2024-01-01 14:58:21 -05:00
|
|
|
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
|
2023-08-22 01:56:00 -04:00
|
|
|
|
|
|
|
use std::cell::RefCell;
|
|
|
|
use std::marker::PhantomData;
|
|
|
|
use std::rc::Rc;
|
|
|
|
use std::sync::Arc;
|
|
|
|
|
|
|
|
use crate::DatabaseHandler;
|
|
|
|
use anyhow::Context;
|
|
|
|
use async_trait::async_trait;
|
|
|
|
use deno_core::error::type_error;
|
|
|
|
use deno_core::error::AnyError;
|
|
|
|
use deno_core::OpState;
|
2023-10-31 07:13:57 -04:00
|
|
|
use deno_fetch::create_http_client;
|
|
|
|
use deno_fetch::CreateHttpClientOptions;
|
|
|
|
use deno_tls::rustls::RootCertStore;
|
|
|
|
use deno_tls::Proxy;
|
|
|
|
use deno_tls::RootCertStoreProvider;
|
refactor(ext/tls): Implement required functionality for later SNI support (#23686)
Precursor to #23236
This implements the SNI features, but uses private symbols to avoid
exposing the functionality at this time. Note that to properly test this
feature, we need to add a way for `connectTls` to specify a hostname.
This is something that should be pushed into that API at a later time as
well.
```ts
Deno.test(
{ permissions: { net: true, read: true } },
async function listenResolver() {
let sniRequests = [];
const listener = Deno.listenTls({
hostname: "localhost",
port: 0,
[resolverSymbol]: (sni: string) => {
sniRequests.push(sni);
return {
cert,
key,
};
},
});
{
const conn = await Deno.connectTls({
hostname: "localhost",
[serverNameSymbol]: "server-1",
port: listener.addr.port,
});
const [_handshake, serverConn] = await Promise.all([
conn.handshake(),
listener.accept(),
]);
conn.close();
serverConn.close();
}
{
const conn = await Deno.connectTls({
hostname: "localhost",
[serverNameSymbol]: "server-2",
port: listener.addr.port,
});
const [_handshake, serverConn] = await Promise.all([
conn.handshake(),
listener.accept(),
]);
conn.close();
serverConn.close();
}
assertEquals(sniRequests, ["server-1", "server-2"]);
listener.close();
},
);
```
---------
Signed-off-by: Matt Mastracci <matthew@mastracci.com>
2024-05-09 12:54:47 -04:00
|
|
|
use deno_tls::TlsKeys;
|
2023-10-31 07:13:57 -04:00
|
|
|
use denokv_remote::MetadataEndpoint;
|
|
|
|
use denokv_remote::Remote;
|
2023-08-22 01:56:00 -04:00
|
|
|
use url::Url;
|
2023-10-31 07:13:57 -04:00
|
|
|
|
|
|
|
#[derive(Clone)]
|
|
|
|
pub struct HttpOptions {
|
|
|
|
pub user_agent: String,
|
|
|
|
pub root_cert_store_provider: Option<Arc<dyn RootCertStoreProvider>>,
|
|
|
|
pub proxy: Option<Proxy>,
|
|
|
|
pub unsafely_ignore_certificate_errors: Option<Vec<String>>,
|
refactor(ext/tls): Implement required functionality for later SNI support (#23686)
Precursor to #23236
This implements the SNI features, but uses private symbols to avoid
exposing the functionality at this time. Note that to properly test this
feature, we need to add a way for `connectTls` to specify a hostname.
This is something that should be pushed into that API at a later time as
well.
