diff --git a/Cargo.lock b/Cargo.lock index 4415eebe..6557d455 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -27,6 +27,12 @@ dependencies = [ "memchr", ] +[[package]] +name = "allocator-api2" +version = "0.2.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923" + [[package]] name = "android_system_properties" version = "0.1.5" @@ -92,6 +98,18 @@ version = "1.0.102" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c" +[[package]] +name = "argon2" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3c3610892ee6e0cbce8ae2700349fcf8f98adb0dbfbee85aec3c9179d29cc072" +dependencies = [ + "base64ct", + "blake2", + "cpufeatures", + "password-hash", +] + [[package]] name = "askama" version = "0.14.0" @@ -134,13 +152,29 @@ dependencies = [ "winnow 0.7.15", ] +[[package]] +name = "asn1-rs" +version = "0.6.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5493c3bedbacf7fd7382c6346bbd66687d12bbaad3a89a2d2c303ee6cf20b048" +dependencies = [ + "asn1-rs-derive 0.5.1", + "asn1-rs-impl", + "displaydoc", + "nom", + "num-traits", + "rusticata-macros", + "thiserror 1.0.69", + "time", +] + [[package]] name = "asn1-rs" version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60" dependencies = [ - "asn1-rs-derive", + "asn1-rs-derive 0.6.0", "asn1-rs-impl", "displaydoc", "nom", @@ -150,6 +184,18 @@ dependencies = [ "time", ] +[[package]] +name = "asn1-rs-derive" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "965c2d33e53cb6b267e148a4cb0760bc01f4904c1cd4bb4002a085bb016d1490" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "synstructure", +] + [[package]] name = "asn1-rs-derive" version = "0.6.0" @@ -184,6 +230,15 @@ dependencies = [ "syn", ] +[[package]] +name = "atoi" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f28d99ec8bfea296261ca1af174f24225171fea9664ba9003cbebee704810528" +dependencies = [ + "num-traits", +] + [[package]] name = "atomic-waker" version = "1.1.2" @@ -196,6 +251,28 @@ version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8" +[[package]] +name = "aws-lc-rs" +version = "1.16.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0ec6fb3fe69024a75fa7e1bfb48aa6cf59706a101658ea01bfd33b2b248a038f" +dependencies = [ + "aws-lc-sys", + "zeroize", +] + +[[package]] +name = "aws-lc-sys" +version = "0.40.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f50037ee5e1e41e7b8f9d161680a725bd1626cb6f8c7e901f91f942850852fe7" +dependencies = [ + "cc", + "cmake", + "dunce", + "fs_extra", +] + [[package]] name = "axum" version = "0.8.8" @@ -248,12 +325,47 @@ dependencies = [ "tracing", ] +[[package]] +name = "base16ct" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf" + +[[package]] +name = "base32" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "022dfe9eb35f19ebbcb51e0b40a5ab759f46ad60cadf7297e0bd085afb50e076" + +[[package]] +name = "base64" +version = "0.21.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" + [[package]] name = "base64" version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" +[[package]] +name = "base64ct" +version = "1.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06" + +[[package]] +name = "base64urlsafedata" +version = "0.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42f7f6be94fa637132933fd0a68b9140bcb60e3d46164cb68e82a2bb8d102b3a" +dependencies = [ + "base64 0.21.7", + "pastey", + "serde", +] + [[package]] name = "basic-toml" version = "0.1.10" @@ -268,6 +380,9 @@ name = "bitflags" version = "2.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af" +dependencies = [ + "serde_core", +] [[package]] name = "blake2" @@ -419,6 +534,12 @@ dependencies = [ "zeroize", ] +[[package]] +name = "claims" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bba18ee93d577a8428902687bcc2b6b45a56b1981a1f6d779731c86cc4c5db18" + [[package]] name = "clap" version = "4.6.0" @@ -459,12 +580,46 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9" +[[package]] +name = "cmake" +version = "0.1.58" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c0f78a02292a74a88ac736019ab962ece0bc380e3f977bf72e376c5d78ff0678" +dependencies = [ + "cc", +] + [[package]] name = "colorchoice" version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1d07550c9036bf2ae0c684c4297d503f838287c83c53686d05370d0e139ae570" +[[package]] +name = "concurrent-queue" +version = "2.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4ca0197aee26d1ae37445ee532fefce43251d24cc7c166799f4d46817f1d3973" +dependencies = [ + "crossbeam-utils", +] + +[[package]] +name = "const-oid" +version = "0.9.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" + +[[package]] +name = "core-foundation" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "core-foundation" version = "0.10.1" @@ -490,6 +645,21 @@ dependencies = [ "libc", ] +[[package]] +name = "crc" +version = "3.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5eb8a2a1cd12ab0d987a5d5e825195d372001a4094a0376319d5a0ad71c1ba0d" +dependencies = [ + "crc-catalog", +] + +[[package]] +name = "crc-catalog" +version = "2.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "19d374276b40fb8bbdee95aef7c7fa6b5316ec764510eb64b8dd0e2ed0d7e7f5" + [[package]] name = "crc32fast" version = "1.5.0" @@ -499,6 +669,39 @@ dependencies = [ "cfg-if", ] +[[package]] +name = "crossbeam-queue" +version = "0.3.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0f58bbc28f91df819d0aa2a2c00cd19754769c2fad90579b3592b1c9ba7a3115" +dependencies = [ + "crossbeam-utils", +] + +[[package]] +name = "crossbeam-utils" +version = "0.8.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28" + +[[package]] +name = "crunchy" +version = "0.2.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5" + +[[package]] +name = "crypto-bigint" +version = "0.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76" +dependencies = [ + "generic-array", + "rand_core 0.6.4", + "subtle", + "zeroize", +] + [[package]] name = "crypto-common" version = "0.1.7" @@ -506,7 +709,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a" dependencies = [ "generic-array", - "rand_core", + "rand_core 0.6.4", "typenum", ] @@ -519,6 +722,7 @@ dependencies = [ "cfg-if", "cpufeatures", "curve25519-dalek-derive", + "digest", "fiat-crypto", "rustc_version", "subtle", @@ -542,8 +746,18 @@ version = "0.20.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee" dependencies = [ - "darling_core", - "darling_macro", + "darling_core 0.20.11", + "darling_macro 0.20.11", +] + +[[package]] +name = "darling" +version = "0.23.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "25ae13da2f202d56bd7f91c25fba009e7717a1e4a1cc98a76d844b65ae912e9d" +dependencies = [ + "darling_core 0.23.0", + "darling_macro 0.23.0", ] [[package]] @@ -560,13 +774,37 @@ dependencies = [ "syn", ] +[[package]] +name = "darling_core" +version = "0.23.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9865a50f7c335f53564bb694ef660825eb8610e0a53d3e11bf1b0d3df31e03b0" +dependencies = [ + "ident_case", + "proc-macro2", + "quote", + "strsim", + "syn", +] + [[package]] name = "darling_macro" version = "0.20.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead" dependencies = [ - "darling_core", + "darling_core 0.20.11", + "quote", + "syn", +] + +[[package]] +name = "darling_macro" +version = "0.23.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac3984ec7bd6cfa798e62b4a642426a5be0e68f9401cfc2a01e3fa9ea2fcdb8d" +dependencies = [ + "darling_core 0.23.0", "quote", "syn", ] @@ -582,14 +820,15 @@ name = "defguard-gateway" version = "2.0.0" dependencies = [ "axum", - "base64", + "base64 0.22.1", "chrono", "clap", "defguard_certs", + "defguard_grpc_tls", "defguard_version", "defguard_wireguard_rs", "env_logger", - "ipnetwork", + "ipnetwork 0.21.1", "libc", "log", "mnl", @@ -597,6 +836,9 @@ dependencies = [ "nix 0.31.2", "prost", "prost-types", + "rustls", + "rustls-pki-types", + "rustls-webpki", "serde", "syslog", "thiserror 2.0.18", @@ -620,7 +862,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4b7c7f465dde186f958a0a0e4ae823af623451ba26817b8b366b9968286df7a1" dependencies = [ "aead", - "base64", + "base64 0.22.1", "blake2", "chacha20poly1305", "hex", @@ -642,21 +884,77 @@ dependencies = [ [[package]] name = "defguard_certs" version = "0.0.0" -source = "git+https://github.com/DefGuard/defguard.git?rev=01957186101fc105803d56f1190efbdb5102df2f#01957186101fc105803d56f1190efbdb5102df2f" +source = "git+https://github.com/DefGuard/defguard.git?rev=564dc72c#564dc72c8c18c6b25ff1401e2e18dc40e1ff39a4" dependencies = [ - "base64", + "base64 0.22.1", "chrono", "rcgen", "rustls-pki-types", "thiserror 2.0.18", "time", - "x509-parser", + "x509-parser 0.18.1", +] + +[[package]] +name = "defguard_common" +version = "2.0.0" +source = "git+https://github.com/DefGuard/defguard.git?rev=710b1bfd#710b1bfd5c10328b201bcf43ed9b99483d462012" +dependencies = [ + "anyhow", + "argon2", + "base32", + "base64 0.22.1", + "chrono", + "claims", + "clap", + "ed25519-dalek", + "humantime", + "ipnetwork 0.20.0", + "jsonwebtoken", + "model_derive", + "openidconnect", + "rand 0.8.5", + "reqwest", + "rsa", + "secrecy", + "serde", + "serde_cbor_2", + "serde_json", + "sqlx", + "struct-patch", + "thiserror 2.0.18", + "tokio", + "tonic", + "totp-lite", + "tracing", + "url", + "utoipa", + "uuid", + "vergen-git2", + "webauthn-rs", + "x25519-dalek", +] + +[[package]] +name = "defguard_grpc_tls" +version = "0.0.0" +source = "git+https://github.com/DefGuard/defguard.git?rev=710b1bfd#710b1bfd5c10328b201bcf43ed9b99483d462012" +dependencies = [ + "defguard_common", + "http", + "rustls", + "thiserror 2.0.18", + "tokio", + "tonic", + "tower-service", + "tracing", + "x509-parser 0.18.1", ] [[package]] name = "defguard_version" version = "0.0.0" -source = "git+https://github.com/DefGuard/defguard.git?rev=01957186101fc105803d56f1190efbdb5102df2f#01957186101fc105803d56f1190efbdb5102df2f" +source = "git+https://github.com/DefGuard/defguard.git?rev=7d28f46e#7d28f46e828a975118d4943f204614a737d1c92e" dependencies = [ "axum", "http", @@ -676,7 +974,7 @@ version = "0.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a6805597cb34bef686b2c3f732ca1f88e6de676d92d43acd632ea5aae5169466" dependencies = [ - "base64", + "base64 0.22.1", "defguard_boringtun", "ipnet", "libc", @@ -696,13 +994,38 @@ dependencies = [ "x25519-dalek", ] +[[package]] +name = "der" +version = "0.7.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb" +dependencies = [ + "const-oid", + "pem-rfc7468", + "zeroize", +] + +[[package]] +name = "der-parser" +version = "9.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5cd0a5c643689626bec213c4d8bd4d96acc8ffdb4ad4bb6bc16abf27d5f4b553" +dependencies = [ + "asn1-rs 0.6.2", + "displaydoc", + "nom", + "num-bigint", + "num-traits", + "rusticata-macros", +] + [[package]] name = "der-parser" version = "10.