1use std::collections::HashMap;
4use std::error::Error;
5use std::str::FromStr;
6use std::sync::Arc;
7
8use crate::ferron_common::{
9 ErrorLogger, HyperUpgraded, RequestData, ResponseData, ServerConfig, ServerModule,
10 ServerModuleHandlers, SocketData,
11};
12use crate::ferron_common::{HyperResponse, WithRuntime};
13use async_trait::async_trait;
14use http_body_util::combinators::BoxBody;
15use http_body_util::{BodyExt, Empty};
16use hyper::body::Bytes;
17use hyper::client::conn::http1::SendRequest;
18use hyper::header::HeaderName;
19use hyper::{header, Method, Request, StatusCode, Uri, Version};
20use hyper_tungstenite::HyperWebsocket;
21use hyper_util::rt::TokioIo;
22use rustls::pki_types::ServerName;
23use rustls::RootCertStore;
24use rustls_native_certs::load_native_certs;
25use tokio::io::{AsyncRead, AsyncWrite};
26use tokio::net::TcpStream;
27use tokio::runtime::Handle;
28use tokio::sync::RwLock;
29use tokio_rustls::TlsConnector;
30
31const DEFAULT_CONCURRENT_CONNECTIONS_PER_HOST: u32 = 32;
32
33pub fn server_module_init(
34 _config: &ServerConfig,
35) -> Result<Box<dyn ServerModule + Send + Sync>, Box<dyn Error + Send + Sync>> {
36 let mut roots: RootCertStore = RootCertStore::empty();
37 let certs_result = load_native_certs();
38 if !certs_result.errors.is_empty() {
39 Err(anyhow::anyhow!(format!(
40 "Couldn't load the native certificate store: {}",
41 certs_result.errors[0]
42 )))?
43 }
44 let certs = certs_result.certs;
45
46 for cert in certs {
47 match roots.add(cert) {
48 Ok(_) => (),
49 Err(err) => Err(anyhow::anyhow!(format!(
50 "Couldn't add a certificate to the certificate store: {}",
51 err
52 )))?,
53 }
54 }
55
56 let mut connections_vec = Vec::new();
57 for _ in 0..DEFAULT_CONCURRENT_CONNECTIONS_PER_HOST {
58 connections_vec.push(RwLock::new(HashMap::new()));
59 }
60 Ok(Box::new(ForwardedAuthenticationModule::new(
61 Arc::new(roots),
62 Arc::new(connections_vec),
63 )))
64}
65
66#[allow(clippy::type_complexity)]
67struct ForwardedAuthenticationModule {
68 roots: Arc<RootCertStore>,
69 connections: Arc<Vec<RwLock<HashMap<String, SendRequest<BoxBody<Bytes, hyper::Error>>>>>>,
70}
71
72impl ForwardedAuthenticationModule {
73 #[allow(clippy::type_complexity)]
74 fn new(
75 roots: Arc<RootCertStore>,
76 connections: Arc<Vec<RwLock<HashMap<String, SendRequest<BoxBody<Bytes, hyper::Error>>>>>>,
77 ) -> Self {
78 Self { roots, connections }
79 }
80}
81
82impl ServerModule for ForwardedAuthenticationModule {
83 fn get_handlers(&self, handle: Handle) -> Box<dyn ServerModuleHandlers + Send> {
84 Box::new(ForwardedAuthenticationModuleHandlers {
85 roots: self.roots.clone(),
86 connections: self.connections.clone(),
87 handle,
88 })
89 }
90}
91
92#[allow(clippy::type_complexity)]
93struct ForwardedAuthenticationModuleHandlers {
94 handle: Handle,
95 roots: Arc<RootCertStore>,
96 connections: Arc<Vec<RwLock<HashMap<String, SendRequest<BoxBody<Bytes, hyper::Error>>>>>>,
97}
98
99#[async_trait]
100impl ServerModuleHandlers for ForwardedAuthenticationModuleHandlers {
101 async fn request_handler(
102 &mut self,
103 request: RequestData,
104 config: &ServerConfig,
105 socket_data: &SocketData,
106 error_logger: &ErrorLogger,
107 ) -> Result<ResponseData, Box<dyn Error + Send + Sync>> {
