use std::net::SocketAddr; use std::sync::Arc; use anyhow::{anyhow, Result}; use base64::Engine; use hyper::service::service_fn; use hyper::{Request, Response, body::Bytes}; use hyper::server::conn::http1 as http; use hyper_util::rt::TokioIo; use http_body_util::Full; use futures::stream::{FuturesUnordered, StreamExt}; use tokio::net::TcpListener; use tokio::sync::watch; use tokio_rustls::TlsAcceptor; use tokio::net::TcpStream; use hyper::rt::{Read, Write}; use tokio::io::{AsyncRead, AsyncWrite}; use rustls_pemfile::{certs, private_key}; use aero_user::config::{DavConfig, DavUnsecureConfig}; use aero_user::login::ArcLoginProvider; use aero_collections::user::User; pub struct Server { bind_addr: SocketAddr, login_provider: ArcLoginProvider, tls: Option, } pub fn new_unsecure(config: DavUnsecureConfig, login: ArcLoginProvider) -> Server { Server { bind_addr: config.bind_addr, login_provider: login, tls: None, } } pub fn new(config: DavConfig, login: ArcLoginProvider) -> Result { let loaded_certs = certs(&mut std::io::BufReader::new(std::fs::File::open( config.certs, )?)) .collect::, _>>()?; let loaded_key = private_key(&mut std::io::BufReader::new(std::fs::File::open( config.key, )?))? .unwrap(); let tls_config = rustls::ServerConfig::builder() .with_no_client_auth() .with_single_cert(loaded_certs, loaded_key)?; let acceptor = TlsAcceptor::from(Arc::new(tls_config)); Ok(Server { bind_addr: config.bind_addr, login_provider: login, tls: Some(acceptor), }) } trait Stream: Read + Write + Send + Unpin {} impl Stream for TokioIo {} impl Server { pub async fn run(self: Self, mut must_exit: watch::Receiver) -> Result<()> { let tcp = TcpListener::bind(self.bind_addr).await?; tracing::info!("DAV server listening on {:#}", self.bind_addr); let mut connections = FuturesUnordered::new(); while !*must_exit.borrow() { let wait_conn_finished = async { if connections.is_empty() { futures::future::pending().await } else { connections.next().await } }; let (socket, remote_addr) = tokio::select! { a = tcp.accept() => a?, _ = wait_conn_finished => continue, _ = must_exit.changed() => continue, }; tracing::info!("Accepted connection from {}", remote_addr); let stream = match self.build_stream(socket).await { Ok(v) => v, Err(e) => { tracing::error!(err=?e, "TLS acceptor failed"); continue } }; let login = self.login_provider.clone(); let conn = tokio::spawn(async move { //@FIXME should create a generic "public web" server on which "routers" could be //abitrarily bound //@FIXME replace with a handler supporting http2 and TLS match http::Builder::new().serve_connection(stream, service_fn(|req: Request| { let login = login.clone(); tracing::info!("{:?} {:?}", req.method(), req.uri()); async move { auth(login, req).await } })).await { Err(e) => tracing::warn!(err=?e, "connection failed"), Ok(()) => tracing::trace!("connection terminated with success"), } }); connections.push(conn); } drop(tcp); tracing::info!("Server shutting down, draining remaining connections..."); while connections.next().await.is_some() {} Ok(()) } async fn build_stream(&self, socket: TcpStream) -> Result> { match self.tls.clone() { Some(acceptor) => { let stream = acceptor.accept(socket).await?; Ok(Box::new(TokioIo::new(stream))) } None => Ok(Box::new(TokioIo::new(socket))), } } } //@FIXME We should not support only BasicAuth async fn auth( login: ArcLoginProvider, req: Request, ) -> Result>> { tracing::info!("headers: {:?}", req.headers()); let auth_val = match req.headers().get(hyper::header::AUTHORIZATION) { Some(hv) => hv.to_str()?, None => { tracing::info!("Missing authorization field"); return Ok(Response::builder() .status(401) .header("WWW-Authenticate", "Basic realm=\"Aerogramme\"") .body(Full::new(Bytes::from("Missing Authorization field")))?) }, }; let b64_creds_maybe_padded = match auth_val.split_once(" ") { Some(("Basic", b64)) => b64, _ => { tracing::info!("Unsupported authorization field"); return Ok(Response::builder() .status(400) .body(Full::new(Bytes::from("Unsupported Authorization field")))?) }, }; // base64urlencoded may have trailing equals, base64urlsafe has not // theoretically authorization is padded but "be liberal in what you accept" let b64_creds_clean = b64_creds_maybe_padded.trim_end_matches('='); // Decode base64 let creds = base64::engine::general_purpose::STANDARD_NO_PAD.decode(b64_creds_clean)?; let str_creds = std::str::from_utf8(&creds)?; // Split username and password let (username, password) = str_creds .split_once(':') .ok_or(anyhow!("Missing colon in Authorization, can't split decoded value into a username/password pair"))?; // Call login provider let creds = match login.login(username, password).await { Ok(c) => c, Err(_) => { tracing::info!(user=username, "Wrong credentials"); return Ok(Response::builder() .status(401) .header("WWW-Authenticate", "Basic realm=\"Aerogramme\"") .body(Full::new(Bytes::from("Wrong credentials")))?) }, }; // Build a user let user = User::new(username.into(), creds).await?; // Call router with user router(user, req).await } async fn router(user: std::sync::Arc, req: Request) -> Result>> { let path_segments: Vec<_> = req.uri().path().split("/").filter(|s| *s != "").collect(); tracing::info!("router"); match path_segments.as_slice() { [] => tracing::info!("root"), [ username, ..] if *username != user.username => return Ok(Response::builder() .status(403) .body(Full::new(Bytes::from("Accessing other user ressources is not allowed")))?), [ _ ] => tracing::info!("user home"), [ _, "calendar" ] => tracing::info!("user calendars"), [ _, "calendar", colname ] => tracing::info!(name=colname, "selected calendar"), [ _, "calendar", colname, member ] => tracing::info!(name=colname, obj=member, "selected event"), _ => return Ok(Response::builder() .status(404) .body(Full::new(Bytes::from("Resource not found")))?), } Ok(Response::new(Full::new(Bytes::from("Hello World!")))) } #[allow(dead_code)] async fn collections(_user: std::sync::Arc, _req: Request) -> Result>> { unimplemented!(); }