[refactor, chore](tls): tidy cfg, fix doc, test tls feature (#443)

* refactor(tls): tidy cfg, fix doc, test tls feature

* fix test

Author: kanarus

Taskfile.yaml

@@ -16,6 +16,7 @@ tasks:
       - task: test:other
   test:core:
     deps:
+      - task: test:tls
       - task: test:no_rt
       - for:  [tokio, async-std, smol, nio, glommio, lambda, worker]
         task: test:rt
@@ -29,6 +30,7 @@ tasks:
 
   check:
     deps:
+      - task: check:tls
       - task: check:no_rt
       - for:  [tokio, async-std, smol, nio, glommio, lambda]
         task: check:rt-native_target
@@ -61,7 +63,7 @@ tasks:
   test:doc:
     dir: ./ohkami
     cmds:
-      - cargo test --doc --no-default-features --features DEBUG,rt_tokio,sse,ws,{{.maybe_nightly}}
+      - cargo test --doc --no-default-features --features DEBUG,rt_tokio,sse,ws,tls,{{.maybe_nightly}}
       # not activating `openapi` feature for testability of README sample codes
 
   test:examples:
@@ -92,6 +94,12 @@ tasks:
       - cargo test --lib --features rt_{{.rt}},DEBUG,ws,{{.maybe_nightly}}
       - cargo test --lib --features rt_{{.rt}},DEBUG,sse,ws,openapi,{{.maybe_nightly}}
 
+  test:tls: # currently depending on tokio-rustls and works only on tokio
+    dir: ./ohkami
+    cmds:
+      - cargo test --lib --features rt_tokio,DEBUG,tls,{{.maybe_nightly}}
+      - cargo test --lib --features rt_tokio,DEBUG,sse,ws,tls,{{.maybe_nightly}}
+
 #### checks ####
   # Assure buildability without "DEBUG" feature
 
@@ -114,6 +122,12 @@ tasks:
       - cargo check --lib --features rt_{{.rt}},ws,{{.maybe_nightly}}
       - cargo check --lib --features rt_{{.rt}},sse,ws,openapi,{{.maybe_nightly}}
 
+  check:tls: # currently depending on tokio-rustls and works only on tokio
+    dir: ./ohkami
+    cmds:
+      - cargo check --lib --features rt_tokio,tls,{{.maybe_nightly}}
+      - cargo check --lib --features rt_tokio,sse,ws,tls,{{.maybe_nightly}}
+
   check:rt_worker:
     dir: ./ohkami
     cmds:

ohkami/Cargo.toml

@@ -91,7 +91,7 @@ nightly = []
 openapi = ["dep:ohkami_openapi", "ohkami_macros/openapi"]
 sse     = ["ohkami_lib/stream"]
 ws      = ["ohkami_lib/stream", "dep:mews"]
-tls     = ["__rt_native__", "rt_tokio", "dep:rustls", "dep:tokio-rustls"]
+tls     = ["rt_tokio", "dep:rustls", "dep:tokio-rustls"]  # currently depending on tokio-rustls and works only on tokio
 
 ##### internal #####
 __rt__        = []
@@ -104,6 +104,7 @@ DEBUG = ["tokio?/rt-multi-thread", "tokio?/macros"]
 #    "openapi",
 #    "sse",
 #    "ws",
+#    "tls",
 #    "rt_tokio",
 #    #"rt_async-std",
 #    #"rt_smol",
@@ -114,5 +115,7 @@ DEBUG = ["tokio?/rt-multi-thread", "tokio?/macros"]
 #]
 
 
-[dev-dependencies]
-sqlx = { version = "0.8", features = ["runtime-tokio", "postgres", "macros"] }
+[dev-dependencies] # for doc test
+sqlx = { version = "0.8", features = ["runtime-tokio", "postgres", "macros"] }
+rustls = { version = "0.23", features = ["ring"] }
+rustls-pemfile = { version = "2.2" }

ohkami/src/lib.rs

@@ -175,7 +175,7 @@ mod __rt__ {
         }
 
         pub(crate) const PORT: u16 = {
-            #[cfg(feature="rt_tokio")    ] {3001}
+            #[cfg(feature="rt_tokio")    ] {if cfg!(feature="tls") {9443} else {3001}}
             #[cfg(feature="rt_async-std")] {3002}
             #[cfg(feature="rt_smol")     ] {3003}
             #[cfg(feature="rt_nio")      ] {3004}

