update dependencies and apply security fixes

This replaces two security updates flagged by GitHub Dependabot:
* #95
* #89

All dependencies were updated, including a significant Rama upgrade.

The Rama update simplifies type erased error handling.
OpaqueError is now intended only for edge cases where
higher rank lifetime limitations require it.

In most cases BoxError should be used,
unless a strongly typed error is more appropriate.

Error context traits now make it easy to attach structured fields to errors.
This replaces manual string formatting and is both easier to use and lazier,
as formatting is deferred until the error is actually displayed.

This continues Rama’s incremental improvements driven by real world usage and feedback.
Upcoming work includes a new Uri type and follow up improvements enabled by it.

Author: GlenDC

Cargo.lock

@@ -4,4 +4,4 @@ resolver = "3"
 
 [workspace.dependencies.rama]
 git = "https://github.com/plabayo/rama"
-rev = "a87a7f9ec68e76ef12156b6278b132f847f03d56"
+rev = "79f83e843cfb45060e30ac2af44f3f3db4970ce2"

Cargo.toml

@@ -25,7 +25,7 @@ serde_test = "1"
 radix_trie = "0.3"
 serde_json = "1"
 moka = "0.12"
-rand = "0.9"
+rand = "0.10"
 parking_lot = "0.12.5"
 serde_html_form = "0.4"
 rustls-platform-verifier = "0.6"

proxy/Cargo.toml

@@ -3,7 +3,7 @@ use std::sync::{Arc, LazyLock};
 use rama::{
     Layer as _, Service,
     cli::service::echo::EchoServiceBuilder,
-    error::OpaqueError,
+    error::BoxError,
     http::{
         Request, Response,
         matcher::HttpMatcher,
@@ -24,7 +24,7 @@ static ASSERT_ENDPOINT_STATE: LazyLock<assert_endpoint::MockState> =
     LazyLock::new(assert_endpoint::MockState::new);
 
 pub fn new_mock_client()
--> Result<impl Service<Request, Output = Response, Error = OpaqueError> + Clone, OpaqueError> {
+-> Result<impl Service<Request, Output = Response, Error = BoxError> + Clone, BoxError> {
     let echo_svc_builder = EchoServiceBuilder::default();
     let echo_svc = Arc::new(echo_svc_builder.build_http(Executor::default()));
     let not_found_svc = service_fn(move |req| {
@@ -52,6 +52,6 @@ pub fn new_mock_client()
         "Mock (web) client created: do not use in production, only meant for automated testing!"
     );
     Ok(Arc::new(
-        MapErrLayer::new(OpaqueError::from_std).into_layer(mock_server),
+        MapErrLayer::into_box_error().into_layer(mock_server),
     ))
 }

proxy/src/client/mock_client/mod.rs

@@ -12,7 +12,7 @@
 #[cfg(not(test))]
 use rama::{
     Service,
-    error::{ErrorContext as _, OpaqueError},
+    error::{BoxError, ErrorContext as _},
     http::{Request, Response, Version, client::EasyHttpWebClient},
     rt::Executor,
 };
@@ -26,7 +26,7 @@ pub use self::mock_client::new_mock_client as new_web_client;
 /// Create a new web client that can be cloned and shared.
 #[cfg(not(test))]
 pub fn new_web_client()
--> Result<impl Service<Request, Output = Response, Error = OpaqueError> + Clone, OpaqueError> {
+-> Result<impl Service<Request, Output = Response, Error = BoxError> + Clone, BoxError> {
     use rama::tls::rustls::dep::rustls::ClientConfig;
     use rustls_platform_verifier::ConfigVerifierExt;
 

proxy/src/client/mod.rs

@@ -2,7 +2,7 @@ use std::path::Path;
 use std::sync::Arc;
 use std::sync::atomic::AtomicBool;
 
-use rama::error::{ErrorContext, OpaqueError};
+use rama::error::{BoxError, ErrorContext};
 use rama::graceful::ShutdownGuard;
 use rama::http::layer::har;
 use rama::http::layer::har::recorder::FileRecorder;
@@ -18,7 +18,7 @@ pub struct HarClient {
 
 impl HarClient {
     /// Toggles the har recording status and returns previous state of toggle.
-    pub async fn toggle(&self) -> Result<bool, OpaqueError> {
+    pub async fn toggle(&self) -> Result<bool, BoxError> {
         let previous = self.toggle_state.load(std::sync::atomic::Ordering::Relaxed);
         self.toggle_tx
             .send(())

proxy/src/diagnostics/har.rs

@@ -1,6 +1,6 @@
 use rama::{
     Layer, Service,
-    error::{BoxError, OpaqueError},
+    error::{BoxError, ErrorContext},
     http::{Request, Response},
     telemetry::tracing,
 };
@@ -22,15 +22,11 @@ where
     S: Service<Request, Output = Response, Error: Into<BoxError>>,
 {
     type Output = Response;
-    type Error = OpaqueError;
+    type Error = BoxError;
 
