From 3344bf34ec0d25b456010ae36955dccd60b7a696 Mon Sep 17 00:00:00 2001 From: Dmitry Dodzin Date: Mon, 9 Sep 2024 19:49:37 +0300 Subject: [PATCH] Temporary Yeet TLS from external-proxy --- mirrord/cli/src/error.rs | 6 --- mirrord/cli/src/external_proxy.rs | 67 ++---------------------- mirrord/intproxy/src/agent_conn.rs | 84 ++---------------------------- 3 files changed, 7 insertions(+), 150 deletions(-) diff --git a/mirrord/cli/src/error.rs b/mirrord/cli/src/error.rs index 497e2d8c30a..a509c439dc3 100644 --- a/mirrord/cli/src/error.rs +++ b/mirrord/cli/src/error.rs @@ -99,12 +99,6 @@ pub(crate) enum ExternalProxyError { #[error(transparent)] #[diagnostic(help("{GENERAL_BUG}"))] Tls(#[from] ConnectionTlsError), - - #[error( - "there was no tls information provided, see `external_proxy` keys in config if specified" - )] - #[diagnostic(help("{GENERAL_BUG}"))] - MissingTlsInfo, } /// Errors that can occur when executing the `mirrord intproxy` command. diff --git a/mirrord/cli/src/external_proxy.rs b/mirrord/cli/src/external_proxy.rs index be08738a619..b0ef36ce22b 100644 --- a/mirrord/cli/src/external_proxy.rs +++ b/mirrord/cli/src/external_proxy.rs @@ -20,9 +20,8 @@ //! ``` use std::{ - fs::{File, OpenOptions}, + fs::OpenOptions, io, - io::BufReader, net::SocketAddr, sync::{ atomic::{AtomicUsize, Ordering}, @@ -34,10 +33,9 @@ use std::{ use futures::{SinkExt, StreamExt}; use mirrord_analytics::{AnalyticsReporter, CollectAnalytics, Reporter}; use mirrord_config::LayerConfig; -use mirrord_intproxy::agent_conn::{AgentConnection, ConnectionTlsError}; +use mirrord_intproxy::agent_conn::AgentConnection; use mirrord_protocol::DaemonCodec; use tokio::net::{TcpListener, TcpStream}; -use tokio_rustls::server::TlsStream; use tokio_util::sync::CancellationToken; use tracing::Level; use tracing_subscriber::EnvFilter; @@ -99,7 +97,7 @@ pub async fn proxy(watch: drain::Watch) -> Result<()> { let mut analytics = AnalyticsReporter::new(config.telemetry, execution_kind, watch); (&config).collect_analytics(analytics.get_mut()); - let tls_acceptor = create_external_proxy_tls_acceptor(&config).await?; + // let tls_acceptor = create_external_proxy_tls_acceptor(&config).await?; let listener = create_listen_socket(SocketAddr::new(config.external_proxy.listen, 0)) .map_err(ExternalProxyError::ListenerSetup)?; print_addr(&listener).map_err(ExternalProxyError::ListenerSetup)?; @@ -120,7 +118,6 @@ pub async fn proxy(watch: drain::Watch) -> Result<()> { if let Ok((stream, peer_addr)) = conn { tracing::debug!(?peer_addr, "new connection"); - let tls_acceptor = tls_acceptor.clone(); let connections = connections.clone(); let cancellation_token = cancellation_token.clone(); let connection_cancelation_token = cancellation_token.child_token(); @@ -129,8 +126,6 @@ pub async fn proxy(watch: drain::Watch) -> Result<()> { connections.fetch_add(1, Ordering::Relaxed); let fut = async move { - let stream = tls_acceptor.accept(stream).await?; - handle_connection(stream, peer_addr, agent_conn, connection_cancelation_token).await; tracing::debug!(?peer_addr, "closed connection"); @@ -174,63 +169,9 @@ pub async fn proxy(watch: drain::Watch) -> Result<()> { Ok(()) } -async fn create_external_proxy_tls_acceptor( - config: &LayerConfig, -) -> Result { - let (Some(client_tls_certificate), Some(tls_certificate), Some(tls_key)) = ( - config.internal_proxy.client_tls_certificate.as_ref(), - config.external_proxy.tls_certificate.as_ref(), - config.external_proxy.tls_key.as_ref(), - ) else { - return Err(ExternalProxyError::MissingTlsInfo); - }; - - let tls_client_certificates = rustls_pemfile::certs(&mut BufReader::new( - File::open(client_tls_certificate) - .map_err(|error| { - ConnectionTlsError::MissingPem(client_tls_certificate.to_path_buf(), error) - }) - .map_err(ExternalProxyError::Tls)?, - )) - .collect::, _>>() - .map_err(|error| ConnectionTlsError::ParsingPem(client_tls_certificate.to_path_buf(), error)) - .map_err(ExternalProxyError::Tls)?; - - let tls_certificate = rustls_pemfile::certs(&mut BufReader::new( - File::open(tls_certificate) - .map_err(|error| ConnectionTlsError::MissingPem(tls_certificate.to_path_buf(), error)) - .map_err(ExternalProxyError::Tls)?, - )) - .collect::, _>>() - .map_err(|error| ConnectionTlsError::ParsingPem(tls_certificate.to_path_buf(), error)) - .map_err(ExternalProxyError::Tls)?; - - let tls_keys = rustls_pemfile::private_key(&mut