1use std::collections::HashMap;
4use std::error::Error;
5use std::str::FromStr;
6use std::sync::Arc;
7
8use crate::ferron_common::{
9 ErrorLogger, HyperUpgraded, RequestData, ResponseData, ServerConfig, ServerModule,
10 ServerModuleHandlers, SocketData,
11};
12use crate::ferron_common::{HyperResponse, WithRuntime};
13use async_trait::async_trait;
14use http_body_util::combinators::BoxBody;
15use http_body_util::{BodyExt, Empty};
16use hyper::body::Bytes;
17use hyper::client::conn::http1::SendRequest;
18use hyper::header::HeaderName;
19use hyper::{header, Method, Request, StatusCode, Uri};
20use hyper_tungstenite::HyperWebsocket;
21use hyper_util::rt::TokioIo;
22use rustls::pki_types::ServerName;
23use rustls::RootCertStore;
24use rustls_native_certs::load_native_certs;
25use tokio::io::{AsyncRead, AsyncWrite};
26use tokio::net::TcpStream;
27use tokio::runtime::Handle;
28use tokio::sync::RwLock;
29use tokio_rustls::TlsConnector;
30
31const DEFAULT_CONCURRENT_CONNECTIONS_PER_HOST: u32 = 32;
32
33pub fn server_module_init(
34 _config: &ServerConfig,
35) -> Result<Box<dyn ServerModule + Send + Sync>, Box<dyn Error + Send + Sync>> {
36 let mut roots: RootCertStore = RootCertStore::empty();
37 let certs_result = load_native_certs();
38 if !certs_result.errors.is_empty() {
39 Err(anyhow::anyhow!(format!(
40 "Couldn't load the native certificate store: {}",
41 certs_result.errors[0]
42 )))?
43 }
44 let certs = certs_result.certs;
45
46 for cert in certs {
47 match roots.add(cert) {
48 Ok(_) => (),
49 Err(err) => Err(anyhow::anyhow!(format!(
50 "Couldn't add a certificate to the certificate store: {}",
51 err
52 )))?,
53 }
54 }
55
56 let mut connections_vec = Vec::new();
57 for _ in 0..DEFAULT_CONCURRENT_CONNECTIONS_PER_HOST {
58 connections_vec.push(RwLock::new(HashMap::new()));
59 }
60 Ok(Box::new(ForwardedAuthenticationModule::new(
61 Arc::new(roots),
62 Arc::new(connections_vec),
63 )))
64}
65
66#[allow(clippy::type_complexity)]
67struct ForwardedAuthenticationModule {
68 roots: Arc<RootCertStore>,
69 connections: Arc<Vec<RwLock<HashMap<String, SendRequest<BoxBody<Bytes, hyper::Error>>>>>>,
70}
71
72impl ForwardedAuthenticationModule {
73 #[allow(clippy::type_complexity)]
74 fn new(
75 roots: Arc<RootCertStore>,
76 connections: Arc<Vec<RwLock<HashMap<String, SendRequest<BoxBody<Bytes, hyper::Error>>>>>>,
77 ) -> Self {
78 Self { roots, connections }
79 }
80}
81
82impl ServerModule for ForwardedAuthenticationModule {
83 fn get_handlers(&self, handle: Handle) -> Box<dyn ServerModuleHandlers + Send> {
84 Box::new(ForwardedAuthenticationModuleHandlers {
85 roots: self.roots.clone(),
86 connections: self.connections.clone(),
87 handle,
88 })
89 }
90}
91
92#[allow(clippy::type_complexity)]
93struct ForwardedAuthenticationModuleHandlers {
94 handle: Handle,
95 roots: Arc<RootCertStore>,
96 connections: Arc<Vec<RwLock<HashMap<String, SendRequest<BoxBody<Bytes, hyper::Error>>>>>>,
97}
98
99#[async_trait]
100impl ServerModuleHandlers for ForwardedAuthenticationModuleHandlers {
101 async fn request_handler(
102 &mut self,
103 request: RequestData,
104 config: &ServerConfig,
105 socket_data: &SocketData,
106 error_logger: &ErrorLogger,
107 ) -> Result<ResponseData, Box<dyn Error + Send + Sync>> {
108 WithRuntime::new(self.handle.clone(), async move {
109 let mut auth_to = None;
110
111 if let Some(auth_to_str) = config["authTo"].as_str() {
112 auth_to = Some(auth_to_str.to_string());
113 }
114
115 let forwarded_auth_copy_headers = match config["forwardedAuthCopyHeaders"].as_vec() {
116 Some(vector) => {
117 let mut new_vector = Vec::new();
118 for yaml_value in vector.iter() {
119 if let Some(str_value) = yaml_value.as_str() {
120 new_vector.push(str_value.to_string());
121 }
122 }
123 new_vector
124 }
125 None => Vec::new(),
126 };
127
128 if let Some(auth_to) = auth_to {
129 let (hyper_request, auth_user, original_url) = request.into_parts();
130 let (hyper_request_parts, request_body) = hyper_request.into_parts();
131
132 let auth_request_url = auth_to.parse::<hyper::Uri>()?;
133 let scheme_str = auth_request_url.scheme_str();
134 let mut encrypted = false;
135
136 match scheme_str {
137 Some("http") => {
138 encrypted = false;
139 }
140 Some("https") => {
141 encrypted = true;
142 }
143 _ => Err(anyhow::anyhow!(
144 "Only HTTP and HTTPS reverse proxy URLs are supported."
