parse hosts as Authority and use that as key for client tls opts

Signed-off-by: Rajat Jindal <[email protected]>

Author: rajatjindal

Cargo.lock

@@ -18,7 +18,7 @@ use std::{
 use anyhow::{Context, Result};
 use async_trait::async_trait;
 use clap::Args;
-use http::{header::HOST, uri::Scheme, HeaderValue, StatusCode, Uri};
+use http::{header::HOST, uri::Authority, uri::Scheme, HeaderValue, StatusCode, Uri};
 use http_body_util::BodyExt;
 use hyper::{
     body::{Bytes, Incoming},
@@ -587,7 +587,7 @@ pub struct HttpRuntimeData {
     origin: Option<String>,
     chained_handler: Option<ChainedRequestHandler>,
     /// If provided, these options used for client cert auth
-    client_tls_opts: Option<HashMap<String, ParsedClientTlsOpts>>,
+    client_tls_opts: Option<HashMap<Authority, ParsedClientTlsOpts>>,
     /// The hosts this app is allowed to make outbound requests to
     allowed_hosts: AllowedHostsConfig,
 }
@@ -1018,9 +1018,9 @@ pub async fn send_request_handler(
         first_byte_timeout,
         between_bytes_timeout,
     }: wasmtime_wasi_http::types::OutgoingRequestConfig,
-    client_tls_opts: Option<HashMap<String, ParsedClientTlsOpts>>,
+    client_tls_opts: Option<HashMap<Authority, ParsedClientTlsOpts>>,
 ) -> Result<wasmtime_wasi_http::types::IncomingResponse, types::ErrorCode> {
-    let authority = if let Some(authority) = request.uri().authority() {
+    let authority_str = if let Some(authority) = request.uri().authority() {
         if authority.port().is_some() {
             authority.to_string()
         } else {
@@ -1030,7 +1030,10 @@ pub async fn send_request_handler(
     } else {
         return Err(types::ErrorCode::HttpRequestUriInvalid);
     };
-    let tcp_stream = timeout(connect_timeout, TcpStream::connect(&authority))
+
+    let authority = &authority_str.parse::<Authority>().unwrap();
+
+    let tcp_stream = timeout(connect_timeout, TcpStream::connect(&authority_str))
         .await
         .map_err(|_| types::ErrorCode::ConnectionTimeout)?
         .map_err(|e| match e.kind() {
@@ -1062,8 +1065,8 @@ pub async fn send_request_handler(
             use rustls::pki_types::ServerName;
             let config = get_client_tls_config_for_authority(&authority, client_tls_opts);
             let connector = tokio_rustls::TlsConnector::from(std::sync::Arc::new(config));
-            let mut parts = authority.split(":");
-            let host = parts.next().unwrap_or(&authority);
+            let mut parts = authority_str.split(":");
+            let host = parts.next().unwrap_or(&authority_str);
             let domain = ServerName::try_from(host)
                 .map_err(|e| {
                     tracing::warn!("dns lookup error: {e:?}");
@@ -1145,8 +1148,8 @@ pub async fn send_request_handler(
 }
 
 fn get_client_tls_config_for_authority(
-    authority: &String,
-    client_tls_opts: Option<HashMap<String, ParsedClientTlsOpts>>,
+    authority: &Authority,
+    client_tls_opts: Option<HashMap<Authority, ParsedClientTlsOpts>>,
 ) -> rustls::ClientConfig {
     // derived from https://github.com/tokio-rs/tls/blob/master/tokio-rustls/examples/client/src/main.rs
     let mut root_cert_store = rustls::RootCertStore {

crates/trigger-http/src/lib.rs

@@ -22,6 +22,7 @@ dirs = "4"
 futures = "0.3"
 indexmap = "1"
 ipnet = "2.9.0"
+http = "1.0.0"
 outbound-http = { path = "../outbound-http" }
 outbound-redis = { path = "../outbound-redis" }
 outbound-mqtt = { path = "../outbound-mqtt" }

crates/trigger/Cargo.toml

@@ -8,6 +8,7 @@ use std::{collections::HashMap, marker::PhantomData};
 
 use anyhow::{Context, Result};
 pub use async_trait::async_trait;
+use http::uri::Authority;
 use runtime_config::llm::LLmOptions;
 use serde::de::DeserializeOwned;
 