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "07da5016415d5a3c4dd39b11ed26f915f52fc4e0dc197d87908bc916e51bc1a6" dependencies = [ - "asn1-rs", + "asn1-rs 0.7.1", "displaydoc", "nom", "num-bigint", @@ -717,6 +1040,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c" dependencies = [ "powerfmt", + "serde_core", ] [[package]] @@ -734,7 +1058,7 @@ version = "0.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2d5bcf7b024d6835cfb3d473887cd966994907effbe9227e8c8219824d06c4e8" dependencies = [ - "darling", + "darling 0.20.11", "proc-macro2", "quote", "syn", @@ -757,6 +1081,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" dependencies = [ "block-buffer", + "const-oid", "crypto-common", "subtle", ] @@ -783,55 +1108,177 @@ dependencies = [ ] [[package]] -name = "either" -version = "1.15.0" +name = "dotenvy" +version = "0.15.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719" +checksum = "1aaf95b3e5c8f23aa320147307562d361db0ae0d51242340f558153b4eb2439b" [[package]] -name = "env_filter" -version = "1.0.1" +name = "dunce" +version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32e90c2accc4b07a8456ea0debdc2e7587bdd890680d71173a15d4ae604f6eef" +checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813" + +[[package]] +name = "dyn-clone" +version = "1.0.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d0881ea181b1df73ff77ffaaf9c7544ecc11e82fba9b5f27b262a3c73a332555" + +[[package]] +name = "ecdsa" +version = "0.16.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca" dependencies = [ - "log", - "regex", + "der", + "digest", + "elliptic-curve", + "rfc6979", + "signature", + "spki", ] [[package]] -name = "env_logger" -version = "0.11.10" +name = "ed25519" +version = "2.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0621c04f2196ac3f488dd583365b9c09be011a4ab8b9f37248ffcc8f6198b56a" +checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53" dependencies = [ - "anstream", - "anstyle", - "env_filter", - "jiff", - "log", + "pkcs8", + "signature", ] [[package]] -name = "equivalent" -version = "1.0.2" +name = "ed25519-dalek" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f" +checksum = "70e796c081cee67dc755e1a36a0a172b897fab85fc3f6bc48307991f64e4eca9" +dependencies = [ + "curve25519-dalek", + "ed25519", + "rand_core 0.6.4", + "serde", + "sha2", + "subtle", + "zeroize", +] [[package]] -name = "errno" -version = "0.3.14" +name = "either" +version = "1.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" +checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719" dependencies = [ - "libc", - "windows-sys 0.61.2", + "serde", ] [[package]] -name = "fastrand" -version = "2.4.1" +name = "elliptic-curve" +version = "0.13.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6" +checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47" +dependencies = [ + "base16ct", + "crypto-bigint", + "digest", + "ff", + "generic-array", + "group", + "hkdf", + "pem-rfc7468", + "pkcs8", + "rand_core 0.6.4", + "sec1", + "subtle", + "zeroize", +] + +[[package]] +name = "encoding_rs" +version = "0.8.35" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3" +dependencies = [ + "cfg-if", +] + +[[package]] +name = "env_filter" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32e90c2accc4b07a8456ea0debdc2e7587bdd890680d71173a15d4ae604f6eef" +dependencies = [ + "log", + "regex", +] + +[[package]] +name = "env_logger" +version = "0.11.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0621c04f2196ac3f488dd583365b9c09be011a4ab8b9f37248ffcc8f6198b56a" +dependencies = [ + "anstream", + "anstyle", + "env_filter", + "jiff", + "log", +] + +[[package]] +name = "equivalent" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f" + +[[package]] +name = "errno" +version = "0.3.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" +dependencies = [ + "libc", + "windows-sys 0.61.2", +] + +[[package]] +name = "etcetera" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "136d1b5283a1ab77bd9257427ffd09d8667ced0570b6f938942bc7568ed5b943" +dependencies = [ + "cfg-if", + "home", + "windows-sys 0.48.0", +] + +[[package]] +name = "event-listener" +version = "5.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e13b66accf52311f30a0db42147dadea9850cb48cd070028831ae5f5d4b856ab" +dependencies = [ + "concurrent-queue", + "parking", + "pin-project-lite", +] + +[[package]] +name = "fastrand" +version = "2.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6" + +[[package]] +name = "ff" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c0b50bfb653653f9ca9095b427bed08ab8d75a137839d9ad64eb11810d5b6393" +dependencies = [ + "rand_core 0.6.4", + "subtle", +] [[package]] name = "fiat-crypto" @@ -861,6 +1308,17 @@ dependencies = [ "miniz_oxide", ] +[[package]] +name = "flume" +version = "0.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "da0e4dd2a88388a1f4ccc7c9ce104604dab68d9f408dc34cd45823d5a9069095" +dependencies = [ + "futures-core", + "futures-sink", + "spin", +] + [[package]] name = "fnv" version = "1.0.7" @@ -873,6 +1331,21 @@ version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2" +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + [[package]] name = "form_urlencoded" version = "1.2.2" @@ -891,6 +1364,12 @@ dependencies = [ "autocfg", ] +[[package]] +name = "fs_extra" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c" + [[package]] name = "futures-channel" version = "0.3.32" @@ -898,6 +1377,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d" dependencies = [ "futures-core", + "futures-sink", ] [[package]] @@ -906,6 +1386,34 @@ version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d" +[[package]] +name = "futures-executor" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d" +dependencies = [ + "futures-core", + "futures-task", + "futures-util", +] + +[[package]] +name = "futures-intrusive" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1d930c203dd0b6ff06e0201a4a2fe9149b43c684fd4420555b26d21b1a02956f" +dependencies = [ + "futures-core", + "lock_api", + "parking_lot", +] + +[[package]] +name = "futures-io" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718" + [[package]] name = "futures-sink" version = "0.3.32" @@ -925,7 +1433,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6" dependencies = [ "futures-core", + "futures-io", + "futures-sink", "futures-task", + "memchr", "pin-project-lite", "slab", ] @@ -938,6 +1449,7 @@ checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" dependencies = [ "typenum", "version_check", + "zeroize", ] [[package]] @@ -947,8 +1459,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0" dependencies = [ "cfg-if", + "js-sys", "libc", "wasi", + "wasm-bindgen", ] [[package]] @@ -1006,6 +1520,17 @@ dependencies = [ "scroll", ] +[[package]] +name = "group" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63" +dependencies = [ + "ff", + "rand_core 0.6.4", + "subtle", +] + [[package]] name = "h2" version = "0.4.13" @@ -1018,19 +1543,38 @@ dependencies = [ "futures-core", "futures-sink", "http", - "indexmap", + "indexmap 2.14.0", "slab", "tokio", "tokio-util", "tracing", ] +[[package]] +name = "half" +version = "2.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ea2d84b969582b4b1864a92dc5d27cd2b77b622a8d79306834f1be5ba20d84b" +dependencies = [ + "cfg-if", + "crunchy", + "zerocopy", +] + +[[package]] +name = "hashbrown" +version = "0.12.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888" + [[package]] name = "hashbrown" version = "0.15.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1" dependencies = [ + "allocator-api2", + "equivalent", "foldhash", ] @@ -1040,6 +1584,15 @@ version = "0.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51" +[[package]] +name = "hashlink" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7382cf6263419f2d8df38c55d7da83da5c18aef87fc7a7fc1fb1e344edfe14c1" +dependencies = [ + "hashbrown 0.15.5", +] + [[package]] name = "heck" version = "0.5.0" @@ -1052,6 +1605,15 @@ version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" +[[package]] +name = "hkdf" +version = "0.12.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7" +dependencies = [ + "hmac", +] + [[package]] name = "hmac" version = "0.12.1" @@ -1061,6 +1623,15 @@ dependencies = [ "digest", ] +[[package]] +name = "home" +version = "0.5.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cc627f471c528ff0c4a49e1d5e60450c8f6461dd6d10ba9dcd3a61d3dff7728d" +dependencies = [ + "windows-sys 0.61.2", +] + [[package]] name = "hostname" version = "0.4.2" @@ -1117,6 +1688,12 @@ version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9" +[[package]] +name = "humantime" +version = "2.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "135b12329e5e3ce057a9f972339ea52bc954fe1e9358ef27f95e89716fbc5424" + [[package]] name = "hyper" version = "1.9.0" @@ -1139,6 +1716,21 @@ dependencies = [ "want", ] +[[package]] +name = "hyper-rustls" +version = "0.27.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "33ca68d021ef39cf6463ab54c1d0f5daf03377b70561305bb89a8f83aab66e0f" +dependencies = [ + "http", + "hyper", + "hyper-util", + "rustls", + "tokio", + "tokio-rustls", + "tower-service", +] + [[package]] name = "hyper-timeout" version = "0.5.2" @@ -1152,24 +1744,45 @@ dependencies = [ "tower-service", ] +[[package]] +name = "hyper-tls" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0" +dependencies = [ + "bytes", + "http-body-util", + "hyper", + "hyper-util", + "native-tls", + "tokio", + "tokio-native-tls", + "tower-service", +] + [[package]] name = "hyper-util" version = "0.1.20" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0" dependencies = [ + "base64 0.22.1", "bytes", "futures-channel", "futures-util", "http", "http-body", "hyper", + "ipnet", "libc", + "percent-encoding", "pin-project-lite", "socket2", + "system-configuration", "tokio", "tower-service", "tracing", + "windows-registry", ] [[package]] @@ -1311,6 +1924,17 @@ dependencies = [ "icu_properties", ] +[[package]] +name = "indexmap" +version = "1.9.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99" +dependencies = [ + "autocfg", + "hashbrown 0.12.3", + "serde", +] + [[package]] name = "indexmap" version = "2.14.0" @@ -1360,18 +1984,46 @@ version = "2.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2" +[[package]] +name = "ipnetwork" +version = "0.20.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bf466541e9d546596ee94f9f69590f89473455f88372423e0008fc1a7daf100e" +dependencies = [ + "serde", +] + [[package]] name = "ipnetwork" version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf370abdafd54d13e54a620e8c3e1145f28e46cc9d704bc6d94414559df41763" +[[package]] +name = "iri-string" +version = "0.7.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "25e659a4bb38e810ebc252e53b5814ff908a8c58c2a9ce2fae1bbec24cbf4e20" +dependencies = [ + "memchr", + "serde", +] + [[package]] name = "is_terminal_polyfill" version = "1.70.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695" +[[package]] +name = "itertools" +version = "0.10.