```ts
Deno.test(
{ permissions: { net: true, read: true } },
async function listenResolver() {
let sniRequests = [];
const listener = Deno.listenTls({
hostname: "localhost",
port: 0,
[resolverSymbol]: (sni: string) => {
sniRequests.push(sni);
return {
cert,
key,
};
},
});
{
const conn = await Deno.connectTls({
hostname: "localhost",
[serverNameSymbol]: "server-1",
port: listener.addr.port,
});
const [_handshake, serverConn] = await Promise.all([
conn.handshake(),
listener.accept(),
]);
conn.close();
serverConn.close();
}
{
const conn = await Deno.connectTls({
hostname: "localhost",
[serverNameSymbol]: "server-2",
port: listener.addr.port,
});
const [_handshake, serverConn] = await Promise.all([
conn.handshake(),
listener.accept(),
]);
conn.close();
serverConn.close();
}
assertEquals(sniRequests, ["server-1", "server-2"]);
listener.close();
},
);
```
---------
Signed-off-by: Matt Mastracci <matthew@mastracci.com>
2024-05-09 12:54:47 -04:00
|
|
|
pub client_cert_chain_and_key: TlsKeys,
|
2023-10-31 07:13:57 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
impl HttpOptions {
|
|
|
|
pub fn root_cert_store(&self) -> Result<Option<RootCertStore>, AnyError> {
|
|
|
|
Ok(match &self.root_cert_store_provider {
|
|
|
|
Some(provider) => Some(provider.get_or_try_init()?.clone()),
|
|
|
|
None => None,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
2023-08-22 01:56:00 -04:00
|
|
|
|
|
|
|
pub trait RemoteDbHandlerPermissions {
|
|
|
|
fn check_env(&mut self, var: &str) -> Result<(), AnyError>;
|
|
|
|
fn check_net_url(
|
|
|
|
&mut self,
|
|
|
|
url: &Url,
|
|
|
|
api_name: &str,
|
|
|
|
) -> Result<(), AnyError>;
|
|
|
|
}
|
|
|
|
|
|
|
|
pub struct RemoteDbHandler<P: RemoteDbHandlerPermissions + 'static> {
|
2023-10-31 07:13:57 -04:00
|
|
|
http_options: HttpOptions,
|
2023-08-22 01:56:00 -04:00
|
|
|
_p: std::marker::PhantomData<P>,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl<P: RemoteDbHandlerPermissions> RemoteDbHandler<P> {
|
2023-10-31 07:13:57 -04:00
|
|
|
pub fn new(http_options: HttpOptions) -> Self {
|
|
|
|
Self {
|
|
|
|
http_options,
|
|
|
|
_p: PhantomData,
|
|
|
|
}
|
2023-08-22 01:56:00 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-10-31 07:13:57 -04:00
|
|
|
pub struct PermissionChecker<P: RemoteDbHandlerPermissions> {
|
|
|
|
state: Rc<RefCell<OpState>>,
|
|
|
|
_permissions: PhantomData<P>,
|
2023-08-22 01:56:00 -04:00
|
|
|
}
|
|
|
|
|
2023-12-05 08:21:46 -05:00
|
|
|
impl<P: RemoteDbHandlerPermissions> Clone for PermissionChecker<P> {
|
|
|
|
fn clone(&self) -> Self {
|
|
|
|
Self {
|
|
|
|
state: self.state.clone(),
|
|
|
|
_permissions: PhantomData,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-10-31 07:13:57 -04:00
|
|
|
impl<P: RemoteDbHandlerPermissions + 'static> denokv_remote::RemotePermissions
|
|
|
|
for PermissionChecker<P>
|
|
|
|
{
|
|
|
|
fn check_net_url(&self, url: &Url) -> Result<(), anyhow::Error> {
|
|
|
|
let mut state = self.state.borrow_mut();
|
|
|
|
let permissions = state.borrow_mut::<P>();
|
|
|
|
permissions.check_net_url(url, "Deno.openKv")
|
|
|
|
}
|
2023-08-22 01:56:00 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
#[async_trait(?Send)]
|
2023-10-31 07:13:57 -04:00
|
|
|
impl<P: RemoteDbHandlerPermissions + 'static> DatabaseHandler
|
|
|
|
for RemoteDbHandler<P>
|
|
|
|
{
|
|
|
|
type DB = Remote<PermissionChecker<P>>;
|
2023-08-22 01:56:00 -04:00
|
|
|
|
|
|
|
async fn open(
|
|
|
|
&self,
|
|
|
|
state: Rc<RefCell<OpState>>,
|
|
|
|
path: Option<String>,
|
|
|
|
) -> Result<Self::DB, AnyError> {
|
|
|
|
const ENV_VAR_NAME: &str = "DENO_KV_ACCESS_TOKEN";
|
|
|
|
|
|
|
|
let Some(url) = path else {
|
|
|
|
return Err(type_error("Missing database url"));
|
|
|
|
};
|
|
|
|
|
|
|
|
let Ok(parsed_url) = Url::parse(&url) else {
|
|
|
|
return Err(type_error(format!("Invalid database url: {}", url)));
|
|
|
|
};
|
|
|
|
|
|
|
|
{
|
|
|
|
let mut state = state.borrow_mut();
|
|
|
|
let permissions = state.borrow_mut::<P>();
|
|
|
|
permissions.check_env(ENV_VAR_NAME)?;
|
|
|
|
permissions.check_net_url(&parsed_url, "Deno.openKv")?;
|
|
|
|
}
|
|
|
|
|
|
|
|
let access_token = std::env::var(ENV_VAR_NAME)
|
|
|
|
.map_err(anyhow::Error::from)
|
|
|
|
.with_context(|| {
|
|
|
|
"Missing DENO_KV_ACCESS_TOKEN environment variable. Please set it to your access token from https://dash.deno.com/account."
