forked from swift-server/swift-http-server
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathNIOHTTPServer+SwiftConfiguration.swift
More file actions
365 lines (336 loc) · 16.4 KB
/
NIOHTTPServer+SwiftConfiguration.swift
File metadata and controls
365 lines (336 loc) · 16.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
//===----------------------------------------------------------------------===//
//
// This source file is part of the Swift HTTP Server open source project
//
// Copyright (c) 2026 Apple Inc. and the Swift HTTP Server project authors
// Licensed under Apache License v2.0
//
// See LICENSE.txt for license information
// See CONTRIBUTORS.txt for the list of Swift HTTP Server project authors
//
// SPDX-License-Identifier: Apache-2.0
//
//===----------------------------------------------------------------------===//
#if Configuration
public import Configuration
import NIOCore
import NIOCertificateReloading
import NIOHTTP2
import SwiftASN1
public import X509
enum NIOHTTPServerConfigurationError: Error, CustomStringConvertible {
case customVerificationCallbackProvidedWhenNotUsingMTLS
var description: String {
switch self {
case .customVerificationCallbackProvidedWhenNotUsingMTLS:
"Invalid configuration. A custom certificate verification callback was provided despite the server not being configured for mTLS."
}
}
}
@available(macOS 26.2, iOS 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, *)
extension NIOHTTPServerConfiguration {
/// Initialize the server configuration from a config reader.
///
/// ## Configuration keys:
///
/// ``NIOHTTPServerConfiguration`` is comprised of four types. Provide configuration for each type under the
/// specified key:
/// - ``BindTarget`` - Provide under key `"bindTarget"` (keys listed in ``BindTarget/init(config:)``).
/// - ``TransportSecurity`` - Provide under key `"transportSecurity"` (keys listed in
/// ``TransportSecurity/init(config:customCertificateVerificationCallback:)``).
/// - ``BackPressureStrategy`` - Provide under key `"backpressureStrategy"` (keys listed in
/// ``BackPressureStrategy/init(config:)``).
/// - ``HTTP2`` - Provide under key `"http2"` (keys listed in ``HTTP2/init(config:)``).
///
/// - Parameters:
/// - config: The configuration reader to read configuration values from.
/// - customCertificateVerificationCallback: An optional client certificate verification callback to use when
/// mTLS is configured (i.e., when `"transportSecurity.security"` is `"mTLS"` or `"reloadingMTLS"`). If provided
/// when mTLS is *not* configured, this initializer throws
/// ``NIOHTTPServerConfigurationError/customVerificationCallbackProvidedWhenNotUsingMTLS``. If set to `nil` when
/// mTLS *is* configured, the default client certificate verification logic of the underlying SSL implementation
/// is used.
public init(
config: ConfigReader,
customCertificateVerificationCallback: (
@Sendable ([Certificate]) async throws -> CertificateVerificationResult
)? = nil
) throws {
let snapshot = config.snapshot()
self.init(
bindTarget: try .init(config: snapshot.scoped(to: "bindTarget")),
transportSecurity: try .init(
config: snapshot.scoped(to: "transportSecurity"),
customCertificateVerificationCallback: customCertificateVerificationCallback
),
backpressureStrategy: .init(config: snapshot.scoped(to: "backpressureStrategy")),
http2: .init(config: snapshot.scoped(to: "http2"))
)
}
}
@available(macOS 26.2, iOS 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, *)
extension NIOHTTPServerConfiguration.BindTarget {
/// Initialize a bind target configuration from a config reader.
///
/// ## Configuration keys:
/// - `host` (string, required): The hostname or IP address the server will bind to (e.g., "localhost", "0.0.0.0").
/// - `port` (int, required): The port number the server will listen on (e.g., 8080, 443).
///
/// - Parameter config: The configuration reader.
public init(config: ConfigSnapshotReader) throws {
self.init(
backing: .hostAndPort(
host: try config.requiredString(forKey: "host"),
port: try config.requiredInt(forKey: "port")
)
)
}
}
@available(macOS 26.2, iOS 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, *)
extension NIOHTTPServerConfiguration.TransportSecurity {
/// Initialize a transport security configuration from a config reader.
///
/// ## Configuration keys:
/// - `security` (string, required): The transport security for the server (permitted values: `"plaintext"`,
/// `"tls"`, `"reloadingTLS"`, `"mTLS"`, `"reloadingMTLS"`).
///
/// ### Configuration keys for `"tls"`:
/// - `certificateChainPEMString` (string, required): PEM-formatted certificate chain content.
/// - `privateKeyPEMString` (string, required, secret): PEM-formatted private key content.
///
/// ### Configuration keys for `"reloadingTLS"`:
/// - `refreshInterval` (int, optional, default: 30): The interval (in seconds) at which the certificate chain and
/// private key will be reloaded.
/// - `certificateChainPEMPath` (string, required): Path to the certificate chain PEM file.
/// - `privateKeyPEMPath` (string, required): Path to the private key PEM file.
