saluki_io/net/

ipc.rs

use std::{
    path::{Path, PathBuf},
    sync::Arc,
    time::Duration,
};

use hyper_rustls::{HttpsConnector, HttpsConnectorBuilder};
use hyper_util::client::legacy::connect::HttpConnector;
use rustls::{
    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
    crypto::CryptoProvider,
    pki_types::{CertificateDer, ServerName, UnixTime},
    version::TLS13,
    CertificateError, ClientConfig, DigitallySignedStruct, ServerConfig, SignatureScheme,
};
use rustls_pki_types::{pem::PemObject as _, PrivateKeyDer};
use saluki_error::{generic_error, ErrorContext as _, GenericError};

const DEFAULT_DATADOG_AGENT_CONFIG_DIR: &str = "/etc/datadog-agent";
const DEFAULT_IPC_CERT_FILE_NAME: &str = "ipc_cert.pem";
const DEFAULT_CERT_READ_TIMEOUT: Duration = Duration::from_secs(20);
const DEFAULT_CERT_READ_INTERVAL: Duration = Duration::from_millis(100);

/// Gets the IPC certificate file path from the configuration.
///
/// This function uses the same logic as the RemoteAgentClient to determine the certificate path,
/// ensuring consistency between the client and server TLS configurations.
pub fn get_ipc_cert_file_path(ipc_cert_file_path: Option<&PathBuf>, auth_token_file_path: &Path) -> PathBuf {
    // If the IPC cert file path is set explicitly, we always prefer that.
    if let Some(path) = ipc_cert_file_path {
        if !path.as_os_str().is_empty() {
            return path.clone();
        }
    }

    // Otherwise, we default to the same directory as the auth token file with the default certificate file name.
    let mut cert_path = auth_token_file_path
        .parent()
        .map(|p| p.to_path_buf())
        .unwrap_or_else(|| PathBuf::from(DEFAULT_DATADOG_AGENT_CONFIG_DIR));

    cert_path.push(DEFAULT_IPC_CERT_FILE_NAME);
    cert_path
}

/// Builds an HTTPS connector for connecting to the Datadog Agent's IPC endpoint.
///
/// This connector is configured to load a bundled TLS certificate/private key file, generated by the Datadog Agent, and
/// use it for both server verification and client authentication. The given certificate path is expected to be a
/// PEM-encoded file containing both the certificate and private key. The private key is only used for client
/// authentication.
pub async fn build_datadog_agent_ipc_https_connector<P: AsRef<Path>>(
    cert_path: P,
) -> Result<HttpsConnector<HttpConnector>, GenericError> {
    let tls_client_config = build_datadog_agent_client_ipc_tls_config(cert_path).await?;
    let mut http_connector = HttpConnector::new();
    http_connector.enforce_http(false);

    Ok(HttpsConnectorBuilder::new()
        .with_tls_config(tls_client_config)
        .https_only()
        .enable_http2()
        .wrap_connector(http_connector))
}

#[derive(Debug)]
struct DatadogAgentServerCertVerifier {
    cert: CertificateDer<'static>,
    provider: Arc<CryptoProvider>,
}

impl DatadogAgentServerCertVerifier {
    fn from_certificate_and_provider(cert: CertificateDer<'static>, provider: Arc<CryptoProvider>) -> Self {
        Self { cert, provider }
    }
}

impl ServerCertVerifier for DatadogAgentServerCertVerifier {
    fn verify_server_cert(
        &self, end_entity: &CertificateDer<'_>, _intermediates: &[CertificateDer<'_>], _server_name: &ServerName<'_>,
        _ocsp_response: &[u8], _now: UnixTime,
    ) -> Result<ServerCertVerified, rustls::Error> {
        // We only care about if the server certificate matches the one we have.
        //
        // This explicitly ignores things like the server using a CA certificate as an end-entity certificate and all of
        // that. We just want to verify that the server certificate is the one we expect.
        if end_entity != &self.cert {
            return Err(rustls::Error::InvalidCertificate(CertificateError::UnknownIssuer));
        }

        Ok(ServerCertVerified::assertion())
    }

    fn verify_tls12_signature(
        &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        rustls::crypto::verify_tls12_signature(message, cert, dss, &self.provider.signature_verification_algorithms)
    }

    fn verify_tls13_signature(
        &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        rustls::crypto::verify_tls13_signature(message, cert, dss, &self.provider.signature_verification_algorithms)
    }

    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
        self.provider.signature_verification_algorithms.supported_schemes()
    }
}

pub async fn build_datadog_agent_client_ipc_tls_config<P: AsRef<Path>>(
    cert_path: P,
) -> Result<ClientConfig, GenericError> {
    // Read the certificate file, and extract the certificate and private key from it.
    let raw_cert_data = read_cert_file(
        cert_path.as_ref(),
        DEFAULT_CERT_READ_TIMEOUT,
        DEFAULT_CERT_READ_INTERVAL,
    )
    .await?;

    let parsed_cert = CertificateDer::from_pem_slice(&raw_cert_data[..])
        .with_error_context(|| format!("Failed to parse certificate file '{}'.", cert_path.as_ref().display()))?;

    let parsed_key = PrivateKeyDer::from_pem_slice(&raw_cert_data[..])
        .with_error_context(|| format!("Failed to parse private key file '{}'.", cert_path.as_ref().display()))?;