     async fn serve(&self, req: Request) -> Result<Self::Output, Self::Error> {
         match self.firewall.evaluate_request(req).await? {
-            RequestAction::Allow(req) => self
-                .inner
-                .serve(req)
-                .await
-                .map_err(|err| OpaqueError::from_boxed(err.into())),
+            RequestAction::Allow(req) => self.inner.serve(req).await.into_box_error(),
             RequestAction::Block(blocked) => {
                 tracing::trace!(
                     "EvaluateRequestService: firewall blocked request with self-generated response"

proxy/src/firewall/layer/evaluate_req.rs

@@ -1,6 +1,6 @@
 use rama::{
     Layer, Service,
-    error::{BoxError, OpaqueError},
+    error::{BoxError, ErrorContext},
     http::{Request, Response},
     telemetry::tracing,
 };
@@ -22,14 +22,10 @@ where
     S: Service<Request, Output = Response, Error: Into<BoxError>>,
 {
     type Output = Response;
-    type Error = OpaqueError;
+    type Error = BoxError;
 
     async fn serve(&self, req: Request) -> Result<Self::Output, Self::Error> {
-        let resp = self
-            .inner
-            .serve(req)
-            .await
-            .map_err(|err| OpaqueError::from_boxed(err.into()))?;
+        let resp = self.inner.serve(req).await.into_box_error()?;
 
         tracing::trace!("EvaluateResponseService: evaluating response");
         self.firewall.evaluate_response(resp).await

proxy/src/firewall/layer/evaluate_resp.rs

@@ -2,7 +2,7 @@ use std::{fmt, sync::Arc, time::Duration};
 
 use rama::{
     Service,
-    error::{ErrorContext, OpaqueError},
+    error::{BoxError, ErrorContext},
     graceful::ShutdownGuard,
     http::{
         BodyExtractExt, Request, Response, StatusCode, Uri, service::client::HttpClientExt as _,
@@ -13,7 +13,7 @@ use rama::{
 
 use arc_swap::{ArcSwap, Guard};
 use radix_trie::Trie;
-use rand::Rng;
+use rand::RngExt as _;
 use serde::{Deserialize, Serialize};
 use tokio::time::Instant;
 
@@ -55,9 +55,9 @@ impl RemoteMalwareList {
         sync_storage: SyncCompactDataStorage,
         client: C,
         formatter: Option<EntryFormatter>,
-    ) -> Result<Self, OpaqueError>
+    ) -> Result<Self, BoxError>
     where
-        C: Service<Request, Output = Response, Error = OpaqueError>,
+        C: Service<Request, Output = Response, Error = BoxError>,
     {
         let entry_formatter = formatter.unwrap_or_else(|| Arc::new(IdentityEntryFormatter));
 
@@ -132,12 +132,12 @@ struct RemoteMalwareListClient<C> {
 
 impl<C> RemoteMalwareListClient<C>
 where
-    C: Service<Request, Output = Response, Error = OpaqueError>,
+    C: Service<Request, Output = Response, Error = BoxError>,
 {
     async fn download_malware_trie(
         &self,
         e_tag: Option<&str>,
-    ) -> Result<Option<(MalwareTrie, Option<ArcStr>)>, OpaqueError> {
+    ) -> Result<Option<(MalwareTrie, Option<ArcStr>)>, BoxError> {
         let Some((malware_list, new_e_tag)) =
             self.fetch_remote_malware_list_and_e_tag(e_tag).await?
         else {
@@ -159,7 +159,7 @@ where
     async fn fetch_remote_malware_list_and_e_tag(
         &self,
         previous_e_tag: Option<&str>,
-    ) -> Result<Option<(Vec<ListDataEntry>, Option<ArcStr>)>, OpaqueError> {
+    ) -> Result<Option<(Vec<ListDataEntry>, Option<ArcStr>)>, BoxError> {
         let start = Instant::now();
 
         let req_builder = self.client.get(self.uri.clone());
@@ -170,13 +170,12 @@ where
             req_builder
         };
 
-        let resp = req_builder.send().await.with_context(|| {
-            format!(
-                "fetch malware list from remote endpoint '{}'; (tt: {:?})",
-                self.uri,
-                start.elapsed()
-            )
-        })?;
+        let resp = req_builder
+            .send()
+            .await
+            .context("fetch malware list from remote endpoint")
+            .context_debug_field("tt", start.elapsed())
+            .with_context_field("uri", || self.uri.clone())?;
 
         if resp.status() == StatusCode::NOT_MODIFIED {
             tracing::debug!(
@@ -195,13 +194,9 @@ where
         let malware_list: Vec<ListDataEntry> = resp
             .try_into_json()
             .await
-            .with_context(|| {
-                format!(
-                    "collect and json-decode malware list response payload from remote endpoint '{}'; (tt: {:?})",
-                    self.uri,
-                    start.elapsed(),
-                )
-            })?;
+            .context("collect and json-decode malware list response payload from remote endpoint")
+            .with_context_field("uri", || self.uri.clone())
+            .with_context_debug_field("tt", || start.elapsed())?;
 
