gnu" version = "0.52.6" @@ -4119,6 +5751,12 @@ version = "0.42.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060" +[[package]] +name = "windows_i686_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" + [[package]] name = "windows_i686_msvc" version = "0.52.6" @@ -4137,6 +5775,12 @@ version = "0.42.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36" +[[package]] +name = "windows_x86_64_gnu" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" + [[package]] name = "windows_x86_64_gnu" version = "0.52.6" @@ -4155,6 +5799,12 @@ version = "0.42.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3" +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" + [[package]] name = "windows_x86_64_gnullvm" version = "0.52.6" @@ -4173,6 +5823,12 @@ version = "0.42.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0" +[[package]] +name = "windows_x86_64_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" + [[package]] name = "windows_x86_64_msvc" version = "0.52.6" @@ -4219,7 +5875,7 @@ checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21" dependencies = [ "anyhow", "heck", - "indexmap", + "indexmap 2.14.0", "prettyplease", "syn", "wasm-metadata", @@ -4250,7 +5906,7 @@ checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2" dependencies = [ "anyhow", "bitflags", - "indexmap", + "indexmap 2.14.0", "log", "serde", "serde_derive", @@ -4269,7 +5925,7 @@ checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736" dependencies = [ "anyhow", "id-arena", - "indexmap", + "indexmap 2.14.0", "log", "semver", "serde", @@ -4285,19 +5941,48 @@ version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1ffae5123b2d3fc086436f8834ae3ab053a283cfac8fe0a0b8eaae044768a4c4" +[[package]] +name = "x25519-dalek" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c7e468321c81fb07fa7f4c636c3972b9100f0346e5b6a9f2bd0603a52f7ed277" +dependencies = [ + "curve25519-dalek", + "rand_core 0.6.4", + "serde", + "zeroize", +] + +[[package]] +name = "x509-parser" +version = "0.16.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fcbc162f30700d6f3f82a24bf7cc62ffe7caea42c0b2cba8bf7f3ae50cf51f69" +dependencies = [ + "asn1-rs 0.6.2", + "data-encoding", + "der-parser 9.0.0", + "lazy_static", + "nom", + "oid-registry 0.7.1", + "rusticata-macros", + "thiserror 1.0.69", + "time", +] + [[package]] name = "x509-parser" version = "0.18.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d43b0f71ce057da06bc0851b23ee24f3f86190b07203dd8f567d0b706a185202" dependencies = [ - "asn1-rs", + "asn1-rs 0.7.1", "aws-lc-rs", "data-encoding", - "der-parser", + "der-parser 10.0.0", "lazy_static", "nom", - "oid-registry", + "oid-registry 0.8.1", "ring", "rusticata-macros", "thiserror 2.0.18", @@ -4382,6 +6067,20 @@ name = "zeroize" version = "1.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0" +dependencies = [ + "zeroize_derive", +] + +[[package]] +name = "zeroize_derive" +version = "1.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "85a5b4158499876c763cb03bc4e49185d3cccbabb15b33c627f7884f43db852e" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] [[package]] name = "zerotrie" diff --git a/Cargo.toml b/Cargo.toml index 4054925..6d495f7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -8,6 +8,7 @@ repository = "https://github.com/DefGuard/proxy" [dependencies] defguard_certs = { git = "https://github.com/DefGuard/defguard.git", rev = "564dc72c" } +defguard_grpc_tls = { git = "https://github.com/DefGuard/defguard.git", rev = "9e1054e3" } defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "7d28f46e" } rustls-webpki = { version = "0.103", features = ["aws-lc-rs", "std"] } rustls-pki-types = "1" diff --git a/src/grpc.rs b/src/grpc.rs index c3ab634..6a50274 100644 --- a/src/grpc.rs +++ b/src/grpc.rs @@ -11,6 +11,8 @@ use std::{ }; use axum_extra::extract::cookie::Key; +use defguard_certs::CertificateInfo; +use defguard_grpc_tls::server::certificate_serial_interceptor; use defguard_version::{ ComponentInfo, DefguardComponent, Version, get_tracing_variables, server::{DefguardVersionLayer, grpc::DefguardVersionInterceptor}, @@ -22,7 +24,8 @@ use tokio::{ use tokio_stream::wrappers::UnboundedReceiverStream; use tonic::{ Request, Response, Status, Streaming, - transport::{Identity, Server, ServerTlsConfig}, + service::InterceptorLayer, + transport::{Certificate, Identity, Server, ServerTlsConfig}, }; use tower::ServiceBuilder; use tracing::Instrument; @@ -113,7 +116,7 @@ impl ProxyServer { *lock = Some(config); } - pub(crate) fn get_configuration(&self) -> Option { + pub(crate) fn get_tls_config(&self) -> Option { let lock = self .tls_config .lock() @@ -126,19 +129,25 @@ impl ProxyServer { F: Future + Send + 'static, { info!("Starting gRPC server on {addr}"); - let config = self.get_configuration(); - let (grpc_cert, grpc_key) = if let Some(cfg) = config { - (cfg.grpc_cert_pem, cfg.grpc_key_pem) - } else { - return Err(anyhow::anyhow!("gRPC server configuration is missing")); - }; + let tls_config = self + .get_tls_config() + .ok_or_else(|| anyhow::anyhow!