mangadex-home-rs/src/state.rs

use std::sync::atomic::{AtomicBool, Ordering};

use crate::config::{CliArgs, UnstableOptions, SEND_SERVER_VERSION, VALIDATE_TOKENS};
use crate::ping::{Request, Response, CONTROL_CENTER_PING_URL};
use arc_swap::ArcSwap;
use log::{error, info, warn};
use once_cell::sync::OnceCell;
use parking_lot::RwLock;
use rustls::sign::{CertifiedKey, SigningKey};
use rustls::Certificate;
use rustls::{ClientHello, ResolvesServerCert};
use sodiumoxide::crypto::box_::PrecomputedKey;
use thiserror::Error;
use url::Url;

pub struct ServerState {
    pub precomputed_key: PrecomputedKey,
    pub image_server: Url,
    pub url: Url,
    pub url_overridden: bool,
}

pub static PREVIOUSLY_PAUSED: AtomicBool = AtomicBool::new(false);
pub static PREVIOUSLY_COMPROMISED: AtomicBool = AtomicBool::new(false);

pub static TLS_PREVIOUSLY_CREATED: OnceCell<ArcSwap<String>> = OnceCell::new();
pub static TLS_SIGNING_KEY: OnceCell<ArcSwap<Box<dyn SigningKey>>> = OnceCell::new();
pub static TLS_CERTS: OnceCell<ArcSwap<Vec<Certificate>>> = OnceCell::new();

#[derive(Error, Debug)]
pub enum ServerInitError {
    #[error(transparent)]
    MalformedResponse(reqwest::Error),
    #[error(transparent)]
    Timeout(reqwest::Error),
    #[error(transparent)]
    SendFailure(reqwest::Error),
    #[error("Failed to parse token key")]
    KeyParseError(String),
    #[error("Token key was not provided in initial request")]
    MissingTokenKey,
}

impl ServerState {
    pub async fn init(secret: &str, config: &CliArgs) -> Result<Self, ServerInitError> {
        let resp = reqwest::Client::new()
            .post(CONTROL_CENTER_PING_URL)
            .json(&Request::from((secret, config)))
            .send()
            .await;

        if config.enable_server_string {
            warn!("Client will send Server header in responses. This is not recommended!");
            SEND_SERVER_VERSION.store(true, Ordering::Release);
        }

        match resp {
            Ok(resp) => match resp.json::<Response>().await {
                Ok(mut resp) => {
                    let key = resp
                        .token_key
                        .ok_or(ServerInitError::MissingTokenKey)
                        .and_then(|key| {
                            if let Some(key) = base64::decode(&key)
                                .ok()
                                .and_then(|k| PrecomputedKey::from_slice(&k))
                            {
                                Ok(key)
                            } else {
                                error!("Failed to parse token key: got {}", key);
                                Err(ServerInitError::KeyParseError(key))
                            }
                        })?;

                    PREVIOUSLY_COMPROMISED.store(resp.paused, Ordering::Release);
                    if resp.compromised {
                        error!("Got compromised response from control center!");
                    }

                    PREVIOUSLY_PAUSED.store(resp.paused, Ordering::Release);
                    if resp.paused {
                        warn!("Control center has paused this node!");
                    }

                    if let Some(ref override_url) = config.override_upstream {
                        resp.image_server = override_url.clone();
                        warn!("Upstream URL overridden to: {}", resp.image_server);
                    } else {
                    }

                    info!("This client's URL has been set to {}", resp.url);

                    if config
                        .unstable_options
                        .contains(&UnstableOptions::DisableTokenValidation)
                    {
                        warn!("Token validation is explicitly disabled!");
                    } else {
                        if resp.force_tokens {
                            info!("This client will validate tokens.");
                        } else {
                            info!("This client will not validate tokens.");
                        }
                        VALIDATE_TOKENS.store(resp.force_tokens, Ordering::Release);
                    }

                    let tls = resp.tls.unwrap();
                    std::mem::drop(
                        TLS_PREVIOUSLY_CREATED.set(ArcSwap::from_pointee(tls.created_at)),
                    );
                    std::mem::drop(TLS_SIGNING_KEY.set(ArcSwap::new(tls.priv_key)));
                    std::mem::drop(TLS_CERTS.set(ArcSwap::from_pointee(tls.certs)));