108 WithRuntime::new(self.handle.clone(), async move {
109 let mut auth_to = None;
110
111 if let Some(auth_to_str) = config["authTo"].as_str() {
112 auth_to = Some(auth_to_str.to_string());
113 }
114
115 let forwarded_auth_copy_headers = match config["forwardedAuthCopyHeaders"].as_vec() {
116 Some(vector) => {
117 let mut new_vector = Vec::new();
118 for yaml_value in vector.iter() {
119 if let Some(str_value) = yaml_value.as_str() {
120 new_vector.push(str_value.to_string());
121 }
122 }
123 new_vector
124 }
125 None => Vec::new(),
126 };
127
128 if let Some(auth_to) = auth_to {
129 let (hyper_request, auth_user, original_url, error_status_code) = request.into_parts();
130 let (hyper_request_parts, request_body) = hyper_request.into_parts();
131
132 let auth_request_url = auth_to.parse::<hyper::Uri>()?;
133 let scheme_str = auth_request_url.scheme_str();
134 let mut encrypted = false;
135
136 match scheme_str {
137 Some("http") => {
138 encrypted = false;
139 }
140 Some("https") => {
141 encrypted = true;
142 }
143 _ => Err(anyhow::anyhow!(
144 "Only HTTP and HTTPS reverse proxy URLs are supported."
145 ))?,
146 };
147
148 let host = match auth_request_url.host() {
149 Some(host) => host,
150 None => Err(anyhow::anyhow!(
151 "The reverse proxy URL doesn't include the host"
152 ))?,
153 };
154
155 let port = auth_request_url.port_u16().unwrap_or(match scheme_str {
156 Some("http") => 80,
157 Some("https") => 443,
158 _ => 80,
159 });
160
161 let addr = format!("{host}:{port}");
162 let authority = auth_request_url.authority().cloned();
163
164 let hyper_request_path = hyper_request_parts.uri.path();
165
166 let path_and_query = format!(
167 "{}{}",
168 hyper_request_path,
169 match hyper_request_parts.uri.query() {
170 Some(query) => format!("?{query}"),
171 None => "".to_string(),
172 }
173 );
174
175 let mut auth_hyper_request_parts = hyper_request_parts.clone();
176
177 auth_hyper_request_parts.uri = Uri::from_str(&format!(
178 "{}{}",
179 auth_request_url.path(),
180 match auth_request_url.query() {
181 Some(query) => format!("?{query}"),
182 None => "".to_string(),
183 }
184 ))?;
185
186 let original_host = hyper_request_parts.headers.get(header::HOST).cloned();
187
188 match authority {
190 Some(authority) => {
191 auth_hyper_request_parts
192 .headers
193 .insert(header::HOST, authority.to_string().parse()?);
194 }
195 None => {
196 auth_hyper_request_parts.headers.remove(header::HOST);
197 }
198 }
199
200 auth_hyper_request_parts
202 .headers
203 .insert(header::CONNECTION, "keep-alive".parse()?);
204
205 auth_hyper_request_parts.headers.insert(
207 "x-forwarded-for",
208 socket_data
209 .remote_addr
210 .ip()
211 .to_canonical()
212 .to_string()
213 .parse()?,
214 );
215
216 if socket_data.encrypted {
217 auth_hyper_request_parts
218 .headers
219 .insert("x-forwarded-proto", "https".parse()?);
220 } else {
221 auth_hyper_request_parts
222 .headers
223 .insert("x-forwarded-proto", "http".parse()?);
224 }
225
226 if let Some(original_host) = original_host {
227 auth_hyper_request_parts
228 .headers
229 .insert("x-forwarded-host", original_host);
230 }
231
232 auth_hyper_request_parts
233 .headers
234 .insert("x-forwarded-uri", path_and_query.parse()?);
235