    // Build our client TLS configuration to use the parsed certificate for server verification, and then to send it for
    // client authentication.
    let crypto_provider = rustls::crypto::CryptoProvider::get_default()
        .map(Arc::clone)
        .ok_or_else(|| generic_error!("Default cryptography provider not yet installed."))?;
    let agent_cert_verifier = Arc::new(DatadogAgentServerCertVerifier::from_certificate_and_provider(
        parsed_cert.clone(),
        crypto_provider,
    ));

    let tls_client_config = ClientConfig::builder_with_protocol_versions(&[&TLS13])
        .dangerous()
        .with_custom_certificate_verifier(agent_cert_verifier)
        .with_client_auth_cert(vec![parsed_cert], parsed_key)
        .with_error_context(|| {
            format!(
                "Failed to configure TLS client authentication with certificate/private key from '{}'.",
                cert_path.as_ref().display()
            )
        })?;
    Ok(tls_client_config)
}

/// Builds a server TLS configuration for the Datadog Agent's IPC endpoint.
///
/// This function reads the certificate file, parses the certificate and private key,
/// and creates a server TLS configuration. The certificate path is expected to be a
/// PEM-encoded file containing both the certificate and private key.
pub async fn build_datadog_agent_server_tls_config<P: AsRef<Path>>(cert_path: P) -> Result<ServerConfig, GenericError> {
    // Read the certificate file, and extract the certificate and private key from it.
    let raw_cert_data = read_cert_file(
        cert_path.as_ref(),
        DEFAULT_CERT_READ_TIMEOUT,
        DEFAULT_CERT_READ_INTERVAL,
    )
    .await?;

    let parsed_cert = CertificateDer::from_pem_slice(&raw_cert_data[..])
        .with_error_context(|| format!("Failed to parse certificate file '{}'.", cert_path.as_ref().display()))?;

    let parsed_key = PrivateKeyDer::from_pem_slice(&raw_cert_data[..])
        .with_error_context(|| format!("Failed to parse private key file '{}'.", cert_path.as_ref().display()))?;

    // Build the server TLS configuration
    let tls_server_config = ServerConfig::builder()
        .with_no_client_auth()
        .with_single_cert(vec![parsed_cert], parsed_key)
        .map_err(|e| generic_error!("Failed to configure TLS server: {}", e))?;

    Ok(tls_server_config)
}

/// Reads a certificate file and retries up to a certain number of times with a certain wait duration between attempts.
async fn read_cert_file(cert_path: &Path, timeout: Duration, interval: Duration) -> Result<Vec<u8>, GenericError> {
    if timeout < interval {
        return Err(generic_error!(
            "Timeout is less than interval. Timeout: {}, Interval: {}",
            timeout.as_secs(),
            interval.as_secs()
        ));
    }

    let start_time = std::time::Instant::now();
    let mut last_error: String = String::new();
    while start_time.elapsed() < timeout {
        match tokio::fs::read(cert_path).await {
            Ok(data) => return Ok(data),
            Err(e) => {
                last_error = e.to_string();
                tokio::time::sleep(interval).await;
            }
        }
    }
    Err(generic_error!(
        "Failed to read certificate file '{}' after {} seconds: {}",
        cert_path.display(),
        timeout.as_secs(),
        last_error
    ))
}

#[cfg(test)]
mod tests {
    use std::path::{Path, PathBuf};

    use super::get_ipc_cert_file_path;

    fn default_agent_auth_token_file_path() -> PathBuf {
        PathBuf::from("/etc/datadog-agent/auth_token")
    }

    #[test]
    fn ipc_cert_file_path_defaults() {
        let default_auth_token_path = default_agent_auth_token_file_path();
        let custom_auth_token_path = PathBuf::from("/secret/auth_token");
        let invalid_auth_token_path = PathBuf::from("/");
        let custom_ipc_cert_path = PathBuf::from("/tmp/custom_ipc_cert.pem");

        // When the IPC cert file path is explicitly set, it should be used.
        let result = get_ipc_cert_file_path(Some(&custom_ipc_cert_path), &default_auth_token_path);
        assert_eq!(result, custom_ipc_cert_path);

        // When the IPC cert file path is not set, it should default to the same directory as the auth token file using
        // the default certificate file name.
        let result = get_ipc_cert_file_path(None, &default_auth_token_path);
        assert_eq!(result.parent(), default_auth_token_path.as_path().parent());
        assert_eq!(result.file_name().and_then(|s| s.to_str()), Some("ipc_cert.pem"));

        // This should hold when using a custom auth token file path as well.
        let result = get_ipc_cert_file_path(None, &custom_auth_token_path);
        assert_eq!(result.parent(), custom_auth_token_path.as_path().parent());
        assert_eq!(result.file_name().and_then(|s| s.to_str()), Some("ipc_cert.pem"));

        // If the auth token file path is somehow unset or invalid (e.g., no parent directory), we should use the same
        // logic but with the default Datadog Agent configuration directory.
        let result = get_ipc_cert_file_path(None, &invalid_auth_token_path);
        assert_eq!(result.parent(), Some(Path::new("/etc/datadog-agent")));
        assert_eq!(result.file_name().and_then(|s| s.to_str()), Some("ipc_cert.pem"));
    }
}