Merge pull request 'Update rustls for tokio-postgres' (#58) from asonix/update-tokio-postgres-rustls into main

Reviewed-on: https://git.asonix.dog/asonix/pict-rs/pulls/58
asonix 2024-05-19 15:35:47 +00:00
commit a7c78cd54e
5 changed files with 93 additions and 139 deletions

Cargo.lock generated

@ -253,21 +253,6 @@ dependencies = [
"memchr", "memchr",
] ]
[[package]]
name = "android-tzdata"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
[[package]]
name = "android_system_properties"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
dependencies = [
"libc",
]
[[package]] [[package]]
name = "anstream" name = "anstream"
version = "0.6.13" version = "0.6.13"
@ -376,6 +361,7 @@ dependencies = [
"aws-lc-sys", "aws-lc-sys",
"mirai-annotations", "mirai-annotations",
"paste", "paste",
"untrusted 0.7.1",
"zeroize", "zeroize",
] ]
@ -491,16 +477,6 @@ dependencies = [
"tokio", "tokio",
] ]
[[package]]
name = "bcder"
version = "0.7.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c627747a6774aab38beb35990d88309481378558875a41da1a4b2e373c906ef0"
dependencies = [
"bytes",
"smallvec",
]
[[package]] [[package]]
name = "bindgen" name = "bindgen"
version = "0.69.4" version = "0.69.4"
@ -607,18 +583,6 @@ version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "chrono"
version = "0.4.38"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a21f936df1771bf62b77f047b726c4625ff2e8aa607c01ec06e5a05bd8463401"
dependencies = [
"android-tzdata",
"iana-time-zone",
"num-traits",
"windows-targets 0.52.5",
]
[[package]] [[package]]
name = "clang-sys" name = "clang-sys"
version = "1.7.0" version = "1.7.0"
@ -777,12 +741,6 @@ version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6245d59a3e82a7fc217c5828a6692dbc6dfb63a0c8c90495621f7b9d79704a0e" checksum = "6245d59a3e82a7fc217c5828a6692dbc6dfb63a0c8c90495621f7b9d79704a0e"
[[package]]
name = "core-foundation-sys"
version = "0.8.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "06ea2b9bc92be3c2baa9334a323ebca2d6f074ff852cd1d7b11064035cd3868f"
[[package]] [[package]]
name = "cpufeatures" name = "cpufeatures"
version = "0.2.12" version = "0.2.12"
@ -855,9 +813,23 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0" checksum = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0"
dependencies = [ dependencies = [
"const-oid", "const-oid",
"der_derive",
"flagset",
"pem-rfc7468",
"zeroize", "zeroize",
] ]
[[package]]
name = "der_derive"
version = "0.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5fe87ce4529967e0ba1dcf8450bab64d97dfd5010a6256187ffe2e43e6f0e049"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
]
[[package]] [[package]]
name = "deranged" name = "deranged"
version = "0.3.11" version = "0.3.11"
@ -1014,6 +986,12 @@ version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8fcfdc7a0362c9f4444381a9e697c79d435fe65b52a37466fc2c1184cee9edc6" checksum = "8fcfdc7a0362c9f4444381a9e697c79d435fe65b52a37466fc2c1184cee9edc6"
[[package]]
name = "flagset"
version = "0.4.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cdeb3aa5e95cf9aabc17f060cfa0ced7b83f042390760ca53bf09df9968acaa1"
[[package]] [[package]]
name = "flate2" name = "flate2"
version = "1.0.30" version = "1.0.30"
@ -1055,20 +1033,6 @@ version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c" checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
[[package]]
name = "futures"
version = "0.3.30"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "645c6916888f6cb6350d2550b80fb63e734897a8498abe35cfb732b6487804b0"
dependencies = [
"futures-channel",
"futures-core",
"futures-io",
"futures-sink",
"futures-task",
"futures-util",
]
[[package]] [[package]]
name = "futures-channel" name = "futures-channel"
version = "0.3.30" version = "0.3.30"
@ -1463,29 +1427,6 @@ dependencies = [
"tracing", "tracing",
] ]
[[package]]
name = "iana-time-zone"
version = "0.1.60"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e7ffbb5a1b541ea2561f8c41c087286cc091e21e556a4f09a8f6cbf17b69b141"
dependencies = [
"android_system_properties",
"core-foundation-sys",
"iana-time-zone-haiku",
"js-sys",
"wasm-bindgen",
"windows-core",
]
[[package]]
name = "iana-time-zone-haiku"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
dependencies = [
"cc",
]
[[package]] [[package]]
name = "idna" name = "idna"
version = "0.5.0" version = "0.5.0"
@ -2014,13 +1955,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8835116a5c179084a830efb3adc117ab007512b535bc1a21c991d3b32a6b44dd" checksum = "8835116a5c179084a830efb3adc117ab007512b535bc1a21c991d3b32a6b44dd"
[[package]] [[package]]
name = "pem" name = "pem-rfc7468"
version = "3.0.4" version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8e459365e590736a54c3fa561947c84837534b8e9af6fc5bf781307e82658fae" checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
dependencies = [ dependencies = [
"base64 0.22.1", "base64ct",
"serde",
] ]
[[package]] [[package]]
@ -2081,7 +2021,6 @@ dependencies = [
"reqwest", "reqwest",
"reqwest-middleware", "reqwest-middleware",
"reqwest-tracing", "reqwest-tracing",
"rustls 0.22.4",
"rustls 0.23.7", "rustls 0.23.7",
"rustls-channel-resolver", "rustls-channel-resolver",
"rustls-pemfile", "rustls-pemfile",
@ -2098,7 +2037,7 @@ dependencies = [
"time", "time",
"tokio", "tokio",
"tokio-postgres", "tokio-postgres",
"tokio-postgres-rustls", "tokio-postgres-generic-rustls",
"tokio-uring", "tokio-uring",
"tokio-util", "tokio-util",
"toml", "toml",
@ -2542,7 +2481,7 @@ dependencies = [
"getrandom", "getrandom",
"libc", "libc",
"spin", "spin",
"untrusted", "untrusted 0.9.0",
"windows-sys 0.52.0", "windows-sys 0.52.0",
] ]
@ -2665,7 +2604,7 @@ dependencies = [
"aws-lc-rs", "aws-lc-rs",
"ring", "ring",
"rustls-pki-types", "rustls-pki-types",
"untrusted", "untrusted 0.9.0",
] ]
[[package]] [[package]]
@ -2852,15 +2791,6 @@ dependencies = [
"libc", "libc",
] ]
[[package]]
name = "signature"
version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
dependencies = [
"rand_core",
]
[[package]] [[package]]
name = "siphasher" name = "siphasher"
version = "0.3.11" version = "0.3.11"
@ -3084,6 +3014,27 @@ version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
[[package]]
name = "tls_codec"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b5e78c9c330f8c85b2bae7c8368f2739157db9991235123aa1b15ef9502bfb6a"
dependencies = [
"tls_codec_derive",
"zeroize",
]
[[package]]
name = "tls_codec_derive"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8d9ef545650e79f30233c0003bcc2504d7efac6dad25fca40744de773fe2049c"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
]
[[package]] [[package]]
name = "tokio" name = "tokio"
version = "1.37.0" version = "1.37.0"
@ -3152,18 +3103,17 @@ dependencies = [
] ]
[[package]] [[package]]
name = "tokio-postgres-rustls" name = "tokio-postgres-generic-rustls"
version = "0.11.1" version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0ea13f22eda7127c827983bdaf0d7fff9df21c8817bab02815ac277a21143677" checksum = "c8e98c31c29b2666fb28720739e11476166be4ead1610a37dcd7414bb124413a"
dependencies = [ dependencies = [
"futures", "aws-lc-rs",
"ring", "rustls 0.23.7",
"rustls 0.22.4",
"tokio", "tokio",
"tokio-postgres", "tokio-postgres",
"tokio-rustls 0.25.0", "tokio-rustls 0.26.0",
"x509-certificate", "x509-cert",
] ]
[[package]] [[package]]
@ -3499,6 +3449,12 @@ dependencies = [
"tinyvec", "tinyvec",
] ]
[[package]]
name = "untrusted"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
[[package]] [[package]]
name = "untrusted" name = "untrusted"
version = "0.9.0" version = "0.9.0"
@ -3745,15 +3701,6 @@ version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
[[package]]
name = "windows-core"
version = "0.52.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9"
dependencies = [
"windows-targets 0.52.5",
]
[[package]] [[package]]
name = "windows-sys" name = "windows-sys"
version = "0.48.0" version = "0.48.0"
@ -3913,22 +3860,15 @@ dependencies = [
] ]
[[package]] [[package]]
name = "x509-certificate" name = "x509-cert"
version = "0.23.1" version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "66534846dec7a11d7c50a74b7cdb208b9a581cad890b7866430d438455847c85" checksum = "1301e935010a701ae5f8655edc0ad17c44bad3ac5ce8c39185f75453b720ae94"
dependencies = [ dependencies = [
"bcder", "const-oid",
"bytes",
"chrono",
"der", "der",
"hex",
"pem",
"ring",
"signature",
"spki", "spki",
"thiserror", "tls_codec",
"zeroize",
] ]
[[package]] [[package]]


@ -49,8 +49,7 @@ refinery = { version = "0.8.10", features = ["tokio-postgres", "postgres"] }
reqwest = { version = "0.12.0", default-features = false, features = ["json", "rustls-tls", "stream"] } reqwest = { version = "0.12.0", default-features = false, features = ["json", "rustls-tls", "stream"] }
reqwest-middleware = "0.3.0" reqwest-middleware = "0.3.0"
reqwest-tracing = "0.5.0" reqwest-tracing = "0.5.0"
# pinned to tokio-postgres-rustls # pinned to tokio-postgres-generic-rustls
rustls022 = { package = "rustls", version = "0.22.0" }
# pinned to actix-web # pinned to actix-web
rustls = "0.23" rustls = "0.23"
# pinned to rustls # pinned to rustls
@ -70,7 +69,7 @@ thiserror = "1.0"
time = { version = "0.3.0", features = ["serde", "serde-well-known"] } time = { version = "0.3.0", features = ["serde", "serde-well-known"] }
tokio = { version = "1", features = ["full", "tracing"] } tokio = { version = "1", features = ["full", "tracing"] }
tokio-postgres = { version = "0.7.10", features = ["with-uuid-1", "with-time-0_3", "with-serde_json-1"] } tokio-postgres = { version = "0.7.10", features = ["with-uuid-1", "with-time-0_3", "with-serde_json-1"] }
tokio-postgres-rustls = "0.11.0" tokio-postgres-generic-rustls = { version = "0.1.0", default-features = false, features = ["aws-lc-rs"] }
tokio-uring = { version = "0.4", optional = true, features = ["bytes"] } tokio-uring = { version = "0.4", optional = true, features = ["bytes"] }
tokio-util = { version = "0.7", default-features = false, features = [ tokio-util = { version = "0.7", default-features = false, features = [
"codec", "codec",


@ -1938,6 +1938,19 @@ impl PictRsConfiguration {
Ok(self) Ok(self)
} }
/// Install aws-lc-rs as the default crypto provider
///
/// This would happen automatically anyway unless rustls crate features get mixed up
pub fn install_crypto_provider(self) -> Self {
if rustls::crypto::aws_lc_rs::default_provider()
.install_default()
.is_err()
{
tracing::info!("rustls crypto provider already installed");
}
self
}
/// Run the pict-rs application on a tokio `LocalSet` /// Run the pict-rs application on a tokio `LocalSet`
/// ///
/// This must be called from within `tokio::main` directly /// This must be called from within `tokio::main` directly
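Review bot: The doc comment on `install_crypto_provider` understates why the call is needed: this commit's Cargo.lock resolves `rustls 0.23.7` with both `aws-lc-rs` and `ring` active, and with two provider features enabled rustls does not pick a process default, so `ClientConfig::builder()` panics unless a provider was installed first — which appears to be exactly what the `build_tls_connector` change elsewhere in this commit relies on. I'd replace the "would happen automatically anyway" line with `/// Required here: rustls is resolved with both aws-lc-rs and ring enabled, so no process default is chosen automatically and ClientConfig::builder() panics until one is installed.` The `Err` from `install_default()` carries the provider that was already installed (CryptoProvider is Debug), so logging it makes a silently pre-installed `ring` default visible: `if let Err(provider) = rustls::crypto::aws_lc_rs::default_provider().install_default() { tracing::info!(?provider, "rustls crypto provider already installed"); }`. `impl PictRsConfiguration` continues outside the hunk.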


@ -4,6 +4,7 @@ fn main() -> color_eyre::Result<()> {
pict_rs::PictRsConfiguration::build_default()? pict_rs::PictRsConfiguration::build_default()?
.install_tracing()? .install_tracing()?
.install_metrics()? .install_metrics()?
.install_crypto_provider()
.run() .run()
.await .await
}) })
@ -18,6 +19,7 @@ fn main() -> color_eyre::Result<()> {
pict_rs::PictRsConfiguration::build_default()? pict_rs::PictRsConfiguration::build_default()?
.install_tracing()? .install_tracing()?
.install_metrics()? .install_metrics()?
.install_crypto_provider()
.run_on_localset() .run_on_localset()
.await .await
}) })


@ -26,7 +26,7 @@ use diesel_async::{
use futures_core::Stream; use futures_core::Stream;
use tokio::sync::Notify; use tokio::sync::Notify;
use tokio_postgres::{AsyncMessage, Connection, NoTls, Notification, Socket}; use tokio_postgres::{AsyncMessage, Connection, NoTls, Notification, Socket};
use tokio_postgres_rustls::MakeRustlsConnect; use tokio_postgres_generic_rustls::{AwsLcRsDigest, MakeRustlsConnect};
use tracing::Instrument; use tracing::Instrument;
use url::Url; use url::Url;
use uuid::Uuid; use uuid::Uuid;
@ -142,7 +142,7 @@ pub(crate) enum TlsError {
Invalid, Invalid,
#[error("Couldn't add certificate to root store")] #[error("Couldn't add certificate to root store")]
Add(#[source] rustls022::Error), Add(#[source] rustls::Error),
} }
impl PostgresError { impl PostgresError {
@ -173,8 +173,8 @@ impl PostgresError {
async fn build_tls_connector( async fn build_tls_connector(
certificate_file: Option<PathBuf>, certificate_file: Option<PathBuf>,
) -> Result<MakeRustlsConnect, TlsError> { ) -> Result<MakeRustlsConnect<AwsLcRsDigest>, TlsError> {
let mut cert_store = rustls022::RootCertStore { let mut cert_store = rustls::RootCertStore {
roots: Vec::from(webpki_roots::TLS_SERVER_ROOTS), roots: Vec::from(webpki_roots::TLS_SERVER_ROOTS),
}; };
@ -195,18 +195,18 @@ async fn build_tls_connector(
cert_store.add(cert).map_err(TlsError::Add)?; cert_store.add(cert).map_err(TlsError::Add)?;
} }
let config = rustls022::ClientConfig::builder() let config = rustls::ClientConfig::builder()
.with_root_certificates(cert_store) .with_root_certificates(cert_store)
.with_no_client_auth(); .with_no_client_auth();
let tls = MakeRustlsConnect::new(config); let tls = MakeRustlsConnect::new(config, AwsLcRsDigest);
Ok(tls) Ok(tls)
} }
async fn connect_for_migrations( async fn connect_for_migrations(
postgres_url: &Url, postgres_url: &Url,
tls_connector: Option<MakeRustlsConnect>, tls_connector: Option<MakeRustlsConnect<AwsLcRsDigest>>,
) -> Result< ) -> Result<
( (
tokio_postgres::Client, tokio_postgres::Client,
@ -266,7 +266,7 @@ where
async fn build_pool( async fn build_pool(
postgres_url: &Url, postgres_url: &Url,
tx: tokio::sync::mpsc::Sender<Notification>, tx: tokio::sync::mpsc::Sender<Notification>,
connector: Option<MakeRustlsConnect>, connector: Option<MakeRustlsConnect<AwsLcRsDigest>>,
max_size: u32, max_size: u32,
) -> Result<Pool<AsyncPgConnection>, ConnectPostgresError> { ) -> Result<Pool<AsyncPgConnection>, ConnectPostgresError> {
let mut config = ManagerConfig::default(); let mut config = ManagerConfig::default();
@ -667,7 +667,7 @@ async fn delegate_notifications(
fn build_handler( fn build_handler(
sender: tokio::sync::mpsc::Sender<Notification>, sender: tokio::sync::mpsc::Sender<Notification>,
connector: Option<MakeRustlsConnect>, connector: Option<MakeRustlsConnect<AwsLcRsDigest>>,
) -> ConfigFn { ) -> ConfigFn {
Box::new( Box::new(
move |config: &str| -> BoxFuture<'_, ConnectionResult<AsyncPgConnection>> { move |config: &str| -> BoxFuture<'_, ConnectionResult<AsyncPgConnection>> {
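Review bot: `build_tls_connector` still calls `rustls::ClientConfig::builder()`, which resolves the crypto provider from the process-wide default at call time; with `rustls 0.23.7` resolved with both `aws-lc-rs` and `ring` in this commit's Cargo.lock, that call panics unless `install_crypto_provider()` ran earlier, so the Postgres TLS setup now depends on an ordering contract that nothing in this file checks or documents. Passing the provider explicitly with `ClientConfig::builder_with_provider` removes the ordering dependency and keeps the provider choice local to the connector, consistent with the explicit `AwsLcRsDigest` already handed to `MakeRustlsConnect::new`. `with_safe_default_protocol_versions()` is fallible, so it needs its own `TlsError` variant rather than reusing `Add`, whose message is about the root store. `build_tls_connector` starts outside the hunk.
```rust
    #[error("Couldn't build TLS client configuration")]
    Config(#[source] rustls::Error),
    // … unchanged: rest of TlsError …

    // … unchanged: root store construction and certificate loading …
    let provider = std::sync::Arc::new(rustls::crypto::aws_lc_rs::default_provider());
    let config = rustls::ClientConfig::builder_with_provider(provider)
        .with_safe_default_protocol_versions()
        .map_err(TlsError::Config)?
        .with_root_certificates(cert_store)
        .with_no_client_auth();
```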