Implement TLS and more logging

Cargo.toml

@@ -11,7 +11,8 @@ panic = 'abort'
 strip = 'debuginfo'
 
 [dependencies]
-axum = { version = "0.6", features = [] }
+axum = { version = "0.8", features = [] }
+axum-server = { version = "0.8", features = ["tls-rustls"] }
 tokio = { version = "1", features = ["full"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
@@ -20,7 +21,9 @@ sled = { version = "0", features = ["no_logs"] }
 log = { version = "0", features = ["release_max_level_info"] }
 tracing = { version = "0", features = ["release_max_level_info"] }
 tracing-subscriber = "0"
-shadow-rs = "0"
+shadow-rs = "1"
+tower = { version = "0.5", features = ["tokio", "tracing"] }
+tower-http = { version = "0.6", features = ["tokio", "tower", "trace", "tracing"] }
 
 [build-dependencies]
-shadow-rs = "0"
+shadow-rs = "1"

README.md

@@ -30,4 +30,16 @@ for docker
 ./docker/make.sh
 ```
 
+## TLS
+
+Generate self-signed certificates:
+
+```bash
+openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -days 3650 -nodes -keyout key.pem -out cert.pem
+```
+
+## Systemd
+
+For non-Docker deployment, a systemd unit file and its matching env file are available in [contrib](contrib/).
+
 ## WIP

build.rs

@@ -1,3 +1,5 @@
-fn main() -> shadow_rs::SdResult<()> {
-    shadow_rs::new()
+use shadow_rs::ShadowBuilder;
+
+fn main() {
+    ShadowBuilder::builder().build().unwrap();
 }

contrib/kosync

@@ -0,0 +1,10 @@
+# KOSync config
+
+# Listen on IPv6 + IPv4 (Assuming /proc/sys/net/ipv6/bindv6only is at its default)
+KOSYNC_ADDR="[::]:3000"
+
+# Disable TLS if set
+#KOSYNC_NO_TLS="1"
+# Path to the TLS certs.
+KOSYNC_CERT="tls/cert.pem"
+KOSYNC_KEY="tls/key.pem"

contrib/kosync-cert-install.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# This is executed will full privileges *before* KOSync gets daemonized.
+# You can use this opportunity to install SSL certificates in the proper place,
+# as you would most likely not have permission to access them later on.

contrib/kosync.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=A KOSync server implemented in Rust
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+Type=exec
+EnvironmentFile=/etc/conf.d/kosync
+ExecStartPre=+/usr/local/bin/kosync-cert-install.sh
+ExecStart=/usr/local/bin/kosync
+WorkingDirectory=/var/lib/kosync
+User=kosync
+Group=kosync
+ProtectSystem=full
+ProtectHome=yes
+ReadWritePaths=/var/lib/kosync
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target

src/api.rs

@@ -4,8 +4,8 @@
 // 2023 (c) Lzyor
 
 use axum::{
-    extract::{Path, State},
-    http::{Request, StatusCode},
+    extract::{Path, Request, State},
+    http::StatusCode,
     middleware::Next,
     response::{IntoResponse, Response},
     Extension, Json,
@@ -17,16 +17,26 @@ use tracing::{instrument, Level};
 use crate::{
     db::DB,
     defs::{Error, ProgressState, FIELD_LEN_LIMIT},
-    utils::{is_valid_field, is_valid_key_field, now_timestamp},
+    utils::{is_valid_field, is_valid_key_field, now_timestamp, get_remote_addr},
 };
 
 #[derive(Debug, Clone)]
 pub struct Authed(pub String);
 
-pub async fn auth<B>(
+pub async fn public(
+    req: Request,
+    next: Next,
+) -> Result<Response, Error> {
+    let headers = req.headers();
+    let addr = get_remote_addr(headers, req.extensions());
+    tracing::info!("{} - {} {} {:?} {:?}", addr, req.method(), req.uri(), req.version(), headers);
+    Ok(next.run(req).await)
+}
+
+pub async fn auth(
     State(db): State<DB>,
-    mut req: Request<B>,
-    next: Next<B>,
+    mut req: Request,
+    next: Next,
 ) -> Result<Response, Error> {
     let headers = req.headers();
     let check = |name| {
@@ -35,23 +45,37 @@ pub async fn auth<B>(
             .and_then(|v| v.to_str().ok())
             .filter(|v| v.len() <= FIELD_LEN_LIMIT && is_valid_field(v))
     };
+    let addr = get_remote_addr(headers, req.extensions());
+    tracing::info!("{} - {} {} {:?}", addr, req.method(), req.uri(), req.version());
     match (check("x-auth-user"), check("x-auth-key")) {
         (Some(user), Some(key)) => match db.get_user(user) {
             Ok(Some(k)) if k == key => {
-                tracing::debug!("auth: {:?}", user);
+                tracing::debug!("{} - AUTH - ok", user);
                 let user = user.to_owned();
                 req.extensions_mut().insert(Authed(user));
                 Ok(next.run(req).await)
             }
-            Ok(_) => Err(Error::Unauthorized),
-            Err(_) => Err(Error::Internal),
+            Ok(_) => {
+                tracing::warn!("{} - AUTH - unauthorized: {:?}", user, headers);
