2024-01-01 14:58:21 -05:00
|
|
|
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
|
2023-08-22 13:56:00 +08:00
|
|
|
|
|
|
|
use std::cell::RefCell;
|
|
|
|
use std::marker::PhantomData;
|
|
|
|
use std::rc::Rc;
|
|
|
|
use std::sync::Arc;
|
|
|
|
|
|
|
|
use crate::DatabaseHandler;
|
|
|
|
use anyhow::Context;
|
|
|
|
use async_trait::async_trait;
|
2024-07-02 01:09:47 +01:00
|
|
|
use bytes::Bytes;
|
2023-08-22 13:56:00 +08:00
|
|
|
use deno_core::error::type_error;
|
|
|
|
use deno_core::error::AnyError;
|
2024-07-02 01:09:47 +01:00
|
|
|
use deno_core::futures::Stream;
|
2023-08-22 13:56:00 +08:00
|
|
|
use deno_core::OpState;
|
2023-10-31 12:13:57 +01:00
|
|
|
use deno_fetch::create_http_client;
|
|
|
|
use deno_fetch::CreateHttpClientOptions;
|
2024-11-04 09:17:21 -08:00
|
|
|
use deno_permissions::PermissionCheckError;
|
2023-10-31 12:13:57 +01:00
|
|
|
use deno_tls::rustls::RootCertStore;
|
|
|
|
use deno_tls::Proxy;
|
|
|
|
use deno_tls::RootCertStoreProvider;
|
refactor(ext/tls): Implement required functionality for later SNI support (#23686)
Precursor to #23236
This implements the SNI features, but uses private symbols to avoid
exposing the functionality at this time. Note that to properly test this
feature, we need to add a way for `connectTls` to specify a hostname.
This is something that should be pushed into that API at a later time as
well.
```ts
Deno.test(
{ permissions: { net: true, read: true } },
async function listenResolver() {
let sniRequests = [];
const listener = Deno.listenTls({
hostname: "localhost",
port: 0,
[resolverSymbol]: (sni: string) => {
sniRequests.push(sni);
return {
cert,
key,
};
},
});
{
const conn = await Deno.connectTls({
hostname: "localhost",
[serverNameSymbol]: "server-1",
port: listener.addr.port,
});
const [_handshake, serverConn] = await Promise.all([
conn.handshake(),
listener.accept(),
]);
conn.close();
serverConn.close();
}
{
const conn = await Deno.connectTls({
hostname: "localhost",
[serverNameSymbol]: "server-2",
port: listener.addr.port,
});
const [_handshake, serverConn] = await Promise.all([
conn.handshake(),
listener.accept(),
]);
conn.close();
serverConn.close();
}
assertEquals(sniRequests, ["server-1", "server-2"]);
listener.close();
},
);
```
---------
Signed-off-by: Matt Mastracci <matthew@mastracci.com>
2024-05-09 10:54:47 -06:00
|
|
|
use deno_tls::TlsKeys;
|
2023-10-31 12:13:57 +01:00
|
|
|
use denokv_remote::MetadataEndpoint;
|
|
|
|
use denokv_remote::Remote;
|
2024-07-02 01:09:47 +01:00
|
|
|
use denokv_remote::RemoteResponse;
|
|
|
|
use denokv_remote::RemoteTransport;
|
2024-07-18 00:37:31 +01:00
|
|
|
use http_body_util::BodyExt;
|
2023-08-22 13:56:00 +08:00
|
|
|
use url::Url;
|
2023-10-31 12:13:57 +01:00
|
|
|
|
|
|
|
#[derive(Clone)]
|
|
|
|
pub struct HttpOptions {
|
|
|
|
pub user_agent: String,
|
|
|
|
pub root_cert_store_provider: Option<Arc<dyn RootCertStoreProvider>>,
|
|
|
|
pub proxy: Option<Proxy>,
|
|
|
|
pub unsafely_ignore_certificate_errors: Option<Vec<String>>,
|
refactor(ext/tls): Implement required functionality for later SNI support (#23686)
Precursor to #23236
This implements the SNI features, but uses private symbols to avoid
exposing the functionality at this time. Note that to properly test this
feature, we need to add a way for `connectTls` to specify a hostname.
This is something that should be pushed into that API at a later time as
well.
