sentry - EnableTls & use in cli

Author: elpiel

sentry/src/application.rs

@@ -1,4 +1,4 @@
-use std::net::{IpAddr, Ipv4Addr, SocketAddr};
+use std::{net::{IpAddr, Ipv4Addr, SocketAddr}, path::Path};
 
 use adapter::client::Locked;
 use hyper::{
@@ -9,6 +9,7 @@ use once_cell::sync::Lazy;
 use primitives::{config::Environment, ValidatorId};
 use redis::ConnectionInfo;
 use serde::{Deserialize, Deserializer};
+use simple_hyper_server_tls::{listener_from_pem_files, TlsListener, Protocols};
 use slog::{error, info};
 
 use crate::{
@@ -45,6 +46,7 @@ pub static DEFAULT_REDIS_URL: Lazy<ConnectionInfo> = Lazy::new(|| {
 #[derive(Debug, Deserialize, Clone)]
 pub struct EnvConfig {
     /// Defaults to `Development`: [`Environment::default()`]
+    #[serde(default)]
     pub env: Environment,
     /// The port on which the Sentry REST API will be accessible.
     ///
@@ -157,24 +159,52 @@ where
 
 impl<C: Locked + 'static> Application<C> {
     /// Starts the `hyper` `Server`.
-    pub async fn run(self, socket_addr: SocketAddr) {
+    pub async fn run(self, enable_tls: EnableTls) {
         let logger = self.logger.clone();
+        let socket_addr = match &enable_tls {
+            EnableTls::NoTls(socket_addr) => socket_addr,
+            EnableTls::Tls { socket_addr, .. } => socket_addr,
+        };
+
         info!(&logger, "Listening on socket address: {}!", socket_addr);
 
-        let make_service = make_service_fn(|_| {
-            let server = self.clone();
-            async move {
-                Ok::<_, Error>(service_fn(move |req| {
-                    let server = server.clone();
-                    async move { Ok::<_, Error>(server.handle_routing(req).await) }
-                }))
-            }
-        });
+        match enable_tls {
+            EnableTls::NoTls(socket_addr) => {
+                let make_service = make_service_fn(|_| {
+                    let server = self.clone();
+                    async move {
+                        Ok::<_, Error>(service_fn(move |req| {
+                            let server = server.clone();
+                            async move { Ok::<_, Error>(server.handle_routing(req).await) }
+                        }))
+                    }
+                });
+
+                let server = Server::bind(&socket_addr).serve(make_service);
+
+                if let Err(e) = server.await {
+                    error!(&logger, "server error: {}", e; "main" => "run");
+                }
+            },
+            EnableTls::Tls { listener, .. } => {
+                let make_service = make_service_fn(|_| {
+                    let server = self.clone();
+                    async move {
+                        Ok::<_, Error>(service_fn(move |req| {
+                            let server = server.clone();
+                            async move { Ok::<_, Error>(server.handle_routing(req).await) }
+                        }))
+                    }
+                });
 
-        let server = Server::bind(&socket_addr).serve(make_service);
+                // TODO: Find a way to redirect to HTTPS
+                let mut server = Server::builder(listener).serve(make_service);
 
-        if let Err(e) = server.await {
-            error!(&logger, "server error: {}", e; "main" => "run");
+                while let Err(e) = (&mut server).await {
+                    // This is usually caused by trying to connect on HTTP instead of HTTPS
+                    error!(&logger, "server error: {}", e; "main" => "run");
+                }
+            },
         }
     }
 }
@@ -193,6 +223,30 @@ impl<C: Locked> Clone for Application<C> {
     }
 }
 
+/// Either enable or do not the Tls support.
+pub enum EnableTls {
+    NoTls(SocketAddr),
+    Tls {
+        socket_addr: SocketAddr,
+        listener: TlsListener,
+    }
+}
+
+impl EnableTls {
+    pub fn new_tls<C: AsRef<Path>, K: AsRef<Path>>(certificates: C, private_keys: K, socket_addr: SocketAddr) -> Result<Self, Box<dyn std::error::Error>> {
+        let listener = listener_from_pem_files(certificates, private_keys, Protocols::ALL, &socket_addr)?;
+
+        Ok(Self::Tls {
+            listener,
+            socket_addr,
+        })
+    }
+
+    pub fn no_tls(socket_addr: SocketAddr) -> Self {
+        Self::NoTls(socket_addr)
+    }
+}
+
 /// Sentry [`Application`] Session
 #[derive(Debug, Clone)]
 pub struct Session {

sentry/src/db.rs

@@ -67,7 +67,7 @@ pub async fn postgres_connection(
 }
 
 /// Sets the migrations using the `POSTGRES_*` environment variables
-pub async fn setup_migrations(environment: Environment) {
+pub fn setup_migrations(environment: Environment) {
     use migrant_lib::{Config, Direction, Migrator, Settings};
 
     let settings = Settings::configure_postgres()
@@ -98,10 +98,10 @@ pub async fn setup_migrations(environment: Environment) {
     // `tests_postgres::MIGRATIONS`
     let mut migrations = vec![make_migration!("20190806011140_initial-tables")];
 