236 auth_hyper_request_parts.headers.insert(
237 "x-forwarded-method",
238 hyper_request_parts.method.as_str().parse()?,
239 );
240
241 auth_hyper_request_parts.method = Method::GET;
242 auth_hyper_request_parts.version = Version::HTTP_11;
243
244 let auth_request = Request::from_parts(
245 auth_hyper_request_parts,
246 Empty::new().map_err(|e| match e {}).boxed(),
247 );
248 let original_hyper_request = Request::from_parts(hyper_request_parts, request_body);
249 let original_request = RequestData::new(
250 original_hyper_request,
251 auth_user,
252 original_url,
253 error_status_code,
254 );
255
256 let connections = &self.connections[rand::random_range(..self.connections.len())];
257
258 let rwlock_read = connections.read().await;
259 let sender_read_option = rwlock_read.get(&addr);
260
261 if let Some(sender_read) = sender_read_option {
262 if !sender_read.is_closed() {
263 drop(rwlock_read);
264 let mut rwlock_write = connections.write().await;
265 let sender_option = rwlock_write.get_mut(&addr);
266
267 if let Some(sender) = sender_option {
268 if !sender.is_closed() && sender.ready().await.is_ok() {
269 let result = http_forwarded_auth_kept_alive(
270 sender,
271 auth_request,
272 error_logger,
273 original_request,
274 forwarded_auth_copy_headers,
275 )
276 .await;
277 drop(rwlock_write);
278 return result;
279 } else {
280 drop(rwlock_write);
281 }
282 } else {
283 drop(rwlock_write);
284 }
285 } else {
286 drop(rwlock_read);
287 }
288 } else {
289 drop(rwlock_read);
290 }
291
292 let stream = match TcpStream::connect(&addr).await {
293 Ok(stream) => stream,
294 Err(err) => {
295 match err.kind() {
296 tokio::io::ErrorKind::ConnectionRefused
297 | tokio::io::ErrorKind::NotFound
298 | tokio::io::ErrorKind::HostUnreachable => {
299 error_logger
300 .log(&format!("Service unavailable: {err}"))
301 .await;
302 return Ok(
303 ResponseData::builder_without_request()
304 .status(StatusCode::SERVICE_UNAVAILABLE)
305 .build(),
306 );
307 }
308 tokio::io::ErrorKind::TimedOut => {
309 error_logger.log(&format!("Gateway timeout: {err}")).await;
310 return Ok(
311 ResponseData::builder_without_request()
312 .status(StatusCode::GATEWAY_TIMEOUT)
313 .build(),
314 );
315 }
316 _ => {
317 error_logger.log(&format!("Bad gateway: {err}")).await;
318 return Ok(
319 ResponseData::builder_without_request()
320 .status(StatusCode::BAD_GATEWAY)
321 .build(),
322 );
323 }
324 };
325 }
326 };
327
328 match stream.set_nodelay(true) {
329 Ok(_) => (),
330 Err(err) => {
331 error_logger.log(&format!("Bad gateway: {err}")).await;
332 return Ok(
333 ResponseData::builder_without_request()
334 .status(StatusCode::BAD_GATEWAY)
335 .build(),
336 );
337 }
338 };
339
340 if !encrypted {
341 http_forwarded_auth(
342 connections,
343 addr,
344 stream,
345 auth_request,
346 error_logger,
347 original_request,
348 forwarded_auth_copy_headers,
349 )
350 .await
351 } else {
352 let tls_client_config = rustls::ClientConfig::builder()
353 .with_root_certificates(self.roots.clone())
354 .with_no_client_auth();
355 let connector = TlsConnector::from(Arc::new(tls_client_config));
356 let domain = ServerName::try_from(host)?.to_owned();
357
358 let tls_stream = match connector.connect(domain, stream).await {
359 Ok(stream) => stream,