         tracing::debug!(
             "fetched and decoded and new malware list from remote endpoint '{}', with {} entries (tt: {:?})",
@@ -239,34 +234,24 @@ where
 
     async fn load_cached_malware_trie(
         &self,
-    ) -> Result<Option<(MalwareTrie, Option<ArcStr>)>, OpaqueError> {
+    ) -> Result<Option<(MalwareTrie, Option<ArcStr>)>, BoxError> {
         tokio::task::spawn_blocking({
             let storage = self.sync_storage.clone();
             let filename = self.filename.clone();
             let formatter = self.formatter.clone();
             move || load_cached_malware_trie_sync_inner(storage, filename, formatter.as_ref())
         })
         .await
-        .with_context(|| {
-            format!(
-                "wait for blocking task to use cached malware list for creating new remote malware list (failure endpoint: {})",
-                self.uri
-            )
-        })?
-        .with_context(|| {
-            format!(
-                "try to use cached malware list for creating new remote malware list (failure endpoint: {})",
-                self.uri
-            )
-        })
+        .context("wait for blocking task to use cached malware list for creating new remote malware list")
+        .with_context_field("uri", || self.uri.clone())?
     }
 }
 
 fn load_cached_malware_trie_sync_inner(
     storage: SyncCompactDataStorage,
     filename: ArcStr,
     formatter: &dyn MalwareListEntryFormatter,
-) -> Result<Option<(MalwareTrie, Option<ArcStr>)>, OpaqueError> {
+) -> Result<Option<(MalwareTrie, Option<ArcStr>)>, BoxError> {
     let cached_malware_trie: Option<CachedMalwareTrie> =
         storage.load(&filename).context("storage failure")?;
 
@@ -285,7 +270,7 @@ async fn remote_list_update_loop<C>(
     e_tag: Option<ArcStr>,
     shared_malware_trie: Arc<ArcSwap<MalwareTrie>>,
 ) where
-    C: Service<Request, Output = Response, Error = OpaqueError>,
+    C: Service<Request, Output = Response, Error = BoxError>,
 {
     tracing::debug!(
         "remote malware list (uri = {}), update loop task up and running",

proxy/src/firewall/malware_list.rs

@@ -2,10 +2,10 @@ use std::{sync::Arc, time::Duration};
 
 use rama::{
     Layer as _, Service as _,
-    error::{ErrorContext as _, OpaqueError},
+    error::{BoxError, ErrorContext as _},
     graceful::ShutdownGuard,
     http::{
-        Body, HeaderValue, Request, Response,
+        HeaderValue, Request, Response,
         header::CONTENT_TYPE,
         layer::{
             decompression::DecompressionLayer,
@@ -52,13 +52,13 @@ impl Firewall {
         guard: ShutdownGuard,
         data: SyncCompactDataStorage,
         reporting_endpoint: Option<rama::http::Uri>,
-    ) -> Result<Self, OpaqueError> {
+    ) -> Result<Self, BoxError> {
         let inner_https_client = crate::client::new_web_client()?;
 
         let shared_remote_malware_client = (
-            MapResponseBodyLayer::new(Body::new),
+            MapResponseBodyLayer::new_boxed_streaming_body(),
             DecompressionLayer::new(),
-            MapErrLayer::new(OpaqueError::from_std),
+            MapErrLayer::into_box_error(),
             TimeoutLayer::new(Duration::from_secs(60)), // NOTE: if you have slow servers this might need to be more
             RetryLayer::new(
                 ManagedPolicy::default().with_backoff(
@@ -74,7 +74,7 @@ impl Firewall {
             AddRequiredRequestHeadersLayer::new().with_user_agent_header_value(
                 HeaderValue::from_static(network_service_identifier()),
             ),
-            MapRequestBodyLayer::new(Body::new),
+            MapRequestBodyLayer::new_boxed_streaming_body(),
         )
             .into_layer(inner_https_client)
             .boxed();
@@ -153,7 +153,7 @@ impl Firewall {
         self::layer::evaluate_resp::EvaluateResponseLayer(self)
     }
 
-    async fn evaluate_request(&self, req: Request) -> Result<RequestAction, OpaqueError> {
+    async fn evaluate_request(&self, req: Request) -> Result<RequestAction, BoxError> {
         let mut mod_req = req;
 
         for rule in self.block_rules.iter() {
@@ -169,7 +169,7 @@ impl Firewall {
         Ok(RequestAction::Allow(mod_req))
     }
 
-    async fn evaluate_response(&self, resp: Response) -> Result<Response, OpaqueError> {
+    async fn evaluate_response(&self, resp: Response) -> Result<Response, BoxError> {
         let mut mod_resp = resp;
 
         // Iterate rules in reverse order for symmetry with request evaluation