|
|
|
|
})?;
|
|
|
|
|
2023-10-31 07:13:57 -04:00
|
|
|
let metadata_endpoint = MetadataEndpoint {
|
|
|
|
url: parsed_url.clone(),
|
|
|
|
access_token: access_token.clone(),
|
2023-08-22 01:56:00 -04:00
|
|
|
};
|
|
|
|
|
2023-10-31 07:13:57 -04:00
|
|
|
let options = &self.http_options;
|
|
|
|
let client = create_http_client(
|
|
|
|
&options.user_agent,
|
|
|
|
CreateHttpClientOptions {
|
|
|
|
root_cert_store: options.root_cert_store()?,
|
|
|
|
ca_certs: vec![],
|
|
|
|
proxy: options.proxy.clone(),
|
|
|
|
unsafely_ignore_certificate_errors: options
|
|
|
|
.unsafely_ignore_certificate_errors
|
|
|
|
.clone(),
|
refactor(ext/tls): Implement required functionality for later SNI support (#23686)
Precursor to #23236
This implements the SNI features, but uses private symbols to avoid
exposing the functionality at this time. Note that to properly test this
feature, we need to add a way for `connectTls` to specify a hostname.
This is something that should be pushed into that API at a later time as
well.
```ts
Deno.test(
{ permissions: { net: true, read: true } },
async function listenResolver() {
let sniRequests = [];
const listener = Deno.listenTls({
hostname: "localhost",
port: 0,
[resolverSymbol]: (sni: string) => {
sniRequests.push(sni);
return {
cert,
key,
};
},
});
{
const conn = await Deno.connectTls({
hostname: "localhost",
[serverNameSymbol]: "server-1",
port: listener.addr.port,
});
const [_handshake, serverConn] = await Promise.all([
conn.handshake(),
listener.accept(),
]);
conn.close();
serverConn.close();
}
{
const conn = await Deno.connectTls({
hostname: "localhost",
[serverNameSymbol]: "server-2",
port: listener.addr.port,
});
const [_handshake, serverConn] = await Promise.all([
conn.handshake(),
listener.accept(),
]);
conn.close();
serverConn.close();
}
assertEquals(sniRequests, ["server-1", "server-2"]);
listener.close();
},
);
```
---------
Signed-off-by: Matt Mastracci <matthew@mastracci.com>
2024-05-09 12:54:47 -04:00
|
|
|
client_cert_chain_and_key: options
|
|
|
|
.client_cert_chain_and_key
|
|
|
|
.clone()
|
|
|
|
.try_into()
|
|
|
|
.unwrap(),
|
2023-10-31 07:13:57 -04:00
|
|
|
pool_max_idle_per_host: None,
|
|
|
|
pool_idle_timeout: None,
|
2023-12-22 12:19:17 -05:00
|
|
|
http1: false,
|
2023-10-31 07:13:57 -04:00
|
|
|
http2: true,
|
|
|
|
},
|
|
|
|
)?;
|
|
|
|
|
|
|
|
let permissions = PermissionChecker {
|
|
|
|
state: state.clone(),
|
|
|
|
_permissions: PhantomData,
|
2023-08-27 00:04:12 -04:00
|
|
|
};
|
2023-08-22 01:56:00 -04:00
|
|
|
|
2023-10-31 07:13:57 -04:00
|
|
|
let remote = Remote::new(client, permissions, metadata_endpoint);
|
2023-08-22 01:56:00 -04:00
|
|
|
|
2023-10-31 07:13:57 -04:00
|
|
|
Ok(remote)
|
2023-08-22 01:56:00 -04:00
|
|
|
}
|
|
|
|
}
|