```ts
Deno.test(
{ permissions: { net: true, read: true } },
async function listenResolver() {
let sniRequests = [];
const listener = Deno.listenTls({
hostname: "localhost",
port: 0,
[resolverSymbol]: (sni: string) => {
sniRequests.push(sni);
return {
cert,
key,
};
},
});
{
const conn = await Deno.connectTls({
hostname: "localhost",
[serverNameSymbol]: "server-1",
port: listener.addr.port,
});
const [_handshake, serverConn] = await Promise.all([
conn.handshake(),
listener.accept(),
]);
conn.close();
serverConn.close();
}
{
const conn = await Deno.connectTls({
hostname: "localhost",
[serverNameSymbol]: "server-2",
port: listener.addr.port,
});
const [_handshake, serverConn] = await Promise.all([
conn.handshake(),
listener.accept(),
]);
conn.close();
serverConn.close();
}
assertEquals(sniRequests, ["server-1", "server-2"]);
listener.close();
},
);
```
---------
Signed-off-by: Matt Mastracci <matthew@mastracci.com>
2024-05-09 10:54:47 -06:00
|
|
|
pub client_cert_chain_and_key: TlsKeys,
|
2023-10-31 12:13:57 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
impl HttpOptions {
|
|
|
|
pub fn root_cert_store(&self) -> Result<Option<RootCertStore>, AnyError> {
|
|
|
|
Ok(match &self.root_cert_store_provider {
|
|
|
|
Some(provider) => Some(provider.get_or_try_init()?.clone()),
|
|
|
|
None => None,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
2023-08-22 13:56:00 +08:00
|
|
|
|
|
|
|
pub trait RemoteDbHandlerPermissions {
|
2024-11-04 09:17:21 -08:00
|
|
|
fn check_env(&mut self, var: &str) -> Result<(), PermissionCheckError>;
|
2023-08-22 13:56:00 +08:00
|
|
|
fn check_net_url(
|
|
|
|
&mut self,
|
|
|
|
url: &Url,
|
|
|
|
api_name: &str,
|
2024-11-04 09:17:21 -08:00
|
|
|
) -> Result<(), PermissionCheckError>;
|
2023-08-22 13:56:00 +08:00
|
|
|
}
|
|
|
|
|
2024-06-06 23:37:53 -04:00
|
|
|
impl RemoteDbHandlerPermissions for deno_permissions::PermissionsContainer {
|
|
|
|
#[inline(always)]
|
2024-11-04 09:17:21 -08:00
|
|
|
fn check_env(&mut self, var: &str) -> Result<(), PermissionCheckError> {
|
2024-06-06 23:37:53 -04:00
|
|
|
deno_permissions::PermissionsContainer::check_env(self, var)
|
|
|
|
}
|
|
|
|
|
|
|
|
#[inline(always)]
|
|
|
|
fn check_net_url(
|
|
|
|
&mut self,
|
|
|
|
url: &Url,
|
|
|
|
api_name: &str,
|
2024-11-04 09:17:21 -08:00
|
|
|
) -> Result<(), PermissionCheckError> {
|
2024-06-06 23:37:53 -04:00
|
|
|
deno_permissions::PermissionsContainer::check_net_url(self, url, api_name)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-08-22 13:56:00 +08:00
|
|
|
pub struct RemoteDbHandler<P: RemoteDbHandlerPermissions + 'static> {
|
2023-10-31 12:13:57 +01:00
|
|
|
http_options: HttpOptions,
|
2023-08-22 13:56:00 +08:00
|
|
|
_p: std::marker::PhantomData<P>,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl<P: RemoteDbHandlerPermissions> RemoteDbHandler<P> {
|
2023-10-31 12:13:57 +01:00
|
|
|
pub fn new(http_options: HttpOptions) -> Self {
|
|
|
|
Self {
|
|
|
|
http_options,
|
|
|
|
_p: PhantomData,
|
|
|
|
}
|
2023-08-22 13:56:00 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-10-31 12:13:57 +01:00
|
|
|
pub struct PermissionChecker<P: RemoteDbHandlerPermissions> {
|
|
|
|
state: Rc<RefCell<OpState>>,
|
|
|
|
_permissions: PhantomData<P>,
|
2023-08-22 13:56:00 +08:00
|
|
|
}
|
|
|
|
|
2023-12-05 14:21:46 +01:00
|
|
|
impl<P: RemoteDbHandlerPermissions> Clone for PermissionChecker<P> {
|
|
|
|
fn clone(&self) -> Self {
|
|
|
|
Self {
|
|
|
|
state: self.state.clone(),
|
|
|
|
_permissions: PhantomData,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-10-31 12:13:57 +01:00
|
|
|
impl<P: RemoteDbHandlerPermissions + 'static> denokv_remote::RemotePermissions
