Temporary Yeet TLS from external-proxy

metalbear-co · Sep 9, 2024 · 3344bf3 · 3344bf3
1 parent d0231fa
commit 3344bf3
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 150 deletions.
diff --git a/mirrord/cli/src/error.rs b/mirrord/cli/src/error.rs
@@ -99,12 +99,6 @@ pub(crate) enum ExternalProxyError {
     #[error(transparent)]
     #[diagnostic(help("{GENERAL_BUG}"))]
     Tls(#[from] ConnectionTlsError),
-
-    #[error(
-        "there was no tls information provided, see `external_proxy` keys in config if specified"
-    )]
-    #[diagnostic(help("{GENERAL_BUG}"))]
-    MissingTlsInfo,
 }
 
 /// Errors that can occur when executing the `mirrord intproxy` command.

diff --git a/mirrord/cli/src/external_proxy.rs b/mirrord/cli/src/external_proxy.rs
@@ -20,9 +20,8 @@
 //! ```
 
 use std::{
-    fs::{File, OpenOptions},
+    fs::OpenOptions,
     io,
-    io::BufReader,
     net::SocketAddr,
     sync::{
         atomic::{AtomicUsize, Ordering},
@@ -34,10 +33,9 @@ use std::{
 use futures::{SinkExt, StreamExt};
 use mirrord_analytics::{AnalyticsReporter, CollectAnalytics, Reporter};
 use mirrord_config::LayerConfig;
-use mirrord_intproxy::agent_conn::{AgentConnection, ConnectionTlsError};
+use mirrord_intproxy::agent_conn::AgentConnection;
 use mirrord_protocol::DaemonCodec;
 use tokio::net::{TcpListener, TcpStream};
-use tokio_rustls::server::TlsStream;
 use tokio_util::sync::CancellationToken;
 use tracing::Level;
 use tracing_subscriber::EnvFilter;
@@ -99,7 +97,7 @@ pub async fn proxy(watch: drain::Watch) -> Result<()> {
     let mut analytics = AnalyticsReporter::new(config.telemetry, execution_kind, watch);
     (&config).collect_analytics(analytics.get_mut());
 
-    let tls_acceptor = create_external_proxy_tls_acceptor(&config).await?;
+    // let tls_acceptor = create_external_proxy_tls_acceptor(&config).await?;
     let listener = create_listen_socket(SocketAddr::new(config.external_proxy.listen, 0))
         .map_err(ExternalProxyError::ListenerSetup)?;
     print_addr(&listener).map_err(ExternalProxyError::ListenerSetup)?;
@@ -120,7 +118,6 @@ pub async fn proxy(watch: drain::Watch) -> Result<()> {
                 if let Ok((stream, peer_addr)) = conn {
                     tracing::debug!(?peer_addr, "new connection");
 
-                    let tls_acceptor = tls_acceptor.clone();
                     let connections = connections.clone();
                     let cancellation_token = cancellation_token.clone();
                     let connection_cancelation_token = cancellation_token.child_token();
@@ -129,8 +126,6 @@ pub async fn proxy(watch: drain::Watch) -> Result<()> {
                     connections.fetch_add(1, Ordering::Relaxed);
 
                     let fut = async move {
-                        let stream = tls_acceptor.accept(stream).await?;
-
                         handle_connection(stream, peer_addr, agent_conn, connection_cancelation_token).await;
 
                         tracing::debug!(?peer_addr, "closed connection");
@@ -174,63 +169,9 @@ pub async fn proxy(watch: drain::Watch) -> Result<()> {
     Ok(())
 }
 
-async fn create_external_proxy_tls_acceptor(
-    config: &LayerConfig,
-) -> Result<tokio_rustls::TlsAcceptor, ExternalProxyError> {
-    let (Some(client_tls_certificate), Some(tls_certificate), Some(tls_key)) = (
-        config.internal_proxy.client_tls_certificate.as_ref(),
-        config.external_proxy.tls_certificate.as_ref(),
-        config.external_proxy.tls_key.as_ref(),
-    ) else {
-        return Err(ExternalProxyError::MissingTlsInfo);
-    };
-
-    let tls_client_certificates = rustls_pemfile::certs(&mut BufReader::new(
-        File::open(client_tls_certificate)
-            .map_err(|error| {
-                ConnectionTlsError::MissingPem(client_tls_certificate.to_path_buf(), error)
-            })
-            .map_err(ExternalProxyError::Tls)?,
-    ))
-    .collect::<Result<Vec<_>, _>>()
-    .map_err(|error| ConnectionTlsError::ParsingPem(client_tls_certificate.to_path_buf(), error))
-    .map_err(ExternalProxyError::Tls)?;
-
-    let tls_certificate = rustls_pemfile::certs(&mut BufReader::new(
-        File::open(tls_certificate)
-            .map_err(|error| ConnectionTlsError::MissingPem(tls_certificate.to_path_buf(), error))
-            .map_err(ExternalProxyError::Tls)?,
-    ))
-    .collect::<Result<Vec<_>, _>>()
-    .map_err(|error| ConnectionTlsError::ParsingPem(tls_certificate.to_path_buf(), error))
-    .map_err(ExternalProxyError::Tls)?;
-
-    let tls_keys = rustls_pemfile::private_key(&mut BufReader::new(
-        File::open(tls_key)
-            .map_err(|error| ConnectionTlsError::MissingPem(tls_key.to_path_buf(), error))?,
-    ))
-    .map_err(|error| ConnectionTlsError::ParsingPem(tls_key.to_path_buf(), error))?
-    .ok_or_else(|| ConnectionTlsError::MissingPrivateKey(tls_key.to_path_buf()))?;
-
-    let mut roots = rustls::RootCertStore::empty();
-
-    roots.add_parsable_certificates(tls_client_certificates);
-
-    let client_verifier = rustls::server::WebPkiClientVerifier::builder(roots.into())
-        .build()
-        .map_err(ConnectionTlsError::ClientVerifier)?;
-
-    let tls_config = rustls::ServerConfig::builder()
-        .with_client_cert_verifier(client_verifier)
-        .with_single_cert(tls_certificate, tls_keys)
-        .map_err(ConnectionTlsError::ServerConfig)?;
-
-    Ok(tokio_rustls::TlsAcceptor::from(Arc::new(tls_config)))
-}
-
 #[tracing::instrument(level = Level::TRACE, skip(agent_conn))]
 async fn handle_connection(
-    stream: TlsStream<TcpStream>,
+    stream: TcpStream,
     peer_addr: SocketAddr,
     mut agent_conn: AgentConnection,
     cancellation_token: CancellationToken,