145 ))?,
146 };
147
148 let host = match auth_request_url.host() {
149 Some(host) => host,
150 None => Err(anyhow::anyhow!(
151 "The reverse proxy URL doesn't include the host"
152 ))?,
153 };
154
155 let port = auth_request_url.port_u16().unwrap_or(match scheme_str {
156 Some("http") => 80,
157 Some("https") => 443,
158 _ => 80,
159 });
160
161 let addr = format!("{}:{}", host, port);
162 let authority = auth_request_url.authority().cloned();
163
164 let hyper_request_path = hyper_request_parts.uri.path();
165
166 let path_and_query = format!(
167 "{}{}",
168 hyper_request_path,
169 match hyper_request_parts.uri.query() {
170 Some(query) => format!("?{}", query),
171 None => "".to_string(),
172 }
173 );
174
175 let mut auth_hyper_request_parts = hyper_request_parts.clone();
176
177 auth_hyper_request_parts.uri = Uri::from_str(&format!(
178 "{}{}",
179 auth_request_url.path(),
180 match auth_request_url.query() {
181 Some(query) => format!("?{}", query),
182 None => "".to_string(),
183 }
184 ))?;
185
186 let original_host = hyper_request_parts.headers.get(header::HOST).cloned();
187
188 match authority {
190 Some(authority) => {
191 auth_hyper_request_parts
192 .headers
193 .insert(header::HOST, authority.to_string().parse()?);
194 }
195 None => {
196 auth_hyper_request_parts.headers.remove(header::HOST);
197 }
198 }
199
200 auth_hyper_request_parts
202 .headers
203 .insert(header::CONNECTION, "keep-alive".parse()?);
204
205 auth_hyper_request_parts.headers.insert(
207 "x-forwarded-for",
208 socket_data
209 .remote_addr
210 .ip()
211 .to_canonical()
212 .to_string()
213 .parse()?,
214 );
215
216 if socket_data.encrypted {
217 auth_hyper_request_parts
218 .headers
219 .insert("x-forwarded-proto", "https".parse()?);
220 } else {
221 auth_hyper_request_parts
222 .headers
223 .insert("x-forwarded-proto", "http".parse()?);
224 }
225
226 if let Some(original_host) = original_host {
227 auth_hyper_request_parts
228 .headers
229 .insert("x-forwarded-host", original_host);
230 }
231
232 auth_hyper_request_parts
233 .headers
234 .insert("x-forwarded-uri", path_and_query.parse()?);
235
236 auth_hyper_request_parts.headers.insert(
237 "x-forwarded-method",
238 hyper_request_parts.method.as_str().parse()?,
239 );
240
241 auth_hyper_request_parts.method = Method::GET;
242
243 let auth_request = Request::from_parts(
244 auth_hyper_request_parts,
245 Empty::new().map_err(|e| match e {}).boxed(),
246 );
247 let original_hyper_request = Request::from_parts(hyper_request_parts, request_body);
248 let original_request = RequestData::new(original_hyper_request, auth_user, original_url);
249
250 let connections = &self.connections[rand::random_range(..self.connections.len())];
251
252 let rwlock_read = connections.read().await;
253 let sender_read_option = rwlock_read.get(&addr);
254
255 if let Some(sender_read) = sender_read_option {
256 if !sender_read.is_closed() {
257 drop(rwlock_read);
258 let mut rwlock_write = connections.write().await;
259 let sender_option = rwlock_write.get_mut(&addr);
260
261 if let Some(sender) = sender_option {
262 if !sender.is_closed() {
263 let result = http_forwarded_auth_kept_alive(
264 sender,
265 auth_request,
266 error_logger,
267 original_request,
268 forwarded_auth_copy_headers,
269 )
270 .await;
271 drop(rwlock_write);
272 return result;
273 } else {
274 drop(rwlock_write);
275 }
276 } else {
277 drop(rwlock_write);
278 }
279 } else {
280 drop(rwlock_read);
281 }
282 } else {
283 drop(rwlock_read);
284 }
285
286 let stream = match TcpStream::connect(&addr).await {
287 Ok(stream) => stream,
288 Err(err) => {
289 match err.kind() {
290 tokio::io::ErrorKind::ConnectionRefused
291 | tokio::io::ErrorKind::NotFound
292 | tokio::io::ErrorKind::HostUnreachable => {
293 error_logger
294 .log(&format!("Service unavailable: {}", err))
295 .await;
296 return Ok(
297 ResponseData::builder_without_request()