360 Err(err) => {
361 error_logger.log(&format!("Bad gateway: {err}")).await;
362 return Ok(
363 ResponseData::builder_without_request()
364 .status(StatusCode::BAD_GATEWAY)
365 .build(),
366 );
367 }
368 };
369
370 http_forwarded_auth(
371 connections,
372 addr,
373 tls_stream,
374 auth_request,
375 error_logger,
376 original_request,
377 forwarded_auth_copy_headers,
378 )
379 .await
380 }
381 } else {
382 Ok(ResponseData::builder(request).build())
383 }
384 })
385 .await
386 }
387
388 async fn proxy_request_handler(
389 &mut self,
390 request: RequestData,
391 _config: &ServerConfig,
392 _socket_data: &SocketData,
393 _error_logger: &ErrorLogger,
394 ) -> Result<ResponseData, Box<dyn Error + Send + Sync>> {
395 Ok(ResponseData::builder(request).build())
396 }
397
398 async fn response_modifying_handler(
399 &mut self,
400 response: HyperResponse,
401 ) -> Result<HyperResponse, Box<dyn Error + Send + Sync>> {
402 Ok(response)
403 }
404
405 async fn proxy_response_modifying_handler(
406 &mut self,
407 response: HyperResponse,
408 ) -> Result<HyperResponse, Box<dyn Error + Send + Sync>> {
409 Ok(response)
410 }
411
412 async fn connect_proxy_request_handler(
413 &mut self,
414 _upgraded_request: HyperUpgraded,
415 _connect_address: &str,
416 _config: &ServerConfig,
417 _socket_data: &SocketData,
418 _error_logger: &ErrorLogger,
419 ) -> Result<(), Box<dyn Error + Send + Sync>> {
420 Ok(())
421 }
422
423 fn does_connect_proxy_requests(&mut self) -> bool {
424 false
425 }
426
427 async fn websocket_request_handler(
428 &mut self,
429 _websocket: HyperWebsocket,
430 _uri: &hyper::Uri,
431 _headers: &hyper::HeaderMap,
432 _config: &ServerConfig,
433 _socket_data: &SocketData,
434 _error_logger: &ErrorLogger,
435 ) -> Result<(), Box<dyn Error + Send + Sync>> {
436 Ok(())
437 }
438
439 fn does_websocket_requests(&mut self, _config: &ServerConfig, _socket_data: &SocketData) -> bool {
440 false
441 }
442}
443
444async fn http_forwarded_auth(
445 connections: &RwLock<HashMap<String, SendRequest<BoxBody<Bytes, hyper::Error>>>>,
446 connect_addr: String,
447 stream: impl AsyncRead + AsyncWrite + Send + Unpin + 'static,
448 proxy_request: Request<BoxBody<Bytes, hyper::Error>>,
449 error_logger: &ErrorLogger,
450 mut original_request: RequestData,
451 forwarded_auth_copy_headers: Vec<String>,
452) -> Result<ResponseData, Box<dyn Error + Send + Sync>> {
453 let io = TokioIo::new(stream);
454
455 let (mut sender, conn) = match hyper::client::conn::http1::handshake(io).await {
456 Ok(data) => data,
457 Err(err) => {
458 error_logger.log(&format!("Bad gateway: {err}")).await;
459 return Ok(
460 ResponseData::builder_without_request()
461 .status(StatusCode::BAD_GATEWAY)
462 .build(),
463 );
464 }
465 };
466
467 let send_request = sender.send_request(proxy_request);
468
469 let mut pinned_conn = Box::pin(conn);
470 tokio::pin!(send_request);
471
472 let response;
473
474 loop {
475 tokio::select! {
476 biased;
477
478 proxy_response = &mut send_request => {
479 let proxy_response = match proxy_response {
480 Ok(response) => response,
481 Err(err) => {
482 error_logger.log(&format!("Bad gateway: {err}")).await;
483 return Ok(ResponseData::builder_without_request().status(StatusCode::BAD_GATEWAY).build());
