feat: serve https

Author: ymgyt

.dev/self_signed_certs/certificate.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlTCCATugAwIBAgIUA86Riy2FThTljOBvpMNN5CmnVgIwCgYIKoZIzj0EAwIw
+IDEeMBwGA1UEAwwVc3luZGljYXRpb25kLnltZ3l0LmlvMB4XDTI0MDIxMTEwMDE1
+NFoXDTM0MDIwODEwMDE1NFowIDEeMBwGA1UEAwwVc3luZGljYXRpb25kLnltZ3l0
+LmlvMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhztnvCAv0+oFHVue7EYfitKl
+HXw83579zSlB4DyhF/5LN8ljr0TljOTsSXlSAtPkladiASIDXPVm1xzzVgiHhaNT
+MFEwHQYDVR0OBBYEFBvVS3MisB/EBclw0i+v/iSXTNI0MB8GA1UdIwQYMBaAFBvV
+S3MisB/EBclw0i+v/iSXTNI0MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwID
+SAAwRQIhALBtRGKYgN65Evvw4u7a7hmNw441BNUo0kXOL5kb+Rv4AiAjHfuhruKb
+qzmvo4OdZIVIWhrsBqakXynXmS5rZIiHng==
+-----END CERTIFICATE-----

.dev/self_signed_certs/private_key.pem

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKmgzy8Zj73IXrit3
+EWT5DLFTagNNiwguS9j2I37ZIHShRANCAASHO2e8IC/T6gUdW57sRh+K0qUdfDzf
+nv3NKUHgPKEX/ks3yWOvROWM5OxJeVIC0+SVp2IBIgNc9WbXHPNWCIeF
+-----END PRIVATE KEY-----

Cargo.lock

@@ -16,6 +16,7 @@ repository  = "https://github.com/ymgyt/syndicationd"
 anyhow         = { version = "1" }
 async-trait    = { version = "0.1.77" }
 axum           = { version = "0.7.4" }
+axum-server    = { version = "0.6.0", features = ["tls-rustls"] }
 chrono         = { version = "0.4.31" }
 clap           = { version = "4.4" }
 feed-rs        = { version = "1.4" }
@@ -24,6 +25,7 @@ graphql_client = { version = "0.13.0", default-features = false }
 headers        = { version = "0.4.0" }
 http           = { version = "0.2" }                              # request use 0.2
 kvsd           = { version = "0.1.2", default-features = false }
+thiserror      = { version = "1.0.56" }
 # kvsd                               = { path = "../kvsd" }
 moka                               = { version = "0.12.4", features = ["future"] }
 opentelemetry                      = { version = "0.21.0" }

Cargo.toml

@@ -19,8 +19,9 @@ async-graphql      = { version = "7.0", features = ["tracing"] }
 async-graphql-axum = { version = "7.0" }
 async-trait        = { workspace = true }
 axum               = { workspace = true }
+axum-server        = { workspace = true }
 chrono             = { workspace = true }
-clap               = { workspace = true, features = ["derive"] }
+clap               = { workspace = true, features = ["derive", "env"] }
 feed-rs            = { workspace = true }
 futures-util       = { workspace = true }
 graphql_client     = { workspace = true }
@@ -33,7 +34,7 @@ serde              = { workspace = true }
 serde_json         = "1.0.111"
 supports-color     = { version = "2.1.0" }
 synd_feed          = { path = "../synd_feed", version = "0.1.0" }
-thiserror          = "1.0.56"
+thiserror          = { workspace = true }
 tokio              = { workspace = true, features = ["macros", "rt-multi-thread"] }
 tower              = { version = "0.4.13", default_features = false, features = ["limit", "timeout"] }
 tower-http         = { version = "0.5.1", default_features = false, features = ["trace", "sensitive-headers", "cors", "limit"] }

crates/synd_api/Cargo.toml

@@ -1,25 +1,40 @@
+use std::path::PathBuf;
+
 use clap::Parser;
 
 #[derive(Parser, Debug)]
 #[command(version, propagate_version = true, disable_help_subcommand = true)]
 pub struct Args {
     #[command(flatten)]
     pub kvsd: KvsdOptions,
+    #[command(flatten)]
+    pub tls: TlsOptions,
 }
 