BufReader::new( - File::open(tls_key) - .map_err(|error| ConnectionTlsError::MissingPem(tls_key.to_path_buf(), error))?, - )) - .map_err(|error| ConnectionTlsError::ParsingPem(tls_key.to_path_buf(), error))? - .ok_or_else(|| ConnectionTlsError::MissingPrivateKey(tls_key.to_path_buf()))?; - - let mut roots = rustls::RootCertStore::empty(); - - roots.add_parsable_certificates(tls_client_certificates); - - let client_verifier = rustls::server::WebPkiClientVerifier::builder(roots.into()) - .build() - .map_err(ConnectionTlsError::ClientVerifier)?; - - let tls_config = rustls::ServerConfig::builder() - .with_client_cert_verifier(client_verifier) - .with_single_cert(tls_certificate, tls_keys) - .map_err(ConnectionTlsError::ServerConfig)?; - - Ok(tokio_rustls::TlsAcceptor::from(Arc::new(tls_config))) -} - #[tracing::instrument(level = Level::TRACE, skip(agent_conn))] async fn handle_connection( - stream: TlsStream, + stream: TcpStream, peer_addr: SocketAddr, mut agent_conn: AgentConnection, cancellation_token: CancellationToken, diff --git a/mirrord/intproxy/src/agent_conn.rs b/mirrord/intproxy/src/agent_conn.rs index bc5742f1d2f..89003f8c84d 100644 --- a/mirrord/intproxy/src/agent_conn.rs +++ b/mirrord/intproxy/src/agent_conn.rs @@ -2,12 +2,9 @@ //! mirrord crates. use std::{ - fs::File, io, - io::BufReader, net::{IpAddr, SocketAddr, ToSocketAddrs}, - path::{Path, PathBuf}, - sync::Arc, + path::PathBuf, }; use mirrord_analytics::Reporter; @@ -25,12 +22,8 @@ use serde::{Deserialize, Serialize}; use thiserror::Error; use tokio::{ net::{TcpSocket, TcpStream}, - sync::{ - mpsc, - mpsc::{Receiver, Sender}, - }, + sync::mpsc::{Receiver, Sender}, }; -use tokio_rustls::TlsConnector; use crate::{ background_tasks::{BackgroundTask, MessageBus}, @@ -135,26 +128,7 @@ impl AgentConnection { let stream = socket.connect(proxy_sockaddr).await?; - if let (Some(tls_certificate), Some(client_tls_certificate), Some(client_tls_key)) = ( - config.external_proxy.tls_certificate.as_ref(), - config.internal_proxy.client_tls_certificate.as_ref(), - config.internal_proxy.client_tls_key.as_ref(), - ) { - wrap_connection_with_tls( - stream, - proxy_sockaddr.ip(), - proxy_addr - .split_once(':') - .map(|(domain, _)| domain) - .unwrap_or(&proxy_addr), - tls_certificate, - client_tls_certificate, - client_tls_key, - ) - .await? - } else { - wrap_raw_connection(stream) - } + wrap_raw_connection(stream) } Some(AgentConnectInfo::DirectKubernetes(connect_info)) => { @@ -235,55 +209,3 @@ impl BackgroundTask for AgentConnection { } } } - -pub async fn wrap_connection_with_tls( - stream: TcpStream, - proxy_ip: IpAddr, - proxy_server_name: &str, - tls_certificate: &Path, - client_tls_certificate: &Path, - client_tls_key: &Path, -) -> Result<(mpsc::Sender, mpsc::Receiver), ConnectionTlsError> { - let mut root_cert_store = rustls::RootCertStore::empty(); - - root_cert_store.add_parsable_certificates( - rustls_pemfile::certs(&mut BufReader::new(File::open(tls_certificate).map_err( - |error| ConnectionTlsError::MissingPem(tls_certificate.to_path_buf(), error), - )?)) - .collect::, _>>() - .map_err(|error| ConnectionTlsError::ParsingPem(tls_certificate.to_path_buf(), error))?, - ); - - let client_tls_certificate = rustls_pemfile::certs(&mut BufReader::new( - File::open(client_tls_certificate).map_err(|error| { - ConnectionTlsError::MissingPem(client_tls_certificate.to_path_buf(), error) - })?, - )) - .collect::, _>>() - .map_err(|error| ConnectionTlsError::ParsingPem(client_tls_certificate.to_path_buf(), error))?; - - let client_tls_keys = rustls_pemfile::private_key(&mut BufReader::new( - File::open(client_tls_key) - .map_err(|error| ConnectionTlsError::MissingPem(client_tls_key.to_path_buf(), error))?, - )) - .map_err(|error| ConnectionTlsError::ParsingPem(client_tls_key.to_path_buf(), error))? - .ok_or_else(|| ConnectionTlsError::MissingPrivateKey(client_tls_key.to_path_buf()))?; - - let tls_config = rustls::ClientConfig::builder() - .with_root_certificates(root_cert_store) - .with_client_auth_cert(client_tls_certificate, client_tls_keys) - .map_err(ConnectionTlsError::ClientConfig)?; - - let connector = TlsConnector::from(Arc::new(tls_config)); - - let domain = rustls::pki_types::ServerName::try_from(proxy_server_name) - .map_err(|error| ConnectionTlsError::InvalidDnsName(proxy_ip, error))? - .to_owned(); - - Ok(wrap_raw_connection( - connector - .connect(domain, stream) - .await - .map_err(ConnectionTlsError::Connection)?, - )) -}