///
/// ### Configuration keys for `"mTLS"`:
/// - `certificateChainPEMString` (string, required): PEM-formatted certificate chain content.
/// - `privateKeyPEMString` (string, required, secret): PEM-formatted private key content.
/// - `trustRoots` (string array, optional, default: system trust roots): The root certificates to trust when
/// verifying client certificates.
/// - `certificateVerificationMode` (string, required): The client certificate validation behavior (permitted
/// values: "optionalVerification" or "noHostnameVerification").
///
/// ### Configuration keys for `"reloadingMTLS"`:
/// - `refreshInterval` (int, optional, default: 30): The interval (in seconds) at which the certificate chain and
/// private key will be reloaded.
/// - `certificateChainPEMPath` (string, required): Path to the certificate chain PEM file.
/// - `privateKeyPEMPath` (string, required): Path to the private key PEM file.
/// - `trustRoots` (string array, optional, default: system trust roots): The root certificates to trust when
/// verifying client certificates.
/// - `certificateVerificationMode` (string, required): The client certificate validation behavior (permitted
/// values: "optionalVerification" or "noHostnameVerification").
///
/// - Parameters:
/// - config: The configuration reader.
/// - customCertificateVerificationCallback: An optional client certificate verification callback to use when
/// mTLS is configured (i.e., when `"transportSecurity.security"` is `"mTLS"` or `"reloadingMTLS"`). If provided
/// when mTLS is *not* configured, this initializer throws
/// ``NIOHTTPServerConfigurationError/customVerificationCallbackProvidedWhenNotUsingMTLS``. If set to `nil` when
/// mTLS *is* configured, the default client certificate verification logic of the underlying SSL implementation
/// is used.
public init(
config: ConfigSnapshotReader,
customCertificateVerificationCallback: (
@Sendable ([Certificate]) async throws -> CertificateVerificationResult
)? = nil
) throws {
let security = try config.requiredString(forKey: "security", as: TransportSecurityKind.self)
// A custom verification callback can only be used when the server is configured for mTLS.
if let _ = customCertificateVerificationCallback, !security.isMTLS() {
throw NIOHTTPServerConfigurationError.customVerificationCallbackProvidedWhenNotUsingMTLS
}
switch security {
case .plaintext:
self = .plaintext
case .tls:
self = try .tls(config: config)
case .reloadingTLS:
self = try .reloadingTLS(config: config)
case .mTLS:
self = try .mTLS(
config: config,
customCertificateVerificationCallback: customCertificateVerificationCallback
)
case .reloadingMTLS:
self = try .reloadingMTLS(
config: config,
customCertificateVerificationCallback: customCertificateVerificationCallback
)
}
}
private static func tls(config: ConfigSnapshotReader) throws -> Self {
let certificateChainPEMString = try config.requiredString(forKey: "certificateChainPEMString")
let privateKeyPEMString = try config.requiredString(forKey: "privateKeyPEMString", isSecret: true)
return Self.tls(
certificateChain: try PEMDocument.parseMultiple(pemString: certificateChainPEMString)
.map { try Certificate(pemEncoded: $0.pemString) },
privateKey: try .init(pemEncoded: privateKeyPEMString)
)
}
private static func reloadingTLS(config: ConfigSnapshotReader) throws -> Self {
let refreshInterval = config.int(forKey: "refreshInterval", default: 30)
let certificateChainPEMPath = try config.requiredString(forKey: "certificateChainPEMPath")
let privateKeyPEMPath = try config.requiredString(forKey: "privateKeyPEMPath")
return try Self.tls(
certificateReloader: TimedCertificateReloader(
refreshInterval: .seconds(refreshInterval),
certificateSource: .init(location: .file(path: certificateChainPEMPath), format: .pem),
privateKeySource: .init(location: .file(path: privateKeyPEMPath), format: .pem)
)
)
}
private static func mTLS(
config: ConfigSnapshotReader,
customCertificateVerificationCallback: (
@Sendable ([X509.Certificate]) async throws -> CertificateVerificationResult
)? = nil
) throws -> Self {
let certificateChainPEMString = try config.requiredString(forKey: "certificateChainPEMString")
let privateKeyPEMString = try config.requiredString(forKey: "privateKeyPEMString", isSecret: true)
let trustRoots = config.stringArray(forKey: "trustRoots")
let verificationMode = try config.requiredString(
forKey: "certificateVerificationMode",
as: VerificationMode.self
)
return Self.mTLS(
certificateChain: try PEMDocument.parseMultiple(pemString: certificateChainPEMString)
.map { try Certificate(pemEncoded: $0.pemString) },
privateKey: try .init(pemEncoded: privateKeyPEMString),
trustRoots: try trustRoots?.map { try Certificate(pemEncoded: $0) },
certificateVerification: .init(verificationMode),
customCertificateVerificationCallback: customCertificateVerificationCallback
)
}
private static func reloadingMTLS(
config: ConfigSnapshotReader,
customCertificateVerificationCallback: (
@Sendable ([X509.Certificate]) async throws -> CertificateVerificationResult
)? = nil
) throws -> Self {
let refreshInterval = config.int(forKey: "refreshInterval", default: 30)
let certificateChainPEMPath = try config.requiredString(forKey: "certificateChainPEMPath")
let privateKeyPEMPath = try config.requiredString(forKey: "privateKeyPEMPath")
let trustRoots = config.stringArray(forKey: "trustRoots")
let verificationMode = try config.requiredString(
forKey: "certificateVerificationMode",
as: VerificationMode.self
)
return try Self.mTLS(
certificateReloader: TimedCertificateReloader(
refreshInterval: .seconds(refreshInterval),
certificateSource: .init(location: .file(path: certificateChainPEMPath), format: .pem),
privateKeySource: .init(location: .file(path: privateKeyPEMPath), format: .pem)
),
trustRoots: try trustRoots?.map { try Certificate(pemEncoded: $0) },
certificateVerification: .init(verificationMode),
customCertificateVerificationCallback: customCertificateVerificationCallback
)
}
}
@available(macOS 26.2, iOS 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, *)
extension NIOHTTPServerConfiguration.BackPressureStrategy {
/// Initialize the backpressure strategy configuration from a config reader.
