From b31803e72d4fbe80ee8e246520475ea62b14c4e8 Mon Sep 17 00:00:00 2001 From: Rob Ede Date: Sun, 25 Oct 2020 18:42:01 +0000 Subject: [PATCH] fix populate extensions for http2 --- Cargo.toml | 11 ++-- actix-http/src/builder.rs | 3 +- actix-http/src/h2/dispatcher.rs | 8 +++ actix-http/src/h2/service.rs | 4 ++ actix-http/src/service.rs | 22 +++---- examples/certs/client-cert.pem | 26 +++++++++ examples/certs/client-key.pem | 28 +++++++++ examples/certs/rootCA-key.pem | 40 +++++++++++++ examples/certs/rootCA.pem | 27 +++++++++ examples/certs/server-cert.pem | 25 ++++++++ examples/certs/server-key.pem | 28 +++++++++ examples/on_connect.rs | 100 ++++++++++++++++++++++++++------ src/server.rs | 8 ++- 13 files changed, 295 insertions(+), 35 deletions(-) create mode 100644 examples/certs/client-cert.pem create mode 100644 examples/certs/client-key.pem create mode 100644 examples/certs/rootCA-key.pem create mode 100644 examples/certs/rootCA.pem create mode 100644 examples/certs/server-cert.pem create mode 100644 examples/certs/server-key.pem diff --git a/Cargo.toml b/Cargo.toml index 3ca8aea83..a294f0228 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -66,6 +66,12 @@ required-features = ["compress"] [[example]] name = "on_connect" +required-features = ["rustls"] + +[[example]] +name = "client" +required-features = ["rustls"] + [dependencies] actix-codec = "0.3.0" @@ -113,6 +119,7 @@ serde_derive = "1.0" brotli2 = "0.3.2" flate2 = "1.0.13" criterion = "0.3" +webpki-roots = "0.20" [profile.release] lto = true @@ -128,10 +135,6 @@ actix-files = { path = "actix-files" } actix-multipart = { path = "actix-multipart" } awc = { path = "awc" } -[[example]] -name = "client" -required-features = ["rustls"] - [[bench]] name = "server" harness = false diff --git a/actix-http/src/builder.rs b/actix-http/src/builder.rs index 807d1f7c1..b28c69761 100644 --- a/actix-http/src/builder.rs +++ b/actix-http/src/builder.rs @@ -180,7 +180,8 @@ where /// Set on-connect callback. /// /// Called once per connection. Return value of the call is stored in request extensions. - #[deprecated = "Prefer the `on_connect_ext` style callback."] + /// + /// *SOFT DEPRECATED*: Prefer the `on_connect_ext` style callback. pub fn on_connect(mut self, f: F) -> Self where F: Fn(&T) -> I + 'static, diff --git a/actix-http/src/h2/dispatcher.rs b/actix-http/src/h2/dispatcher.rs index daa651f4d..594339121 100644 --- a/actix-http/src/h2/dispatcher.rs +++ b/actix-http/src/h2/dispatcher.rs @@ -24,6 +24,7 @@ use crate::message::ResponseHead; use crate::payload::Payload; use crate::request::Request; use crate::response::Response; +use crate::Extensions; const CHUNK_SIZE: usize = 16_384; @@ -36,6 +37,7 @@ where service: CloneableService, connection: Connection, on_connect: Option>, + on_connect_data: Extensions, config: ServiceConfig, peer_addr: