network: extract tls module from connection

As the tls module got quite large, it makes sense to extract it to the
network supermodule.

Author: wprzytula

scylla/src/client/session.rs

@@ -18,7 +18,7 @@ use crate::errors::{
     RequestAttemptError, RequestError, SchemaAgreementError, TracingError, UseKeyspaceError,
 };
 use crate::frame::response::result;
-use crate::network::TlsProvider;
+use crate::network::tls::TlsProvider;
 use crate::network::{Connection, ConnectionConfig, PoolConfig, VerifiedKeyspaceName};
 use crate::observability::driver_tracing::RequestSpan;
 use crate::observability::history::{self, HistoryListener};

scylla/src/cloud/config.rs

@@ -11,7 +11,7 @@ use uuid::Uuid;
 use crate::client::session::TlsContext;
 use crate::cluster::node::resolve_hostname;
 use crate::errors::TranslationError;
-use crate::network::{TlsConfig, TlsError};
+use crate::network::tls::{TlsConfig, TlsError};
 use crate::policies::address_translator::{AddressTranslator, UntranslatedPeer};
 
 #[non_exhaustive]

scylla/src/errors.rs

@@ -22,7 +22,7 @@ pub use crate::response::query_result::{
 pub use crate::authentication::AuthError;
 
 // Re-export error type from network module.
-pub use crate::network::TlsError;
+pub use crate::network::tls::TlsError;
 
 // Re-export error types from scylla-cql.
 pub use scylla_cql::deserialize::{DeserializationError, TypeCheckError};

scylla/src/network/connection.rs

@@ -1,3 +1,4 @@
+use super::tls::{TlsConfig, TlsProvider};
 use crate::authentication::AuthenticatorProvider;
 use crate::batch::{Batch, BatchStatement};
 use crate::client::pager::{NextRowError, QueryPager};
@@ -56,8 +57,6 @@ use std::{
     cmp::Ordering,
     net::{Ipv4Addr, Ipv6Addr},
 };
-pub use tls_config::TlsError;
-pub(crate) use tls_config::{TlsConfig, TlsProvider};
 use tokio::io::{split, AsyncRead, AsyncWrite, AsyncWriteExt, BufReader, BufWriter};
 use tokio::net::{TcpSocket, TcpStream};
 use tokio::sync::{mpsc, oneshot};
@@ -206,230 +205,6 @@ struct TaskResponse {
     body: Bytes,
 }
 