///
/// ## Configuration keys:
/// - `low` (int, optional, default: 2): The threshold below which the consumer will ask the producer to produce
/// more elements.
/// - `high` (int, optional, default: 10): The threshold above which the producer will stop producing elements.
///
/// - Parameter config: The configuration reader.
public init(config: ConfigSnapshotReader) {
self.init(
backing: .watermark(
low: config.int(
forKey: "low",
default: NIOHTTPServerConfiguration.BackPressureStrategy.defaultWatermarkLow
),
high: config.int(
forKey: "high",
default: NIOHTTPServerConfiguration.BackPressureStrategy.defaultWatermarkHigh
)
)
)
}
}
@available(macOS 26.2, iOS 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, *)
extension NIOHTTPServerConfiguration.HTTP2 {
/// Initialize a HTTP/2 configuration from a config reader.
///
/// ## Configuration keys:
/// - `maxFrameSize` (int, optional, default: 2^14): The maximum frame size to be used in an HTTP/2 connection.
/// - `targetWindowSize` (int, optional, default: 2^16 - 1): The target window size to be used in an HTTP/2
/// connection.
/// - `maxConcurrentStreams` (int, optional, default: 100): The maximum number of concurrent streams in an HTTP/2
/// connection.
///
/// - Parameter config: The configuration reader.
public init(config: ConfigSnapshotReader) {
self.init(
maxFrameSize: config.int(
forKey: "maxFrameSize",
default: NIOHTTPServerConfiguration.HTTP2.defaultMaxFrameSize
),
targetWindowSize: config.int(
forKey: "targetWindowSize",
default: NIOHTTPServerConfiguration.HTTP2.defaultTargetWindowSize
),
/// The default value, ``NIOHTTPServerConfiguration.HTTP2.DEFAULT_TARGET_WINDOW_SIZE``, is `nil`. However,
/// we can only specify a non-nil `default` argument to `config.int(...)`. But `config.int(...)` already
/// defaults to `nil` if it can't find the `"maxConcurrentStreams"` key, so that works for us.
maxConcurrentStreams: config.int(forKey: "maxConcurrentStreams"),
gracefulShutdown: .init(config: config)
)
}
}
@available(macOS 26.2, iOS 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, *)
extension NIOHTTPServerConfiguration.HTTP2.GracefulShutdownConfiguration {
/// Initialize a HTTP/2 graceful shutdown configuration from a config reader.
///
/// ## Configuration keys:
/// - `maximumGracefulShutdownDuration` (int, optional, default: nil): The maximum amount of time (in seconds) that
/// the connection has to close gracefully.
///
/// - Parameter config: The configuration reader.
public init(config: ConfigSnapshotReader) {
self.init(
maximumGracefulShutdownDuration: config.int(forKey: "maximumGracefulShutdownDuration").map { .seconds($0) }
)
}
}
@available(macOS 26.2, iOS 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, *)
extension NIOHTTPServerConfiguration.TransportSecurity {
fileprivate enum TransportSecurityKind: String {
case plaintext
case tls
case reloadingTLS
case mTLS
case reloadingMTLS
func isMTLS() -> Bool {
switch self {
case .mTLS, .reloadingMTLS:
return true
default:
return false
}
}
}
/// A wrapper over ``CertificateVerificationMode``.
fileprivate enum VerificationMode: String {
case optionalVerification
case noHostnameVerification
}
}
@available(macOS 26.2, iOS 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, *)
extension CertificateVerificationMode {
fileprivate init(_ mode: NIOHTTPServerConfiguration.TransportSecurity.VerificationMode) {
switch mode {
case .optionalVerification:
self.init(mode: .optionalVerification)
case .noHostnameVerification:
self.init(mode: .noHostnameVerification)
}
}
}
#endif // Configuration