-    if let Environment::Development = environment {
-        // seeds database tables for testing
-        migrations.push(make_migration!("20190806011140_initial-tables/seed"));
-    }
+    // if let Environment::Development = environment {
+    //     // seeds database tables for testing
+    //     migrations.push(make_migration!("20190806011140_initial-tables/seed"));
+    // }
 
     // Define Migrations
     config

sentry/src/main.rs

@@ -2,20 +2,20 @@
 #![deny(rust_2018_idioms)]
 
 use adapter::{primitives::AdapterTypes, Adapter};
-use clap::{crate_version, Arg, Command};
+use clap::{crate_version, Arg, Command, value_parser};
 
 use primitives::{
     config::configuration, postgres::POSTGRES_CONFIG, test_util::DUMMY_AUTH,
     util::logging::new_logger, ValidatorId,
 };
 use sentry::{
+    application::EnableTls,
     db::{postgres_connection, redis_connection, setup_migrations, CampaignRemaining},
     platform::PlatformApi,
-    // tls::{load_certs, load_keys, tls_acceptor},
     Application,
 };
 use slog::info;
-use std::{env, net::SocketAddr /* , path::PathBuf */};
+use std::{env, net::SocketAddr, path::PathBuf};
 
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
@@ -53,13 +53,15 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
         .arg(
             Arg::new("certificates")
                 .long("certificates")
-                .help("Certificates file for TLS")
+                .help("Certificates .pem file for TLS")
+                .value_parser(value_parser!(PathBuf))
                 .takes_value(true),
         )
         .arg(
             Arg::new("privateKeys")
                 .long("privateKeys")
-                .help("The Private keys file for TLS")
+                .help("The Private keys .pem file for TLS (PKCS8)")
+                .value_parser(value_parser!(PathBuf))
                 .takes_value(true),
         )
         .get_matches();
@@ -106,11 +108,29 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
         _ => panic!("You can only use `ethereum` & `dummy` adapters!"),
     };
 
+    let enable_tls = match (
+        cli.get_one::<PathBuf>("certificates"),
+        cli.get_one::<PathBuf>("privateKeys"),
+    ) {
+        (Some(certs_path), Some(private_keys)) => {
+            EnableTls::new_tls(certs_path, private_keys, socket_addr)
+                .expect("Failed to load certificates & private key files")
+        }
+        (None, None) => EnableTls::no_tls(socket_addr),
+        _ => panic!(
+            "You should pass both --certificates & --privateKeys options to enable TLS or neither"
+        ),
+    };
+
     let logger = new_logger("sentry");
     let redis = redis_connection(env_config.redis_url).await?;
     info!(&logger, "Checking connection and applying migrations...");
     // Check connection and setup migrations before setting up Postgres
-    setup_migrations(env_config.env).await;
+    tokio::task::block_in_place(|| {
+        // Migrations are blocking, so we need to wrap it with block_in_place
+        // otherwise we get a tokio error
+        setup_migrations(env_config.env)
+    });
 
     // use the environmental variables to setup the Postgres connection
     let postgres = match postgres_connection(42, POSTGRES_CONFIG.clone()).await {
@@ -137,7 +157,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
                 campaign_remaining,
                 platform_api,
             )
-            .run(socket_addr)
+            .run(enable_tls)
             .await
         }
         AdapterTypes::Dummy(adapter) => {
@@ -150,7 +170,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
                 campaign_remaining,
                 platform_api,
             )
-            .run(socket_addr)
+            .run(enable_tls)
             .await
         }
     };

test_harness/src/lib.rs

@@ -2812,6 +2812,7 @@ pub mod run {
         ToETHChecksum, ValidatorId,
     };
     use sentry::{
+        application::EnableTls,
         db::{
             postgres_connection, redis_connection, redis_pool::Manager,
             tests_postgres::setup_test_migrations, CampaignRemaining,
@@ -2882,7 +2883,7 @@ pub mod run {
             .expect("Should run migrations");
 
         info!(&app.logger, "Spawn sentry Hyper server");
-        tokio::spawn(app.run(socket_addr));
+        tokio::spawn(app.run(EnableTls::NoTls(socket_addr)));
 
         Ok(())
     }