484 }
485 };
486
487 if proxy_response.status().is_success() {
488 if !forwarded_auth_copy_headers.is_empty() {
489 let response_headers = proxy_response.headers();
490 let request_headers = original_request.get_mut_hyper_request().headers_mut();
491 for forwarded_auth_copy_header_string in forwarded_auth_copy_headers.iter() {
492 let forwarded_auth_copy_header= HeaderName::from_str(forwarded_auth_copy_header_string)?;
493 if response_headers.contains_key(&forwarded_auth_copy_header) {
494 while request_headers.remove(&forwarded_auth_copy_header).is_some() {}
495 for header_value in response_headers.get_all(&forwarded_auth_copy_header).iter() {
496 request_headers.append(&forwarded_auth_copy_header, header_value.clone());
497 }
498 }
499 }
500 }
501 response = ResponseData::builder(original_request).build();
502 } else {
503 response = ResponseData::builder_without_request()
504 .response(proxy_response.map(|b| {
505 b.map_err(|e| std::io::Error::other(e.to_string()))
506 .boxed()
507 }))
508 .parallel_fn(async move {
509 pinned_conn.await.unwrap_or_default();
510 })
511 .build();
512
513 }
514
515 break;
516 },
517 state = &mut pinned_conn => {
518 if state.is_err() {
519 error_logger.log("Bad gateway: incomplete response").await;
520 return Ok(ResponseData::builder_without_request().status(StatusCode::BAD_GATEWAY).build());
521 }
522 },
523 };
524 }
525
526 if !sender.is_closed() {
527 let mut rwlock_write = connections.write().await;
528 rwlock_write.insert(connect_addr, sender);
529 drop(rwlock_write);
530 }
531
532 Ok(response)
533}
534
535async fn http_forwarded_auth_kept_alive(
536 sender: &mut SendRequest<BoxBody<Bytes, hyper::Error>>,
537 proxy_request: Request<BoxBody<Bytes, hyper::Error>>,
538 error_logger: &ErrorLogger,
539 mut original_request: RequestData,
540 forwarded_auth_copy_headers: Vec<String>,
541) -> Result<ResponseData, Box<dyn Error + Send + Sync>> {
542 let proxy_response = match sender.send_request(proxy_request).await {
543 Ok(response) => response,
544 Err(err) => {
545 error_logger.log(&format!("Bad gateway: {err}")).await;
546 return Ok(
547 ResponseData::builder_without_request()
548 .status(StatusCode::BAD_GATEWAY)
549 .build(),
550 );
551 }
552 };
553
554 let response = if proxy_response.status().is_success() {
555 if !forwarded_auth_copy_headers.is_empty() {
556 let response_headers = proxy_response.headers();
557 let request_headers = original_request.get_mut_hyper_request().headers_mut();
558 for forwarded_auth_copy_header_string in forwarded_auth_copy_headers.iter() {
559 let forwarded_auth_copy_header = HeaderName::from_str(forwarded_auth_copy_header_string)?;
560 if response_headers.contains_key(&forwarded_auth_copy_header) {
561 while request_headers
562 .remove(&forwarded_auth_copy_header)
563 .is_some()
564 {}
565 for header_value in response_headers.get_all(&forwarded_auth_copy_header).iter() {
566 request_headers.append(&forwarded_auth_copy_header, header_value.clone());
567 }
568 }
569 }
570 }
571 ResponseData::builder(original_request).build()
572 } else {
573 ResponseData::builder_without_request()
574 .response(proxy_response.map(|b| b.map_err(|e| std::io::Error::other(e.to_string())).boxed()))
575 .build()
576 };
577
578 Ok(response)
579}