ohkami/src/ohkami/mod.rs

@@ -610,7 +610,9 @@ impl Ohkami {
     /// 
     /// ```no_run
     /// use ohkami::prelude::*;
-    /// use rustls::{ServerConfig, Certificate, PrivateKey};
+    /// use rustls::ServerConfig;
+    /// use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+    /// 
     /// use std::fs::File;
     /// use std::io::BufReader;
     /// 
@@ -621,33 +623,31 @@ impl Ohkami {
     /// #[tokio::main]
     /// async fn main() -> std::io::Result<()> {
     ///     // Initialize rustls crypto provider
-    ///     match rustls::crypto::ring::default_provider().install_default() {
-    //          Ok(_) => println!("Successfully installed rustls crypto provider"),
-    //          Err(e) => {
-    //              eprintln!("Failed to install rustls crypto provider: {:?}", e);
-    //              std::process::exit(1);
-    //          }
-    //      }
+    ///     rustls::crypto::ring::default_provider().install_default()
+    ///         .expect("Failed to install rustls crypto provider");
+    /// 
     ///     // Load certificates and private key
-    ///     let cert_file = File::open("path/to/cert.pem")?;
-    ///     let key_file = File::open("path/to/key.pem")?;
+    ///     let cert_file = File::open("server.crt")?;
+    ///     let key_file = File::open("server.key")?;
     ///     
     ///     let cert_chain = rustls_pemfile::certs(&mut BufReader::new(cert_file))
-    ///         .map(|certs| certs.into_iter().map(Certificate).collect())
-    ///         .unwrap_or_default();
-    ///     
-    ///     let key = rustls_pemfile::pkcs8_private_keys(&mut BufReader::new(key_file))
-    ///         .next()
-    ///         .map(|key| PrivateKey(key))
-    ///         .expect("Failed to load private key");
+    ///         .map(|cd| cd.map(CertificateDer::from))
+    ///         .collect::<Result<Vec<_>, _>>()?;
     ///     
+    ///     let key = rustls_pemfile::read_one(&mut BufReader::new(key_file))?
+    ///         .map(|p| match p {
+    ///             rustls_pemfile::Item::Pkcs1Key(k) => PrivateKeyDer::Pkcs1(k),
+    ///             rustls_pemfile::Item::Pkcs8Key(k) => PrivateKeyDer::Pkcs8(k),
+    ///             _ => panic!("Unexpected private key type"),
+    ///         })
+    ///         .expect("Failed to read private key");
+    /// 
     ///     // Build TLS configuration
     ///     let tls_config = ServerConfig::builder()
-    ///         .with_safe_defaults()
     ///         .with_no_client_auth()
     ///         .with_single_cert(cert_chain, key)
     ///         .expect("Failed to build TLS configuration");
-    ///     
+    /// 
     ///     // Create and run Ohkami with HTTPS
     ///     Ohkami::new((
     ///         "/".GET(hello),
@@ -656,6 +656,17 @@ impl Ohkami {
     ///     Ok(())
     /// }
     /// ```
+    /// 
+    /// ```sh
+    /// $ openssl req -x509 -newkey rsa:4096 -nodes -keyout server.key -out server.crt -days 365 -subj "/CN=localhost"
+    /// 
+    /// $ cargo run
+    /// ```
+    /// 
+    /// ```sh
+    /// $ curl --insecure https://localhost:8443
+    /// Hello, secure ohkami!
+    /// ```
     pub async fn howl_tls<T>(self, bind: impl __rt__::IntoTcpListener<T>, tls_config: rustls::ServerConfig) {    
         let (router, _) = self.into_router().finalize();
         let router = Arc::new(router);

ohkami/src/session/mod.rs

@@ -8,35 +8,28 @@ use crate::util::timeout_in;
 use crate::router::r#final::Router;
 use crate::{Request, Response};
 
-#[cfg(feature="ws")]
-use crate::__rt__::TcpStream;
-
-pub(crate) struct Session<S> {
+pub(crate) struct Session<C> {
     router: Arc<Router>,
-    connection: S,
+    connection: C,
     ip: std::net::IpAddr,
 }
 
-#[cfg(feature="ws")]
-pub(crate) trait WebSocketUpgradeable {
-    fn into_websocket_stream(self) -> Result<TcpStream, &'static str>;
+pub(crate) trait Connection: AsyncRead + AsyncWrite + Unpin {
+    #[cfg(feature="ws")]
+    fn into_websocket_stream(self) -> Result<crate::__rt__::TcpStream, &'static str>;
 }
 
-#[cfg(feature="ws")]
-impl WebSocketUpgradeable for TcpStream {
-    fn into_websocket_stream(self) -> Result<TcpStream, &'static str> {
+impl Connection for crate::__rt__::TcpStream {
+    #[cfg(feature="ws")]
+    fn into_websocket_stream(self) -> Result<crate::__rt__::TcpStream, &'static str> {
         Ok(self)
     }
 }
 