Option, ka_expire: Instant, @@ -56,6 +58,7 @@ where service: CloneableService, connection: Connection, on_connect: Option>, + on_connect_data: Extensions, config: ServiceConfig, timeout: Option, peer_addr: Option, @@ -82,6 +85,7 @@ where peer_addr, connection, on_connect, + on_connect_data, ka_expire, ka_timer, _t: PhantomData, @@ -130,11 +134,15 @@ where head.headers = parts.headers.into(); head.peer_addr = this.peer_addr; + // DEPRECATED // set on_connect data if let Some(ref on_connect) = this.on_connect { on_connect.set(&mut req.extensions_mut()); } + // merge on_connect_ext data into request extensions + req.extensions_mut().drain_from(&mut this.on_connect_data); + actix_rt::spawn(ServiceResponse::< S::Future, S::Response, diff --git a/actix-http/src/h2/service.rs b/actix-http/src/h2/service.rs index 428f6c4a4..3103127b4 100644 --- a/actix-http/src/h2/service.rs +++ b/actix-http/src/h2/service.rs @@ -326,6 +326,7 @@ where Some(self.cfg.clone()), addr, deprecated_on_connect, + Some(connect_extensions), server::handshake(io), ), } @@ -343,6 +344,7 @@ where Option, Option, Option>, + Option, Handshake, ), } @@ -378,6 +380,7 @@ where ref mut config, ref peer_addr, ref mut on_connect, + ref mut on_connect_data, ref mut handshake, ) => match Pin::new(handshake).poll(cx) { Poll::Ready(Ok(conn)) => { @@ -385,6 +388,7 @@ where srv.take().unwrap(), conn, on_connect.take(), + on_connect_data.take().unwrap(), config.take().unwrap(), None, *peer_addr, diff --git a/actix-http/src/service.rs b/actix-http/src/service.rs index cf7b67dc3..8393f1080 100644 --- a/actix-http/src/service.rs +++ b/actix-http/src/service.rs @@ -20,7 +20,7 @@ use crate::error::{DispatchError, Error}; use crate::helpers::DataFactory; use crate::request::Request; use crate::response::Response; -use crate::{h1, h2::Dispatcher, ConnectCallback, Protocol}; +use crate::{h1, h2::Dispatcher, ConnectCallback, Extensions, Protocol}; /// A `ServiceFactory` for HTTP/1.1 or HTTP/2 protocol. pub struct HttpService> { @@ -562,12 +562,12 @@ where } fn call(&mut self, (io, proto, peer_addr): Self::Request) -> Self::Future { - let mut connect_extensions = crate::Extensions::new(); + let mut connect_extensions = Extensions::new(); - let legacy_on_connect = self.on_connect.as_ref().map(|handler| handler(&io)); - self.on_connect_ext - .as_ref() - .map(|handler| handler(&io, &mut connect_extensions)); + let deprecated_on_connect = self.on_connect.as_ref().map(|handler| handler(&io)); + if let Some(ref handler) = self.on_connect_ext { + handler(&io, &mut connect_extensions); + } match proto { Protocol::Http2 => HttpServiceHandlerResponse { @@ -575,7 +575,8 @@ where server::handshake(io), self.cfg.clone(), self.srv.clone(), - legacy_on_connect, + deprecated_on_connect, + connect_extensions, peer_addr, ))), }, @@ -587,7 +588,7 @@ where self.srv.clone(), self.expect.clone(), self.upgrade.clone(), - legacy_on_connect, + deprecated_on_connect, connect_extensions, peer_addr, )), @@ -617,6 +618,7 @@ where ServiceConfig, CloneableService, Option>, + Extensions, Option, )>, ), @@ -692,9 +694,9 @@ where } else { panic!