                    Ok(Self {
                        precomputed_key: key,
                        image_server: resp.image_server,
                        url: resp.url,
                        url_overridden: config.override_upstream.is_some(),
                    })
                }
                Err(e) => {
                    error!("Got malformed response: {}. Is MangaDex@Home down?", e);
                    Err(ServerInitError::MalformedResponse(e))
                }
            },
            Err(e) => match e {
                e if e.is_timeout() => {
                    error!("Response timed out to control server. Is MangaDex@Home down?");
                    Err(ServerInitError::Timeout(e))
                }
                e => {
                    error!("Failed to send request: {}", e);
                    Err(ServerInitError::SendFailure(e))
                }
            },
        }
    }
}

pub struct RwLockServerState(pub RwLock<ServerState>);

pub struct DynamicServerCert;

impl ResolvesServerCert for DynamicServerCert {
    fn resolve(&self, _: ClientHello) -> Option<CertifiedKey> {
        // TODO: wait for actix-web to use a new version of rustls so we can
        // remove cloning the certs all the time
        Some(CertifiedKey {
            cert: TLS_CERTS.get().unwrap().load().as_ref().clone(),
            key: TLS_SIGNING_KEY.get().unwrap().load_full(),
            ocsp: None,
            sct_list: None,
        })
    }
}
don't fill logs with compromised response 2021-04-22 21:34:23 -07:00			`use std::sync::atomic::{AtomicBool, Ordering};`
finish minimum version 2021-03-22 14:47:56 -07:00
Use unstable options 2021-04-25 09:55:31 -07:00			`use crate::config::{CliArgs, UnstableOptions, SEND_SERVER_VERSION, VALIDATE_TOKENS};`
use arc_swap for tls 2021-04-23 21:56:58 -07:00			`use crate::ping::{Request, Response, CONTROL_CENTER_PING_URL};`
			`use arc_swap::ArcSwap;`
better logging 2021-03-22 20:19:56 -07:00			`use log::{error, info, warn};`
use arc_swap for tls 2021-04-23 21:56:58 -07:00			`use once_cell::sync::OnceCell;`
finish minimum version 2021-03-22 14:47:56 -07:00			`use parking_lot::RwLock;`
use arc_swap for tls 2021-04-23 21:56:58 -07:00			`use rustls::sign::{CertifiedKey, SigningKey};`
			`use rustls::Certificate;`
comment why tls is slow 2021-04-23 20:28:47 -07:00			`use rustls::{ClientHello, ResolvesServerCert};`
finish minimum version 2021-03-22 14:47:56 -07:00			`use sodiumoxide::crypto::box_::PrecomputedKey;`
Remove some unwraps 2021-04-23 15:03:53 -07:00			`use thiserror::Error;`
finish minimum version 2021-03-22 14:47:56 -07:00			`use url::Url;`

			`pub struct ServerState {`
			`pub precomputed_key: PrecomputedKey,`
			`pub image_server: Url,`
debug streaming 2021-04-18 20:06:18 -07:00			`pub url: Url,`
			`pub url_overridden: bool,`
better logging 2021-03-22 20:19:56 -07:00			`}`

don't fill logs with compromised response 2021-04-22 21:34:23 -07:00			`pub static PREVIOUSLY_PAUSED: AtomicBool = AtomicBool::new(false);`
			`pub static PREVIOUSLY_COMPROMISED: AtomicBool = AtomicBool::new(false);`
finish minimum version 2021-03-22 14:47:56 -07:00
use arc_swap for tls 2021-04-23 21:56:58 -07:00			`pub static TLS_PREVIOUSLY_CREATED: OnceCell<ArcSwap<String>> = OnceCell::new();`
			`pub static TLS_SIGNING_KEY: OnceCell<ArcSwap<Box<dyn SigningKey>>> = OnceCell::new();`
			`pub static TLS_CERTS: OnceCell<ArcSwap<Vec<Certificate>>> = OnceCell::new();`