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473" +dependencies = [ + "either", +] + [[package]] name = "itertools" version = "0.14.0" @@ -1427,15 +2079,43 @@ version = "0.3.94" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2e04e2ef80ce82e13552136fabeef8a5ed1f985a96805761cbb9a2c34e7664d9" dependencies = [ + "cfg-if", + "futures-util", "once_cell", "wasm-bindgen", ] +[[package]] +name = "jsonwebtoken" +version = "10.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0529410abe238729a60b108898784df8984c87f6054c9c4fcacc47e4803c1ce1" +dependencies = [ + "base64 0.22.1", + "ed25519-dalek", + "getrandom 0.2.17", + "hmac", + "js-sys", + "p256", + "p384", + "pem", + "rand 0.8.5", + "rsa", + "serde", + "serde_json", + "sha2", + "signature", + "simple_asn1", +] + [[package]] name = "lazy_static" version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" +dependencies = [ + "spin", +] [[package]] name = "leb128fmt" @@ -1471,6 +2151,34 @@ dependencies = [ "windows-link", ] +[[package]] +name = "libm" +version = "0.2.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981" + +[[package]] +name = "libredox" +version = "0.1.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e02f3bb43d335493c96bf3fd3a321600bf6bd07ed34bc64118e9293bdffea46c" +dependencies = [ + "bitflags", + "libc", + "plain", + "redox_syscall 0.7.4", +] + +[[package]] +name = "libsqlite3-sys" +version = "0.30.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2e99fb7a497b1e3339bc746195567ed8d3e24945ecd636e3619d20b9de9e9149" +dependencies = [ + "pkg-config", + "vcpkg", +] + [[package]] name = "libz-sys" version = "1.1.28" @@ -1526,8 +2234,18 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3" [[package]] -name = "memchr" -version = "2.8.0" +name = "md-5" +version = "0.10.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d89e7ee0cfbedfc4da3340218492196241d89eefb6dab27de5df917a6d2e78cf" +dependencies = [ + "cfg-if", + "digest", +] + +[[package]] +name = "memchr" +version = "2.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79" @@ -1594,12 +2312,38 @@ dependencies = [ "pkg-config", ] +[[package]] +name = "model_derive" +version = "0.0.0" +source = "git+https://github.com/DefGuard/defguard.git?rev=710b1bfd#710b1bfd5c10328b201bcf43ed9b99483d462012" +dependencies = [ + "quote", + "syn", +] + [[package]] name = "multimap" version = "0.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1d87ecb2933e8aeadb3e3a02b828fed80a7528047e68b4f424523a0981a3a084" +[[package]] +name = "native-tls" +version = "0.2.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "465500e14ea162429d264d44189adc38b199b62b1c21eea9f69e4b73cb03bbf2" +dependencies = [ + "libc", + "log", + "openssl", + "openssl-probe", + "openssl-sys", + "schannel", + "security-framework", + "security-framework-sys", + "tempfile", +] + [[package]] name = "netlink-packet-core" version = "0.8.1" @@ -1740,6 +2484,22 @@ dependencies = [ "num-traits", ] +[[package]] +name = "num-bigint-dig" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e661dda6640fad38e827a6d4a310ff4763082116fe217f279885c97f511bb0b7" +dependencies = [ + "lazy_static", + "libm", + "num-integer", + "num-iter", + "num-traits", + "rand 0.8.5", + "smallvec", + "zeroize", +] + [[package]] name = "num-conv" version = "0.2.1" @@ -1755,6 +2515,17 @@ dependencies = [ "num-traits", ] +[[package]] +name = "num-iter" +version = "0.1.45" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf" +dependencies = [ + "autocfg", + "num-integer", + "num-traits", +] + [[package]] name = "num-traits" version = "0.2.19" @@ -1762,6 +2533,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" dependencies = [ "autocfg", + "libm", ] [[package]] @@ -1773,6 +2545,26 @@ dependencies = [ "libc", ] +[[package]] +name = "oauth2" +version = "5.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "51e219e79014df21a225b1860a479e2dcd7cbd9130f4defd4bd0e191ea31d67d" +dependencies = [ + "base64 0.22.1", + "chrono", + "getrandom 0.2.17", + "http", + "rand 0.8.5", + "reqwest", + "serde", + "serde_json", + "serde_path_to_error", + "sha2", + "thiserror 1.0.69", + "url", +] + [[package]] name = "objc2" version = "0.6.4" @@ -1932,13 +2724,22 @@ dependencies = [ "objc2-foundation", ] +[[package]] +name = "oid-registry" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a8d8034d9489cdaf79228eb9f6a3b8d7bb32ba00d6645ebd48eef4077ceb5bd9" +dependencies = [ + "asn1-rs 0.6.2", +] + [[package]] name = "oid-registry" version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "12f40cff3dde1b6087cc5d5f5d4d65712f34016a03ed60e9c08dcc392736b5b7" dependencies = [ - "asn1-rs", + "asn1-rs 0.7.1", ] [[package]] @@ -1959,12 +2760,90 @@ version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" +[[package]] +name = "openidconnect" +version = "4.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0d8c6709ba2ea764bbed26bce1adf3c10517113ddea6f2d4196e4851757ef2b2" +dependencies = [ + "base64 0.21.7", + "chrono", + "dyn-clone", + "ed25519-dalek", + "hmac", + "http", + "itertools 0.10.5", + "log", + "oauth2", + "p256", + "p384", + "rand 0.8.5", + "rsa", + "serde", + "serde-value", + "serde_json", + "serde_path_to_error", + "serde_plain", + "serde_with", + "sha2", + "subtle", + "thiserror 1.0.69", + "url", +] + +[[package]] +name = "openssl" +version = "0.10.77" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bfe4646e360ec77dff7dde40ed3d6c5fee52d156ef4a62f53973d38294dad87f" +dependencies = [ + "bitflags", + "cfg-if", + "foreign-types", + "libc", + "once_cell", + "openssl-macros", + "openssl-sys", +] + +[[package]] +name = "openssl-macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "openssl-probe" version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe" +[[package]] +name = "openssl-sys" +version = "0.9.113" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ad2f2c0eba47118757e4c6d2bff2838f3e0523380021356e7875e858372ce644" +dependencies = [ + "cc", + "libc", + "pkg-config", + "vcpkg", +] + +[[package]] +name = "ordered-float" +version = "2.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "68f19d67e5a2795c94e73e0bb1cc1a7edeb2e28efd39e2e1c9b7a40c1108b11c" +dependencies = [ + "num-traits", +] + [[package]] name = "os_info" version = "3.14.0" @@ -1981,6 +2860,36 @@ dependencies = [ "windows-sys 0.61.2", ] +[[package]] +name = "p256" +version = "0.13.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b" +dependencies = [ + "ecdsa", + "elliptic-curve", + "primeorder", + "sha2", +] + +[[package]] +name = "p384" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fe42f1670a52a47d448f14b6a5c61dd78fce51856e68edaa38f7ae3a46b8d6b6" +dependencies = [ + "ecdsa", + "elliptic-curve", + "primeorder", + "sha2", +] + +[[package]] +name = "parking" +version = "2.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f38d5652c16fde515bb1ecef450ab0f6a219d619a7274976324d5e377f7dceba" + [[package]] name = "parking_lot" version = "0.12.5" @@ -1999,11 +2908,22 @@ checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1" dependencies = [ "cfg-if", "libc", - "redox_syscall", + "redox_syscall 0.5.18", "smallvec", "windows-link", ] +[[package]] +name = "password-hash" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166" +dependencies = [ + "base64ct", + "rand_core 0.6.4", + "subtle", +] + [[package]] name = "paste" version = "1.0.15" @@ -2022,10 +2942,19 @@ version = "3.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be" dependencies = [ - "base64", + "base64 0.22.1", "serde_core", ] +[[package]] +name = "pem-rfc7468" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412" +dependencies = [ + "base64ct", +] + [[package]] name = "percent-encoding" version = "2.3.2" @@ -2040,7 +2969,7 @@ checksum = "8701b58ea97060d5e5b155d383a69952a60943f0e6dfe30b04c287beb0b27455" dependencies = [ "fixedbitset", "hashbrown 0.15.5", - "indexmap", + "indexmap 2.14.0", ] [[package]] @@ -2069,6 +2998,27 @@ version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd" +[[package]] +name = "pkcs1" +version = "0.7.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f" +dependencies = [ + "der", + "pkcs8", + "spki", +] + +[[package]] +name = "pkcs8" +version = "0.10.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" +dependencies = [ + "der", + "spki", +] + [[package]] name = "pkg-config" version = "0.3.32" @@ -2122,6 +3072,15 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391" +[[package]] +name = "ppv-lite86" +version = "0.2.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9" +dependencies = [ + "zerocopy", +] + [[package]] name = "prettyplease" version = "0.2.37" @@ -2132,6 +3091,15 @@ dependencies = [ "syn", ] +[[package]] +name = "primeorder" +version = "0.13.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6" +dependencies = [ + "elliptic-curve", +] + [[package]] name = "proc-macro2" version = "1.0.106" @@ -2158,7 +3126,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "343d3bd7056eda839b03204e68deff7d1b13aba7af2b2fd16890697274262ee7" dependencies = [ "heck", - "itertools", + "itertools 0.14.0", "log", "multimap", "petgraph", @@ -2179,7 +3147,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "27c6023962132f4b30eb4c172c91ce92d933da334c59c23cddee82358ddafb0b" dependencies = [ "anyhow", - "itertools", + "itertools 0.14.0", "proc-macro2", "quote", "syn", @@ -2235,6 +3203,47 @@ version = "6.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf" +[[package]] +name = "rand" +version = "0.8.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +dependencies = [ + "libc", + "rand_chacha 0.3.1", + "rand_core 0.6.4", +] + +[[package]] +name = "rand" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea" +dependencies = [ + "rand_chacha 0.9.0", + "rand_core 0.9.5", +] + +[[package]] +name = "rand_chacha" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" +dependencies = [ + "ppv-lite86", + "rand_core 0.6.4", +] + +[[package]] +name = "rand_chacha" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb" +dependencies = [ + "ppv-lite86", + "rand_core 0.9.5", +] + [[package]] name = "rand_core" version = "0.6.4" @@ -2244,6 +3253,15 @@ dependencies = [ "getrandom 0.2.17", ] +[[package]] +name = "rand_core" +version = "0.9.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c" +dependencies = [ + "getrandom 0.3.4", +] + [[package]] name = "rcgen" version = "0.14.7" @@ -2254,7 +3272,7 @@ dependencies = [ "ring", "rustls-pki-types", "time", - "x509-parser", + "x509-parser 0.18.1", "yasna", ] @@ -2267,6 +3285,35 @@ dependencies = [ "bitflags", ] +[[package]] +name = "redox_syscall" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f450ad9c3b1da563fb6948a8e0fb0fb9269711c9c73d9ea1de5058c79c8d643a" +dependencies = [ + "bitflags", +] + +[[package]] +name = "ref-cast" +version = "1.0.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f354300ae66f76f1c85c5f84693f0ce81d747e2c3f21a45fef496d89c960bf7d" +dependencies = [ + "ref-cast-impl", +] + +[[package]] +name = "ref-cast-impl" +version = "1.0.