1use std::collections::HashMap;
4use std::error::Error;
5use std::str::FromStr;
6use std::sync::Arc;
7
8use crate::ferron_common::{
9 ErrorLogger, HyperUpgraded, RequestData, ResponseData, ServerConfig, ServerModule,
10 ServerModuleHandlers, SocketData,
11};
12use crate::ferron_common::{HyperResponse, WithRuntime};
13use async_trait::async_trait;
14use http_body_util::combinators::BoxBody;
15use http_body_util::{BodyExt, Empty};
16use hyper::body::Bytes;
17use hyper::client::conn::http1::SendRequest;
18use hyper::header::HeaderName;
19use hyper::{header, Method, Request, StatusCode, Uri};
20use hyper_tungstenite::HyperWebsocket;
21use hyper_util::rt::TokioIo;
22use rustls::pki_types::ServerName;
23use rustls::RootCertStore;
24use rustls_native_certs::load_native_certs;
25use tokio::io::{AsyncRead, AsyncWrite};
26use tokio::net::TcpStream;
27use tokio::runtime::Handle;
28use tokio::sync::RwLock;
29use tokio_rustls::TlsConnector;
30
31const DEFAULT_CONCURRENT_CONNECTIONS_PER_HOST: u32 = 32;
32
33pub fn server_module_init(
34 _config: &ServerConfig,
35) -> Result<Box<dyn ServerModule + Send + Sync>, Box<dyn Error + Send + Sync>> {
36 let mut roots: RootCertStore = RootCertStore::empty();
37 let certs_result = load_native_certs();
38 if !certs_result.errors.is_empty() {
39 Err(anyhow::anyhow!(format!(
40 "Couldn't load the native certificate store: {}",
41 certs_result.errors[0]
42 )))?
43 }
44 let certs = certs_result.certs;
45
46 for cert in certs {
47 match roots.add(cert) {
48 Ok(_) => (),
49 Err(err) => Err(anyhow::anyhow!(format!(
50 "Couldn't add a certificate to the certificate store: {}",
51 err
52 )))?,
53 }
54 }
55
56 let mut connections_vec = Vec::new();
57 for _ in 0..DEFAULT_CONCURRENT_CONNECTIONS_PER_HOST {
58 connections_vec.push(RwLock::new(HashMap::new()));
59 }
60 Ok(Box::new(ForwardedAuthenticationModule::new(
61 Arc::new(roots),
62 Arc::new(connections_vec),
63 )))
64}
65
66#[allow(clippy::type_complexity)]
67struct ForwardedAuthenticationModule {
68 roots: Arc<RootCertStore>,
69 connections: Arc<Vec<RwLock<HashMap<String, SendRequest<BoxBody<Bytes, hyper::Error>>>>>>,
70}
71
72impl ForwardedAuthenticationModule {
73 #[allow(clippy::type_complexity)]
74 fn new(
75 roots: Arc<RootCertStore>,
76 connections: Arc<Vec<RwLock<HashMap<String, SendRequest<BoxBody<Bytes, hyper::Error>>>>>>,
77 ) -> Self {
78 Self { roots, connections }
79 }
80}
81
82impl ServerModule for ForwardedAuthenticationModule {
83 fn get_handlers(&self, handle: Handle) -> Box<dyn ServerModuleHandlers + Send> {
84 Box::new(ForwardedAuthenticationModuleHandlers {
85 roots: self.roots.clone(),
86 connections: self.connections.clone(),
87 handle,
88 })
89 }
90}
91
92#[allow(clippy::type_complexity)]
93struct ForwardedAuthenticationModuleHandlers {
94 handle: Handle,
95 roots: Arc<RootCertStore>,
96 connections: Arc<Vec<RwLock<HashMap<String, SendRequest<BoxBody<Bytes, hyper::Error>>>>>>,
97}
98
99#[async_trait]
100impl ServerModuleHandlers for ForwardedAuthenticationModuleHandlers {
101 async fn request_handler(
102 &mut self,
103 request: RequestData,
104 config: &ServerConfig,
105 socket_data: &SocketData,
106 error_logger: &ErrorLogger,
107 ) -> Result<ResponseData, Box<dyn Error + Send + Sync>> {