@@ -291,8 +292,8 @@ pub struct TriggerAppEngine<Executor: TriggerExecutor> {
     component_instance_pres: HashMap<String, Executor::InstancePre>,
     // Resolver for value template expressions
     resolver: std::sync::Arc<spin_expressions::PreparedResolver>,
-    // Map of { Component ID -> Map of { Host -> ParsedClientTlsOpts} }
-    client_tls_opts: HashMap<String, HashMap<String, ParsedClientTlsOpts>>,
+    // Map of { Component ID -> Map of { Authority -> ParsedClientTlsOpts} }
+    client_tls_opts: HashMap<String, HashMap<Authority, ParsedClientTlsOpts>>,
 }
 
 impl<Executor: TriggerExecutor> TriggerAppEngine<Executor> {
@@ -304,7 +305,7 @@ impl<Executor: TriggerExecutor> TriggerAppEngine<Executor> {
         app: OwnedApp,
         hooks: Vec<Box<dyn TriggerHooks>>,
         resolver: &std::sync::Arc<spin_expressions::PreparedResolver>,
-        client_tls_opts: HashMap<String, HashMap<String, ParsedClientTlsOpts>>,
+        client_tls_opts: HashMap<String, HashMap<Authority, ParsedClientTlsOpts>>,
     ) -> Result<Self>
     where
         <Executor as TriggerExecutor>::TriggerConfig: DeserializeOwned,
@@ -440,7 +441,7 @@ impl<Executor: TriggerExecutor> TriggerAppEngine<Executor> {
     pub fn get_client_tls_opts(
         &self,
         component_id: &str,
-    ) -> Option<HashMap<String, ParsedClientTlsOpts>> {
+    ) -> Option<HashMap<Authority, ParsedClientTlsOpts>> {
         self.client_tls_opts.get(component_id).cloned()
     }
 

crates/trigger/src/lib.rs

@@ -12,6 +12,7 @@ use std::{
 };
 
 use anyhow::{Context, Result};
+use http::uri::Authority;
 use serde::Deserialize;
 use spin_common::ui::quoted_path;
 use spin_sqlite::Connection;
@@ -185,16 +186,18 @@ impl RuntimeConfig {
 
     // returns the client tls options in form of nested
     // HashMap of { Component ID -> HashMap of { Host -> ParsedClientTlsOpts} }
-    pub fn client_tls_opts(&self) -> Result<HashMap<String, HashMap<String, ParsedClientTlsOpts>>> {
-        let mut components_map: HashMap<String, HashMap<String, ParsedClientTlsOpts>> =
+    pub fn client_tls_opts(
+        &self,
+    ) -> Result<HashMap<String, HashMap<Authority, ParsedClientTlsOpts>>> {
+        let mut components_map: HashMap<String, HashMap<Authority, ParsedClientTlsOpts>> =
             HashMap::new();
 
         for opt_layer in self.opts_layers() {
             for opts in &opt_layer.client_tls_opts {
                 let parsed = parse_client_tls_opts(opts).context("parsing client tls options")?;
                 for component_id in &opts.component_ids {
-                    let mut hostmap: HashMap<String, ParsedClientTlsOpts> = HashMap::new();
-                    for host in &opts.hosts {
+                    let mut hostmap: HashMap<Authority, ParsedClientTlsOpts> = HashMap::new();
+                    for host in &parsed.hosts {
                         hostmap.insert(host.to_owned(), parsed.clone());
                     }
 
@@ -547,7 +550,7 @@ mod tests {
 #[derive(Debug, Clone)]
 pub struct ParsedClientTlsOpts {
     pub components: Vec<String>,
-    pub hosts: Vec<String>,
+    pub hosts: Vec<Authority>,
     pub custom_root_ca: Option<Vec<rustls_pki_types::CertificateDer<'static>>>,
     pub cert_chain: Option<Vec<rustls_pki_types::CertificateDer<'static>>>,
     pub private_key: Option<Arc<rustls_pki_types::PrivateKeyDer<'static>>>,
@@ -572,8 +575,18 @@ fn parse_client_tls_opts(inp: &ClientTlsOpts) -> Result<ParsedClientTlsOpts, any
         None => None,
     };
 
+    let parsed_hosts: Vec<Authority> = inp
+        .hosts
+        .clone()
+        .into_iter()
+        .map(|s| {
+            s.parse::<Authority>()
+                .map_err(|e| anyhow::anyhow!("failed to parse uri {:?}", e))
+        })
+        .collect::<Result<Vec<Authority>, anyhow::Error>>()?;
+
     Ok(ParsedClientTlsOpts {
-        hosts: inp.hosts.clone(),
+        hosts: parsed_hosts,
         components: inp.component_ids.clone(),
         custom_root_ca,
         cert_chain,

crates/trigger/src/runtime_config.rs

@@ -2,7 +2,10 @@ use anyhow::Context;
 use rustls_pemfile::private_key;
 use std::io;
 use std::io::Cursor;
-use std::{fs, path::{Path, PathBuf}};
+use std::{
+    fs,
+    path::{Path, PathBuf},
+};
 
 #[derive(Debug, serde::Deserialize)]
 #[serde(rename_all = "snake_case", tag = "type")]
@@ -36,4 +39,4 @@ pub fn load_key(
     ))
     .map_err(|_| anyhow::anyhow!("invalid input"))
     .map(|keys| keys.unwrap())
-}
+}