Remove some unwraps 2021-04-23 15:03:53 -07:00			`#[derive(Error, Debug)]`
			`pub enum ServerInitError {`
			`#[error(transparent)]`
			`MalformedResponse(reqwest::Error),`
			`#[error(transparent)]`
			`Timeout(reqwest::Error),`
			`#[error(transparent)]`
			`SendFailure(reqwest::Error),`
			`#[error("Failed to parse token key")]`
			`KeyParseError(String),`
			`#[error("Token key was not provided in initial request")]`
			`MissingTokenKey,`
			`}`

finish minimum version 2021-03-22 14:47:56 -07:00			`impl ServerState {`
Remove some unwraps 2021-04-23 15:03:53 -07:00			`pub async fn init(secret: &str, config: &CliArgs) -> Result<Self, ServerInitError> {`
finish minimum version 2021-03-22 14:47:56 -07:00			`let resp = reqwest::Client::new()`
			`.post(CONTROL_CENTER_PING_URL)`
Support CLI args 2021-03-25 18:06:54 -07:00			`.json(&Request::from((secret, config)))`
finish minimum version 2021-03-22 14:47:56 -07:00			`.send()`
			`.await;`

more perf 2021-03-25 19:58:07 -07:00			`if config.enable_server_string {`
			`warn!("Client will send Server header in responses. This is not recommended!");`
			`SEND_SERVER_VERSION.store(true, Ordering::Release);`
			`}`
Support CLI args 2021-03-25 18:06:54 -07:00
finish minimum version 2021-03-22 14:47:56 -07:00			`match resp {`
			`Ok(resp) => match resp.json::<Response>().await {`
debug streaming 2021-04-18 20:06:18 -07:00			`Ok(mut resp) => {`
finish minimum version 2021-03-22 14:47:56 -07:00			`let key = resp`
			`.token_key`
Remove some unwraps 2021-04-23 15:03:53 -07:00			`.ok_or(ServerInitError::MissingTokenKey)`
finish minimum version 2021-03-22 14:47:56 -07:00			`.and_then(\|key\| {`
			`if let Some(key) = base64::decode(&key)`
			`.ok()`
			`.and_then(\|k\| PrecomputedKey::from_slice(&k))`
			`{`
Remove some unwraps 2021-04-23 15:03:53 -07:00			`Ok(key)`
finish minimum version 2021-03-22 14:47:56 -07:00			`} else {`
			`error!("Failed to parse token key: got {}", key);`
Remove some unwraps 2021-04-23 15:03:53 -07:00			`Err(ServerInitError::KeyParseError(key))`
finish minimum version 2021-03-22 14:47:56 -07:00			`}`
Remove some unwraps 2021-04-23 15:03:53 -07:00			`})?;`
finish minimum version 2021-03-22 14:47:56 -07:00
don't fill logs with compromised response 2021-04-22 21:34:23 -07:00			`PREVIOUSLY_COMPROMISED.store(resp.paused, Ordering::Release);`
finish minimum version 2021-03-22 14:47:56 -07:00			`if resp.compromised {`
better logging 2021-03-22 20:19:56 -07:00			`error!("Got compromised response from control center!");`
finish minimum version 2021-03-22 14:47:56 -07:00			`}`

don't fill logs with compromised response 2021-04-22 21:34:23 -07:00			`PREVIOUSLY_PAUSED.store(resp.paused, Ordering::Release);`
finish minimum version 2021-03-22 14:47:56 -07:00			`if resp.paused {`
better logging 2021-03-22 20:19:56 -07:00			`warn!("Control center has paused this node!");`
finish minimum version 2021-03-22 14:47:56 -07:00			`}`

debug streaming 2021-04-18 20:06:18 -07:00			`if let Some(ref override_url) = config.override_upstream {`
			`resp.image_server = override_url.clone();`
			`warn!("Upstream URL overridden to: {}", resp.image_server);`
			`} else {`
			`}`

finish minimum version 2021-03-22 14:47:56 -07:00			`info!("This client's URL has been set to {}", resp.url);`