108 WithRuntime::new(self.handle.clone(), async move {
109 let mut auth_to = None;
110
111 if let Some(auth_to_str) = config["authTo"].as_str() {
112 auth_to = Some(auth_to_str.to_string());
113 }
114
115 let forwarded_auth_copy_headers = match config["forwardedAuthCopyHeaders"].as_vec() {
116 Some(vector) => {
117 let mut new_vector = Vec::new();
118 for yaml_value in vector.iter() {
119 if let Some(str_value) = yaml_value.as_str() {
120 new_vector.push(str_value.to_string());
121 }
122 }
123 new_vector
124 }
125 None => Vec::new(),
126 };
127
128 if let Some(auth_to) = auth_to {
129 let (hyper_request, auth_user, original_url, error_status_code) = request.into_parts();
130 let (hyper_request_parts, request_body) = hyper_request.into_parts();
131
132 let auth_request_url = auth_to.parse::<hyper::Uri>()?;
133 let scheme_str = auth_request_url.scheme_str();
134 let mut encrypted = false;
135
136 match scheme_str {
137 Some("http") => {
138 encrypted = false;
139 }
140 Some("https") => {
141 encrypted = true;
142 }
143 _ => Err(anyhow::anyhow!(
144 "Only HTTP and HTTPS reverse proxy URLs are supported."
145 ))?,
146 };
147
148 let host = match auth_request_url.host() {
149 Some(host) => host,
150 None => Err(anyhow::anyhow!(
151 "The reverse proxy URL doesn't include the host"
152 ))?,
153 };
154
155 let port = auth_request_url.port_u16().unwrap_or(match scheme_str {
156 Some("http") => 80,
157 Some("https") => 443,
158 _ => 80,
159 });
160
161 let addr = format!("{}:{}", host, port);
162 let authority = auth_request_url.authority().cloned();
163
164 let hyper_request_path = hyper_request_parts.uri.path();
165
166 let path_and_query = format!(
167 "{}{}",
168 hyper_request_path,
169 match hyper_request_parts.uri.query() {
170 Some(query) => format!("?{}", query),
171 None => "".to_string(),
172 }
173 );
174
175 let mut auth_hyper_request_parts = hyper_request_parts.clone();
176
177 auth_hyper_request_parts.uri = Uri::from_str(&format!(
178 "{}{}",
179 auth_request_url.path(),
180 match auth_request_url.query() {
181 Some(query) => format!("?{}", query),
182 None => "".to_string(),
183 }
184 ))?;
185
186 let original_host = hyper_request_parts.headers.get(header::HOST).cloned();
187
188 match authority {
190 Some(authority) => {
191 auth_hyper_request_parts
192 .headers
193 .insert(header::HOST, authority.to_string().parse()?);
194 }
195 None => {
196 auth_hyper_request_parts.headers.remove(header::HOST);
197 }
198 }
199
200 auth_hyper_request_parts
202 .headers
203 .insert(header::CONNECTION, "keep-alive".parse()?);
204
205 auth_hyper_request_parts.headers.insert(
207 "x-forwarded-for",
208 socket_data
209 .remote_addr
210 .ip()
211 .to_canonical()
212 .to_string()
213 .parse()?,
214 );
215
216 if socket_data.encrypted {
217 auth_hyper_request_parts
218 .headers
219 .insert("x-forwarded-proto", "https".parse()?);
220 } else {
221 auth_hyper_request_parts
222 .headers
223 .insert("x-forwarded-proto", "http".parse()?);
224 }
225
226 if let Some(original_host) = original_host {
227 auth_hyper_request_parts
228 .headers
229 .insert("x-forwarded-host", original_host);
230 }
231
232 auth_hyper_request_parts
233 .headers
234 .insert("x-forwarded-uri", path_and_query.parse()?);