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "regex" version = "1.12.3" @@ -2296,6 +3343,56 @@ version = "0.8.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a" +[[package]] +name = "reqwest" +version = "0.12.28" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147" +dependencies = [ + "base64 0.22.1", + "bytes", + "encoding_rs", + "futures-core", + "h2", + "http", + "http-body", + "http-body-util", + "hyper", + "hyper-rustls", + "hyper-tls", + "hyper-util", + "js-sys", + "log", + "mime", + "native-tls", + "percent-encoding", + "pin-project-lite", + "rustls-pki-types", + "serde", + "serde_json", + "serde_urlencoded", + "sync_wrapper", + "tokio", + "tokio-native-tls", + "tower", + "tower-http", + "tower-service", + "url", + "wasm-bindgen", + "wasm-bindgen-futures", + "web-sys", +] + +[[package]] +name = "rfc6979" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2" +dependencies = [ + "hmac", + "subtle", +] + [[package]] name = "ring" version = "0.17.14" @@ -2310,6 +3407,26 @@ dependencies = [ "windows-sys 0.52.0", ] +[[package]] +name = "rsa" +version = "0.9.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8573f03f5883dcaebdfcf4725caa1ecb9c15b2ef50c43a07b816e06799bb12d" +dependencies = [ + "const-oid", + "digest", + "num-bigint-dig", + "num-integer", + "num-traits", + "pkcs1", + "pkcs8", + "rand_core 0.6.4", + "signature", + "spki", + "subtle", + "zeroize", +] + [[package]] name = "rustc-hash" version = "2.1.2" @@ -2353,6 +3470,7 @@ version = "0.23.37" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4" dependencies = [ + "aws-lc-rs", "log", "once_cell", "ring", @@ -2389,6 +3507,7 @@ version = "0.103.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef" dependencies = [ + "aws-lc-rs", "ring", "rustls-pki-types", "untrusted", @@ -2415,6 +3534,30 @@ dependencies = [ "windows-sys 0.61.2", ] +[[package]] +name = "schemars" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4cd191f9397d57d581cddd31014772520aa448f65ef991055d7f61582c65165f" +dependencies = [ + "dyn-clone", + "ref-cast", + "serde", + "serde_json", +] + +[[package]] +name = "schemars" +version = "1.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a2b42f36aa1cd011945615b92222f6bf73c599a102a300334cd7f8dbeec726cc" +dependencies = [ + "dyn-clone", + "ref-cast", + "serde", + "serde_json", +] + [[package]] name = "scopeguard" version = "1.2.0" @@ -2441,6 +3584,30 @@ dependencies = [ "syn", ] +[[package]] +name = "sec1" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc" +dependencies = [ + "base16ct", + "der", + "generic-array", + "pkcs8", + "subtle", + "zeroize", +] + +[[package]] +name = "secrecy" +version = "0.10.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e891af845473308773346dc847b2c23ee78fe442e0472ac50e22a18a93d3ae5a" +dependencies = [ + "serde", + "zeroize", +] + [[package]] name = "security-framework" version = "3.7.0" @@ -2448,7 +3615,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d" dependencies = [ "bitflags", - "core-foundation", + "core-foundation 0.10.1", "core-foundation-sys", "libc", "security-framework-sys", @@ -2484,6 +3651,26 @@ dependencies = [ "serde_derive", ] +[[package]] +name = "serde-value" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c" +dependencies = [ + "ordered-float", + "serde", +] + +[[package]] +name = "serde_cbor_2" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "34aec2709de9078e077090abd848e967abab63c9fb3fdb5d4799ad359d8d482c" +dependencies = [ + "half", + "serde", +] + [[package]] name = "serde_core" version = "1.0.228" @@ -2528,6 +3715,15 @@ dependencies = [ "serde_core", ] +[[package]] +name = "serde_plain" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ce1fc6db65a611022b23a0dec6975d63fb80a302cb3388835ff02c097258d50" +dependencies = [ + "serde", +] + [[package]] name = "serde_spanned" version = "1.1.1" @@ -2549,6 +3745,59 @@ dependencies = [ "serde", ] +[[package]] +name = "serde_with" +version = "3.18.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dd5414fad8e6907dbdd5bc441a50ae8d6e26151a03b1de04d89a5576de61d01f" +dependencies = [ + "base64 0.22.1", + "chrono", + "hex", + "indexmap 1.9.3", + "indexmap 2.14.0", + "schemars 0.9.0", + "schemars 1.2.1", + "serde_core", + "serde_json", + "serde_with_macros", + "time", +] + +[[package]] +name = "serde_with_macros" +version = "3.18.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3db8978e608f1fe7357e211969fd9abdcae80bac1ba7a3369bb7eb6b404eb65" +dependencies = [ + "darling 0.23.0", + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "sha1" +version = "0.10.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba" +dependencies = [ + "cfg-if", + "cpufeatures", + "digest", +] + +[[package]] +name = "sha2" +version = "0.10.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283" +dependencies = [ + "cfg-if", + "cpufeatures", + "digest", +] + [[package]] name = "sharded-slab" version = "0.1.7" @@ -2574,12 +3823,34 @@ dependencies = [ "libc", ] +[[package]] +name = "signature" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de" +dependencies = [ + "digest", + "rand_core 0.6.4", +] + [[package]] name = "simd-adler32" version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "703d5c7ef118737c72f1af64ad2f6f8c5e1921f818cdcb97b8fe6fc69bf66214" +[[package]] +name = "simple_asn1" +version = "0.6.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0d585997b0ac10be3c5ee635f1bab02d512760d14b7c468801ac8a01d9ae5f1d" +dependencies = [ + "num-bigint", + "num-traits", + "thiserror 2.0.18", + "time", +] + [[package]] name = "siphasher" version = "1.0.2" @@ -2597,6 +3868,9 @@ name = "smallvec" version = "1.15.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03" +dependencies = [ + "serde", +] [[package]] name = "smawk" @@ -2614,6 +3888,224 @@ dependencies = [ "windows-sys 0.61.2", ] +[[package]] +name = "spin" +version = "0.9.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" +dependencies = [ + "lock_api", +] + +[[package]] +name = "spki" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d" +dependencies = [ + "base64ct", + "der", +] + +[[package]] +name = "sqlx" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1fefb893899429669dcdd979aff487bd78f4064e5e7907e4269081e0ef7d97dc" +dependencies = [ + "sqlx-core", + "sqlx-macros", + "sqlx-mysql", + "sqlx-postgres", + "sqlx-sqlite", +] + +[[package]] +name = "sqlx-core" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ee6798b1838b6a0f69c007c133b8df5866302197e404e8b6ee8ed3e3a5e68dc6" +dependencies = [ + "base64 0.22.1", + "bytes", + "chrono", + "crc", + "crossbeam-queue", + "either", + "event-listener", + "futures-core", + "futures-intrusive", + "futures-io", + "futures-util", + "hashbrown 0.15.5", + "hashlink", + "indexmap 2.14.0", + "ipnetwork 0.20.0", + "log", + "memchr", + "native-tls", + "once_cell", + "percent-encoding", + "serde", + "serde_json", + "sha2", + "smallvec", + "thiserror 2.0.18", + "tokio", + "tokio-stream", + "tracing", + "url", + "uuid", +] + +[[package]] +name = "sqlx-macros" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a2d452988ccaacfbf5e0bdbc348fb91d7c8af5bee192173ac3636b5fb6e6715d" +dependencies = [ + "proc-macro2", + "quote", + "sqlx-core", + "sqlx-macros-core", + "syn", +] + +[[package]] +name = "sqlx-macros-core" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "19a9c1841124ac5a61741f96e1d9e2ec77424bf323962dd894bdb93f37d5219b" +dependencies = [ + "dotenvy", + "either", + "heck", + "hex", + "once_cell", + "proc-macro2", + "quote", + "serde", + "serde_json", + "sha2", + "sqlx-core", + "sqlx-mysql", + "sqlx-postgres", + "sqlx-sqlite", + "syn", + "tokio", + "url", +] + +[[package]] +name = "sqlx-mysql" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "aa003f0038df784eb8fecbbac13affe3da23b45194bd57dba231c8f48199c526" +dependencies = [ + "atoi", + "base64 0.22.1", + "bitflags", + "byteorder", + "bytes", + "chrono", + "crc", + "digest", + "dotenvy", + "either", + "futures-channel", + "futures-core", + "futures-io", + "futures-util", + "generic-array", + "hex", + "hkdf", + "hmac", + "itoa", + "log", + "md-5", + "memchr", + "once_cell", + "percent-encoding", + "rand 0.8.5", + "rsa", + "serde", + "sha1", + "sha2", + "smallvec", + "sqlx-core", + "stringprep", + "thiserror 2.0.18", + "tracing", + "uuid", + "whoami", +] + +[[package]] +name = "sqlx-postgres" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "db58fcd5a53cf07c184b154801ff91347e4c30d17a3562a635ff028ad5deda46" +dependencies = [ + "atoi", + "base64 0.22.1", + "bitflags", + "byteorder", + "chrono", + "crc", + "dotenvy", + "etcetera", + "futures-channel", + "futures-core", + "futures-util", + "hex", + "hkdf", + "hmac", + "home", + "ipnetwork 0.20.0", + "itoa", + "log", + "md-5", + "memchr", + "once_cell", + "rand 0.8.5", + "serde", + "serde_json", + "sha2", + "smallvec", + "sqlx-core", + "stringprep", + "thiserror 2.0.18", + "tracing", + "uuid", + "whoami", +] + +[[package]] +name = "sqlx-sqlite" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c2d12fe70b2c1b4401038055f90f151b78208de1f9f89a7dbfd41587a10c3eea" +dependencies = [ + "atoi", + "chrono", + "flume", + "futures-channel", + "futures-core", + "futures-executor", + "futures-intrusive", + "futures-util", + "libsqlite3-sys", + "log", + "percent-encoding", + "serde", + "serde_urlencoded", + "sqlx-core", + "thiserror 2.0.18", + "tracing", + "url", + "uuid", +] + [[package]] name = "stable_deref_trait" version = "1.2.1" @@ -2626,12 +4118,43 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f" +[[package]] +name = "stringprep" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b4df3d392d81bd458a8a621b8bffbd2302a12ffe288a9d931670948749463b1" +dependencies = [ + "unicode-bidi", + "unicode-normalization", + "unicode-properties", +] + [[package]] name = "strsim" version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" +[[package]] +name = "struct-patch" +version = "0.10.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "16d4caaaccd69c9b56c5f5b33d4dca462464d3275230e4d2d3739ba6d4bf5bcb" +dependencies = [ + "struct-patch-derive", +] + +[[package]] +name = "struct-patch-derive" +version = "0.10.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1671c6f0992b1b4cb4f5f8ea4a58f9a5f7f895a7638ef9690633dcec0aa67944" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "subtle" version = "2.6.1" @@ -2654,6 +4177,9 @@ name = "sync_wrapper" version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263" +dependencies = [ + "futures-core", +] [[package]] name = "synstructure" @@ -2678,6 +4204,27 @@ dependencies = [ "time", ] +[[package]] +name = "system-configuration" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b" +dependencies = [ + "bitflags", + "core-foundation 0.9.4", + "system-configuration-sys", +] + +[[package]] +name = "system-configuration-sys" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "tempfile" version = "3.27.0" @@ -2792,6 +4339,21 @@ dependencies = [ "zerovec", ] +[[package]] +name = "tinyvec" +version = "1.