Use unstable options 2021-04-25 09:55:31 -07:00			`if config`
			`.unstable_options`
			`.contains(&UnstableOptions::DisableTokenValidation)`
			`{`
debug streaming 2021-04-18 20:06:18 -07:00			`warn!("Token validation is explicitly disabled!");`
better logging 2021-03-22 20:19:56 -07:00			`} else {`
debug streaming 2021-04-18 20:06:18 -07:00			`if resp.force_tokens {`
			`info!("This client will validate tokens.");`
			`} else {`
			`info!("This client will not validate tokens.");`
			`}`
			`VALIDATE_TOKENS.store(resp.force_tokens, Ordering::Release);`
finish minimum version 2021-03-22 14:47:56 -07:00			`}`

use arc_swap for tls 2021-04-23 21:56:58 -07:00			`let tls = resp.tls.unwrap();`
explicitly mem drop lazy init failure 2021-04-24 09:57:32 -07:00			`std::mem::drop(`
			`TLS_PREVIOUSLY_CREATED.set(ArcSwap::from_pointee(tls.created_at)),`
			`);`
			`std::mem::drop(TLS_SIGNING_KEY.set(ArcSwap::new(tls.priv_key)));`
			`std::mem::drop(TLS_CERTS.set(ArcSwap::from_pointee(tls.certs)));`
use arc_swap for tls 2021-04-23 21:56:58 -07:00
finish minimum version 2021-03-22 14:47:56 -07:00			`Ok(Self {`
			`precomputed_key: key,`
			`image_server: resp.image_server,`
			`url: resp.url,`
debug streaming 2021-04-18 20:06:18 -07:00			`url_overridden: config.override_upstream.is_some(),`
finish minimum version 2021-03-22 14:47:56 -07:00			`})`
			`}`
			`Err(e) => {`
Use unstable options 2021-04-25 09:55:31 -07:00			`error!("Got malformed response: {}. Is MangaDex@Home down?", e);`
Remove some unwraps 2021-04-23 15:03:53 -07:00			`Err(ServerInitError::MalformedResponse(e))`
finish minimum version 2021-03-22 14:47:56 -07:00			`}`
			`},`
			`Err(e) => match e {`
			`e if e.is_timeout() => {`
Use unstable options 2021-04-25 09:55:31 -07:00			`error!("Response timed out to control server. Is MangaDex@Home down?");`
Remove some unwraps 2021-04-23 15:03:53 -07:00			`Err(ServerInitError::Timeout(e))`
finish minimum version 2021-03-22 14:47:56 -07:00			`}`
			`e => {`
Use unstable options 2021-04-25 09:55:31 -07:00			`error!("Failed to send request: {}", e);`
Remove some unwraps 2021-04-23 15:03:53 -07:00			`Err(ServerInitError::SendFailure(e))`
finish minimum version 2021-03-22 14:47:56 -07:00			`}`
			`},`
			`}`
			`}`
			`}`

			`pub struct RwLockServerState(pub RwLock<ServerState>);`

use arc_swap for tls 2021-04-23 21:56:58 -07:00			`pub struct DynamicServerCert;`

			`impl ResolvesServerCert for DynamicServerCert {`
comment why tls is slow 2021-04-23 20:28:47 -07:00			`fn resolve(&self, _: ClientHello) -> Option<CertifiedKey> {`
			`// TODO: wait for actix-web to use a new version of rustls so we can`
			`// remove cloning the certs all the time`
finish minimum version 2021-03-22 14:47:56 -07:00			`Some(CertifiedKey {`
use arc_swap for tls 2021-04-23 21:56:58 -07:00			`cert: TLS_CERTS.get().unwrap().load().as_ref().clone(),`
			`key: TLS_SIGNING_KEY.get().unwrap().load_full(),`
finish minimum version 2021-03-22 14:47:56 -07:00			`ocsp: None,`
			`sct_list: None,`
			`})`
			`}`
			`}`