("gRPC server TLS configuration is missing"))?; + + // Extract Core client cert serial for pinning (None in no-TLS mode). + let expected_serial = CertificateInfo::from_der(&tls_config.core_client_cert_der) + .expect("core client cert DER stored in TlsConfig must be valid") + .serial; - let identity = Identity::from_pem(grpc_cert, grpc_key); - let mut builder = - Server::builder().tls_config(ServerTlsConfig::new().identity(identity))?; + let identity = Identity::from_pem(&tls_config.grpc_cert_pem, &tls_config.grpc_key_pem); + let ca = Certificate::from_pem(&tls_config.grpc_ca_cert_pem); + let mut builder = Server::builder() + .tls_config(ServerTlsConfig::new().identity(identity).client_ca_root(ca))?; let own_version = Version::parse(VERSION)?; let versioned_service = ServiceBuilder::new() + .layer(InterceptorLayer::new(certificate_serial_interceptor(Some( + expected_serial, + )))) .layer(tonic::service::InterceptorLayer::new( DefguardVersionInterceptor::new( own_version.clone(), From 390bfbb5a194b39e4d0240b44627c24c2ef2b804 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 16 Apr 2026 09:59:38 +0200 Subject: [PATCH 11/17] update interceptor signature --- Cargo.lock | 6 +++--- Cargo.toml | 2 +- src/grpc.rs | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0dc5bee..a46935d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -965,7 +965,7 @@ dependencies = [ [[package]] name = "defguard_common" version = "2.0.0" -source = "git+https://github.com/DefGuard/defguard.git?rev=9e1054e3#9e1054e34b479dd978baec19bb8024ee15865f22" +source = "git+https://github.com/DefGuard/defguard.git?rev=cb7231f5#cb7231f5f0e72ddead5aa162e09047939fa1939f" dependencies = [ "anyhow", "argon2", @@ -1005,7 +1005,7 @@ dependencies = [ [[package]] name = "defguard_grpc_tls" version = "0.0.0" -source = "git+https://github.com/DefGuard/defguard.git?rev=9e1054e3#9e1054e34b479dd978baec19bb8024ee15865f22" +source = "git+https://github.com/DefGuard/defguard.git?rev=cb7231f5#cb7231f5f0e72ddead5aa162e09047939fa1939f" dependencies = [ "defguard_common", "http", @@ -2505,7 +2505,7 @@ dependencies = [ [[package]] name = "model_derive" version = "0.0.0" -source = "git+https://github.com/DefGuard/defguard.git?rev=9e1054e3#9e1054e34b479dd978baec19bb8024ee15865f22" +source = "git+https://github.com/DefGuard/defguard.git?rev=cb7231f5#cb7231f5f0e72ddead5aa162e09047939fa1939f" dependencies = [ "quote", "syn", diff --git a/Cargo.toml b/Cargo.toml index 6d495f7..bd581d7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -8,7 +8,7 @@ repository = "https://github.com/DefGuard/proxy" [dependencies] defguard_certs = { git = "https://github.com/DefGuard/defguard.git", rev = "564dc72c" } -defguard_grpc_tls = { git = "https://github.com/DefGuard/defguard.git", rev = "9e1054e3" } +defguard_grpc_tls = { git = "https://github.com/DefGuard/defguard.git", rev = "cb7231f5" } defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "7d28f46e" } rustls-webpki = { version = "0.103", features = ["aws-lc-rs", "std"] } rustls-pki-types = "1" diff --git a/src/grpc.rs b/src/grpc.rs index 6a50274..d9fca12 100644 --- a/src/grpc.rs +++ b/src/grpc.rs @@ -145,9 +145,9 @@ impl ProxyServer { let own_version = Version::parse(VERSION)?; let versioned_service = ServiceBuilder::new() - .layer(InterceptorLayer::new(certificate_serial_interceptor(Some( + .layer(InterceptorLayer::new(certificate_serial_interceptor( expected_serial, - )))) + ))) .layer(tonic::service::InterceptorLayer::new( DefguardVersionInterceptor::new( own_version.clone(), From 98044103a31717ae1713a4a8c6e60ed13a13f944 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 16 Apr 2026 13:45:53 +0200 Subject: [PATCH 12/17] add basic mtls tests --- Cargo.lock | 11 ++ Cargo.toml | 3 + src/lib.rs | 3 + src/tests/mod.rs | 1 + src/tests/mtls.rs | 337 ++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 355 insertions(+) create mode 100644 src/tests/mod.rs create mode 100644 src/tests/mtls.rs diff --git a/Cargo.lock b/Cargo.lock index a46935d..670a7f7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4102,6 +4102,16 @@ version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" +[[package]] +name = "signal-hook-registry" +version = "1.4.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b" +dependencies = [ + "errno", + "libc", +] + [[package]] name = "signature" version = "2.2.0" @@ -4656,6 +4666,7 @@ dependencies = [ "mio", "parking_lot", "pin-project-lite", + "signal-hook-registry", "socket2", "tokio-macros", "windows-sys 0.61.2", diff --git a/Cargo.toml b/Cargo.toml index bd581d7..3ed1cd0 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -64,6 +64,9 @@ rustls = { version = "0.23", default-features = false, features = [ instant-acme = { version = "0.8", features = ["hyper-rustls", "aws-lc-rs"] } reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "json"] } +[dev-dependencies] +tokio = { version = "1", features = ["full"] } + [build-dependencies] tonic-prost-build = "0.14" vergen-git2 = { version = "9.1", features = ["build"] } diff --git a/src/lib.rs b/src/lib.rs index fd8db9f..dd35f8d 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -16,6 +16,9 @@ pub mod http; pub mod logging; mod setup; +#[cfg(test)] +mod tests; + pub(crate) mod generated { pub(crate) mod defguard { pub(crate) mod