235
236 auth_hyper_request_parts.headers.insert(
237 "x-forwarded-method",
238 hyper_request_parts.method.as_str().parse()?,
239 );
240
241 auth_hyper_request_parts.method = Method::GET;
242
243 let auth_request = Request::from_parts(
244 auth_hyper_request_parts,
245 Empty::new().map_err(|e| match e {}).boxed(),
246 );
247 let original_hyper_request = Request::from_parts(hyper_request_parts, request_body);
248 let original_request = RequestData::new(
249 original_hyper_request,
250 auth_user,
251 original_url,
252 error_status_code,
253 );
254
255 let connections = &self.connections[rand::random_range(..self.connections.len())];
256
257 let rwlock_read = connections.read().await;
258 let sender_read_option = rwlock_read.get(&addr);
259
260 if let Some(sender_read) = sender_read_option {
261 if !sender_read.is_closed() {
262 drop(rwlock_read);
263 let mut rwlock_write = connections.write().await;
264 let sender_option = rwlock_write.get_mut(&addr);
265
266 if let Some(sender) = sender_option {
267 if !sender.is_closed() {
268 let result = http_forwarded_auth_kept_alive(
269 sender,
270 auth_request,
271 error_logger,
272 original_request,
273 forwarded_auth_copy_headers,
274 )
275 .await;
276 drop(rwlock_write);
277 return result;
278 } else {
279 drop(rwlock_write);
280 }
281 } else {
282 drop(rwlock_write);
283 }
284 } else {
285 drop(rwlock_read);
286 }
287 } else {
288 drop(rwlock_read);
289 }
290
291 let stream = match TcpStream::connect(&addr).await {
292 Ok(stream) => stream,
293 Err(err) => {
294 match err.kind() {
295 tokio::io::ErrorKind::ConnectionRefused
296 | tokio::io::ErrorKind::NotFound
297 | tokio::io::ErrorKind::HostUnreachable => {
298 error_logger
299 .log(&format!("Service unavailable: {}", err))
300 .await;
301 return Ok(
302 ResponseData::builder_without_request()
303 .status(StatusCode::SERVICE_UNAVAILABLE)
304 .build(),
305 );
306 }
307 tokio::io::ErrorKind::TimedOut => {
308 error_logger.log(&format!("Gateway timeout: {}", err)).await;
309 return Ok(
310 ResponseData::builder_without_request()
311 .status(StatusCode::GATEWAY_TIMEOUT)
312 .build(),
313 );
314 }
315 _ => {
316 error_logger.log(&format!("Bad gateway: {}", err)).await;
317 return Ok(
318 ResponseData::builder_without_request()
319 .status(StatusCode::BAD_GATEWAY)
320 .build(),
321 );
322 }
323 };
324 }
325 };
326
327 match stream.set_nodelay(true) {
328 Ok(_) => (),
329 Err(err) => {
330 error_logger.log(&format!("Bad gateway: {}", err)).await;
331 return Ok(
332 ResponseData::builder_without_request()
333 .status(StatusCode::BAD_GATEWAY)
334 .build(),
335 );
336 }
337 };
338
339 if !encrypted {
340 http_forwarded_auth(
341 connections,
342 addr,
343 stream,
344 auth_request,
345 error_logger,
346 original_request,
347 forwarded_auth_copy_headers,
348 )
349 .await
350 } else {
351 let tls_client_config = rustls::ClientConfig::builder()
352 .with_root_certificates(self.roots.clone())
353 .with_no_client_auth();
354 let connector = TlsConnector::from(Arc::new(tls_client_config));
355 let domain = ServerName::try_from(host)?.to_owned();
356
357 let tls_stream = match connector.connect(domain, stream).await {
358 Ok(stream) => stream,
359 Err(err) => {
