feat: SSL support to the Rust server

This commit adds support for the Rust server to be configured at runtime to accept websocket connections over TLS rather than plaintext. This basically just boils down to reading and respecting the already-present options in the configuration.
mozilla-services · Sep 14, 2017 · 59d1c89 · 59d1c89
1 parent 2850928
commit 59d1c89
Show file tree

Hide file tree

Showing 7 changed files with 226 additions and 15 deletions.
diff --git a/autopush_rs/Cargo.lock b/autopush_rs/Cargo.lock
diff --git a/autopush_rs/Cargo.toml b/autopush_rs/Cargo.toml
@@ -15,12 +15,14 @@ httparse = "1.0"
 hyper = "0.11"
 libc = "0.2"
 log = "0.3"
+openssl = "0.9"
 serde = "1.0"
 serde_derive = "1.0"
 serde_json = "1.0"
 time = "0.1"
 tokio-core = "0.1"
 tokio-io = "0.1"
+tokio-openssl = "0.1"
 tokio-service = "0.1"
 tokio-tungstenite = { version = "0.3", default-features = false }
 tungstenite = { version = "0.4", default-features = false }

diff --git a/autopush_rs/src/lib.rs b/autopush_rs/src/lib.rs
@@ -69,6 +69,7 @@ extern crate hyper;
 extern crate libc;
 #[macro_use]
 extern crate log;
+extern crate openssl;
 extern crate serde;
 #[macro_use]
 extern crate serde_derive;
@@ -77,6 +78,7 @@ extern crate serde_json;
 extern crate time;
 extern crate tokio_core;
 extern crate tokio_io;
+extern crate tokio_openssl;
 extern crate tokio_service;
 extern crate tokio_tungstenite;
 extern crate tungstenite;

diff --git a/autopush_rs/src/server/dispatch.rs b/autopush_rs/src/server/dispatch.rs
@@ -29,9 +29,10 @@ use tokio_io::AsyncRead;
 
 use errors::*;
 use server::webpush_io::WebpushIo;
+use server::tls::MaybeTlsStream;
 
 pub struct Dispatch {
-    socket: Option<TcpStream>,
+    socket: Option<MaybeTlsStream<TcpStream>>,
     data: BytesMut,
 }
 
@@ -41,7 +42,7 @@ pub enum RequestType {
 }
 
 impl Dispatch {
-    pub fn new(socket: TcpStream) -> Dispatch {
+    pub fn new(socket: MaybeTlsStream<TcpStream>) -> Dispatch {
         Dispatch {
             socket: Some(socket),
             data: BytesMut::new(),

diff --git a/autopush_rs/src/server/mod.rs b/autopush_rs/src/server/mod.rs
@@ -14,6 +14,7 @@ use futures::sync::oneshot;
 use futures::task;
 use futures::{Stream, Future, Sink, Async, Poll, AsyncSink, StartSend};
 use libc::c_char;
+use openssl::ssl::SslAcceptor;
 use serde_json;
 use time;
 use tokio_core::net::TcpListener;
@@ -28,11 +29,12 @@ use errors::*;
 use protocol::{ClientMessage, ServerMessage, ServerNotification, Notification};
 use queue::{self, AutopushQueue};
 use rt::{self, AutopushError, UnwindGuard};
-use server::webpush_io::WebpushIo;
 use server::dispatch::{Dispatch, RequestType};
+use server::webpush_io::WebpushIo;
 use util::{self, RcObject, timeout};
 
 mod dispatch;
+mod tls;
 mod webpush_io;
 
 #[repr(C)]
@@ -69,6 +71,7 @@ pub struct AutopushServerOptions {
 pub struct Server {
     uaids: RefCell<HashMap<Uuid, RegisteredClient>>,
     open_connections: Cell<u32>,
+    tls_acceptor: Option<SslAcceptor>,
     pub tx: queue::Sender,
     pub opts: Arc<ServerOptions>,
     pub handle: Handle,
@@ -234,10 +237,6 @@ impl Server {
         let (inittx, initrx) = oneshot::channel();
 
         let opts = opts.clone();
-        assert!(opts.ssl_key.is_none(), "ssl not supported");
-        assert!(opts.ssl_cert.is_none(), "ssl not supported");
-        assert!(opts.ssl_dh_param.is_none(), "ssl not supported");
-
         let thread = thread::spawn(move || {
             let (srv, mut core) = match Server::new(&opts, tx) {
                 Ok(core) => {
@@ -287,15 +286,12 @@ impl Server {
             open_connections: Cell::new(0),
             handle: core.handle(),
             tx: tx,
+            tls_acceptor: tls::configure(opts),
         });
         let host_ip = resolve(&srv.opts.host_ip);
         let addr = format!("{}:{}", host_ip, srv.opts.port);
         let ws_listener = TcpListener::bind(&addr.parse().unwrap(), &srv.handle)?;
 
-        assert!(srv.opts.ssl_key.is_none(), "ssl not supported yet");
-        assert!(srv.opts.ssl_cert.is_none(), "ssl not supported yet");
-        assert!(srv.opts.ssl_dh_param.is_none(), "ssl not supported yet");
-
         let handle = core.handle();
         let srv2 = srv.clone();
         let ws_srv = ws_listener
@@ -317,9 +313,14 @@ impl Server {
 
                 // TODO: TCP socket options here?
 
+                // Process TLS (if configured)
+                let socket = tls::accept(&srv, socket);
+
                 // Figure out if this is a websocket or a `/status` request,
-                // without letting it take too long.
-                let request = Dispatch::new(socket);
+                let request = socket.and_then(Dispatch::new);
+
+                // Time out both the TLS accept (if any) along with the dispatch
+                // to figure out where we're going.
                 let request = timeout(request, srv.opts.open_handshake_timeout, &handle);
                 let srv2 = srv.clone();
                 let handle2 = handle.clone();