proxy { diff --git a/src/tests/mod.rs b/src/tests/mod.rs new file mode 100644 index 0000000..cd5c868 --- /dev/null +++ b/src/tests/mod.rs @@ -0,0 +1 @@ +mod mtls; diff --git a/src/tests/mtls.rs b/src/tests/mtls.rs new file mode 100644 index 0000000..413d92b --- /dev/null +++ b/src/tests/mtls.rs @@ -0,0 +1,337 @@ +use std::{ + env::temp_dir, + net::{SocketAddr, TcpListener}, + sync::{Arc, RwLock}, + time::Duration, +}; + +use axum_extra::extract::cookie::Key; +use defguard_certs::{ + CertificateAuthority, Csr, PemLabel, cert_der_to_pem, der_to_pem, generate_key_pair, +}; +use futures_util::stream; +use rustls::crypto::aws_lc_rs; +use tokio::{ + spawn, + sync::{Mutex, broadcast, mpsc, oneshot}, + time::sleep, +}; +use tonic::{ + Code, Request, Status, + transport::{Certificate, Channel, ClientTlsConfig, Endpoint, Identity}, +}; + +use crate::grpc::{ProxyServer, TlsConfig}; +use crate::proto::{CoreResponse, proxy_client::ProxyClient}; + +struct TestCerts { + /// PEM-encoded CA certificate (used as the trust root for both server and client validation). + ca_cert_pem: String, + /// PEM-encoded proxy gRPC server certificate (ServerAuth EKU, IP SAN 127.0.0.1). + proxy_cert_pem: String, + /// PEM-encoded proxy gRPC server private key. + proxy_key_pem: String, + /// DER-encoded Core client certificate (serial A — matches what the server pins). + core_client_cert_der: Vec, + /// PEM-encoded Core client certificate (serial A). + core_client_cert_pem: String, + /// PEM-encoded Core client private key (serial A). + core_client_key_pem: String, + /// PEM-encoded client cert with serial B — valid CA but different serial. + wrong_serial_cert_pem: String, + /// PEM-encoded private key for the serial-B cert. + wrong_serial_key_pem: String, + /// PEM-encoded client cert signed by a completely different (rogue) CA. + rogue_client_cert_pem: String, + /// PEM-encoded private key for the rogue cert. + rogue_client_key_pem: String, +} + +impl TestCerts { + fn generate() -> Self { + // Trust-anchor CA + let ca = CertificateAuthority::new("Test CA", "test@test.local", 365).unwrap(); + let ca_cert_pem = ca.cert_pem().unwrap(); + + // Proxy server cert: ServerAuth EKU, IP SAN 127.0.0.1 + let proxy_key = generate_key_pair().unwrap(); + let proxy_csr = Csr::new(&proxy_key, &["127.0.0.1".to_string()], vec![]).unwrap(); + let proxy_server_cert = ca.sign_server_cert(&proxy_csr).unwrap(); + let proxy_cert_pem = cert_der_to_pem(proxy_server_cert.der()).unwrap(); + let proxy_key_pem = der_to_pem(proxy_key.serialized_der(), PemLabel::PrivateKey).unwrap(); + + // Core client cert A — the "good" serial that the server will pin + let client_a = ca.issue_core_client_cert("core-client-a").unwrap(); + let core_client_cert_der = client_a.cert_der.clone(); + let core_client_cert_pem = cert_der_to_pem(&client_a.cert_der).unwrap(); + let core_client_key_pem = der_to_pem(&client_a.key_der, PemLabel::PrivateKey).unwrap(); + + // Core client cert B — different cert (different serial) but same CA + let client_b = ca.issue_core_client_cert("core-client-b").unwrap(); + let wrong_serial_cert_pem = cert_der_to_pem(&client_b.cert_der).unwrap(); + let wrong_serial_key_pem = der_to_pem(&client_b.key_der, PemLabel::PrivateKey).unwrap(); + + // Rogue CA + client cert — different trust chain entirely + let rogue_ca = CertificateAuthority::new("Rogue CA", "rogue@rogue.local", 365).unwrap(); + let rogue_client = rogue_ca.issue_core_client_cert("rogue-core").unwrap(); + let rogue_client_cert_pem = cert_der_to_pem(&rogue_client.cert_der).unwrap(); + let rogue_client_key_pem = der_to_pem(&rogue_client.key_der, PemLabel::PrivateKey).unwrap(); + + Self { + ca_cert_pem, + proxy_cert_pem, + proxy_key_pem, + core_client_cert_der, + core_client_cert_pem, + core_client_key_pem, + wrong_serial_cert_pem, + wrong_serial_key_pem, + rogue_client_cert_pem, + rogue_client_key_pem, + } + } +} + +fn make_tls_config(certs: &TestCerts) -> TlsConfig { + TlsConfig { + grpc_key_pem: certs.proxy_key_pem.clone(), + grpc_cert_pem: certs.proxy_cert_pem.clone(), + grpc_ca_cert_pem: certs.ca_cert_pem.clone(), + core_client_cert_der: certs.core_client_cert_der.clone(), + } +} + +fn build_proxy_server() -> ProxyServer { + let (reset_tx, _) = broadcast::channel(1); + let (https_cert_tx, _) = broadcast::channel(1); + let (clear_https_tx, _) = broadcast::channel(1); + let (_, logs_rx) = mpsc::channel(1); + let cookie_key = Arc::new(RwLock::new(Some(Key::generate()))); + ProxyServer::new( + cookie_key, + temp_dir(), + reset_tx, + https_cert_tx, + clear_https_tx, + None, + Arc::new(Mutex::new(logs_rx)), + false, + ) +} + +/// Install the rustls AWS-LC crypto provider for the process. +/// +/// Must be called before any TLS code runs. Safe to call from multiple tests — +/// subsequent calls after the first succeed-or-fail are silently ignored. +fn init_crypto() { + let _ = aws_lc_rs::default_provider().install_default(); +} + +/// Spawn a configured `ProxyServer` on an OS-assigned port. +/// +/// Returns `(bound_addr, shutdown_tx)`. Drop / send `shutdown_tx` to stop the server. +async fn spawn_test_proxy(certs: &TestCerts) -> (SocketAddr, oneshot::Sender<()>) { + let