360 error_logger.log(&format!("Bad gateway: {}", err)).await;
361 return Ok(
362 ResponseData::builder_without_request()
363 .status(StatusCode::BAD_GATEWAY)
364 .build(),
365 );
366 }
367 };
368
369 http_forwarded_auth(
370 connections,
371 addr,
372 tls_stream,
373 auth_request,
374 error_logger,
375 original_request,
376 forwarded_auth_copy_headers,
377 )
378 .await
379 }
380 } else {
381 Ok(ResponseData::builder(request).build())
382 }
383 })
384 .await
385 }
386
387 async fn proxy_request_handler(
388 &mut self,
389 request: RequestData,
390 _config: &ServerConfig,
391 _socket_data: &SocketData,
392 _error_logger: &ErrorLogger,
393 ) -> Result<ResponseData, Box<dyn Error + Send + Sync>> {
394 Ok(ResponseData::builder(request).build())
395 }
396
397 async fn response_modifying_handler(
398 &mut self,
399 response: HyperResponse,
400 ) -> Result<HyperResponse, Box<dyn Error + Send + Sync>> {
401 Ok(response)
402 }
403
404 async fn proxy_response_modifying_handler(
405 &mut self,
406 response: HyperResponse,
407 ) -> Result<HyperResponse, Box<dyn Error + Send + Sync>> {
408 Ok(response)
409 }
410
411 async fn connect_proxy_request_handler(
412 &mut self,
413 _upgraded_request: HyperUpgraded,
414 _connect_address: &str,
415 _config: &ServerConfig,
416 _socket_data: &SocketData,
417 _error_logger: &ErrorLogger,
418 ) -> Result<(), Box<dyn Error + Send + Sync>> {
419 Ok(())
420 }
421
422 fn does_connect_proxy_requests(&mut self) -> bool {
423 false
424 }
425
426 async fn websocket_request_handler(
427 &mut self,
428 _websocket: HyperWebsocket,
429 _uri: &hyper::Uri,
430 _headers: &hyper::HeaderMap,
431 _config: &ServerConfig,
432 _socket_data: &SocketData,
433 _error_logger: &ErrorLogger,
434 ) -> Result<(), Box<dyn Error + Send + Sync>> {
435 Ok(())
436 }
437
438 fn does_websocket_requests(&mut self, _config: &ServerConfig, _socket_data: &SocketData) -> bool {
439 false
440 }
441}
442
443async fn http_forwarded_auth(
444 connections: &RwLock<HashMap<String, SendRequest<BoxBody<Bytes, hyper::Error>>>>,
445 connect_addr: String,
446 stream: impl AsyncRead + AsyncWrite + Send + Unpin + 'static,
447 proxy_request: Request<BoxBody<Bytes, hyper::Error>>,
448 error_logger: &ErrorLogger,
449 mut original_request: RequestData,
450 forwarded_auth_copy_headers: Vec<String>,
451) -> Result<ResponseData, Box<dyn Error + Send + Sync>> {
452 let io = TokioIo::new(stream);
453
454 let (mut sender, conn) = match hyper::client::conn::http1::handshake(io).await {
455 Ok(data) => data,
456 Err(err) => {
457 error_logger.log(&format!("Bad gateway: {}", err)).await;
458 return Ok(
459 ResponseData::builder_without_request()
460 .status(StatusCode::BAD_GATEWAY)
461 .build(),
462 );
463 }
464 };
465
466 let send_request = sender.send_request(proxy_request);
467
468 let mut pinned_conn = Box::pin(conn);
469 tokio::pin!(send_request);
470
471 let response;
472
473 loop {
474 tokio::select! {
475 biased;
476
477 proxy_response = &mut send_request => {
478 let proxy_response = match proxy_response {
479 Ok(response) => response,
480 Err(err) => {
481 error_logger.log(&format!("Bad gateway: {}", err)).await;
482 return Ok(ResponseData::builder_without_request().status(StatusCode::BAD_GATEWAY).build());
483 }
484 };
485
