saluki_io/net/

ipc.rs

use std::{io::Cursor, path::Path, sync::Arc};

use hyper_rustls::{HttpsConnector, HttpsConnectorBuilder};
use hyper_util::client::legacy::connect::HttpConnector;
use rustls::{
    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
    crypto::CryptoProvider,
    pki_types::{CertificateDer, ServerName, UnixTime},
    version::TLS13,
    CertificateError, ClientConfig, DigitallySignedStruct, SignatureScheme,
};
use saluki_error::{generic_error, ErrorContext as _, GenericError};

/// Builds an HTTPS connector for connecting to the Datadog Agent's IPC endpoint.
///
/// This connector is configured to load a bundled TLS certificate/private key file, generated by the Datadog Agent, and
/// use it for both server verification and client authentication. The given certificate path is expected to be a
/// PEM-encoded file containing both the certificate and private key. The private key is only used for client
/// authentication.
pub async fn build_datadog_agent_ipc_https_connector<P: AsRef<Path>>(
    cert_path: P,
) -> Result<HttpsConnector<HttpConnector>, GenericError> {
    let tls_client_config = build_datadog_agent_ipc_tls_config(cert_path).await?;
    let mut http_connector = HttpConnector::new();
    http_connector.enforce_http(false);

    Ok(HttpsConnectorBuilder::new()
        .with_tls_config(tls_client_config)
        .https_only()
        .enable_http2()
        .wrap_connector(http_connector))
}

#[derive(Debug)]
struct DatadogAgentServerCertVerifier {
    cert: CertificateDer<'static>,
    provider: Arc<CryptoProvider>,
}

impl DatadogAgentServerCertVerifier {
    fn from_certificate_and_provider(cert: CertificateDer<'static>, provider: Arc<CryptoProvider>) -> Self {
        Self { cert, provider }
    }
}

impl ServerCertVerifier for DatadogAgentServerCertVerifier {
    fn verify_server_cert(
        &self, end_entity: &CertificateDer<'_>, _intermediates: &[CertificateDer<'_>], _server_name: &ServerName<'_>,
        _ocsp_response: &[u8], _now: UnixTime,
    ) -> Result<ServerCertVerified, rustls::Error> {
        // We only care about if the server certificate matches the one we have.
        //
        // This explicitly ignores things like the server using a CA certificate as an end-entity certificate and all of
        // that. We just want to verify that the server certificate is the one we expect.
        if end_entity != &self.cert {
            return Err(rustls::Error::InvalidCertificate(CertificateError::UnknownIssuer));
        }

        Ok(ServerCertVerified::assertion())
    }

    fn verify_tls12_signature(
        &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        rustls::crypto::verify_tls12_signature(message, cert, dss, &self.provider.signature_verification_algorithms)
    }

    fn verify_tls13_signature(
        &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        rustls::crypto::verify_tls13_signature(message, cert, dss, &self.provider.signature_verification_algorithms)
    }

    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
        self.provider.signature_verification_algorithms.supported_schemes()
    }
}

pub async fn build_datadog_agent_ipc_tls_config<P: AsRef<Path>>(cert_path: P) -> Result<ClientConfig, GenericError> {
    // Read the certificate file, and extract the certificate and private key from it.
    let raw_cert_data = tokio::fs::read(cert_path.as_ref()).await.map_err(|e| {
        generic_error!(
            "Failed to read certificate file '{}' ({}).",
            cert_path.as_ref().display(),
            e.kind()
        )
    })?;

    let mut cert_reader = Cursor::new(&raw_cert_data);
    let parsed_cert = rustls_pemfile::certs(&mut cert_reader)
        .next()
        .ok_or_else(|| generic_error!("No certificate found in file."))?
        .with_error_context(|| format!("Failed to parse certificate file '{}'.", cert_path.as_ref().display()))?;

    let mut key_reader = Cursor::new(&raw_cert_data);
    let parsed_key = rustls_pemfile::private_key(&mut key_reader)
        .with_error_context(|| format!("Failed to parse private key file '{}'.", cert_path.as_ref().display()))?
        .ok_or_else(|| generic_error!("No private key found in file."))?;

    // Build our client TLS configuration to use the parsed certificate for server verification, and then to send it for
    // client authentication.
    let crypto_provider = rustls::crypto::CryptoProvider::get_default()
        .map(Arc::clone)
        .ok_or_else(|| generic_error!("Default cryptography provider not yet installed."))?;
    let agent_cert_verifier = Arc::new(DatadogAgentServerCertVerifier::from_certificate_and_provider(
        parsed_cert.clone(),
        crypto_provider,
    ));

    let tls_client_config = ClientConfig::builder_with_protocol_versions(&[&TLS13])
        .dangerous()
        .with_custom_certificate_verifier(agent_cert_verifier)
        .with_client_auth_cert(vec![parsed_cert], parsed_key)
        .with_error_context(|| {
            format!(
                "Failed to configure TLS client authentication with certificate/private key from '{}'.",
                cert_path.as_ref().display()
            )
        })?;
    Ok(tls_client_config)
}