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3e61e67053d25a4e82c844e8424039d9745781b3fc4f32b8d55ed50f5f667ef3" +dependencies = [ + "tinyvec_macros", +] + +[[package]] +name = "tinyvec_macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" + [[package]] name = "tokio" version = "1.51.1" @@ -2801,6 +4363,7 @@ dependencies = [ "bytes", "libc", "mio", + "parking_lot", "pin-project-lite", "signal-hook-registry", "socket2", @@ -2819,6 +4382,16 @@ dependencies = [ "syn", ] +[[package]] +name = "tokio-native-tls" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2" +dependencies = [ + "native-tls", + "tokio", +] + [[package]] name = "tokio-rustls" version = "0.26.4" @@ -2859,7 +4432,7 @@ version = "0.9.12+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf92845e79fc2e2def6a5d828f0801e29a2f8acc037becc5ab08595c7d5e9863" dependencies = [ - "indexmap", + "indexmap 2.14.0", "serde_core", "serde_spanned", "toml_datetime 0.7.5+spec-1.1.0", @@ -2922,7 +4495,7 @@ checksum = "fec7c61a0695dc1887c1b53952990f3ad2e3a31453e1f49f10e75424943a93ec" dependencies = [ "async-trait", "axum", - "base64", + "base64 0.22.1", "bytes", "flate2", "h2", @@ -2985,6 +4558,18 @@ dependencies = [ "tonic-build", ] +[[package]] +name = "totp-lite" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8e43134db17199f7f721803383ac5854edd0d3d523cc34dba321d6acfbe76c3" +dependencies = [ + "digest", + "hmac", + "sha1", + "sha2", +] + [[package]] name = "tower" version = "0.5.3" @@ -2993,7 +4578,7 @@ checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4" dependencies = [ "futures-core", "futures-util", - "indexmap", + "indexmap 2.14.0", "pin-project-lite", "slab", "sync_wrapper", @@ -3004,6 +4589,24 @@ dependencies = [ "tracing", ] +[[package]] +name = "tower-http" +version = "0.6.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8" +dependencies = [ + "bitflags", + "bytes", + "futures-util", + "http", + "http-body", + "iri-string", + "pin-project-lite", + "tower", + "tower-layer", + "tower-service", +] + [[package]] name = "tower-layer" version = "0.3.3" @@ -3096,12 +4699,33 @@ version = "2.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dbc4bc3a9f746d862c45cb89d705aa10f187bb96c76001afab07a0d35ce60142" +[[package]] +name = "unicode-bidi" +version = "0.3.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c1cb5db39152898a79168971543b1cb5020dff7fe43c8dc468b0885f5e29df5" + [[package]] name = "unicode-ident" version = "1.0.24" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75" +[[package]] +name = "unicode-normalization" +version = "0.1.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5fd4f6878c9cb28d874b009da9e8d183b5abc80117c40bbd187a1fde336be6e8" +dependencies = [ + "tinyvec", +] + +[[package]] +name = "unicode-properties" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7df058c713841ad818f1dc5d3fd88063241cc61f49f5fbea4b951e8cf5a8d71d" + [[package]] name = "unicode-xid" version = "0.2.6" @@ -3139,7 +4763,7 @@ dependencies = [ "glob", "goblin", "heck", - "indexmap", + "indexmap 2.14.0", "once_cell", "serde", "tempfile", @@ -3181,7 +4805,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "98f51ebca0d9a4b2aa6c644d5ede45c56f73906b96403c08a1985e75ccb64a01" dependencies = [ "anyhow", - "indexmap", + "indexmap 2.14.0", "proc-macro2", "quote", "syn", @@ -3224,7 +4848,7 @@ checksum = "a806dddc8208f22efd7e95a5cdf88ed43d0f3271e8f63b47e757a8bbdb43b63a" dependencies = [ "anyhow", "heck", - "indexmap", + "indexmap 2.14.0", "tempfile", "uniffi_internal_macros", ] @@ -3267,6 +4891,7 @@ dependencies = [ "idna", "percent-encoding", "serde", + "serde_derive", ] [[package]] @@ -3281,6 +4906,43 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" +[[package]] +name = "utoipa" +version = "5.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2fcc29c80c21c31608227e0912b2d7fddba57ad76b606890627ba8ee7964e993" +dependencies = [ + "indexmap 2.14.0", + "serde", + "serde_json", + "utoipa-gen", +] + +[[package]] +name = "utoipa-gen" +version = "5.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6d79d08d92ab8af4c5e8a6da20c47ae3f61a0f1dabc1997cdf2d082b757ca08b" +dependencies = [ + "proc-macro2", + "quote", + "regex", + "syn", + "uuid", +] + +[[package]] +name = "uuid" +version = "1.23.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ddd74a9687298c6858e9b88ec8935ec45d22e8fd5e6394fa1bd4e99a87789c76" +dependencies = [ + "getrandom 0.4.2", + "js-sys", + "serde_core", + "wasm-bindgen", +] + [[package]] name = "valuable" version = "0.1.1" @@ -3370,6 +5032,12 @@ dependencies = [ "wit-bindgen", ] +[[package]] +name = "wasite" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b" + [[package]] name = "wasm-bindgen" version = "0.2.117" @@ -3383,6 +5051,16 @@ dependencies = [ "wasm-bindgen-shared", ] +[[package]] +name = "wasm-bindgen-futures" +version = "0.4.67" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "03623de6905b7206edd0a75f69f747f134b7f0a2323392d664448bf2d3c5d87e" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + [[package]] name = "wasm-bindgen-macro" version = "0.2.117" @@ -3432,7 +5110,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909" dependencies = [ "anyhow", - "indexmap", + "indexmap 2.14.0", "wasm-encoder", "wasmparser", ] @@ -3445,10 +5123,88 @@ checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe" dependencies = [ "bitflags", "hashbrown 0.15.5", - "indexmap", + "indexmap 2.14.0", "semver", ] +[[package]] +name = "web-sys" +version = "0.3.94" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cd70027e39b12f0849461e08ffc50b9cd7688d942c1c8e3c7b22273236b4dd0a" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + +[[package]] +name = "webauthn-attestation-ca" +version = "0.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fafcf13f7dc1fb292ed4aea22cdd3757c285d7559e9748950ee390249da4da6b" +dependencies = [ + "base64urlsafedata", + "openssl", + "openssl-sys", + "serde", + "tracing", + "uuid", +] + +[[package]] +name = "webauthn-rs" +version = "0.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1b24d082d3360258fefb6ffe56123beef7d6868c765c779f97b7a2fcf06727f8" +dependencies = [ + "base64urlsafedata", + "serde", + "tracing", + "url", + "uuid", + "webauthn-rs-core", +] + +[[package]] +name = "webauthn-rs-core" +version = "0.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "15784340a24c170ce60567282fb956a0938742dbfbf9eff5df793a686a009b8b" +dependencies = [ + "base64 0.21.7", + "base64urlsafedata", + "der-parser 9.0.0", + "hex", + "nom", + "openssl", + "openssl-sys", + "rand 0.9.4", + "rand_chacha 0.9.0", + "serde", + "serde_cbor_2", + "serde_json", + "thiserror 1.0.69", + "tracing", + "url", + "uuid", + "webauthn-attestation-ca", + "webauthn-rs-proto", + "x509-parser 0.16.0", +] + +[[package]] +name = "webauthn-rs-proto" +version = "0.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "16a1fb2580ce73baa42d3011a24de2ceab0d428de1879ece06e02e8c416e497c" +dependencies = [ + "base64 0.21.7", + "base64urlsafedata", + "serde", + "serde_json", + "url", +] + [[package]] name = "weedle2" version = "5.0.0" @@ -3458,6 +5214,16 @@ dependencies = [ "nom", ] +[[package]] +name = "whoami" +version = "1.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5d4a4db5077702ca3015d3d02d74974948aba2ad9e12ab7df718ee64ccd7e97d" +dependencies = [ + "libredox", + "wasite", +] + [[package]] name = "widestring" version = "0.4.3" @@ -3547,6 +5313,17 @@ dependencies = [ "windows-link", ] +[[package]] +name = "windows-registry" +version = "0.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "02752bf7fbdcce7f2a27a742f798510f3e5ad88dbe84871e5168e2120c3d5720" +dependencies = [ + "windows-link", + "windows-result", + "windows-strings", +] + [[package]] name = "windows-result" version = "0.4.1" @@ -3565,13 +5342,22 @@ dependencies = [ "windows-link", ] +[[package]] +name = "windows-sys" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" +dependencies = [ + "windows-targets 0.48.5", +] + [[package]] name = "windows-sys" version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" dependencies = [ - "windows-targets", + "windows-targets 0.52.6", ] [[package]] @@ -3580,7 +5366,7 @@ version = "0.59.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b" dependencies = [ - "windows-targets", + "windows-targets 0.52.6", ] [[package]] @@ -3592,20 +5378,35 @@ dependencies = [ "windows-link", ] +[[package]] +name = "windows-targets" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" +dependencies = [ + "windows_aarch64_gnullvm 0.48.5", + "windows_aarch64_msvc 0.48.5", + "windows_i686_gnu 0.48.5", + "windows_i686_msvc 0.48.5", + "windows_x86_64_gnu 0.48.5", + "windows_x86_64_gnullvm 0.48.5", + "windows_x86_64_msvc 0.48.5", +] + [[package]] name = "windows-targets" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" dependencies = [ - "windows_aarch64_gnullvm", - "windows_aarch64_msvc", - "windows_i686_gnu", + "windows_aarch64_gnullvm 0.52.6", + "windows_aarch64_msvc 0.52.6", + "windows_i686_gnu 0.52.6", "windows_i686_gnullvm", - "windows_i686_msvc", - "windows_x86_64_gnu", - "windows_x86_64_gnullvm", - "windows_x86_64_msvc", + "windows_i686_msvc 0.52.6", + "windows_x86_64_gnu 0.52.6", + "windows_x86_64_gnullvm 0.52.6", + "windows_x86_64_msvc 0.52.6", ] [[package]] @@ -3617,18 +5418,36 @@ dependencies = [ "windows-link", ] +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" + [[package]] name = "windows_aarch64_gnullvm" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" +[[package]] +name = "windows_aarch64_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" + [[package]] name = "windows_aarch64_msvc" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" +[[package]] +name = "windows_i686_gnu" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" + [[package]] name = "windows_i686_gnu" version = "0.52.6" @@ -3641,24 +5460,48 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" +[[package]] +name = "windows_i686_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" + [[package]] name = "windows_i686_msvc" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" +[[package]] +name = "windows_x86_64_gnu" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" + [[package]] name = "windows_x86_64_gnu" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" + [[package]] name = "windows_x86_64_gnullvm" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" +[[package]] +name = "windows_x86_64_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" + [[package]] name = "windows_x86_64_msvc" version = "0.52.6" @@ -3724,7 +5567,7 @@ checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21" dependencies = [ "anyhow", "heck", - "indexmap", + "indexmap 2.14.0", "prettyplease", "syn", "wasm-metadata", @@ -3755,7 +5598,7 @@ checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2" dependencies = [ "anyhow", "bitflags", - "indexmap", + "indexmap 2.14.0", "log", "serde", "serde_derive", @@ -3774,7 +5617,7 @@ checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736" dependencies = [ "anyhow", "id-arena", - "indexmap", + "indexmap 2.14.0", "log", "semver", "serde", @@ -3797,23 +5640,40 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c7e468321c81fb07fa7f4c636c3972b9100f0346e5b6a9f2bd0603a52f7ed277" dependencies = [ "curve25519-dalek", - "rand_core", + "rand_core 0.6.4", "serde", "zeroize", ] +[[package]] +name = "x509-parser" +version = "0.16.