-mod tls_config {
-    //! This module contains abstractions related to the TLS layer of driver connections.
-    //!
-    //! The full picture looks like this:
-    //!
-    //! ┌─←─ TlsContext (openssl::SslContext / rustls::ClientConfig)
-    //! │
-    //! ├─←─ CloudConfig (powered by either TLS backend)
-    //! │
-    //! │ gets wrapped in
-    //! │
-    //! ↳TlsProvider (same for all connections)
-    //!   │
-    //!   │ produces
-    //!   │
-    //!   ↳TlsConfig (specific for the particular connection)
-    //!     │
-    //!     │ produces
-    //!     │
-    //!     ↳Tls (wrapper over TCP stream which adds encryption)
-
-    use std::io;
-    #[cfg(feature = "unstable-cloud")]
-    use std::sync::Arc;
-
-    #[cfg(feature = "unstable-cloud")]
-    use tracing::warn;
-    #[cfg(feature = "unstable-cloud")]
-    use uuid::Uuid;
-
-    use crate::client::session::TlsContext;
-    #[cfg(feature = "unstable-cloud")]
-    use crate::cloud::CloudConfig;
-    #[cfg(feature = "unstable-cloud")]
-    use crate::cluster::metadata::PeerEndpoint;
-    use crate::cluster::metadata::UntranslatedEndpoint;
-    #[cfg(feature = "unstable-cloud")]
-    use crate::cluster::node::ResolvedContactPoint;
-
-    /// Abstraction capable of producing [TlsConfig] for connections on-demand.
-    #[derive(Clone)] // Cheaply clonable (reference-counted)
-    pub(crate) enum TlsProvider {
-        GlobalContext(TlsContext),
-        #[cfg(feature = "unstable-cloud")]
-        ScyllaCloud(Arc<CloudConfig>),
-    }
-
-    impl TlsProvider {
-        /// Used in case when the user provided their own [TlsContext] to be used in all connections.
-        pub(crate) fn new_with_global_context(context: TlsContext) -> Self {
-            Self::GlobalContext(context)
-        }
-
-        /// Used in the cloud case.
-        #[cfg(feature = "unstable-cloud")]
-        pub(crate) fn new_cloud(cloud_config: Arc<CloudConfig>) -> Self {
-            Self::ScyllaCloud(cloud_config)
-        }
-
-        /// Produces a [TlsConfig] that is specific for the given endpoint.
-        pub(crate) fn make_tls_config(
-            &self,
-            // Currently, this is only used for cloud; but it makes abstract sense to pass endpoint here
-            // also for non-cloud cases, so let's just allow(unused).
-            #[allow(unused)] endpoint: &UntranslatedEndpoint,
-        ) -> Option<TlsConfig> {
-            match self {
-                TlsProvider::GlobalContext(context) => {
-                    Some(TlsConfig::new_with_global_context(context.clone()))
-                }
-                #[cfg(feature = "unstable-cloud")]
-                TlsProvider::ScyllaCloud(cloud_config) => {
-                    let (host_id, address, dc) = match *endpoint {
-                        UntranslatedEndpoint::ContactPoint(ResolvedContactPoint {
-                            address,
-                            ref datacenter,
-                        }) => (None, address, datacenter.as_deref()), // FIXME: Pass DC in ContactPoint
-                        UntranslatedEndpoint::Peer(PeerEndpoint {
-                            host_id,
-                            address,
-                            ref datacenter,
-                            ..
-                        }) => (Some(host_id), address.into_inner(), datacenter.as_deref()),
-                    };
-
-                    cloud_config.make_tls_config_for_scylla_cloud_host(host_id, dc, address)
-                        // inspect_err() is stable since 1.76.
-                        // TODO: use inspect_err once we bump MSRV to at least 1.76.
-                        .map_err(|err| {
-                            warn!(
-                                "TlsProvider for SNI connection to Scylla Cloud node {{ host_id={:?}, dc={:?} at {} }} could not be set up: {}\n Proceeding with attempting probably nonworking connection",
-                                host_id,
-                                dc,
-                                address,
-                                err
-                            );
-                        }).ok().flatten()
-                }
-            }
-        }
-    }
-
-    /// Encapsulates TLS-regarding configuration that is specific for a particular endpoint.
-    ///
-    /// Both use cases are supported:
-    /// 1. User-provided global TlsContext. Then, the global TlsContext is simply cloned here.
-    /// 2. Serverless Cloud. Then the TlsContext is customized for the given endpoint,
-    ///    and its SNI information is stored alongside.
-    #[derive(Clone)]
-    pub(crate) struct TlsConfig {
-        context: TlsContext,
-        #[cfg(feature = "unstable-cloud")]
-        sni: Option<String>,
-    }
-
-    /// An abstraction over connection's TLS layer which holds its state and configuration.
-    pub(crate) enum Tls {
-        #[cfg(feature = "openssl-010")]
-        OpenSsl010(openssl::ssl::Ssl),
-        #[cfg(feature = "rustls-023")]
-        Rustls023 {
-            connector: tokio_rustls::TlsConnector,
-            #[cfg(feature = "unstable-cloud")]
-            sni: Option<rustls::pki_types::ServerName<'static>>,
-        },
-    }
-
-    /// A wrapper around a TLS error.
-    ///
-    /// The original error came from one of the supported TLS backends.
-    #[derive(Debug, thiserror::Error)]
-    #[error(transparent)]