 #[derive(clap::Args, Debug)]
-#[command(next_help_heading = "kvsd")]
+#[command(next_help_heading = "Kvsd options")]
 pub struct KvsdOptions {
-    #[arg(long = "kvsd-host")]
+    #[arg(long = "kvsd-host", env = "SYND_KVSD_HOST")]
     pub host: String,
-    #[arg(long = "kvsd-port")]
+    #[arg(long = "kvsd-port", env = "SYND_KVSD_PORT")]
     pub port: u16,
-    #[arg(long = "kvsd-username")]
+    #[arg(long = "kvsd-username", alias = "kvsd-user", env = "SYND_KVSD_USER")]
     pub username: String,
-    #[arg(long = "kvsd-password")]
+    #[arg(long = "kvsd-password", alias = "kvsd-pass", env = "SYND_KVSD_PASS")]
     pub password: String,
 }
 
+#[derive(clap::Args, Debug)]
+#[command(next_help_heading = "Tls options")]
+pub struct TlsOptions {
+    /// Tls certificate file path
+    #[arg(long = "tls-cert", env = "SYND_TLS_CERT", value_name = "CERT_PATH")]
+    pub certificate: PathBuf,
+    /// Tls private key file path
+    #[arg(long = "tls-key", env = "SYND_TLS_KEY", value_name = "KEY_PATH")]
+    pub private_key: PathBuf,
+}
+
 #[must_use]
 pub fn parse() -> Args {
     Args::parse()

crates/synd_api/src/args.rs

@@ -1,12 +1,14 @@
 use std::{sync::Arc, time::Duration};
 
+use anyhow::Context;
+use axum_server::tls_rustls::RustlsConfig;
 use synd_feed::feed::{
     cache::{CacheConfig, CacheLayer},
     parser::FeedService,
 };
 
 use crate::{
-    args::KvsdOptions,
+    args::{KvsdOptions, TlsOptions},
     config,
     repository::kvsd::KvsdClient,
     serve::auth::Authenticator,
@@ -16,10 +18,11 @@ use crate::{
 pub struct Dependency {
     pub authenticator: Authenticator,
     pub runtime: Runtime,
+    pub tls_config: RustlsConfig,
 }
 
 impl Dependency {
-    pub async fn new(kvsd: KvsdOptions) -> anyhow::Result<Self> {
+    pub async fn new(kvsd: KvsdOptions, tls: TlsOptions) -> anyhow::Result<Self> {
         let KvsdOptions {
             host,
             port,
@@ -48,9 +51,14 @@ impl Dependency {
 
         let runtime = Runtime::new(make_usecase, authorizer);
 
+        let tls_config = RustlsConfig::from_pem_file(&tls.certificate, &tls.private_key)
+            .await
+            .with_context(|| format!("tls options: {tls:?}"))?;
+
         Ok(Dependency {
             authenticator,
             runtime,
+            tls_config,
         })
     }
 }

crates/synd_api/src/dependency.rs

@@ -1,7 +1,14 @@
 use synd_o11y::{opentelemetry::OpenTelemetryGuard, tracing_subscriber::otel_metrics};
 use tracing::{error, info};
 
-use synd_api::{args, config, dependency::Dependency, serve::listen_and_serve, shutdown::Shutdown};
+use synd_api::{
+    args::{self, Args},
+    config,
+    dependency::Dependency,
+    repository::kvsd::ConnectKvsdFailed,
+    serve::listen_and_serve,
+    shutdown::Shutdown,
+};
 
 fn init_tracing() -> Option<OpenTelemetryGuard> {
     use synd_o11y::{
@@ -65,17 +72,26 @@ fn init_tracing() -> Option<OpenTelemetryGuard> {
     guard
 }
 