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fcbc162f30700d6f3f82a24bf7cc62ffe7caea42c0b2cba8bf7f3ae50cf51f69" +dependencies = [ + "asn1-rs 0.6.2", + "data-encoding", + "der-parser 9.0.0", + "lazy_static", + "nom", + "oid-registry 0.7.1", + "rusticata-macros", + "thiserror 1.0.69", + "time", +] + [[package]] name = "x509-parser" version = "0.18.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d43b0f71ce057da06bc0851b23ee24f3f86190b07203dd8f567d0b706a185202" dependencies = [ - "asn1-rs", + "asn1-rs 0.7.1", "data-encoding", - "der-parser", + "der-parser 10.0.0", "lazy_static", "nom", - "oid-registry", + "oid-registry 0.8.1", "ring", "rusticata-macros", "thiserror 2.0.18", @@ -3852,6 +5712,26 @@ dependencies = [ "synstructure", ] +[[package]] +name = "zerocopy" +version = "0.8.48" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eed437bf9d6692032087e337407a86f04cd8d6a16a37199ed57949d415bd68e9" +dependencies = [ + "zerocopy-derive", +] + +[[package]] +name = "zerocopy-derive" +version = "0.8.48" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "70e3cd084b1788766f53af483dd21f93881ff30d7320490ec3ef7526d203bad4" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "zerofrom" version = "0.1.7" diff --git a/Cargo.toml b/Cargo.toml index 74228c5c..b75d4d36 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -8,8 +8,11 @@ axum = "0.8" base64 = "0.22" chrono = "0.4" clap = { version = "4.6", features = ["derive", "env"] } -defguard_certs = { git = "https://github.com/DefGuard/defguard.git", rev = "01957186101fc105803d56f1190efbdb5102df2f" } -defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "01957186101fc105803d56f1190efbdb5102df2f" } +defguard_certs = { git = "https://github.com/DefGuard/defguard.git", rev = "564dc72c" } +defguard_grpc_tls = { git = "https://github.com/DefGuard/defguard.git", rev = "710b1bfd" } +defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "7d28f46e" } +rustls-webpki = { version = "0.103", features = ["ring", "std"] } +rustls-pki-types = "1" defguard_wireguard_rs = "0.9" env_logger = "0.11" ipnetwork = "0.21" @@ -46,7 +49,9 @@ mnl = "0.3" nix = { version = "0.31", default-features = false, features = ["ioctl"] } [dev-dependencies] -tokio = { version = "1", features = ["io-std", "io-util"] } +defguard_certs = { git = "https://github.com/DefGuard/defguard.git", rev = "564dc72c" } +rustls = { version = "0.23", default-features = false, features = ["ring"] } +tokio = { version = "1", features = ["sync", "time"] } tonic = { version = "0.14", default-features = false, features = [ "codegen", "router", diff --git a/proto b/proto index 7adfe3bf..7e1b8293 160000 --- a/proto +++ b/proto @@ -1 +1 @@ -Subproject commit 7adfe3bfd1b7b701e58d25ddadd0c0c7a4a3e046 +Subproject commit 7e1b829343832d261fcfefc4587a795a975dec7e diff --git a/src/gateway.rs b/src/gateway.rs index 53806904..57f4a71d 100644 --- a/src/gateway.rs +++ b/src/gateway.rs @@ -9,24 +9,24 @@ use std::{ time::{Duration, SystemTime}, }; +use defguard_certs::{CertificateError, CertificateInfo}; +use defguard_grpc_tls::{certs::server_tls_config, server::certificate_serial_interceptor}; use defguard_version::{ ComponentInfo, DefguardComponent, Version, get_tracing_variables, server::DefguardVersionLayer, }; use defguard_wireguard_rs::{WireguardInterfaceApi, net::IpAddrMask}; use tokio::{ + fs::remove_file, sync::{mpsc, oneshot}, time::interval, }; use tokio_stream::wrappers::UnboundedReceiverStream; -use tonic::{ - Request, Response, Status, Streaming, - transport::{Identity, Server, ServerTlsConfig}, -}; +use tonic::{Request, Response, Status, Streaming, service::InterceptorLayer, transport::Server}; use tower::ServiceBuilder; use tracing::instrument; use crate::{ - GRPC_CERT_NAME, GRPC_KEY_NAME, VERSION, + CORE_CLIENT_CERT_NAME, GRPC_CA_CERT_NAME, GRPC_CERT_NAME, GRPC_KEY_NAME, VERSION, config::Config, enterprise::firewall::{ FirewallConfig, FirewallError, FirewallRule, SnatBinding, @@ -144,6 +144,10 @@ type PubKey = String; pub struct TlsConfig { pub grpc_cert_pem: String, pub grpc_key_pem: String, + /// PEM-encoded CA certificate used to verify Core's mTLS client certificate chain. + pub grpc_ca_cert_pem: String, + /// DER-encoded Core client certificate; used to extract and pin the expected serial. + pub core_client_cert_der: Vec, } pub struct Gateway { @@ -558,9 +562,11 @@ impl GatewayServer { } /// Starts the gateway process. - /// * Retrieves configuration and configuration updates from Defguard gRPC server - /// * Manages the interface according to configuration and updates - /// * Sends interface statistics to Defguard server periodically + /// * Requires a valid mTLS configuration to be set (via `set_tls_config`) before starting; + /// returns an error if TLS configuration is absent - the gRPC server never starts in plain-text mode + /// * Retrieves configuration and configuration updates from Defguard core via a mTLS-secured gRPC server + /// * Manages the WireGuard interface according to configuration and updates + /// * Sends interface statistics to Defguard core periodically pub async fn start(self, config: Config) -> Result<(), GatewayError> { info!("Starting Defguard Gateway version {VERSION} with configuration: {config:?}"); @@ -593,36 +599,42 @@ impl GatewayServer { execute_command(post_up)?; } - let grpc_cert = self + let tls_config = self .gateway .lock() - .unwrap() - .tls_config - .as_ref() - .map(|c| c.grpc_cert_pem.clone()); - let grpc_key = self - .gateway - .lock() - .unwrap() + .expect("gateway mutex poison") .tls_config - .as_ref() - .map(|c| c.grpc_key_pem.clone()); + .clone(); // Build gRPC server. let addr = config.grpc_socket(); info!("gRPC server is listening on {addr}"); - let mut builder = if let (Some(cert), Some(key)) = (grpc_cert, grpc_key) { - let identity = Identity::from_pem(cert, key); - Server::builder().tls_config(ServerTlsConfig::new().identity(identity))? - } else { - Server::builder() - }; + + let tls = tls_config.ok_or_else(|| { + GatewayError::SetupError( + "TLS configuration is required; gateway gRPC server cannot start without mTLS" + .into(), + ) + })?; + + let tls_config = + server_tls_config(&tls.grpc_cert_pem, &tls.grpc_key_pem, &tls.grpc_ca_cert_pem) + .map_err(|e| GatewayError::SetupError(e.to_string()))?; + let mut builder = Server::builder().tls_config(tls_config)?; + + // Extract Core client cert serial for pinning. + let expected_serial = CertificateInfo::from_der(&tls.core_client_cert_der) + .map_err(|e: CertificateError| GatewayError::SetupError(e.to_string()))? + .serial; // Start gRPC server. This should run indefinitely. debug!("Serving gRPC"); builder .add_service( ServiceBuilder::new() + .layer(InterceptorLayer::new(certificate_serial_interceptor( + expected_serial, + ))) .layer(DefguardVersionLayer::new(Version::parse(VERSION)?)) .service(gateway_server::GatewayServer::new(self)), ) @@ -760,25 +772,24 @@ impl gateway_server::Gateway for GatewayServer { debug!("Received purge request, removing gRPC certificate files"); let cert_path = self.cert_dir.join(GRPC_CERT_NAME); let key_path = self.cert_dir.join(GRPC_KEY_NAME); + let ca_cert_path = self.cert_dir.join(GRPC_CA_CERT_NAME); + let core_client_cert_path = self.cert_dir.join(CORE_CLIENT_CERT_NAME); - if let Err(err) = tokio::fs::remove_file(&cert_path).await - && err.kind() != std::io::ErrorKind::NotFound - { - error!( - "Failed to remove gRPC certificate at {}: {err}", - cert_path.display() - ); - return Err(Status::internal("Failed to remove gRPC certificate")); - } - info!("Removed gRPC certificate at {}", cert_path.display()); + let remove_cert_file = async |path: &std::path::Path, label: &str| -> Result<(), Status> { + if let Err(err) = remove_file(path).await + && err.kind() != std::io::ErrorKind::NotFound + { + error!("Failed to remove {label} at {}: {err}", path.display()); + return Err(Status::internal(format!("Failed to remove {label}"))); + } + info!("Removed {label} at {}", path.display()); + Ok(()) + }; - if let Err(err) = tokio::fs::remove_file(&key_path).await - && err.kind() != std::io::ErrorKind::NotFound - { - error!("Failed to remove gRPC key at {}: {err}", key_path.display()); - return Err(Status::internal("Failed to remove gRPC key")); - } - info!("Removed gRPC key at {}", cert_path.display()); + remove_cert_file(&cert_path, "gRPC certificate").await?; + remove_cert_file(&key_path, "gRPC key").await?; + remove_cert_file(&ca_cert_path, "CA certificate").await?; + remove_cert_file(&core_client_cert_path, "Core client certificate").await?; // Prepare underlying `Gateway` to enter setup mode. self.gateway diff --git a/src/lib.rs b/src/lib.rs index cebcb217..2f5d9f75 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -57,10 +57,15 @@ pub mod enterprise; pub mod logging; pub mod setup; +#[cfg(test)] +mod tests; + pub const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), "+", env!("VERGEN_GIT_SHA")); pub const GRPC_CERT_NAME: &str = "gateway_grpc_cert.pem"; pub const GRPC_KEY_NAME: &str = "gateway_grpc_key.pem"; +pub const GRPC_CA_CERT_NAME: &str = "grpc_ca_cert.pem"; +pub const CORE_CLIENT_CERT_NAME: &str = "core_client_cert.pem"; /// Masks object's field with "***" string. /// Used to log sensitive/secret objects. diff --git a/src/main.rs b/src/main.rs index f6dcd8cb..d84fc606 100644 --- a/src/main.rs +++ b/src/main.rs @@ -3,12 +3,13 @@ use std::{fs::Permissions, os::unix::fs::PermissionsExt}; use std::{ fs::{File, read_to_string}, io::Write, + path::Path, process, sync::{Arc, Mutex}, }; use defguard_gateway::{ - GRPC_CERT_NAME, GRPC_KEY_NAME, VERSION, + CORE_CLIENT_CERT_NAME, GRPC_CA_CERT_NAME, GRPC_CERT_NAME, GRPC_KEY_NAME, VERSION, config::get_config, error::GatewayError, execute_command, @@ -24,6 +25,30 @@ use defguard_wireguard_rs::Kernel; use defguard_wireguard_rs::{Userspace, WGApi}; use tokio::{sync::mpsc, task::JoinSet}; +fn load_tls_config(cert_dir: &Path) -> Result, GatewayError> { + let grpc_cert = read_to_string(cert_dir.join(GRPC_CERT_NAME)).ok(); + let grpc_key = read_to_string(cert_dir.join(GRPC_KEY_NAME)).ok(); + let grpc_ca_cert = read_to_string(cert_dir.join(GRPC_CA_CERT_NAME)).ok(); + let core_client_cert_pem = read_to_string(cert_dir.join(CORE_CLIENT_CERT_NAME)).ok(); + + match (grpc_cert, grpc_key, grpc_ca_cert, core_client_cert_pem) { + (Some(cert), Some(key), Some(ca_cert), Some(client_cert_pem)) => { + let core_client_cert_der = defguard_certs::parse_pem_certificate(&client_cert_pem) + .map_err(|e| { + GatewayError::SetupError(format!