298 .status(StatusCode::SERVICE_UNAVAILABLE)
299 .build(),
300 );
301 }
302 tokio::io::ErrorKind::TimedOut => {
303 error_logger.log(&format!("Gateway timeout: {}", err)).await;
304 return Ok(
305 ResponseData::builder_without_request()
306 .status(StatusCode::GATEWAY_TIMEOUT)
307 .build(),
308 );
309 }
310 _ => {
311 error_logger.log(&format!("Bad gateway: {}", err)).await;
312 return Ok(
313 ResponseData::builder_without_request()
314 .status(StatusCode::BAD_GATEWAY)
315 .build(),
316 );
317 }
318 };
319 }
320 };
321
322 match stream.set_nodelay(true) {
323 Ok(_) => (),
324 Err(err) => {
325 error_logger.log(&format!("Bad gateway: {}", err)).await;
326 return Ok(
327 ResponseData::builder_without_request()
328 .status(StatusCode::BAD_GATEWAY)
329 .build(),
330 );
331 }
332 };
333
334 if !encrypted {
335 http_forwarded_auth(
336 connections,
337 addr,
338 stream,
339 auth_request,
340 error_logger,
341 original_request,
342 forwarded_auth_copy_headers,
343 )
344 .await
345 } else {
346 let tls_client_config = rustls::ClientConfig::builder()
347 .with_root_certificates(self.roots.clone())
348 .with_no_client_auth();
349 let connector = TlsConnector::from(Arc::new(tls_client_config));
350 let domain = ServerName::try_from(host)?.to_owned();
351
352 let tls_stream = match connector.connect(domain, stream).await {
353 Ok(stream) => stream,
354 Err(err) => {
355 error_logger.log(&format!("Bad gateway: {}", err)).await;
356 return Ok(
357 ResponseData::builder_without_request()
358 .status(StatusCode::BAD_GATEWAY)
359 .build(),
360 );
361 }
362 };
363
364 http_forwarded_auth(
365 connections,
366 addr,
367 tls_stream,
368 auth_request,
369 error_logger,
370 original_request,
371 forwarded_auth_copy_headers,
372 )
373 .await
374 }
375 } else {
376 Ok(ResponseData::builder(request).build())
377 }
378 })
379 .await
380 }
381
382 async fn proxy_request_handler(
383 &mut self,
384 request: RequestData,
385 _config: &ServerConfig,
386 _socket_data: &SocketData,
387 _error_logger: &ErrorLogger,
388 ) -> Result<ResponseData, Box<dyn Error + Send + Sync>> {
389 Ok(ResponseData::builder(request).build())
390 }
391
392 async fn response_modifying_handler(
393 &mut self,
394 response: HyperResponse,
395 ) -> Result<HyperResponse, Box<dyn Error + Send + Sync>> {
396 Ok(response)
397 }
398
399 async fn proxy_response_modifying_handler(
400 &mut self,
401 response: HyperResponse,
402 ) -> Result<HyperResponse, Box<dyn Error + Send + Sync>> {
403 Ok(response)
404 }
405
406 async fn connect_proxy_request_handler(
407 &mut self,
408 _upgraded_request: HyperUpgraded,
409 _connect_address: &str,
410 _config: &ServerConfig,
411 _socket_data: &SocketData,
412 _error_logger: &ErrorLogger,
413 ) -> Result<(), Box<dyn Error + Send + Sync>> {
414 Ok(())
415 }
416
417 fn does_connect_proxy_requests(&mut self) -> bool {
418 false
419 }
420
421 async fn websocket_request_handler(
422 &mut self,
423 _websocket: HyperWebsocket,
424 _uri: &hyper::Uri,
425 _config: &ServerConfig,
426 _socket_data: &SocketData,
427 _error_logger: &ErrorLogger,
428 ) -> Result<(), Box<dyn Error + Send + Sync>> {
429 Ok(())
430 }
431
432 fn does_websocket_requests(&mut self, _config: &ServerConfig, _socket_data: &SocketData) -> bool {
433 false
434 }
435}
436
437async fn http_forwarded_auth(
438 connections: &RwLock<HashMap<String, SendRequest<BoxBody<Bytes, hyper::Error>>>>,
439 connect_addr: String,
440 stream: impl AsyncRead + AsyncWrite + Send + Unpin + 'static,
441 proxy_request: Request<BoxBody<Bytes, hyper::Error>>,
442 error_logger: &ErrorLogger,
443 mut original_request: RequestData,
444 forwarded_auth_copy_headers: Vec<String>,
445) -> Result<ResponseData, Box<dyn Error + Send + Sync>> {
446 let io = TokioIo::new(stream);
447
448 let (mut sender, conn) = match hyper::client::conn::http1::handshake(io).await {
449 Ok(data) => data,
450 Err(err) => {
451 error_logger.log(&format!("Bad gateway: {}", err)).await;