diff --git a/mirrord/intproxy/src/agent_conn.rs b/mirrord/intproxy/src/agent_conn.rs
@@ -2,12 +2,9 @@
 //! mirrord crates.
 
 use std::{
-    fs::File,
     io,
-    io::BufReader,
     net::{IpAddr, SocketAddr, ToSocketAddrs},
-    path::{Path, PathBuf},
-    sync::Arc,
+    path::PathBuf,
 };
 
 use mirrord_analytics::Reporter;
@@ -25,12 +22,8 @@ use serde::{Deserialize, Serialize};
 use thiserror::Error;
 use tokio::{
     net::{TcpSocket, TcpStream},
-    sync::{
-        mpsc,
-        mpsc::{Receiver, Sender},
-    },
+    sync::mpsc::{Receiver, Sender},
 };
-use tokio_rustls::TlsConnector;
 
 use crate::{
     background_tasks::{BackgroundTask, MessageBus},
@@ -135,26 +128,7 @@ impl AgentConnection {
 
                 let stream = socket.connect(proxy_sockaddr).await?;
 
-                if let (Some(tls_certificate), Some(client_tls_certificate), Some(client_tls_key)) = (
-                    config.external_proxy.tls_certificate.as_ref(),
-                    config.internal_proxy.client_tls_certificate.as_ref(),
-                    config.internal_proxy.client_tls_key.as_ref(),
-                ) {
-                    wrap_connection_with_tls(
-                        stream,
-                        proxy_sockaddr.ip(),
-                        proxy_addr
-                            .split_once(':')
-                            .map(|(domain, _)| domain)
-                            .unwrap_or(&proxy_addr),
-                        tls_certificate,
-                        client_tls_certificate,
-                        client_tls_key,
-                    )
-                    .await?
-                } else {
-                    wrap_raw_connection(stream)
-                }
+                wrap_raw_connection(stream)
             }
 
             Some(AgentConnectInfo::DirectKubernetes(connect_info)) => {
@@ -235,55 +209,3 @@ impl BackgroundTask for AgentConnection {
         }
     }
 }
-
-pub async fn wrap_connection_with_tls(
-    stream: TcpStream,
-    proxy_ip: IpAddr,
-    proxy_server_name: &str,
-    tls_certificate: &Path,
-    client_tls_certificate: &Path,
-    client_tls_key: &Path,
-) -> Result<(mpsc::Sender<ClientMessage>, mpsc::Receiver<DaemonMessage>), ConnectionTlsError> {
-    let mut root_cert_store = rustls::RootCertStore::empty();
-
-    root_cert_store.add_parsable_certificates(
-        rustls_pemfile::certs(&mut BufReader::new(File::open(tls_certificate).map_err(
-            |error| ConnectionTlsError::MissingPem(tls_certificate.to_path_buf(), error),
-        )?))
-        .collect::<Result<Vec<_>, _>>()
-        .map_err(|error| ConnectionTlsError::ParsingPem(tls_certificate.to_path_buf(), error))?,
-    );
-
-    let client_tls_certificate = rustls_pemfile::certs(&mut BufReader::new(
-        File::open(client_tls_certificate).map_err(|error| {
-            ConnectionTlsError::MissingPem(client_tls_certificate.to_path_buf(), error)
-        })?,
-    ))
-    .collect::<Result<Vec<_>, _>>()
-    .map_err(|error| ConnectionTlsError::ParsingPem(client_tls_certificate.to_path_buf(), error))?;
-
-    let client_tls_keys = rustls_pemfile::private_key(&mut BufReader::new(
-        File::open(client_tls_key)
-            .map_err(|error| ConnectionTlsError::MissingPem(client_tls_key.to_path_buf(), error))?,
-    ))
-    .map_err(|error| ConnectionTlsError::ParsingPem(client_tls_key.to_path_buf(), error))?
-    .ok_or_else(|| ConnectionTlsError::MissingPrivateKey(client_tls_key.to_path_buf()))?;
-
-    let tls_config = rustls::ClientConfig::builder()
-        .with_root_certificates(root_cert_store)
-        .with_client_auth_cert(client_tls_certificate, client_tls_keys)
-        .map_err(ConnectionTlsError::ClientConfig)?;
-
-    let connector = TlsConnector::from(Arc::new(tls_config));
-
-    let domain = rustls::pki_types::ServerName::try_from(proxy_server_name)
-        .map_err(|error| ConnectionTlsError::InvalidDnsName(proxy_ip, error))?
-        .to_owned();
-
-    Ok(wrap_raw_connection(
-        connector
-            .connect(domain, stream)
-            .await
-            .map_err(ConnectionTlsError::Connection)?,
-    ))
-}