-#[cfg(feature="ws")]
-impl<S> Session<S>
-where
-    S: AsyncRead + AsyncWrite + Unpin + WebSocketUpgradeable,
-{
+impl<C: Connection> Session<C> {
     pub(crate) fn new(
         router: Arc<Router>,
-        connection: S,
+        connection: C,
         ip: std::net::IpAddr
     ) -> Self {
         Self {
@@ -85,14 +78,15 @@ where
                 }
             }
         }).await {
-            None => crate::WARNING!("[WARNING] \
+            None => crate::WARNING!("\
                 Session timeouted. In Ohkami, Keep-Alive timeout \
                 is set to 42 seconds by default and is configurable \
                 by `OHKAMI_KEEPALIVE_TIMEOUT` environment variable.\
             "),
 
             Some(Upgrade::None) => crate::DEBUG!("about to shutdown connection"),
 
+            #[cfg(feature="ws")]
             Some(Upgrade::WebSocket(ws)) => {
                 match self.connection.into_websocket_stream() {
                     Ok(tcp_stream) => {
@@ -103,7 +97,7 @@ where
                             tcp_stream
                         ).await;
                         if aborted {
-                            crate::WARNING!("[WARNING] \
+                            crate::WARNING!("\
                                 WebSocket session aborted by timeout. In Ohkami, \
                                 WebSocket timeout is set to 3600 seconds (1 hour) \
                                 by default and is configurable by `OHKAMI_WEBSOCKET_TIMEOUT` \
@@ -114,78 +108,10 @@ where
                         crate::DEBUG!("WebSocket session finished");
                     }
                     Err(msg) => {
-                        crate::WARNING!("[WARNING] {}", msg);
+                        crate::WARNING!("{msg}");
                     }
                 }
             }
         }
     }
 }
-
-// There has to be some cleaner implementation to apply the conditional trait bounds in this...
-#[cfg(not(feature="ws"))]
-impl<S> Session<S>
-where
-    S: AsyncRead + AsyncWrite + Unpin,
-{
-    pub(crate) fn new(
-        router: Arc<Router>,
-        connection: S,
-        ip: std::net::IpAddr
-    ) -> Self {
-        Self {
-            router,
-            connection,
-            ip
-        }
-    }
-
-    pub(crate) async fn manage(mut self) {
-        #[cold] #[inline(never)]
-        fn panicking(panic: Box<dyn Any + Send>) -> Response {
-            if let Some(msg) = panic.downcast_ref::<String>() {
-                crate::WARNING!("[Panicked]: {msg}");
-            } else if let Some(msg) = panic.downcast_ref::<&str>() {
-                crate::WARNING!("[Panicked]: {msg}");
-            } else {
-                crate::WARNING!("[Panicked]");
-            }
-            crate::Response::InternalServerError()
-        }
-
-        match timeout_in(Duration::from_secs(crate::CONFIG.keepalive_timeout()), async {
-            let mut req = Request::init(self.ip);
-            let mut req = unsafe {Pin::new_unchecked(&mut req)};
-            loop {
-                req.clear();
-                match req.as_mut().read(&mut self.connection).await {
-                    Ok(Some(())) => {
-                        let close = matches!(req.headers.Connection(), Some("close" | "Close"));
-
-                        let res = match catch_unwind(AssertUnwindSafe({
-                            let req = req.as_mut();
-                            || self.router.handle(req.get_mut())
-                        })) {
-                            Ok(future) => future.await,
-                            Err(panic) => panicking(panic),
-                        };
-                        let upgrade = res.send(&mut self.connection).await;
-
-                        if !upgrade.is_none() {break upgrade}
-                        if close {break Upgrade::None}
-                    }
-                    Ok(None) => break Upgrade::None,
-                    Err(res) => {res.send(&mut self.connection).await;},
-                }
-            }
-        }).await {
-            None => crate::WARNING!("[WARNING] \
-                Session timeouted. In Ohkami, Keep-Alive timeout \
-                is set to 42 seconds by default and is configurable \
-                by `OHKAMI_KEEPALIVE_TIMEOUT` environment variable.\
-            "),
-
-            Some(Upgrade::None) => crate::DEBUG!("about to shutdown connection"),
-        }
-    }
-}

ohkami/src/tls/mod.rs

@@ -1,8 +1,9 @@
 use tokio::io::{AsyncRead, AsyncWrite};
+
 pub struct TlsStream(pub tokio_rustls::server::TlsStream<tokio::net::TcpStream>);
 
-#[cfg(feature="ws")]
-impl crate::session::WebSocketUpgradeable for TlsStream {
+impl crate::session::Connection for TlsStream {
+    #[cfg(feature="ws")]
     fn into_websocket_stream(self) -> Result<crate::__rt__::TcpStream, &'static str> {
         Err("WebSocket connections are not supported over TLS yet")
     }