452 return Ok(
453 ResponseData::builder_without_request()
454 .status(StatusCode::BAD_GATEWAY)
455 .build(),
456 );
457 }
458 };
459
460 let send_request = sender.send_request(proxy_request);
461
462 let mut pinned_conn = Box::pin(conn);
463 tokio::pin!(send_request);
464
465 let response;
466
467 loop {
468 tokio::select! {
469 biased;
470
471 proxy_response = &mut send_request => {
472 let proxy_response = match proxy_response {
473 Ok(response) => response,
474 Err(err) => {
475 error_logger.log(&format!("Bad gateway: {}", err)).await;
476 return Ok(ResponseData::builder_without_request().status(StatusCode::BAD_GATEWAY).build());
477 }
478 };
479
480 if proxy_response.status().is_success() {
481 if !forwarded_auth_copy_headers.is_empty() {
482 let response_headers = proxy_response.headers();
483 let request_headers = original_request.get_mut_hyper_request().headers_mut();
484 for forwarded_auth_copy_header_string in forwarded_auth_copy_headers.iter() {
485 let forwarded_auth_copy_header= HeaderName::from_str(forwarded_auth_copy_header_string)?;
486 if response_headers.contains_key(&forwarded_auth_copy_header) {
487 while request_headers.remove(&forwarded_auth_copy_header).is_some() {}
488 for header_value in response_headers.get_all(&forwarded_auth_copy_header).iter() {
489 request_headers.append(&forwarded_auth_copy_header, header_value.clone());
490 }
491 }
492 }
493 }
494 response = ResponseData::builder(original_request).build();
495 } else {
496 response = ResponseData::builder_without_request()
497 .response(proxy_response.map(|b| {
498 b.map_err(|e| std::io::Error::other(e.to_string()))
499 .boxed()
500 }))
501 .parallel_fn(async move {
502 pinned_conn.await.unwrap_or_default();
503 })
504 .build();
505
506 }
507
508 break;
509 },
510 state = &mut pinned_conn => {
511 if state.is_err() {
512 error_logger.log("Bad gateway: incomplete response").await;
513 return Ok(ResponseData::builder_without_request().status(StatusCode::BAD_GATEWAY).build());
514 }
515 },
516 };
517 }
518
519 if !sender.is_closed() {
520 let mut rwlock_write = connections.write().await;
521 rwlock_write.insert(connect_addr, sender);
522 drop(rwlock_write);
523 }
524
525 Ok(response)
526}
527
528async fn http_forwarded_auth_kept_alive(
529 sender: &mut SendRequest<BoxBody<Bytes, hyper::Error>>,
530 proxy_request: Request<BoxBody<Bytes, hyper::Error>>,
531 error_logger: &ErrorLogger,
532 mut original_request: RequestData,
533 forwarded_auth_copy_headers: Vec<String>,
534) -> Result<ResponseData, Box<dyn Error + Send + Sync>> {
535 let proxy_response = match sender.send_request(proxy_request).await {
536 Ok(response) => response,
537 Err(err) => {
538 error_logger.log(&format!("Bad gateway: {}", err)).await;
539 return Ok(
540 ResponseData::builder_without_request()
541 .status(StatusCode::BAD_GATEWAY)
542 .build(),
543 );
544 }
545 };
546
547 let response = if proxy_response.status().is_success() {
548 if !forwarded_auth_copy_headers.is_empty() {
549 let response_headers = proxy_response.headers();
550 let request_headers = original_request.get_mut_hyper_request().headers_mut();
551 for forwarded_auth_copy_header_string in forwarded_auth_copy_headers.iter() {
552 let forwarded_auth_copy_header = HeaderName::from_str(forwarded_auth_copy_header_string)?;
553 if response_headers.contains_key(&forwarded_auth_copy_header) {
554 while request_headers
555 .remove(&forwarded_auth_copy_header)
556 .is_some()
557 {}
558 for header_value in response_headers.get_all(&forwarded_auth_copy_header).iter() {
559 request_headers.append(&forwarded_auth_copy_header, header_value.clone());
560 }
561 }
562 }
563 }
564 ResponseData::builder(original_request).build()
565 } else {
566 ResponseData::builder_without_request()
567 .response(proxy_response.map(|b| b.map_err(|e| std::io::Error::other(e.to_string())).boxed()))
568 .build()
569 };
570
571 Ok(response)
572}