("Failed to parse Core client cert: {e}")) + })? + .to_vec(); + Ok(Some(TlsConfig { + grpc_cert_pem: cert, + grpc_key_pem: key, + grpc_ca_cert_pem: ca_cert, + core_client_cert_der, + })) + } + _ => Ok(None), + } +} + #[tokio::main] async fn main() -> Result<(), GatewayError> { // parse config @@ -44,12 +69,7 @@ async fn main() -> Result<(), GatewayError> { tokio::fs::set_permissions(cert_dir, Permissions::from_mode(0o700)).await?; } - let (grpc_cert, grpc_key) = ( - read_to_string(cert_dir.join(GRPC_CERT_NAME)).ok(), - read_to_string(cert_dir.join(GRPC_KEY_NAME)).ok(), - ); - - let needs_setup = grpc_cert.is_none() || grpc_key.is_none(); + let maybe_tls_config = load_tls_config(cert_dir)?; // TODO: The channel size may need to be adjusted or some other approach should be used // to avoid dropping log messages. @@ -108,25 +128,21 @@ async fn main() -> Result<(), GatewayError> { let post_down_clone = config.post_down.clone(); tasks.spawn(async move { - let tls_config = if needs_setup { - log::info!( - "gRPC TLS certificates not found in {}. They will be generated during setup.", - config.cert_dir.display() - ); - run_setup(&config, Arc::clone(&logs_rx)).await? - } else if let (Some(cert), Some(key)) = (grpc_cert, grpc_key) { - log::info!( - "Using existing gRPC TLS certificates from {}", - config.cert_dir.display() - ); - TlsConfig { - grpc_cert_pem: cert, - grpc_key_pem: key, + let tls_config = match maybe_tls_config { + None => { + log::info!( + "gRPC TLS certificates not found in {}. They will be generated during setup.", + config.cert_dir.display() + ); + run_setup(&config, Arc::clone(&logs_rx)).await? + } + Some(tls_config) => { + log::info!( + "Using existing gRPC TLS certificates from {}", + config.cert_dir.display() + ); + tls_config } - } else { - return Err(GatewayError::SetupError( - "gRPC TLS certificates are missing after setup".to_string(), - )); }; // Launch gRPC server (with purge-triggered setup loop). diff --git a/src/setup.rs b/src/setup.rs index c3936f54..0272909e 100644 --- a/src/setup.rs +++ b/src/setup.rs @@ -1,6 +1,10 @@ -use std::sync::{Arc, Mutex}; +use std::{ + sync::{Arc, Mutex}, + time::{Duration, SystemTime, UNIX_EPOCH}, +}; use defguard_version::{Version, server::DefguardVersionLayer}; +use rustls_pki_types::{CertificateDer, UnixTime}; use tokio::{ fs::OpenOptions, io::AsyncWriteExt, @@ -10,14 +14,15 @@ use tokio_stream::wrappers::UnboundedReceiverStream; use tonic::{Request, Response, Status, transport::Server}; use tower::ServiceBuilder; use tracing::instrument; +use webpki::{KeyUsage, anchor_from_trusted_cert}; use crate::{ - GRPC_CERT_NAME, GRPC_KEY_NAME, VERSION, + CORE_CLIENT_CERT_NAME, GRPC_CA_CERT_NAME, GRPC_CERT_NAME, GRPC_KEY_NAME, VERSION, config::Config, error::GatewayError, gateway::TlsConfig, proto::{ - common::{CertificateInfo, DerPayload, LogEntry}, + common::{CertBundle, CertificateInfo, DerPayload, LogEntry}, gateway::gateway_setup_server, }, }; @@ -25,6 +30,67 @@ use crate::{ const AUTH_HEADER: &str = "authorization"; type LogsReceiver = Arc>>; +/// Verify that both `component_der` and `core_client_der` are signed by `ca_der`. +/// +/// Uses ECDSA P-256 via `ring` (chosen for FreeBSD/OPNsense compatibility; +/// `aws-lc-rs` does not support FreeBSD). The proxy counterpart uses `aws-lc-rs`. +/// Both verify the same algorithm set: `ECDSA_P256_SHA256` and `ECDSA_P256_SHA384`. +/// Returns an error message string on any failure so the caller can forward it as a gRPC status. +fn validate_cert_bundle( + ca_der: &[u8], + component_der: &[u8], + core_client_der: &[u8], +) -> Result<(), String> { + let sig_algs: &[&dyn rustls_pki_types::SignatureVerificationAlgorithm] = &[ + webpki::ring::ECDSA_P256_SHA256, + webpki::ring::ECDSA_P256_SHA384, + ]; + + let ca_cert_der = CertificateDer::from(ca_der); + let trust_anchor = anchor_from_trusted_cert(&ca_cert_der) + .map_err(|e| format!("Failed to parse CA certificate as trust anchor: {e}"))?; + let trust_anchors = [trust_anchor]; + + let now = SystemTime::now() + .duration_since(UNIX_EPOCH) + .unwrap_or(Duration::ZERO); + let time = UnixTime::since_unix_epoch(now); + + // Verify component (server) certificate. + let component_cert_der = CertificateDer::from(component_der); + let component_ee = webpki::EndEntityCert::try_from(&component_cert_der) + .map_err(|e| format!("Failed to parse component certificate: {e}"))?; + component_ee + .verify_for_usage( + sig_algs, + &trust_anchors, + &[], + time, + KeyUsage::server_auth(), + None, + None, + ) + .map_err(|e| format!("Component certificate failed chain validation: {e}"))?; + + // Verify Core client certificate. + let core_client_cert_der = CertificateDer::from(core_client_der); + let core_client_ee = webpki::EndEntityCert::try_from(&core_client_cert_der) + .map_err(|e| format!("Failed to parse Core client certificate: {e}"))?; + core_client_ee + .verify_for_usage( + sig_algs, + &trust_anchors, + &[], + time, + KeyUsage::client_auth(), + None, + None, + ) + .map_err(|e| format!("Core client certificate failed chain validation: {e}"))?; + + Ok(()) +} + pub async fn run_setup( config: &Config, logs_rx: Arc>>, @@ -49,10 +115,33 @@ pub async fn run_setup( .await?; // Write key to a file. options + .clone() .open(key_path) .await? .write_all(tls_config.grpc_key_pem.as_bytes()) .await?; + // Write CA certificate to a file. + options + .clone() + .open(cert_dir.join(GRPC_CA_CERT_NAME)) + .await? + .write_all(tls_config.grpc_ca_cert_pem.as_bytes()) + .await?; + // Write Core client certificate (PEM-encoded) to a file for serial pinning on restart. + let core_client_cert_pem = defguard_certs::der_to_pem( + &tls_config.core_client_cert_der, + defguard_certs::PemLabel::Certificate, + ) + .map_err(|err| { + GatewayError::SetupError(format!( + "Failed to PEM-encode Core client certificate: {err}" + )) + })?; + options + .open(cert_dir.join(CORE_CLIENT_CERT_NAME)) + .await? + .write_all(core_client_cert_pem.as_bytes()) + .await?; log::info!( "Generated gRPC TLS certificates have been saved to {}", cert_dir.display() @@ -309,8 +398,8 @@ impl gateway_setup_server::GatewaySetup for GatewaySetupServer { } #[instrument(skip(self, request))] - async fn send_cert(&self, request: Request) -> Result, Status> { - debug!("Core sending back signed certificate for installation"); + async fn send_cert(&self, request: Request) -> Result, Status> { + debug!("Core sending back signed certificate bundle for installation"); let token = request .metadata() .get(AUTH_HEADER) @@ -324,25 +413,60 @@ impl gateway_setup_server::GatewaySetup for GatewaySetupServer { return Err(Status::unauthenticated("Invalid session token")); } - let der_payload = request.into_inner(); - let cert_der = der_payload.der_data; + let bundle = request.into_inner(); + + debug!("Validating certificate bundle received from Core"); + if let Err(reason) = validate_cert_bundle( + &bundle.ca_cert_der, + &bundle.component_cert_der, + &bundle.core_client_cert_der, + ) { + error!("Certificate bundle validation failed: {reason}"); + self.clear_setup_session(); + return Err(Status::invalid_argument(reason)); + } + debug!("Certificate bundle validated successfully against CA"); + debug!( - "Received signed certificate from Core ({} bytes)", - cert_der.len() + "Received component certificate from Core ({} bytes)", + bundle.component_cert_der.len() ); + debug!("Parsing component certificate DER data"); + let grpc_cert_pem = match defguard_certs::der_to_pem( + &bundle.component_cert_der, + defguard_certs::PemLabel::Certificate, + ) { + Ok(pem) => pem, + Err(err) => { + let msg = format!("Failed to convert component certificate DER to PEM: {err}"); + error!("{msg}"); + self.clear_setup_session(); + return Err(Status::internal(msg)); + } + }; - debug!("Parsing received certificate DER data"); - let grpc_cert_pem = - match defguard_certs::der_to_pem(&cert_der, defguard_certs::PemLabel::Certificate) { - Ok(pem) => pem, - Err(err) => { - let msg = format!("Failed to convert certificate DER to PEM: {err}"); - error!("{msg}"); - self.clear_setup_session(); - return Err(Status::internal(msg)); - } - }; - debug!("Certificate processed successfully"); + debug!( + "Received CA certificate from Core ({} bytes)", + bundle.ca_cert_der.len() + ); + debug!("Parsing CA certificate DER data"); + let grpc_ca_cert_pem = match defguard_certs::der_to_pem( + &bundle.ca_cert_der, + defguard_certs::PemLabel::Certificate, + ) { + Ok(pem) => pem, + Err(err) => { + let msg = format!("Failed to convert CA certificate DER to PEM: {err}"); + error!("{msg}"); + self.clear_setup_session(); + return Err(Status::internal(msg)); + } + }; + + debug!( + "Received Core client certificate ({} bytes); will pin serial for mTLS", + bundle.core_client_cert_der.len() + ); let key_pair = { let key_pair = self @@ -367,6 +491,8 @@ impl gateway_setup_server::GatewaySetup for GatewaySetupServer { let configuration = TlsConfig { grpc_key_pem: key_pair.serialize_pem(), grpc_cert_pem, + grpc_ca_cert_pem, + core_client_cert_der: bundle.core_client_cert_der, }; let Some(sender) = self.setup_tx.lock().await.take() else { diff --git a/src/tests/mock_wgapi.rs b/src/tests/mock_wgapi.rs new file mode 100644 index 00000000..261daac5 --- /dev/null +++ b/src/tests/mock_wgapi.rs @@ -0,0 +1,66 @@ +use std::net::IpAddr; + +use defguard_wireguard_rs::{ + InterfaceConfiguration, WireguardInterfaceApi, error::WireguardInterfaceError, host::Host, + key::Key, net::IpAddrMask, peer::Peer as WgPeer, +}; + +/// A minimal no-op WireGuard API implementation for use in tests. +/// +/// All operations return an error - the gateway warns and continues on +/// interface creation failure, and no other WireGuard operations are invoked +/// during the mTLS handshake tests. +pub(crate) struct NullWgApi; + +impl WireguardInterfaceApi for NullWgApi { + fn create_interface(&mut self) -> Result<(), WireguardInterfaceError> { + Err(WireguardInterfaceError::Interface( + "test: no WireGuard available".into(), + )) + } + + fn assign_address(&self, _address: &IpAddrMask) -> Result<(), WireguardInterfaceError> { + Err(WireguardInterfaceError::Interface("test".into())) + } + + fn configure_peer_routing(&self, _peers: &[WgPeer]) -> Result<(), WireguardInterfaceError> { + Err(WireguardInterfaceError::Interface("test".into())) + } + + fn configure_interface( + &self, + _config: &InterfaceConfiguration, + ) -> Result<(), WireguardInterfaceError> { + Err(WireguardInterfaceError::Interface("test".into())) + } + + #[cfg(not(target_os = "windows"))] + fn