-    #[non_exhaustive]
-    pub enum TlsError {
-        #[cfg(feature = "openssl-010")]
-        OpenSsl010(#[from] openssl::error::ErrorStack),
-        #[cfg(feature = "rustls-023")]
-        InvalidName(#[from] rustls::pki_types::InvalidDnsNameError),
-        #[cfg(feature = "rustls-023")]
-        PemParse(#[from] rustls::pki_types::pem::Error),
-        #[cfg(feature = "rustls-023")]
-        Rustls023(#[from] rustls::Error),
-    }
-
-    impl From<TlsError> for io::Error {
-        fn from(value: TlsError) -> Self {
-            match value {
-                #[cfg(feature = "openssl-010")]
-                TlsError::OpenSsl010(e) => e.into(),
-                #[cfg(feature = "rustls-023")]
-                TlsError::InvalidName(e) => io::Error::new(io::ErrorKind::Other, e),
-                #[cfg(feature = "rustls-023")]
-                TlsError::PemParse(e) => io::Error::new(io::ErrorKind::Other, e),
-                #[cfg(feature = "rustls-023")]
-                TlsError::Rustls023(e) => io::Error::new(io::ErrorKind::Other, e),
-            }
-        }
-    }
-
-    impl TlsConfig {
-        /// Used in case when the user provided their own TlsContext to be used in all connections.
-        pub(crate) fn new_with_global_context(context: TlsContext) -> Self {
-            Self {
-                context,
-                #[cfg(feature = "unstable-cloud")]
-                sni: None,
-            }
-        }
-
-        /// Used in case of Serverless Cloud connections.
-        #[cfg(feature = "unstable-cloud")]
-        pub(crate) fn new_for_sni(
-            context: TlsContext,
-            domain_name: &str,
-            host_id: Option<Uuid>,
-        ) -> Self {
-            Self {
-                context,
-                #[cfg(feature = "unstable-cloud")]
-                sni: Some(if let Some(host_id) = host_id {
-                    format!("{}.{}", host_id, domain_name)
-                } else {
-                    domain_name.into()
-                }),
-            }
-        }
-
-        /// Produces a new Tls object that is able to wrap a TCP stream.
-        pub(crate) fn new_tls(&self) -> Result<Tls, TlsError> {
-            // To silence warnings when TlsContext is an empty enum (tls features are disabled).
-            #[allow(unreachable_code)]
-            match self.context {
-                #[cfg(feature = "openssl-010")]
-                TlsContext::OpenSsl010(ref context) => {
-                    #[allow(unused_mut)]
-                    let mut ssl = openssl::ssl::Ssl::new(context)?;
-                    #[cfg(feature = "unstable-cloud")]
-                    if let Some(sni) = self.sni.as_ref() {
-                        ssl.set_hostname(sni)?;
-                    }
-                    Ok(Tls::OpenSsl010(ssl))
-                }
-                #[cfg(feature = "rustls-023")]
-                TlsContext::Rustls023(ref config) => {
-                    let connector = tokio_rustls::TlsConnector::from(config.clone());
-                    #[cfg(feature = "unstable-cloud")]
-                    let sni = self
-                        .sni
-                        .as_deref()
-                        .map(rustls::pki_types::ServerName::try_from)
-                        .transpose()?
-                        .map(|s| s.to_owned());
-
-                    Ok(Tls::Rustls023 {
-                        connector,
-                        #[cfg(feature = "unstable-cloud")]
-                        sni,
-                    })
-                }
-            }
-        }
-    }
-}
-
 impl<'id: 'map, 'map> SelfIdentity<'id> {
     fn add_startup_options(&'id self, options: &'map mut HashMap<Cow<'id, str>, Cow<'id, str>>) {
         /* Driver identity. */
@@ -1598,9 +1373,9 @@ impl Connection {
             #[allow(unreachable_code)]
             match tls_config.new_tls()? {
                 #[cfg(feature = "openssl-010")]
-                tls_config::Tls::OpenSsl010(ssl) => {
-                    let mut stream =
-                        tokio_openssl::SslStream::new(ssl, stream).map_err(TlsError::OpenSsl010)?;
+                crate::network::tls::Tls::OpenSsl010(ssl) => {
+                    let mut stream = tokio_openssl::SslStream::new(ssl, stream)
+                        .map_err(crate::network::tls::TlsError::OpenSsl010)?;
                     std::pin::Pin::new(&mut stream)
                         .connect()
                         .await
@@ -1617,7 +1392,7 @@ impl Connection {
                     .await);
                 }
                 #[cfg(feature = "rustls-023")]
-                tls_config::Tls::Rustls023 {
+                crate::network::tls::Tls::Rustls023 {
                     connector,
                     #[cfg(feature = "unstable-cloud")]
                     sni,

scylla/src/network/mod.rs

@@ -5,13 +5,11 @@
 //! - NodeConnectionPool - a manager that keeps a desired number of connections opened to each shard.
 
 mod connection;
-#[cfg(feature = "unstable-cloud")]
-pub(crate) use connection::TlsConfig;
-pub use connection::TlsError;
-pub(crate) use connection::TlsProvider;
 pub(crate) use connection::{Connection, ConnectionConfig, VerifiedKeyspaceName};
 
 mod connection_pool;
 
 pub use connection_pool::PoolSize;
 pub(crate) use connection_pool::{NodeConnectionPool, PoolConfig};
+
+pub(crate) mod tls;