() }; - let (_, cfg, srv, on_connect, peer_addr) = data.take().unwrap(); + let (_, cfg, srv, on_connect, on_connect_data, peer_addr) = data.take().unwrap(); self.set(State::H2(Dispatcher::new( - srv, conn, on_connect, cfg, None, peer_addr, + srv, conn, on_connect, on_connect_data, cfg, None, peer_addr, ))); self.poll(cx) } diff --git a/examples/certs/client-cert.pem b/examples/certs/client-cert.pem new file mode 100644 index 000000000..106317626 --- /dev/null +++ b/examples/certs/client-cert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEVDCCArygAwIBAgIRAOAgy58Y3ViVpV9G8DTyKzMwDQYJKoZIhvcNAQELBQAw +bTEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMSEwHwYDVQQLDBhyb2JA +c29tYnJhLng1Mi5kZXYgKFJvYikxKDAmBgNVBAMMH21rY2VydCByb2JAc29tYnJh +Lng1Mi5kZXYgKFJvYikwHhcNMTkwNjAxMDAwMDAwWhcNMzAxMDI1MTczODMxWjBM +MScwJQYDVQQKEx5ta2NlcnQgZGV2ZWxvcG1lbnQgY2VydGlmaWNhdGUxITAfBgNV +BAsMGHJvYkBzb21icmEueDUyLmRldiAoUm9iKTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAJsp9QFEpfEWFB3CyFTA2Rv2tUMwnpQcDtiB1hwH03EYcMlG +pEkMh1tPTK8WZo2igMJrBtP2Vf2AN0/hmFWUZV1ZEUUNXXW0QD2mHS8Rgz7nAgmq +V5XvmLLeeo2vMdw1B2qsRxCPTjbInDsZsBqv2GyXWo5/9o3PD32h4LNk3w0VyA47 +f/jdpMWlcIXQoyJJV1U1FPLf92xYZvWc9Vf/+K6mStESEpoFll+b4uqjPpwrEz9Q +KBY4eyXwhGCrjQC0+jJFNlIcbV5FgQSYd4DVMcw6SWdMeV/+VtQs+JQrENjNB3am +nJ5xpoZ7mmNDOkWg4zvoYRL6o7LtqT+8EXptzMMCAwEAAaOBjzCBjDAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB +/wQCMAAwHwYDVR0jBBgwFoAUfpWkO5lYpQJz4omoVdVzuuZnn80wLAYDVR0RBCUw +I4IJbG9jYWxob3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEB +CwUAA4IBgQB8ulsrStRha8SRxoPRlTNIb9WMjNl5KdZF+ePpUctBX0lFmxqn0upu +l3BoZkhMrpPRRcGlDPImuL7tfxk/IuTA6S1AEQtEHCC8WyZbq3RODPzVY6J/IOUv +H2ZwZYo0c714FyNx8igBpVSjHT6yCIeQkSQlTXsWxddToSeKYvXg8VI+M5L0DH1Y +jRb2u3GpMPdLhMqGNZPcwbLkVyMe5aj4hx334fa3uLf/CK6/5ev4+ozSNz3Qr8S7 +iPE8WXrny/qEJmTEme7eq6K/QPTC9ly3j+5Ms3Uepnk0Jez9/ksOrlbYrWXhwD0P +Nwvn3HtiYy8q1HwRw5U+LMNyh6lIyfJUsu2tRmYz1fiH74tMDFb2pjDpcmvgaSJY +eSwKksOiX1No6K980ECEkCX9iQFwD5edTCnD2lz+AVGDzZPkY/551Ohl+KMh/mFG +uZNtgjUeMh0btfc9D+PLLLHjpSMVkRMEEmtm/Zi2nKeVCAdIomFfk+EFIEOdaMyk +SUZMUFzBP+4= +-----END CERTIFICATE----- diff --git a/examples/certs/client-key.pem b/examples/certs/client-key.pem new file mode 100644 index 000000000..5ce3576fb --- /dev/null +++ b/examples/certs/client-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCbKfUBRKXxFhQd +wshUwNkb9rVDMJ6UHA7YgdYcB9NxGHDJRqRJDIdbT0yvFmaNooDCawbT9lX9gDdP +4ZhVlGVdWRFFDV11tEA9ph0vEYM+5wIJqleV75iy3nqNrzHcNQdqrEcQj042yJw7 +GbAar9hsl1qOf/aNzw99oeCzZN8NFcgOO3/43aTFpXCF0KMiSVdVNRTy3/dsWGb1 +nPVX//iupkrREhKaBZZfm+Lqoz6cKxM/UCgWOHsl8IRgq40AtPoyRTZSHG1eRYEE +mHeA1THMOklnTHlf/lbULPiUKxDYzQd2ppyecaaGe5pjQzpFoOM76GES+qOy7ak/ +vBF6bczDAgMBAAECggEAOAzN/mlH8HDjT2TfbQ5E3z8dd2oGvsXr7vXn3DRPgxkr +FOo5ylGGS8u3jb/vx9Yd4R08WDEyGuLIGEkL+E4k17Wm8WTEkBJO6nYpMKmI2Z4l +NEyeWwE0DdkkOC5DOqLFTRlyil7aCBwro4XCAcHn0kJSagt7ivpzRBTH0MXtdRIL +L37nOInga2puSeHLOGj9W1Q0AX0EIiecqLPpCLmz+xotlevFBmlQ4iFT7xkoKH+s +NeqWEd0HTNYkYQZtZ9husDzNK4x59MKUYS1oWB8A8JKu5E4ovdb6R6LjyN/Y5lNl +3Z4Mg2DJ4iBN4DRnEBwiY8bdeqYboMNNyAbCU+nPYQKBgQDLP0lEYsdcSNF5Uv0c +fe5pUvAzyTUzVhP7LLOk2jdRxs85MNbYJkays40rROqm2+StSFgih3NpA9D1pl7f +ucJABlK9OkTtOshFSR6Q+0NomKLHhBGvYpouC2tIHjGsE/KjiQa4I1Pia72xpIWT +QK3isM2c11924RqdoJ0mpBKpOwKBgQDDb8k4U512u+exVvFQ8JEbro4oy4jsc74L +BZG6PbHZcIADKANmB15ahN3tCkDwJQ8iJYX7bmzn+8jR2HtznchgJwWN9aGtEP4C +qTmmyrJd09pMMs5W4/BucD7wJ7s32PwVUwj0nvW+BHE4LQk5td4a3VE1wj1EZ8bR ++JCK081yGQKBgQCG1vKtuvbWY70NR6CCwY1lNNAFG0z/RPE2pz57dQZUa5hZMeyn +NCWdMv/KIAupLaN1ztQh/Ej198Eu5/RzaxLTVR6ZScomtOPfC5aKyxe6keEUiqsM +91agi5TeIKIFrqpAEo1xpoZlZeNQsnyn57Y0+eU/U6eS/96fisoXs6xptwKBgQCy +loDqnsXCTR0AmbE0RFBlWlH/h1Ycs/tSeQlchanyR3JC8BqC7nLTBp0BUaBbkZHN +ozpWsuaD6jntQAQ3d1Q2QRI7Ud0ml+N1rQvIlWr+gGv3u2mATxRS5vEsZTIYa4iX +N+R0HJn0xHxtWAIZIU7Pf7QJCvEPhEFTd+8lXTxcaQKBgG5d4vG5AyYXuiKKmm+d +MM4PPMJNw3+u5G50hgI4D/1WlirP9m6HIpFouNNGoggxpBBUeokIBPsXbq/fnkq2 +uZmkAkWZeMeWHbI0lHSsE98ZTQHg36dNJ9hRHVRJ9PA2/YTSnr3WzDaaA1v5aoTv +xJyGdLlEy+RiIZCPk9RKtVc4 +-----END PRIVATE KEY----- diff --git a/examples/certs/rootCA-key.pem b/examples/certs/rootCA-key.pem new file mode 100644 index 000000000..eadccba17 --- /dev/null +++ b/examples/certs/rootCA-key.pem @@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQCrw0DmUZg1hTEK +SekUpDXhEEmVsSCNx8ciLyGn1OhvNSKDI5Chn1bnRaYKFG64A799cgaLyKh6Oi14 +09VsmPuCAwrHXfbnpy8MpVHv00p6gcFJhRSOzY3JlnfM9R5R7S1c8dEnhExYualg +p0jo0JiMNfqi4Ih6HqyKdM5JX7R1ud8e8UYRIWlR6JR2ycJGiuxr+gGf6Eifl29+ +27FINgNsAOxIsOqHFjjGxAko/TS43Kws/S97AGpNJQs14cw1/RiGmLKi3+1txGpA +DNLNEi9Z4KDDQZyOo9bbv+n/H/hKHdfONPrDXFW0XtmeJbfsziBCS00ecxZWBx6q +jRNoLCj4Hftclr98FEfTHwecx1rUl5ntfz9LPJztgRrUzpmQo414ISALv7yOn9pM +z/QO68giHEfAr/08a9ZgMUmfLYl/ymrWMnroavS5bFEkeht/aQH5oXcpSzmcrj0r +D5OZlwH5JtTbnp7bA+G6zGrFediL1aN0jIKoXcHWFjESJpGIVFMCAwEAAQKCAYAk +tysTUJPBtQPjmCL7p5Jg1rN0DRXRWMgHVZ3TG17IDsqez6Zl9gKEk03Hz9BPA3YW +YZ5mmPDyl6cKsfVoLlds1iuirEJQCFu1T01xf2/nOf9QMONRFz1cvw5CwI7HonRU +7tfvo4cSXDWJlJiwM464Qf2efXKO8CmfuxIxewS/OYkpOxfoJ4U03guGTOB7Zczd +0+YvAV8sxhkuO9Xsgqc+mf/oFfE8CRL/4f23RlDTx1ACmehhWZhffzCjRu35CG2w +8wI7UpKQvnVaQJ8hpnwYpv5lFlTvh7lYHz97VdRSGs3k3szqFbuPzRyGgnwMwRbQ +W323XuSI6euAzc9aaUP4yo56CmYP+vngn/MIAXQj3YO1snMTf+RUg4AA44r8Lemw +It8dhGA3m48eVckQv5qGlCFlAwTUhdQiuEaDRymf037sNmQLcMAXp8YXDJRpGR4F +v5bgVXrFdQlg1Q54TB58G4DOtuz9J8TyKgvhQvjFS0BC2HVWCCPR+KCxKqncF/kC +gcEA20IpdVOeuJQxr6MvhUgFPD2hrKzDdAdFL28YSSSg2vOdbdavxOQ66WpUREx5 +G1o4KUdf7Ex/z/XI0HRzZfjxAIKdpEcCebVa5HceOQsqb5RulLaflGc1sL8Lkc0c +sAsyj8QtCuYege/GgM3srF1V7Nu2oSMR2W9ZZuyDPzuwAyTkbQNsND/W2Y6REnSL +qlz2aK4BkkHHQqpjlmR/n8ejX00O1CERNUF6uRXi9ZN+wsMhBeuCRHf2bZHSD2aE +kNjnAoHBAMiLmaL/mZa0+sRPqdqldO1IOpGIn1L+NYngcQfqpTpLzB4FaYzZG/02 +7CrPrYkojXy7Fc2dUM/i4BTOAnJIAeS9DvLA/5xmv9bid76e91+8zdXGU1R3JjYN ++n7TJbcwLXpJ6+M8vX/WDj5ZknVZHiBMWqVc+LLQLhfeupP1V3fD5qWcL1NuBrbF +P+G6y230NraoRNFzx+4E97eG7TXUSgnjeoRqiRiGOW7BAC1WWe1BHcJULKi6Gq2/ +uyuMqe0ftQKBwCBwSXHyTSlBw5gYrI8reJrRA3polQI1kSbTaORpZuL95+y4NokK +uyyNbqosJj7FuklhJe/v4XkDBBLTJ7+OdRl+OZR0bQlUq33hobcOz9hyPWoDGtj5 +7BeaLDwF/JiPD4v1mjRil2Dh+JxV2w4lQPEqEHsGlT12G+P+WeyhCAlvC9yVBQ01 +5LOLRCtW0tMBrfMOy2y4DqLuUo2NkNQy1Rjkba00tzcJ2P5JHqr2h2qJM/mMPlmi +5fKQAGQG5tYHQQKBwG24cwZK8a0St2BQdY26mI55xhF5vjGaA5C7yxuZtWx/q92A ++I6m+jk/o1aI6VjxZvenI/aq61vRtOetDomX+/E5vsPx8+eOD8dxgDI6pv0qPzOG +nnDH/4/zdemNfEUNhtQxPW3F/afDZWeXehnZ+DGTlMSEaUzruUw1/76TrJdKBxb0 +rK/osqOsp5bIrCQsSQMGbSBrSCdhcGZo279ntlpSquVnpDpWtXVzArXLWMgFqFJ5 +2zU1HQOSssTQ4OdrQQKBwEjUyeaG/exb/vNzHHGTpm0qti7BEezji+nlNvSUN38u +9/eKK3m70FGhBrdB44jAtmLp4cyjQVmdluRYkZL5s4NbP+bAEAbyzCozfaU0ontJ +YTSE5W8CzQo5ayA/m4SA9uV0h8MijeItxNyveLsi2OlA04m9/peq45IGNdLHzHjm +xvm40ENrToQsRH8p8PjREipl45/xjrDG+zhGCH87+C+WOLF4BWTP0VzkTym8fX9K +nctls65dJGslcxgwD6O1rA== +-----END PRIVATE KEY----- diff --git a/examples/certs/rootCA.pem b/examples/certs/rootCA.pem new file mode 100644 index 000000000..8a3a2fd1f --- /dev/null +++ b/examples/certs/rootCA.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEqTCCAxGgAwIBAgIQL82W4ilLJ4cs8zMbhJ+7aTANBgkqhkiG9w0BAQsFADBt +MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExITAfBgNVBAsMGHJvYkBz +b21icmEueDUyLmRldiAoUm9iKTEoMCYGA1UEAwwfbWtjZXJ0IHJvYkBzb21icmEu +eDUyLmRldiAoUm9iKTAeFw0yMDEwMjUxNzIyMzlaFw0zMDEwMjUxNjIyMzlaMG0x +HjAcBgNVBAoTFW1rY2VydCBkZXZlbG9wbWVudCBDQTEhMB8GA1UECwwYcm9iQHNv +bWJyYS54NTIuZGV2IChSb2IpMSgwJgYDVQQDDB9ta2NlcnQgcm9iQHNvbWJyYS54 +NTIuZGV2IChSb2IpMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAq8NA +5lGYNYUxCknpFKQ14RBJlbEgjcfHIi8hp9TobzUigyOQoZ9W50WmChRuuAO/fXIG +i8ioejoteNPVbJj7ggMKx13256cvDKVR79NKeoHBSYUUjs2NyZZ3zPUeUe0tXPHR +J4RMWLmpYKdI6NCYjDX6ouCIeh6sinTOSV+0dbnfHvFGESFpUeiUdsnCRorsa/oB +n+hIn5dvftuxSDYDbADsSLDqhxY4xsQJKP00uNysLP0vewBqTSULNeHMNf0Yhpiy +ot/tbcRqQAzSzRIvWeCgw0GcjqPW27/p/x/4Sh3XzjT6w1xVtF7ZniW37M4gQktN +HnMWVgceqo0TaCwo+B37XJa/fBRH0x8HnMda1JeZ7X8/Szyc7YEa1M6ZkKONeCEg +C7+8jp/aTM/0DuvIIhxHwK/9PGvWYDFJny2Jf8pq1jJ66Gr0uWxRJHobf2kB+aF3 +KUs5nK49Kw+TmZcB+SbU256e2wPhusxqxXnYi9WjdIyCqF3B1hYxEiaRiFRTAgMB +AAGjRTBDMA4GA1UdDwEB/wQEAwICBDASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud +DgQWBBR+laQ7mVilAnPiiahV1XO65mefzTANBgkqhkiG9w0BAQsFAAOCAYEAe3A5 +5z5JWHSXEcQI/LstAVJfiloehyhvYgcNpImlsm5A41VzMd1iWdpLY+WSKWjHKFs0 +u5Id+sGEZRHBicYDts0azH3Sklj0FrNrpRdvf8jJuMvVC1EoUFijG+V/RdL14bxq +kyp5dtxVcvtvULT+ID5vSVYBwGOBp36Fg5Qs4QOuSPkVGwjaEdJvzqb1XDLncsve +ap6ALzwOXUsN8Icrq4/GlVDX11rOnfWhNQRiWKJtin4vzxL002rPWwSsekcuLEFQ +NCBYaBBDlp4fLh2XVuB7xvKXTPm8K9hIxrTBEh8kj8p5p95DOTWpLgXuBcdXmNDV +/4NBzsWwuO3I7/ilHbH+gEsM390p056Bmv2cF0bWb+xT2vyNymhmSCn77QEmcsOF +LDqsjDc7JsQGUVIAgtM50md/QvaXxTVoAMXtSWeyK8QsC2syZqWlXiYkrwYjp+KI +6jX4EpLwKdQOzZdjgnIZvG94o5lR8cPyZlaUKVunOTvAXiT3AWeBppCk6SEH +-----END CERTIFICATE----- diff --git a/examples/certs/server-cert.pem b/examples/certs/server-cert.pem new file mode 100644 index 000000000..f0b8d19c4 --- /dev/null +++ b/examples/certs/server-cert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIESjCCArKgAwIBAgIRAKNTHdWsrKKCpKt19C/sI4UwDQYJKoZIhvcNAQELBQAw +bTEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMSEwHwYDVQQLDBhyb2JA +c29tYnJhLng1Mi5kZXYgKFJvYikxKDAmBgNVBAMMH21rY2VydCByb2JAc29tYnJh +Lng1Mi5kZXYgKFJvYikwHhcNMTkwNjAxMDAwMDAwWhcNMzAxMDI1MTczODM4WjBM +MScwJQYDVQQKEx5ta2NlcnQgZGV2ZWxvcG1lbnQgY2VydGlmaWNhdGUxITAfBgNV +BAsMGHJvYkBzb21icmEueDUyLmRldiAoUm9iKTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBANDv0oRupAGtAl9ZZTeTwdToYh/Gtaj3bAyhQQz+dQ5GzLS3 ++Zvo3daepwnoNABoxuPwptb/jJ6Ec8rdvUiJkKb+jAuZ0vSuEqPTcgvbnqsV+7UT +8WleCUnOIY6FB+uTaLEptu5k+Pf7i3m1RqW1gRVlYcHsLuv3NBQW0bz+XUZvcirW +KVCxz2ex2aFzWXrAZEuOwMX+x+Wicd4tRfcio4mOI+jCRCsbwW0TsyWStrimcbl0 +ldbRi8DeADf3VPQCMYmcJARYsTfRwK75OFMgmD0GTi8WURWQCbTJnwzop7Famno0 +/I/Ef65Dngleb6HwG91EtEVU7QHqSXlUK41Au9kCAwEAAaOBhTCBgjAOBgNVHQ8B +Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAfBgNV +HSMEGDAWgBR+laQ7mVilAnPiiahV1XO65mefzTAsBgNVHREEJTAjgglsb2NhbGhv +c3SHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADggGBAJJ0 +7oDkVmdB/P0PX0vIn+CPmiE8IrO8stItOGlVRy9TDWFRdMpY13BOjlNY2efNU2Tz +or+lyfV7D8PiCk5q3e8sLtOlIAT32IRIrGXl5E4q7zDnOckQjZIUZwSFAFVygy4F +rPgJCS9uqz9vz086SyRD0krTM5u9yMAvG2uJLEk5oaVWAKdDRplStmMx7QQHMZ4G +iNYMDpj4dU4gkrvZeC+JKwjbSJ3hje8CZCA1atzz/5WWEt2D8Yf9tw27T/hinrMi +rrjPpEcA6C8wvHxqYpiptQC1FF5vaUyRqjF+irHgQdNUCE0nJSwAsIDW0TDiVGDD +OJKs6EYuzJ8OcWw6IFx8YNvdxZJSr8SaavrH76myHieTkqhWvjSQERUw71iUwe0q +5Nev+J2N9U7oZBTCIsD/qKOQTD9mRjJpYLnXNqEyJhzRgCA5+TQIXbTa10eo9Svg +CTkqxsixmdTKD8ZIlUPhLI9ehr0Spbt+2Xh3yAtlSrfAt5p2hgVCoxalEwWpwA== +-----END CERTIFICATE----- diff --git a/examples/certs/server-key.pem b/examples/certs/server-key.pem new file mode 100644 index 000000000..729f0d91e --- /dev/null +++ b/examples/certs/server-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDQ79KEbqQBrQJf +WWU3k8HU6GIfxrWo92wMoUEM/nUORsy0t/mb6N3WnqcJ6DQAaMbj8KbW/4yehHPK +3b1IiZCm/owLmdL0rhKj03IL256rFfu1E/FpXglJziGOhQfrk2ixKbbuZPj3+4t5 +tUaltYEVZWHB7C7r9zQUFtG8/l1Gb3Iq1ilQsc9nsdmhc1l6wGRLjsDF/sflonHe +LUX3IqOJjiPowkQrG8FtE7Mlkra4pnG5dJXW0YvA3gA391T0AjGJnCQEWLE30cCu ++ThTIJg9Bk4vFlEVkAm0yZ8M6KexWpp6NPyPxH+uQ54JXm+h8BvdRLRFVO0B6kl5 +VCuNQLvZAgMBAAECggEAZ8PzZVodkcd+uiQHpMZ5KWgP84AYkEXxH4SmbfGh6Ok4 +mTgVe1z3b7NzefQcf2eJ/4JxGa3pBID7kPD3JKNNd+JLYyeOIX6iO0K0DTeRYZ6V +V6UD7DSLoGADQmjHOjQHdpUlCNiU3XPMHTHuWDYAWcPz/P9zfjVTY/bBS394i5W/ +nFLHMEGD/9KETUm2Wdmu+84fhAg+gSbDOHKOmrqiRoSmBInfUEjTL22gU1hPkjWY +17i9veMGVPQeA89XYmFavgWIMHwiOD0Fom2y26OIDWDXAJf7oOoONElWF2OjiSAa +7IHl8EED/aDIt9Xyv8J9qXzkAtLPXO8vFG2Uq0/BQQKBgQD1MlCsnMVf3dck8yg6 +YwFkFHZxnFBzBPwuDoMD2OBIZcrwcBhUQo0u8M0NohgjvBB7XUrW+/5ucF9BaecC +3Rz/JwPk7oPafYVbEFGv+CeGJFKL/lq7NwF62N7EYo3N2ijYjGYiZFmxgOVEfzSd +WRSH+b6Q923lEpWoFaeFww+5HQKBgQDaJIRTr1stXXFXVj/ETJG4uT3I7qlfR7zp +/t/YHX6QnV5dFdBCEXSW41YoqvUn12Ox28nvQMDFWVkQGfAELYqkf/ozBQ9d6ee8 +3bU9V14YWaGSK1RT83cgWUtDnUjtLuk9MG+5x3EQcfq5ng6ud+Hr8ut+gz0PbLcK +gR3uTQkM7QKBgENUSarccaZdeFKBIq7FuQAOTmfsEHtFBypuebN4vj2jFhLn9QZO +MA6PuP7hX9eQMMZvW7mlALy6xq1jszeqF+hIgl0+0Z4Rkajr1kKH1fKTzsb6VVfL +RvDA1IsAtQetvEGabAFNpQOE7W/drkj2yRh9j8Km7tpUPBwnthSY95xRAoGAL5uu +oZDwxjrRhK0XJ6FKYFVVTagAoQHIEg2FDuaI+8jMkmYzWGf02QVuhVuiO3q/kE6W +iLfKGogAbwoqHs9Npc8kbMQa8XUeFVMRvfx2VbwiDgOU2OmWwyGZ0nzeMJ1/W9JZ +X+NOIretb5s2Ow+A5/zRNoAv8FDatdkuDhcT9ZUCgYBtEI9pmWYXxGfaVQErJcsS +3a8PU875sE06DiEcvooljcLp6dCmGocRQOGpSXfy3zjX4F/HZjDK+GKPg2bCirKr +nRPWf0t3DSeSyDINj+a0fg4KvYR4FcocJDzTFJh/9CrtNktqwHAqrQUSokBbW8n6 +Kj/AYLWOIXATfCrOgdoAAg== +-----END PRIVATE KEY----- diff --git a/examples/on_connect.rs b/examples/on_connect.rs index 20c2585de..74dd0636d 100644 --- a/examples/on_connect.rs +++ b/examples/on_connect.rs @@ -1,37 +1,103 @@ -//! This example shows how to use `actix_web::HttpServer::on_connect` +//! This example shows how to use `actix_web::HttpServer::on_connect` to access a lower-level socket +//! properties and pass them to a handler through request-local data. +//! +//! For an example of extracting a client TLS certificate, see: +//! -use std::any::Any; +use std::{any::Any, env, fs::File, io::BufReader}; -use actix_rt::net; -use actix_web::{dev::Extensions, web, App, HttpRequest, HttpServer}; +use actix_tls::rustls::{ServerConfig, TlsStream}; +use actix_web::{ + dev::Extensions, rt::net::TcpStream, web, App, HttpResponse, HttpServer, Responder, +}; +use log::info; +use rust_tls::{ + internal::pemfile::{certs, pkcs8_private_keys}, + AllowAnyAnonymousOrAuthenticatedClient, Certificate, RootCertStore, Session, +}; + +const CA_CERT: &str = "examples/certs/rootCA.pem"; +const SERVER_CERT: &str = "examples/certs/server-cert.pem"; +const SERVER_KEY: &str = "examples/certs/server-key.pem"; #[derive(Debug, Clone)] struct ConnectionInfo(String); -async fn route_whoami(conn_info: web::ReqData) -> String { - format!("Here is some info about you:\n{}", &conn_info.0) +async fn route_whoami( + conn_info: web::ReqData, + client_cert: Option>, +) -> impl Responder { + if let Some(cert) = client_cert { + HttpResponse::Ok().body(format!("{:?}\n\n{:?}", &conn_info, &cert)) + } else { + HttpResponse::Unauthorized().body("No client certificate provided.") + } } -fn on_connect(connection: &dyn Any, data: &mut Extensions) { - let sock = connection.downcast_ref::().unwrap(); +fn get_client_cert(connection: &dyn Any, data: &mut Extensions) { + if let Some(tls_socket) = connection.downcast_ref::>() { + info!