remove_interface(&self) -> Result<(), WireguardInterfaceError> { + Err(WireguardInterfaceError::Interface("test".into())) + } + + #[cfg(target_os = "windows")] + fn remove_interface(&mut self) -> Result<(), WireguardInterfaceError> { + Err(WireguardInterfaceError::Interface("test".into())) + } + + fn configure_peer(&self, _peer: &WgPeer) -> Result<(), WireguardInterfaceError> { + Err(WireguardInterfaceError::Interface("test".into())) + } + + fn remove_peer(&self, _peer_pubkey: &Key) -> Result<(), WireguardInterfaceError> { + Err(WireguardInterfaceError::Interface("test".into())) + } + + fn read_interface_data(&self) -> Result { + Err(WireguardInterfaceError::Interface("test".into())) + } + + fn configure_dns( + &self, + _dns: &[IpAddr], + _search_domains: &[&str], + ) -> Result<(), WireguardInterfaceError> { + Err(WireguardInterfaceError::Interface("test".into())) + } +} diff --git a/src/tests/mod.rs b/src/tests/mod.rs new file mode 100644 index 00000000..d5fb0405 --- /dev/null +++ b/src/tests/mod.rs @@ -0,0 +1,2 @@ +mod mock_wgapi; +mod mtls; diff --git a/src/tests/mtls.rs b/src/tests/mtls.rs new file mode 100644 index 00000000..e32b4fdc --- /dev/null +++ b/src/tests/mtls.rs @@ -0,0 +1,310 @@ +use std::{ + env::temp_dir, + net::TcpListener, + sync::{Arc, Mutex}, + time::Duration, +}; + +use defguard_certs::{ + CertificateAuthority, Csr, PemLabel, cert_der_to_pem, der_to_pem, generate_key_pair, +}; +use rustls::crypto::ring; +use tokio::{select, spawn, sync::oneshot, time::sleep}; +use tokio_stream::iter as stream_iter; +use tonic::{ + Code, Request, + transport::{Certificate, Channel, ClientTlsConfig, Endpoint, Identity}, +}; + +use super::mock_wgapi::NullWgApi; +use crate::{ + config::Config, + gateway::{Gateway, GatewayServer, TlsConfig}, + proto::gateway::gateway_client::GatewayClient, +}; + +struct TestCerts { + ca_cert_pem: String, + gateway_cert_pem: String, + gateway_key_pem: String, + core_client_cert_der: Vec, + core_client_cert_pem: String, + core_client_key_pem: String, + wrong_serial_cert_pem: String, + wrong_serial_key_pem: String, + rogue_client_cert_pem: String, + rogue_client_key_pem: String, +} + +impl TestCerts { + fn generate() -> Self { + let ca = CertificateAuthority::new("Test CA", "test@test.local", 365).unwrap(); + let ca_cert_pem = ca.cert_pem().unwrap(); + + // Gateway server cert: ServerAuth EKU, IP SAN 127.0.0.1 + let gw_key = generate_key_pair().unwrap(); + let gw_csr = Csr::new(&gw_key, &["127.0.0.1".to_string()], Vec::new()).unwrap(); + let gw_server_cert = ca.sign_server_cert(&gw_csr).unwrap(); + let gateway_cert_pem = cert_der_to_pem(gw_server_cert.der()).unwrap(); + let gateway_key_pem = der_to_pem(gw_key.serialized_der(), PemLabel::PrivateKey).unwrap(); + + // Core client cert A - pinned serial + let client_a = ca.issue_core_client_cert("core-client-a").unwrap(); + let core_client_cert_der = client_a.cert_der.clone(); + let core_client_cert_pem = cert_der_to_pem(&client_a.cert_der).unwrap(); + let core_client_key_pem = der_to_pem(&client_a.key_der, PemLabel::PrivateKey).unwrap(); + + // Core client cert B - different serial, same CA + let client_b = ca.issue_core_client_cert("core-client-b").unwrap(); + let wrong_serial_cert_pem = cert_der_to_pem(&client_b.cert_der).unwrap(); + let wrong_serial_key_pem = der_to_pem(&client_b.key_der, PemLabel::PrivateKey).unwrap(); + + // Rogue CA + client cert + let rogue_ca = CertificateAuthority::new("Rogue CA", "rogue@rogue.local", 365).unwrap(); + let rogue_client = rogue_ca.issue_core_client_cert("rogue-core").unwrap(); + let rogue_client_cert_pem = cert_der_to_pem(&rogue_client.cert_der).unwrap(); + let rogue_client_key_pem = der_to_pem(&rogue_client.key_der, PemLabel::PrivateKey).unwrap(); + + Self { + ca_cert_pem, + gateway_cert_pem, + gateway_key_pem, + core_client_cert_der, + core_client_cert_pem, + core_client_key_pem, + wrong_serial_cert_pem, + wrong_serial_key_pem, + rogue_client_cert_pem, + rogue_client_key_pem, + } + } +} + +fn make_tls_config(certs: &TestCerts) -> TlsConfig { + TlsConfig { + grpc_key_pem: certs.gateway_key_pem.clone(), + grpc_cert_pem: certs.gateway_cert_pem.clone(), + grpc_ca_cert_pem: certs.ca_cert_pem.clone(), + core_client_cert_der: certs.core_client_cert_der.clone(), + } +} + +fn build_gateway(config: &Config) -> Gateway { + Gateway::new(config.clone(), NullWgApi).unwrap() +} + +/// Install the rustls AWS-LC crypto provider for the process. +/// +/// Must be called before any TLS code runs. Safe to call from multiple tests - +/// subsequent calls after the first are silently ignored. +fn init_crypto() { + let _ = ring::default_provider().install_default(); +} + +/// Spawn a configured `GatewayServer` on a free port. +/// Returns `(bound_port, shutdown_tx)`. +async fn spawn_test_gateway(certs: &TestCerts) -> (u16, oneshot::Sender<()>) { + let port = TcpListener::bind("127.0.0.1:0") + .unwrap() + .local_addr() + .unwrap() + .port(); + + let mut config = Config::default(); + config.grpc_port = port; + + let gateway = build_gateway(&config); + let gateway = Arc::new(Mutex::new(gateway)); + + let (reset_tx, _reset_rx) = oneshot::channel(); + let mut server = GatewayServer::new(Arc::clone(&gateway), temp_dir(), reset_tx); + server.set_tls_config(make_tls_config(certs)); + + let (shutdown_tx, shutdown_rx) = oneshot::channel::<()>(); + spawn(async move { + select! { + _ = server.start(config) => {} + _ = shutdown_rx => {} + } + }); + + sleep(Duration::from_millis(150)).await; + + (port, shutdown_tx) +} + +/// Build a tonic `GatewayClient` with optional mTLS client identity. +async fn connect( + port: u16, + ca_cert_pem: &str, + client_identity: Option<(&str, &str)>, +) -> Result, tonic::transport::Error> { + let mut tls = ClientTlsConfig::new().ca_certificate(Certificate::from_pem(ca_cert_pem)); + + if let Some((cert_pem, key_pem)) = client_identity { + tls = tls.identity(Identity::from_pem(cert_pem, key_pem)); + } + + let channel = Endpoint::from_shared(format!("https://127.0.0.1:{port}")) + .unwrap() + .tls_config(tls)? + .connect() + .await?; + + Ok(GatewayClient::new(channel)) +} + +/// Open a `bidi` streaming call with an empty request stream and return the status. +/// +/// The stream body is irrelevant - we only care whether the mTLS + serial-pin +/// interceptors accept or reject the connection. +async fn call_bidi(client: &mut GatewayClient) -> tonic::Status { + let empty = Vec::new(); + match client.bidi(Request::new(stream_iter(empty))).await { + Ok(_) => tonic::Status::ok("accepted"), + Err(status) => status, + } +} + +/// `start()` must return `Err` immediately when no `TlsConfig` has been set. +#[tokio::test] +async fn start_errors_without_tls_config() { + let config = Config::default(); + let gateway = build_gateway(&config); + let gateway = Arc::new(Mutex::new(gateway)); + let (reset_tx, _) = oneshot::channel(); + let server = GatewayServer::new(Arc::clone(&gateway), temp_dir(), reset_tx); + // TLS config intentionally not set. + let result = server.start(config).await; + assert!(result.is_err(), "expected Err, got Ok"); + assert!( + result + .unwrap_err() + .to_string() + .contains("TLS configuration is required"), + "unexpected error message", + ); +} + +/// A client presenting the correct CA-signed cert with the expected serial must be accepted. +/// +/// The `bidi` call may be rejected by the version interceptor (no version headers are sent), +/// but it must NOT be rejected with `Unauthenticated` - that would indicate the mTLS layer +/// or serial-pin interceptor wrongly rejected the cert. +#[tokio::test] +async fn valid_mtls_client_accepted() { + init_crypto(); + let certs = TestCerts::generate(); + let (port, shutdown_tx) = spawn_test_gateway(&certs).await; + + let mut client = connect( + port, + &certs.ca_cert_pem, + Some((&certs.core_client_cert_pem, &certs.core_client_key_pem)), + ) + .await + .expect("TLS handshake should succeed with valid client cert"); + + let status = call_bidi(&mut client).await; + + assert_ne!( + status.code(), + Code::Unauthenticated, + "valid client cert should not be rejected; got: {status}", + ); + + let _ = shutdown_tx.send(()); +} + +/// A client that presents no certificate must be rejected at the TLS layer. +#[tokio::test] +async fn no_client_cert_rejected() { + init_crypto(); + let certs = TestCerts::generate(); + let (port, shutdown_tx) = spawn_test_gateway(&certs).await; + + // connect() is lazy in tonic - the TLS handshake happens on the first RPC. + let Ok(mut client) = connect(port, &certs.ca_cert_pem, None).await else { + let _ = shutdown_tx.send(()); + return; + }; + + let empty = Vec::new(); + let result = client.bidi(Request::new(stream_iter(empty))).await; + + assert!( + result.is_err(), + "connecting without a client cert should be rejected", + ); + + let _ = shutdown_tx.send(()); +} + +/// A client presenting a cert from the correct CA but with the wrong serial must be rejected +/// by the serial-pin interceptor with `Unauthenticated`. +#[tokio::test] +async fn wrong_serial_rejected() { + init_crypto(); + let certs = TestCerts::generate(); + let (port, shutdown_tx) = spawn_test_gateway(&certs).await; + + // This cert is valid (signed by the CA the server trusts) but has a different serial. + let mut client = connect( + port, + &certs.ca_cert_pem, + Some((&certs.wrong_serial_cert_pem, &certs.wrong_serial_key_pem)), + ) + .await + .expect("TLS handshake should succeed; the serial check runs as a gRPC interceptor"); + + let status = call_bidi(&mut client).await; + + assert_eq!( + status.code(), + Code::Unauthenticated, + "wrong-serial cert must be rejected with Unauthenticated; got: {status}", + ); + + let _ = shutdown_tx.send(()); +} + +/// A client presenting a cert signed by a rogue CA must be rejected at the TLS layer +/// because the server does not trust that CA. +#[tokio::test] +async fn rogue_ca_client_rejected() { + init_crypto(); + let certs = TestCerts::generate(); + let (port, shutdown_tx) = spawn_test_gateway(&certs).await; + + // connect() is lazy in tonic - the TLS handshake happens on the first RPC. + let Ok(mut client) = connect( + port, + &certs.ca_cert_pem, + Some((&certs.rogue_client_cert_pem, &certs.rogue_client_key_pem)), + ) + .await + else { + let _ = shutdown_tx.send(()); + return; + }; + + let empty = Vec::new(); + let result = client.bidi(Request::new(stream_iter(empty))).await; + + assert!( + result.is_err(), + "rogue-CA client cert must be rejected; got Ok", + ); + // Must NOT be FailedPrecondition - that would mean the cert was accepted by the + // TLS layer and reached the gRPC handler. + if let Err(ref status) = result { + assert_ne!( + status.code(), + Code::FailedPrecondition, + "rogue-CA cert reached the gRPC handler - server-side CA verification is missing; \ + got: {status}", + ); + } + + let _ = shutdown_tx.send(()); +}