+                Err(Error::Unauthorized)
+            },
+            Err(_) => {
+                tracing::error!("{} - AUTH - tripped an internal server error: {:?}", user, headers);
+                Err(Error::Internal)
+            },
+        },
+        _ => {
+            tracing::warn!("N/A - AUTH - no tokens in headers {:?}", headers);
+            Err(Error::Unauthorized)
         },
-        _ => Err(Error::Unauthorized),
     }
 }
 
 #[instrument(level = Level::DEBUG)]
-pub async fn auth_user() -> impl IntoResponse {
+pub async fn auth_user(
+    Extension(Authed(user)): Extension<Authed>,
+) -> impl IntoResponse {
+    tracing::info!("{} - LOGIN", user);
     (StatusCode::OK, Json(json!({"authorized": "OK"})))
 }
 
@@ -67,17 +91,25 @@ pub async fn create_user(
     Json(data): Json<CreateUser>,
 ) -> Result<impl IntoResponse, Error> {
     if !is_valid_key_field(&data.username) || !is_valid_field(&data.password) {
+        tracing::error!("N/A - REGISTER - invalid request: {:?}", data);
         return Err(Error::InvalidRequest);
     }
     if let Ok(Some(_)) = db.get_user(&data.username) {
+        tracing::warn!("{} - REGISTER - user already exists", data.username);
         return Err(Error::UserExists);
     }
     match db.put_user(&data.username, &data.password) {
-        Ok(_) => Ok((
-            StatusCode::CREATED,
-            Json(json!({"username": data.username})),
-        )),
-        Err(_) => Err(Error::Internal),
+        Ok(_) => {
+            tracing::info!("{} - REGISTER - ok", data.username);
+            Ok((
+                StatusCode::CREATED,
+                Json(json!({"username": data.username})),
+            ))
+        },
+        Err(_) => {
+            tracing::error!("{} - REGISTER - tripped an internal server error", data.username);
+            Err(Error::Internal)
+        },
     }
 }
 
@@ -90,12 +122,22 @@ pub async fn get_progress(
     Extension(Authed(user)): Extension<Authed>,
 ) -> Result<impl IntoResponse, Error> {
     if !is_valid_key_field(&doc) {
+        tracing::error!("{} - PULL - 'document' field not provided", user);
         return Err(Error::DocumentFieldMissing);
     }
     match db.get_doc(&user, &doc) {
-        Ok(Some(value)) => Ok(Json(value).into_response()),
-        Ok(None) => Ok(Json(json!({ "document": doc })).into_response()),
-        Err(_) => Err(Error::Internal),
+        Ok(Some(value)) => {
+            tracing::info!("{} - PULL - {} <= {} on {}", user, doc, value.percentage, value.device);
+            Ok(Json(value).into_response())
+        },
+        Ok(None) => {
+            tracing::info!("{} - PULL - {} <= None", user, doc);
+            Ok(Json(json!({ "document": doc })).into_response())
+        },
+        Err(_) => {
+            tracing::error!("{} - PULL - tripped an internal server error", user);
+            Err(Error::Internal)
+        },
     }
 }
 
@@ -107,15 +149,30 @@ pub async fn update_progress(
 ) -> impl IntoResponse {
     data.timestamp = Some(now_timestamp());
     match db.put_doc(&user, &data.document, &data) {
-        Ok(_) => Ok(Json(json!({
-            "document": data.document,
-            "timestamp": data.timestamp
-        }))),
-        Err(_) => Err(Error::Internal),
+        Ok(_) => {
+            tracing::info!("{} - PUSH - {} => {} on {}", user, data.document, data.percentage, data.device);
+            Ok(Json(json!({
+                "document": data.document,
+                "timestamp": data.timestamp
+            })))
+        },
+        Err(_) => {
+            tracing::error!("{} - PUSH - tripped an internal server error", user);
+            Err(Error::Internal)
+        },
     }
 }
 
 #[instrument(level = Level::DEBUG)]
-pub async fn healthcheck() -> impl IntoResponse {
+pub async fn healthcheck(
+    Extension(Authed(user)): Extension<Authed>,
+) -> impl IntoResponse {
+    tracing::info!("{} - HEALTH CHECK", user);
     (StatusCode::OK, Json(json!({"state": "OK"})))
 }
+
+#[instrument(level = Level::DEBUG)]
+pub async fn robots(
+) -> &'static str {
+    "User-agent: *\nDisallow: /\n"
+}

src/defs.rs

@@ -11,7 +11,9 @@ use axum::{
 use serde::{Deserialize, Serialize};
 use serde_json::json;
 
-pub const DEFAULT_ADDR: &str = "0.0.0.0:3000";
+pub const DEFAULT_ADDR: &str = "[::]:3000";
+pub const DEFAULT_TLS_CERT: &str = "tls/cert.pem";
+pub const DEFAULT_TLS_PRIVKEY: &str = "tls/key.pem";
 pub const DEFAULT_TREE_NAME: &str = "kosync";
 pub const DEFAULT_DB_PATH: &str = "data/kosync";
 pub const FIELD_LEN_LIMIT: usize = 4096;