486 if proxy_response.status().is_success() {
487 if !forwarded_auth_copy_headers.is_empty() {
488 let response_headers = proxy_response.headers();
489 let request_headers = original_request.get_mut_hyper_request().headers_mut();
490 for forwarded_auth_copy_header_string in forwarded_auth_copy_headers.iter() {
491 let forwarded_auth_copy_header= HeaderName::from_str(forwarded_auth_copy_header_string)?;
492 if response_headers.contains_key(&forwarded_auth_copy_header) {
493 while request_headers.remove(&forwarded_auth_copy_header).is_some() {}
494 for header_value in response_headers.get_all(&forwarded_auth_copy_header).iter() {
495 request_headers.append(&forwarded_auth_copy_header, header_value.clone());
496 }
497 }
498 }
499 }
500 response = ResponseData::builder(original_request).build();
501 } else {
502 response = ResponseData::builder_without_request()
503 .response(proxy_response.map(|b| {
504 b.map_err(|e| std::io::Error::other(e.to_string()))
505 .boxed()
506 }))
507 .parallel_fn(async move {
508 pinned_conn.await.unwrap_or_default();
509 })
510 .build();
511
512 }
513
514 break;
515 },
516 state = &mut pinned_conn => {
517 if state.is_err() {
518 error_logger.log("Bad gateway: incomplete response").await;
519 return Ok(ResponseData::builder_without_request().status(StatusCode::BAD_GATEWAY).build());
520 }
521 },
522 };
523 }
524
525 if !sender.is_closed() {
526 let mut rwlock_write = connections.write().await;
527 rwlock_write.insert(connect_addr, sender);
528 drop(rwlock_write);
529 }
530
531 Ok(response)
532}
533
534async fn http_forwarded_auth_kept_alive(
535 sender: &mut SendRequest<BoxBody<Bytes, hyper::Error>>,
536 proxy_request: Request<BoxBody<Bytes, hyper::Error>>,
537 error_logger: &ErrorLogger,
538 mut original_request: RequestData,
539 forwarded_auth_copy_headers: Vec<String>,
540) -> Result<ResponseData, Box<dyn Error + Send + Sync>> {
541 let proxy_response = match sender.send_request(proxy_request).await {
542 Ok(response) => response,
543 Err(err) => {
544 error_logger.log(&format!("Bad gateway: {}", err)).await;
545 return Ok(
546 ResponseData::builder_without_request()
547 .status(StatusCode::BAD_GATEWAY)
548 .build(),
549 );
550 }
551 };
552
553 let response = if proxy_response.status().is_success() {
554 if !forwarded_auth_copy_headers.is_empty() {
555 let response_headers = proxy_response.headers();
556 let request_headers = original_request.get_mut_hyper_request().headers_mut();
557 for forwarded_auth_copy_header_string in forwarded_auth_copy_headers.iter() {
558 let forwarded_auth_copy_header = HeaderName::from_str(forwarded_auth_copy_header_string)?;
559 if response_headers.contains_key(&forwarded_auth_copy_header) {
560 while request_headers
561 .remove(&forwarded_auth_copy_header)
562 .is_some()
563 {}
564 for header_value in response_headers.get_all(&forwarded_auth_copy_header).iter() {
565 request_headers.append(&forwarded_auth_copy_header, header_value.clone());
566 }
567 }
568 }
569 }
570 ResponseData::builder(original_request).build()
571 } else {
572 ResponseData::builder_without_request()
573 .response(proxy_response.map(|b| b.map_err(|e| std::io::Error::other(e.to_string())).boxed()))
574 .build()
575 };
576
577 Ok(response)
578}