|
|
|
|
for PermissionChecker<P>
|
|
|
|
{
|
|
|
|
fn check_net_url(&self, url: &Url) -> Result<(), anyhow::Error> {
|
|
|
|
let mut state = self.state.borrow_mut();
|
|
|
|
let permissions = state.borrow_mut::<P>();
|
2024-11-04 09:17:21 -08:00
|
|
|
permissions
|
|
|
|
.check_net_url(url, "Deno.openKv")
|
|
|
|
.map_err(Into::into)
|
2023-10-31 12:13:57 +01:00
|
|
|
}
|
2023-08-22 13:56:00 +08:00
|
|
|
}
|
|
|
|
|
2024-07-02 01:09:47 +01:00
|
|
|
#[derive(Clone)]
|
2024-07-18 00:37:31 +01:00
|
|
|
pub struct FetchClient(deno_fetch::Client);
|
|
|
|
pub struct FetchResponse(http::Response<deno_fetch::ResBody>);
|
2024-07-02 01:09:47 +01:00
|
|
|
|
2024-07-18 00:37:31 +01:00
|
|
|
impl RemoteTransport for FetchClient {
|
|
|
|
type Response = FetchResponse;
|
2024-07-02 01:09:47 +01:00
|
|
|
async fn post(
|
|
|
|
&self,
|
|
|
|
url: Url,
|
|
|
|
headers: http::HeaderMap,
|
|
|
|
body: Bytes,
|
|
|
|
) -> Result<(Url, http::StatusCode, Self::Response), anyhow::Error> {
|
2024-07-18 00:37:31 +01:00
|
|
|
let body = http_body_util::Full::new(body)
|
|
|
|
.map_err(|never| match never {})
|
|
|
|
.boxed();
|
|
|
|
let mut req = http::Request::new(body);
|
|
|
|
*req.method_mut() = http::Method::POST;
|
|
|
|
*req.uri_mut() = url.as_str().parse()?;
|
|
|
|
*req.headers_mut() = headers;
|
|
|
|
|
|
|
|
let res = self.0.clone().send(req).await?;
|
2024-07-02 01:09:47 +01:00
|
|
|
let status = res.status();
|
2024-07-18 00:37:31 +01:00
|
|
|
Ok((url, status, FetchResponse(res)))
|
2024-07-02 01:09:47 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2024-07-18 00:37:31 +01:00
|
|
|
impl RemoteResponse for FetchResponse {
|
2024-07-02 01:09:47 +01:00
|
|
|
async fn bytes(self) -> Result<Bytes, anyhow::Error> {
|
2024-07-18 00:37:31 +01:00
|
|
|
Ok(self.0.collect().await?.to_bytes())
|
2024-07-02 01:09:47 +01:00
|
|
|
}
|
|
|
|
fn stream(
|
|
|
|
self,
|
|
|
|
) -> impl Stream<Item = Result<Bytes, anyhow::Error>> + Send + Sync {
|
2024-07-18 00:37:31 +01:00
|
|
|
self.0.into_body().into_data_stream()
|
2024-07-02 01:09:47 +01:00
|
|
|
}
|
|
|
|
async fn text(self) -> Result<String, anyhow::Error> {
|
2024-07-18 00:37:31 +01:00
|
|
|
let bytes = self.bytes().await?;
|
|
|
|
Ok(std::str::from_utf8(&bytes)?.into())
|
2024-07-02 01:09:47 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-08-22 13:56:00 +08:00
|
|
|
#[async_trait(?Send)]
|
2023-10-31 12:13:57 +01:00
|
|
|
impl<P: RemoteDbHandlerPermissions + 'static> DatabaseHandler
|
|
|
|
for RemoteDbHandler<P>
|
|
|
|
{
|
2024-07-18 00:37:31 +01:00
|
|
|
type DB = Remote<PermissionChecker<P>, FetchClient>;
|
2023-08-22 13:56:00 +08:00
|
|
|
|
|
|
|
async fn open(
|
|
|
|
&self,
|
|
|
|
state: Rc<RefCell<OpState>>,
|
|
|
|
path: Option<String>,
|
|
|
|
) -> Result<Self::DB, AnyError> {
|
|
|
|
const ENV_VAR_NAME: &str = "DENO_KV_ACCESS_TOKEN";
|
|
|
|
|
|
|
|
let Some(url) = path else {
|
|
|
|
return Err(type_error("Missing database url"));
|
|
|
|
};
|
|
|
|
|
|
|
|
let Ok(parsed_url) = Url::parse(&url) else {
|
|
|
|
return Err(type_error(format!("Invalid database url: {}", url)));
|
|
|
|
};
|
|
|
|
|
|
|
|
{
|
|
|
|
let mut state = state.borrow_mut();
|
|
|
|
let permissions = state.borrow_mut::<P>();
|
|
|
|
permissions.check_env(ENV_VAR_NAME)?;
|
|
|
|
permissions.check_net_url(&parsed_url, "Deno.openKv")?;
|
|
|
|
}
|
|
|
|
|
|
|
|
let access_token = std::env::var(ENV_VAR_NAME)
|
|
|
|
.map_err(anyhow::Error::from)
|
|
|
|
.with_context(|| {
|
|
|
|
"Missing DENO_KV_ACCESS_TOKEN environment variable. Please set it to your access token from https://dash.deno.com/account."