+async fn run(Args { kvsd, tls }: Args, shutdown: Shutdown) -> anyhow::Result<()> {
+    let dep = Dependency::new(kvsd, tls).await?;
+
+    info!(version = config::VERSION, "Runinng...");
+
+    listen_and_serve(dep, shutdown.notify()).await
+}
+
 #[tokio::main]
 async fn main() {
     let args = args::parse();
     let _guard = init_tracing();
-    let dep = Dependency::new(args.kvsd).await.unwrap();
     let shutdown = Shutdown::watch_signal();
 
-    info!(version = config::VERSION, "Runinng...");
-
-    if let Err(err) = listen_and_serve(dep, shutdown.notify()).await {
-        error!("{err:?}");
+    if let Err(err) = run(args, shutdown).await {
+        if let Some(err) = err.downcast_ref::<ConnectKvsdFailed>() {
+            error!("{err}: make sure kvsd is running");
+        } else {
+            error!("{err:?}");
+        }
         std::process::exit(1);
     }
 }

crates/synd_api/src/main.rs

@@ -1,19 +1,25 @@
 use std::{io::ErrorKind, time::Duration};
 
+use anyhow::Context;
 use async_trait::async_trait;
 use futures_util::TryFutureExt;
 use kvsd::{
     client::{tcp::Client, Api},
     Key, Value,
 };
 use serde::{Deserialize, Serialize};
+use thiserror::Error;
 use tokio::sync::Mutex;
 use tokio::{net::TcpStream, sync::MutexGuard};
 
 use crate::repository::{
     self, subscription::RepositoryResult, RepositoryError, SubscriptionRepository,
 };
 
+#[derive(Error, Debug)]
+#[error("connect kvsd failed")]
+pub struct ConnectKvsdFailed;
+
 pub struct KvsdClient {
     #[allow(dead_code)]
     client: Mutex<Client<TcpStream>>,
@@ -48,14 +54,16 @@ impl KvsdClient {
                     err => break err,
                 }
                 retry += 1;
-                tokio::time::sleep(Duration::from_millis(500)).await;
+                tokio::time::sleep(Duration::from_millis(1000)).await;
             }
         };
 
         tokio::time::timeout(timeout, handshake)
-            .await?
+            .await
+            .map_err(anyhow::Error::from)
+            .context(ConnectKvsdFailed)?
+            .map_err(anyhow::Error::from)
             .inspect(|_| tracing::info!("Kvsd handshake successfully completed"))
-            .map_err(Into::into)
     }
 
     async fn get<'a, T>(

crates/synd_api/src/repository/kvsd.rs

@@ -48,6 +48,7 @@ where
     let Dependency {
         authenticator,
         runtime,
+        tls_config,
     } = dep;
 
     let schema = gql::schema_builder().data(runtime).finish();
@@ -71,8 +72,8 @@ where
         )
         .route("/healthcheck", get(probe::healthcheck));
 
-    axum::serve(listener, service)
-        .with_graceful_shutdown(shutdown)
+    axum_server::from_tcp_rustls(listener.into_std()?, tls_config)
+        .serve(service.into_make_service())
         .await?;
 
     tracing::info!("Shutdown complete");

crates/synd_api/src/serve/mod.rs

@@ -52,6 +52,7 @@ integration = []
 synd_api  = { path = "../synd_api" }
 synd_test = { path = "../synd_test" }
 
+axum-server  = { workspace = true }
 kvsd         = { workspace = true }
 serial_test  = { version = "3.0.0", default_features = false, features = ["async", "file_locks"] }
 tempdir      = "0.3.7"

crates/synd_term/Cargo.toml

@@ -31,6 +31,8 @@ impl Client {
             .user_agent(config::USER_AGENT)
             .timeout(Duration::from_secs(10))
             .connect_timeout(Duration::from_secs(10))
+            // this client specifically targets the syndicationd api, so accepts self signed certificates
+            .danger_accept_invalid_certs(true)
             .build()?;
 
         Ok(Self {

crates/synd_term/src/client/mod.rs

@@ -6,7 +6,7 @@ use std::{
 use directories::ProjectDirs;
 
 pub mod api {
-    pub const ENDPOINT: &str = "http://localhost:5959/graphql";
+    pub const ENDPOINT: &str = "https://localhost:5959/graphql";
 }
 
 pub mod github {