server = build_proxy_server(); + server.configure(make_tls_config(certs)); + + // Find a free port, drop the listener, pass the addr to run(). + // The small race window is acceptable in test context. + let addr = TcpListener::bind("127.0.0.1:0") + .unwrap() + .local_addr() + .unwrap(); + + let (shutdown_tx, shutdown_rx) = oneshot::channel::<()>(); + spawn(async move { + let _ = server + .run(addr, async move { + let _ = shutdown_rx.await; + }) + .await; + }); + + // Give tonic time to bind and start serving. + sleep(Duration::from_millis(150)).await; + + (addr, shutdown_tx) +} + +/// Build a tonic `ProxyClient` using the given CA and optional client identity. +/// +/// `client_identity` is `Some((cert_pem, key_pem))` for mTLS; `None` for no client cert. +async fn connect( + addr: SocketAddr, + ca_cert_pem: &str, + client_identity: Option<(&str, &str)>, +) -> Result, tonic::transport::Error> { + let mut tls = ClientTlsConfig::new().ca_certificate(Certificate::from_pem(ca_cert_pem)); + + if let Some((cert_pem, key_pem)) = client_identity { + tls = tls.identity(Identity::from_pem(cert_pem, key_pem)); + } + + let channel = Endpoint::from_shared(format!("https://127.0.0.1:{}", addr.port())) + .unwrap() + .tls_config(tls)? + .connect() + .await?; + + Ok(ProxyClient::new(channel)) +} + +/// Open a `bidi` streaming call with an empty request stream and return the status code. +/// +/// The stream body is irrelevant — we only care whether the mTLS + serial-pin interceptors +/// accept or reject the connection. +async fn call_bidi(client: &mut ProxyClient) -> Status { + let empty: Vec = vec![]; + match client.bidi(Request::new(stream::iter(empty))).await { + Ok(_) => Status::ok("accepted"), + Err(status) => status, + } +} + +/// `run()` must return `Err` immediately when no `TlsConfig` has been set. +#[tokio::test] +async fn run_errors_without_tls_config() { + let server = build_proxy_server(); + // configure() is deliberately NOT called. + let addr: SocketAddr = "127.0.0.1:0".parse().unwrap(); + let result = server + .run(addr, futures_util::future::pending::<()>()) + .await; + assert!(result.is_err(), "expected Err, got Ok"); + assert!( + result + .unwrap_err() + .to_string() + .contains("TLS configuration is missing"), + "unexpected error message", + ); +} + +/// A client presenting the correct CA-signed cert with the expected serial must be accepted. +/// +/// The `bidi` call may be rejected by the version interceptor (no version headers are sent), +/// but it must NOT be rejected with `Unauthenticated` — that would indicate the mTLS layer +/// or serial-pin interceptor wrongly rejected the cert. +#[tokio::test] +async fn valid_mtls_client_accepted() { + init_crypto(); + let certs = TestCerts::generate(); + let (addr, shutdown_tx) = spawn_test_proxy(&certs).await; + + let mut client = connect( + addr, + &certs.ca_cert_pem, + Some((&certs.core_client_cert_pem, &certs.core_client_key_pem)), + ) + .await + .expect("TLS handshake should succeed with valid client cert"); + + let status = call_bidi(&mut client).await; + + assert_ne!( + status.code(), + Code::Unauthenticated, + "valid client cert should not be rejected; got: {status}", + ); + + let _ = shutdown_tx.send(()); +} + +/// A client that presents no certificate must be rejected at the TLS layer. +#[tokio::test] +async fn no_client_cert_rejected() { + init_crypto(); + let certs = TestCerts::generate(); + let (addr, shutdown_tx) = spawn_test_proxy(&certs).await; + + // connect() is lazy in tonic — it doesn't perform the TLS handshake until the first RPC. + // We must make an RPC call to actually trigger the handshake and observe the rejection. + let Ok(mut client) = connect(addr, &certs.ca_cert_pem, None).await else { + // If connect() fails eagerly, that also counts as rejection. + let _ = shutdown_tx.send(()); + return; + }; + + let empty: Vec = vec![]; + let result = client.bidi(Request::new(stream::iter(empty))).await; + + assert!( + result.is_err(), + "connecting without a client cert should be rejected", + ); + + let _ = shutdown_tx.send(()); +} + +/// A client presenting a cert from the correct CA but with the wrong serial must be rejected +/// by the serial-pin interceptor with `Unauthenticated`. +#[tokio::test] +async fn wrong_serial_rejected() { + init_crypto(); + let certs = TestCerts::generate(); + let (addr, shutdown_tx) = spawn_test_proxy(&certs).await; + + // This cert is valid (signed by the CA the server trusts) but has a different serial. + let mut client = connect( + addr, + &certs.ca_cert_pem, + Some((&certs.wrong_serial_cert_pem, &certs.wrong_serial_key_pem)), + ) + .await + .expect("TLS handshake should succeed; the serial check runs as a gRPC interceptor"); + + let status = call_bidi(&mut client).await; + + assert_eq!( + status.code(), + Code::Unauthenticated, + "wrong-serial cert must be rejected with Unauthenticated; got: {status}", + ); + + let _ = shutdown_tx.send(()); +} + +/// A client presenting a cert signed by a different (rogue) CA must be rejected at the TLS +/// layer because the server does not trust that CA. +#[tokio::test] +async fn rogue_ca_client_rejected() { + init_crypto(); + let certs = TestCerts::generate(); + let (addr, shutdown_tx) = spawn_test_proxy(&certs).await; + + // connect() is lazy in tonic — the TLS handshake happens on the first RPC. + let Ok(mut client) = connect( + addr, + &certs.ca_cert_pem, + Some((&certs.rogue_client_cert_pem, &certs.rogue_client_key_pem)), + ) + .await + else { + // Eager rejection also counts. + let _ = shutdown_tx.send(()); + return; + }; + + let empty: Vec = vec![]; + let result = client.bidi(Request::new(stream::iter(empty))).await; + + assert!( + result.is_err(), + "rogue-CA client cert must be rejected; got Ok", + ); + // Must NOT be a successful gRPC-level response — the error must be transport-level or + // Unauthenticated, not FailedPrecondition (which would indicate the cert was accepted). + if let Err(ref status) = result { + assert_ne!( + status.code(), + Code::FailedPrecondition, + "rogue-CA cert reached the gRPC handler — server-side CA verification is missing; \ + got: {status}", + ); + } + + let _ = shutdown_tx.send(()); +} From e9b0dfc253beff4f559e2a210d606a4e4e231a5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 16 Apr 2026 13:50:27 +0200 Subject: [PATCH 13/17] limit tokio features --- Cargo.lock | 11 ----------- Cargo.toml | 2 +- 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 670a7f7..a46935d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4102,16 +4102,6 @@ version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" -[[package]] -name = "signal-hook-registry" -version = "1.4.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b" -dependencies = [ - "errno", - "libc", -] - [[package]] name = "signature" version = "2.2.0" @@ -4666,7 +4656,6 @@ dependencies = [ "mio", "parking_lot", "pin-project-lite", - "signal-hook-registry", "socket2", "tokio-macros", "windows-sys 0.61.2", diff --git a/Cargo.toml b/Cargo.toml index 3ed1cd0..244b5d4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -65,7 +65,7 @@ instant-acme = { version = "0.8", features = ["hyper-rustls", "aws-lc-rs"] } reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "json"] } [dev-dependencies] -tokio = { version = "1", features = ["full"] } +tokio = { version = "1", features = ["sync", "time"] } [build-dependencies] tonic-prost-build = "0.14" From 9a7e399141d060c016a0ba1ebb5ece8038f4d0c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 16 Apr 2026 14:08:51 +0200 Subject: [PATCH 14/17] review cleanup --- src/tests/mtls.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/tests/mtls.rs b/src/tests/mtls.rs index 413d92b..a0a8935 100644 --- a/src/tests/mtls.rs +++ b/src/tests/mtls.rs @@ -22,7 +22,7 @@ use tonic::{ }; use crate::grpc::{ProxyServer, TlsConfig}; -use crate::proto::{CoreResponse, proxy_client::ProxyClient}; +use crate::proto::proxy_client::ProxyClient; struct TestCerts { /// PEM-encoded CA certificate (used as the trust root for both server and client validation). @@ -55,7 +55,7 @@ impl TestCerts { // Proxy server cert: ServerAuth EKU, IP SAN 127.0.0.1 let proxy_key = generate_key_pair().unwrap(); - let proxy_csr = Csr::new(&proxy_key, &["127.0.0.1".to_string()], vec![]).unwrap(); + let proxy_csr = Csr::new(&proxy_key, &["127.0.0.1".to_string()], Vec::new()).unwrap(); let proxy_server_cert = ca.sign_server_cert(&proxy_csr).unwrap(); let proxy_cert_pem = cert_der_to_pem(proxy_server_cert.der()).unwrap(); let proxy_key_pem = der_to_pem(proxy_key.serialized_der(), PemLabel::PrivateKey).unwrap(); @@ -184,7 +184,7 @@ async fn connect( /// The stream body is irrelevant — we only care whether the mTLS + serial-pin interceptors /// accept or reject the connection. async fn call_bidi(client: &mut ProxyClient) -> Status { - let empty: Vec = vec![]; + let empty = Vec::new(); match client.bidi(Request::new(stream::iter(empty))).await { Ok(_) => Status::ok("accepted"), Err(status) => status, @@ -255,7 +255,7 @@ async fn no_client_cert_rejected() { return; }; - let empty: Vec = vec![]; + let empty = Vec::new(); let result = client.bidi(Request::new(stream::iter(empty))).await; assert!( @@ -315,7 +315,7 @@ async fn rogue_ca_client_rejected() { return; }; - let empty: Vec = vec![]; + let empty = Vec::new(); let result = client.bidi(Request::new(stream::iter(empty))).await; assert!( From e80a08e0ff6b87dbd4688fbd2204ce2d153e80a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Fri, 17 Apr 2026 11:50:14 +0200 Subject: [PATCH 15/17] use shared setup function --- Cargo.lock | 6 +++--- Cargo.toml | 2 +- src/grpc.rs | 22 ++++++++++------------ 3 files changed, 14 insertions(+), 16 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index a46935d..07cd256 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -965,7 +965,7 @@ dependencies = [ [[package]] name = "defguard_common" version = "2.0.0" -source = "git+https://github.com/DefGuard/defguard.git?rev=cb7231f5#cb7231f5f0e72ddead5aa162e09047939fa1939f" +source = "git+https://github.com/DefGuard/defguard.git?rev=710b1bfd#710b1bfd5c10328b201bcf43ed9b99483d462012" dependencies = [ "anyhow", "argon2", @@ -1005,7 +1005,7 @@ dependencies = [ [[package]] name = "defguard_grpc_tls" version = "0.0.0" -source = "git+https://github.com/DefGuard/defguard.git?rev=cb7231f5#cb7231f5f0e72ddead5aa162e09047939fa1939f" +source = "git+https://github.com/DefGuard/defguard.git?rev=710b1bfd#710b1bfd5c10328b201bcf43ed9b99483d462012" dependencies = [ "defguard_common", "http", @@ -2505,7 +2505,7 @@ dependencies = [ [[package]] name = "model_derive" version = "0.0.0" -source = "git+https://github.com/DefGuard/defguard.git?rev=cb7231f5#cb7231f5f0e72ddead5aa162e09047939fa1939f" +source = "git+https://github.com/DefGuard/defguard.git?rev=710b1bfd#710b1bfd5c10328b201bcf43ed9b99483d462012" dependencies = [ "quote", "syn", diff --git a/Cargo.toml b/Cargo.toml index 244b5d4..eb7714c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -8,7 +8,7 @@ repository = "https://github.com/DefGuard/proxy" [dependencies] defguard_certs = { git = "https://github.com/DefGuard/defguard.git", rev = "564dc72c" } -defguard_grpc_tls = { git = "https://github.com/DefGuard/defguard.git", rev = "cb7231f5" } +defguard_grpc_tls = { git = "https://github.com/DefGuard/defguard.git", rev = "710b1bfd" } defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "7d28f46e" } rustls-webpki = { version = "0.103", features = ["aws-lc-rs", "std"] } rustls-pki-types = "1" diff --git a/src/grpc.rs b/src/grpc.rs index d9fca12..402200d 100644 --- a/src/grpc.rs +++ b/src/grpc.rs @@ -11,8 +11,8 @@ use std::{ }; use axum_extra::extract::cookie::Key; -use defguard_certs::CertificateInfo; -use defguard_grpc_tls::server::certificate_serial_interceptor; +use defguard_certs::{CertificateError, CertificateInfo}; +use defguard_grpc_tls::{certs::server_tls_config, server::certificate_serial_interceptor}; use defguard_version::{ ComponentInfo, DefguardComponent, Version, get_tracing_variables, server::{DefguardVersionLayer, grpc::DefguardVersionInterceptor}, @@ -22,11 +22,7 @@ use tokio::{ sync::{broadcast, mpsc, oneshot}, }; use tokio_stream::wrappers::UnboundedReceiverStream; -use tonic::{ - Request, Response, Status, Streaming, - service::InterceptorLayer, - transport::{Certificate, Identity, Server, ServerTlsConfig}, -}; +use tonic::{Request, Response, Status, Streaming, service::InterceptorLayer, transport::Server}; use tower::ServiceBuilder; use tracing::Instrument; @@ -135,13 +131,15 @@ impl ProxyServer { // Extract Core client cert serial for pinning (None in no-TLS mode). let expected_serial = CertificateInfo::from_der(&tls_config.core_client_cert_der) - .expect("core client cert DER stored in TlsConfig must be valid") + .map_err(|e: CertificateError| anyhow::anyhow!("invalid core client cert DER: {e}"))? .serial; - let identity = Identity::from_pem(&tls_config.grpc_cert_pem, &tls_config.grpc_key_pem); - let ca = Certificate::from_pem(&tls_config.grpc_ca_cert_pem); - let mut builder = Server::builder() - .tls_config(ServerTlsConfig::new().identity(identity).client_ca_root(ca))?; + let tls_config = server_tls_config( + &tls_config.grpc_cert_pem, + &tls_config.grpc_key_pem, + &tls_config.grpc_ca_cert_pem, + )?; + let mut builder = Server::builder().tls_config(tls_config)?; let own_version = Version::parse(VERSION)?; let versioned_service = ServiceBuilder::new() From 592fba383b6fa3e5c4d1c0bfbaae746c22947967 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Fri, 17 Apr 2026 21:54:51 +0200 Subject: [PATCH 16/17] cleanup --- src/tests/mtls.rs | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/src/tests/mtls.rs b/src/tests/mtls.rs index a0a8935..0169705 100644 --- a/src/tests/mtls.rs +++ b/src/tests/mtls.rs @@ -31,13 +31,13 @@ struct TestCerts { proxy_cert_pem: String, /// PEM-encoded proxy gRPC server private key. proxy_key_pem: String, - /// DER-encoded Core client certificate (serial A — matches what the server pins). + /// DER-encoded Core client certificate (serial A - matches what the server pins). core_client_cert_der: Vec, /// PEM-encoded Core client certificate (serial A). core_client_cert_pem: String, /// PEM-encoded Core client private key (serial A). core_client_key_pem: String, - /// PEM-encoded client cert with serial B — valid CA but different serial. + /// PEM-encoded client cert with serial B - valid CA but different serial. wrong_serial_cert_pem: String, /// PEM-encoded private key for the serial-B cert. wrong_serial_key_pem: String, @@ -60,18 +60,18 @@ impl TestCerts { let proxy_cert_pem = cert_der_to_pem(proxy_server_cert.der()).unwrap(); let proxy_key_pem = der_to_pem(proxy_key.serialized_der(), PemLabel::PrivateKey).unwrap(); - // Core client cert A — the "good" serial that the server will pin + // Core client cert A - the "good" serial that the server will pin let client_a = ca.issue_core_client_cert("core-client-a").unwrap(); let core_client_cert_der = client_a.cert_der.clone(); let core_client_cert_pem = cert_der_to_pem(&client_a.cert_der).unwrap(); let core_client_key_pem = der_to_pem(&client_a.key_der, PemLabel::PrivateKey).unwrap(); - // Core client cert B — different cert (different serial) but same CA + // Core client cert B - different cert (different serial) but same CA let client_b = ca.issue_core_client_cert("core-client-b").unwrap(); let wrong_serial_cert_pem = cert_der_to_pem(&client_b.cert_der).unwrap(); let wrong_serial_key_pem = der_to_pem(&client_b.key_der, PemLabel::PrivateKey).unwrap(); - // Rogue CA + client cert — different trust chain entirely + // Rogue CA + client cert - different trust chain entirely let rogue_ca = CertificateAuthority::new("Rogue CA", "rogue@rogue.local", 365).unwrap(); let rogue_client = rogue_ca.issue_core_client_cert("rogue-core").unwrap(); let rogue_client_cert_pem = cert_der_to_pem(&rogue_client.cert_der).unwrap(); @@ -121,7 +121,7 @@ fn build_proxy_server() -> ProxyServer { /// Install the rustls AWS-LC crypto provider for the process. /// -/// Must be called before any TLS code runs. Safe to call from multiple tests — +/// Must be called before any TLS code runs. Safe to call from multiple tests - /// subsequent calls after the first succeed-or-fail are silently ignored. fn init_crypto() { let _ = aws_lc_rs::default_provider().install_default(); @@ -181,7 +181,7 @@ async fn connect( /// Open a `bidi` streaming call with an empty request stream and return the status code. /// -/// The stream body is irrelevant — we only care whether the mTLS + serial-pin interceptors +/// The stream body is irrelevant - we only care whether the mTLS + serial-pin interceptors /// accept or reject the connection. async fn call_bidi(client: &mut ProxyClient) -> Status { let empty = Vec::new(); @@ -213,7 +213,7 @@ async fn run_errors_without_tls_config() { /// A client presenting the correct CA-signed cert with the expected serial must be accepted. /// /// The `bidi` call may be rejected by the version interceptor (no version headers are sent), -/// but it must NOT be rejected with `Unauthenticated` — that would indicate the mTLS layer +/// but it must NOT be rejected with `Unauthenticated` - that would indicate the mTLS layer /// or serial-pin interceptor wrongly rejected the cert. #[tokio::test] async fn valid_mtls_client_accepted() { @@ -247,7 +247,7 @@ async fn no_client_cert_rejected() { let certs = TestCerts::generate(); let (addr, shutdown_tx) = spawn_test_proxy(&certs).await; - // connect() is lazy in tonic — it doesn't perform the TLS handshake until the first RPC. + // connect() is lazy in tonic - it doesn't perform the TLS handshake until the first RPC. // We must make an RPC call to actually trigger the handshake and observe the rejection. let Ok(mut client) = connect(addr, &certs.ca_cert_pem, None).await else { // If connect() fails eagerly, that also counts as rejection. @@ -302,7 +302,7 @@ async fn rogue_ca_client_rejected() { let certs = TestCerts::generate(); let (addr, shutdown_tx) = spawn_test_proxy(&certs).await; - // connect() is lazy in tonic — the TLS handshake happens on the first RPC. + // connect() is lazy in tonic - the TLS handshake happens on the first RPC. let Ok(mut client) = connect( addr, &certs.ca_cert_pem, @@ -322,13 +322,13 @@ async fn rogue_ca_client_rejected() { result.is_err(), "rogue-CA client cert must be rejected; got Ok", ); - // Must NOT be a successful gRPC-level response — the error must be transport-level or + // Must NOT be a successful gRPC-level response - the error must be transport-level or // Unauthenticated, not FailedPrecondition (which would indicate the cert was accepted). if let Err(ref status) = result { assert_ne!( status.code(), Code::FailedPrecondition, - "rogue-CA cert reached the gRPC handler — server-side CA verification is missing; \ + "rogue-CA cert reached the gRPC handler - server-side CA verification is missing; \ got: {status}", ); } From 4c24cec843f4b14cc53d16912c3db22d963309b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Fri, 17 Apr 2026 22:04:48 +0200 Subject: [PATCH 17/17] align setup channel approach with gateway --- src/lib.rs | 5 ---- src/setup.rs | 84 +++++++++++++++++++++++++++------------------------- 2 files changed, 43 insertions(+), 46 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index dd35f8d..c8af819 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -51,9 +51,4 @@ extern crate tracing; pub static VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), "+", env!("VERGEN_GIT_SHA")); pub const MIN_CORE_VERSION: Version = Version::new(2, 0, 0); -type CommsChannel = ( - Arc>>, - Arc>>, -); - type LogsReceiver = Arc>>; diff --git a/src/setup.rs b/src/setup.rs index be83b6e..c43f10b 100644 --- a/src/setup.rs +++ b/src/setup.rs @@ -1,6 +1,6 @@ use std::{ net::SocketAddr, - sync::{Arc, LazyLock, Mutex}, + sync::{Arc, Mutex}, time::{Duration, SystemTime, UNIX_EPOCH}, }; @@ -9,32 +9,26 @@ use defguard_version::{ server::{DefguardVersionLayer, grpc::DefguardVersionInterceptor}, }; use rustls_pki_types::{CertificateDer, UnixTime}; -use tokio::sync::mpsc; +use tokio::sync::{mpsc, oneshot}; use tokio_stream::wrappers::UnboundedReceiverStream; use tonic::{Request, Response, Status, service::InterceptorLayer, transport::Server}; use webpki::{KeyUsage, anchor_from_trusted_cert}; use crate::{ - CommsChannel, LogsReceiver, MIN_CORE_VERSION, VERSION, + LogsReceiver, MIN_CORE_VERSION, VERSION, error::ApiError, grpc::TlsConfig, proto::{CertBundle, CertificateInfo, DerPayload, LogEntry, proxy_setup_server}, }; -static SETUP_CHANNEL: LazyLock>> = LazyLock::new(|| { - let (tx, rx) = mpsc::channel(10); - ( - Arc::new(tokio::sync::Mutex::new(tx)), - Arc::new(tokio::sync::Mutex::new(rx)), - ) -}); - const AUTH_HEADER: &str = "authorization"; /// Verify that both `component_der` and `core_client_der` are signed by `ca_der`. /// -/// Uses ECDSA P-256 / SHA-256 via aws-lc-rs. Returns an error message string on -/// any failure so the caller can forward it as a gRPC status. +/// Uses ECDSA P-256 via `aws-lc-rs` (Linux-only deployment; FIPS-capable). +/// The gateway counterpart uses `ring` for FreeBSD/OPNsense compatibility. +/// Both verify the same algorithm set: `ECDSA_P256_SHA256` and `ECDSA_P256_SHA384`. +/// Returns an error message string on any failure so the caller can forward it as a gRPC status. fn validate_cert_bundle( ca_der: &[u8], component_der: &[u8], @@ -94,6 +88,8 @@ pub(crate) struct ProxySetupServer { key_pair: Arc>>, logs_rx: LogsReceiver, current_session_token: Arc>>, + setup_tx: Arc>>>, + setup_rx: Arc>>, } impl Clone for ProxySetupServer { @@ -102,24 +98,29 @@ impl Clone for ProxySetupServer { key_pair: Arc::clone(&self.key_pair), logs_rx: Arc::clone(&self.logs_rx), current_session_token: Arc::clone(&self.current_session_token), + setup_tx: Arc::clone(&self.setup_tx), + setup_rx: Arc::clone(&self.setup_rx), } } } impl ProxySetupServer { pub fn new(logs_rx: LogsReceiver) -> Self { + let (setup_tx, setup_rx) = oneshot::channel(); Self { key_pair: Arc::new(Mutex::new(None)), logs_rx, current_session_token: Arc::new(Mutex::new(None)), + setup_tx: Arc::new(tokio::sync::Mutex::new(Some(setup_tx))), + setup_rx: Arc::new(tokio::sync::Mutex::new(setup_rx)), } } /// Await setup connection from Defguard Core and process it. /// /// Spins up a plain HTTP gRPC server on `addr` to handle the initial handshake: `Start`, - /// `GetCsr`, `SendCert`. The server shuts down as soon as `SendCert` deposits a - /// `Configuration` into `SETUP_CHANNEL`, after which this function returns the received + /// `GetCsr`, `SendCert`. The server shuts down as soon as `SendCert` delivers a + /// `TlsConfig` through the oneshot channel, after which this function returns the received /// gRPC configuration (locally generated key pair and remotely signed certificate). pub(crate) async fn await_initial_setup( &self, @@ -130,9 +131,8 @@ impl ProxySetupServer { let own_version = Version::parse(VERSION)?; debug!("Proxy version: {}", VERSION); - let config_slot: Arc>> = - Arc::new(tokio::sync::Mutex::new(None)); - let config_slot_writer = Arc::clone(&config_slot); + let setup_rx = Arc::clone(&self.setup_rx); + let mut server_config = None; Server::builder() .layer(InterceptorLayer::new(DefguardVersionInterceptor::new( @@ -143,15 +143,17 @@ impl ProxySetupServer { ))) .layer(DefguardVersionLayer::new(own_version.clone())) .add_service(proxy_setup_server::ProxySetupServer::new(self.clone())) - .serve_with_shutdown(addr, async move { + .serve_with_shutdown(addr, async { debug!("Waiting for SendCert to deliver configuration"); - // SETUP_CHANNEL is CommsChannel>, so recv() returns - // Option>. send_cert always sends Some(cfg). - if let Some(Some(cfg)) = SETUP_CHANNEL.1.lock().await.recv().await { - debug!("Configuration received from SendCert"); - *config_slot_writer.lock().await = Some(cfg); - } else { - error!("SETUP_CHANNEL closed unexpectedly without configuration"); + let mut rx_guard = setup_rx.lock().await; + match (&mut *rx_guard).await { + Ok(cfg) => { + debug!("Configuration received from SendCert"); + server_config = Some(cfg); + } + Err(err) => { + error!("Setup communication channel closed unexpectedly: {err}"); + } } debug!("Plain-HTTP server will now shut down"); }) @@ -162,12 +164,10 @@ impl ProxySetupServer { })?; debug!("Plain-HTTP setup server shut down on {addr}"); - let configuration = config_slot.lock().await.take().ok_or_else(|| { + server_config.ok_or_else(|| { error!("No configuration received after setup"); - ApiError::Unexpected("No configuration received after setup".into()) - })?; - - Ok(configuration) + ApiError::Unexpected("No configuration received after setup".into()).into() + }) } fn is_setup_in_progress(&self) -> bool { @@ -450,16 +450,18 @@ impl proxy_setup_server::ProxySetup for ProxySetupServer { }; debug!("Passing configuration to gRPC server for finalization"); - match SETUP_CHANNEL.0.lock().await.send(Some(configuration)).await { - Ok(()) => info!("Proxy configuration passed to gRPC server successfully"), - Err(err) => { - error!("Failed to send configuration to gRPC server: {err}"); - self.clear_setup_session(); - return Err(Status::internal( - "Failed to send configuration to gRPC server", - )); - } - } + let Some(sender) = self.setup_tx.lock().await.take() else { + error!("Setup channel sender already consumed"); + self.clear_setup_session(); + return Err(Status::internal("Setup already completed")); + }; + sender.send(configuration).map_err(|_| { + let msg = "Failed to send setup configuration through channel"; + error!(msg); + self.clear_setup_session(); + Status::internal(msg) + })?; + info!("Proxy configuration passed to gRPC server successfully"); self.clear_setup_session(); debug!("SendCert completed; setup session cleared");