("TLS on_connect"); - let msg = format!( - "local_addr={:?}; peer_addr={:?}", - sock.local_addr(), - sock.peer_addr() - ); + let (socket, tls_session) = tls_socket.get_ref(); - data.insert(ConnectionInfo(msg)); + let msg = format!( + "local_addr={:?}; peer_addr={:?}", + socket.local_addr(), + socket.peer_addr() + ); + + data.insert(ConnectionInfo(msg)); + + if let Some(mut certs) = tls_session.get_peer_certificates() { + info!("client certificate found"); + + // insert a `rustls::Certificate` into request data + data.insert(certs.pop().unwrap()); + } + } else if let Some(socket) = connection.downcast_ref::() { + info!("plaintext on_connect"); + + let msg = format!( + "local_addr={:?}; peer_addr={:?}", + socket.local_addr(), + socket.peer_addr() + ); + + data.insert(ConnectionInfo(msg)); + } else { + unreachable!("socket should be TLS or plaintext"); + } } #[actix_web::main] async fn main() -> std::io::Result<()> { - std::env::set_var("RUST_LOG", "actix_server=info,actix_web=info"); + if env::var("RUST_LOG").is_err() { + env::set_var("RUST_LOG", "info"); + } + env_logger::init(); + let ca_cert = &mut BufReader::new(File::open(CA_CERT)?); + + let mut cert_store = RootCertStore::empty(); + cert_store + .add_pem_file(ca_cert) + .expect("root CA not added to store"); + let client_auth = AllowAnyAnonymousOrAuthenticatedClient::new(cert_store); + + let mut config = ServerConfig::new(client_auth); + + let cert_file = &mut BufReader::new(File::open(SERVER_CERT)?); + let key_file = &mut BufReader::new(File::open(SERVER_KEY)?); + + let cert_chain = certs(cert_file).unwrap(); + let mut keys = pkcs8_private_keys(key_file).unwrap(); + config.set_single_cert(cert_chain, keys.remove(0)).unwrap(); + HttpServer::new(|| App::new().route("/", web::get().to(route_whoami))) - .on_connect(on_connect) - .bind(("127.0.0.1", 8080))? + .on_connect(get_client_cert) + .bind(("localhost", 8080))? + .bind_rustls(("localhost", 8443), config)? .workers(1) .run() .await diff --git a/src/server.rs b/src/server.rs index 5aed2b834..86aaf4265 100644 --- a/src/server.rs +++ b/src/server.rs @@ -105,10 +105,12 @@ where /// Sets function that will be called once for each connection. /// It will receive &Any, which contains underlying connection type. + /// /// For example: - /// - `actix_tls::openssl::SslStream` when using openssl. - /// - `actix_tls::rustls::TlsStream` when using rustls. - /// - `tokio::net::TcpStream` when no encryption is used. + /// - `actix_tls::openssl::SslStream` when using openssl. + /// - `actix_tls::rustls::TlsStream` when using rustls. + /// - `actix_web::rt::net::TcpStream` when no encryption is used. + /// /// See `on_connect` example for additional details. pub fn on_connect(self, f: CB) -> HttpServer where