|
|
|
|
})?;
|
|
|
|
|
2023-10-31 12:13:57 +01:00
|
|
|
let metadata_endpoint = MetadataEndpoint {
|
|
|
|
url: parsed_url.clone(),
|
|
|
|
access_token: access_token.clone(),
|
2023-08-22 13:56:00 +08:00
|
|
|
};
|
|
|
|
|
2023-10-31 12:13:57 +01:00
|
|
|
let options = &self.http_options;
|
|
|
|
let client = create_http_client(
|
|
|
|
&options.user_agent,
|
|
|
|
CreateHttpClientOptions {
|
|
|
|
root_cert_store: options.root_cert_store()?,
|
|
|
|
ca_certs: vec![],
|
|
|
|
proxy: options.proxy.clone(),
|
|
|
|
unsafely_ignore_certificate_errors: options
|
|
|
|
.unsafely_ignore_certificate_errors
|
|
|
|
.clone(),
|
refactor(ext/tls): Implement required functionality for later SNI support (#23686)
Precursor to #23236
This implements the SNI features, but uses private symbols to avoid
exposing the functionality at this time. Note that to properly test this
feature, we need to add a way for `connectTls` to specify a hostname.
This is something that should be pushed into that API at a later time as
well.
```ts
Deno.test(
{ permissions: { net: true, read: true } },
async function listenResolver() {
let sniRequests = [];
const listener = Deno.listenTls({
hostname: "localhost",
port: 0,
[resolverSymbol]: (sni: string) => {
sniRequests.push(sni);
return {
cert,
key,
};
},
});
{
const conn = await Deno.connectTls({
hostname: "localhost",
[serverNameSymbol]: "server-1",
port: listener.addr.port,
});
const [_handshake, serverConn] = await Promise.all([
conn.handshake(),
listener.accept(),
]);
conn.close();
serverConn.close();
}
{
const conn = await Deno.connectTls({
hostname: "localhost",
[serverNameSymbol]: "server-2",
port: listener.addr.port,
});
const [_handshake, serverConn] = await Promise.all([
conn.handshake(),
listener.accept(),
]);
conn.close();
serverConn.close();
}
assertEquals(sniRequests, ["server-1", "server-2"]);
listener.close();
},
);
```
---------
Signed-off-by: Matt Mastracci <matthew@mastracci.com>
2024-05-09 10:54:47 -06:00
|
|
|
client_cert_chain_and_key: options
|
|
|
|
.client_cert_chain_and_key
|
|
|
|
.clone()
|
|
|
|
.try_into()
|
|
|
|
.unwrap(),
|
2023-10-31 12:13:57 +01:00
|
|
|
pool_max_idle_per_host: None,
|
|
|
|
pool_idle_timeout: None,
|
2023-12-23 01:19:17 +08:00
|
|
|
http1: false,
|
2023-10-31 12:13:57 +01:00
|
|
|
http2: true,
|
|
|
|
},
|
|
|
|
)?;
|
2024-07-18 00:37:31 +01:00
|
|
|
let fetch_client = FetchClient(client);
|
2023-10-31 12:13:57 +01:00
|
|
|
|
|
|
|
let permissions = PermissionChecker {
|
|
|
|
state: state.clone(),
|
|
|
|
_permissions: PhantomData,
|
2023-08-27 12:04:12 +08:00
|
|
|
};
|
2023-08-22 13:56:00 +08:00
|
|
|
|
2024-07-18 00:37:31 +01:00
|
|
|
let remote = Remote::new(fetch_client, permissions, metadata_endpoint);
|
2023-08-22 13:56:00 +08:00
|
|
|
|
2023-10-31 12:13:57 +01:00
|
|
|
Ok(remote)
|
2023-08-22 13:56:00 +08:00
|
|
|
}
|
|
|
|
}
|