[ADD] Support for https redirect URIs (TLS)

This commit adds support for TLS-encrypted redirect URIs.
The commit adds a second server for https:
1. Binding a new TCP socket
2. Uses `rcgen` to generate a new TLS certificate (only in memory)
3. Uses `rustls` to do the TLS handshake and convert the TCPStream
into a TLS stream
4. Generalizes the `request` function (and its dependent) to accept an
object implementing `Read + Write` instead of just `TCPStream`
5. Redirects all `redirect_uri` that contain `https` to the https server

Signed-off-by: Silvano Cortesi <[email protected]>

Cargo.toml

@@ -39,6 +39,8 @@ url = "2"
 urlencoding = "2"
 wait-timeout = "0.2"
 whoami = "1.5"
+rustls = { version = "0.23.12", features = ["ring", "std"], default-features = false }
+rcgen = { version = "0.13.1", features = ["crypto", "ring"], default-features = false }
 
 [target.'cfg(target_os="openbsd")'.dependencies]
 pledge = "0.4"

src/config.l

@@ -20,6 +20,7 @@ client_id "CLIENT_ID"
 client_secret "CLIENT_SECRET"
 error_notify_cmd "ERROR_NOTIFY_CMD"
 http_listen "HTTP_LISTEN"
+https_listen "HTTPS_LISTEN"
 login_hint "LOGIN_HINT"
 transient_error_if_cmd "TRANSIENT_ERROR_IF_CMD"
 refresh_retry "REFRESH_RETRY"

src/config.rs

@@ -26,6 +26,7 @@ const REFRESH_RETRY_DEFAULT: Duration = Duration::from_secs(40);
 const AUTH_NOTIFY_INTERVAL_DEFAULT: u64 = 15 * 60;
 /// What is the default bind() address for the HTTP server?
 const HTTP_LISTEN_DEFAULT: &str = "127.0.0.1:0";
+const HTTPS_LISTEN_DEFAULT: &str = "127.0.0.1:0";
 
 #[derive(Debug)]
 pub struct Config {
@@ -34,6 +35,7 @@ pub struct Config {
     pub auth_notify_interval: Duration,
     pub error_notify_cmd: Option<String>,
     pub http_listen: String,
+    pub https_listen: String,
     pub transient_error_if_cmd: Option<String>,
     refresh_at_least: Option<Duration>,
     refresh_before_expiry: Option<Duration>,
@@ -69,6 +71,7 @@ impl Config {
         let mut auth_notify_interval = None;
         let mut error_notify_cmd = None;
         let mut http_listen = None;
+        let mut https_listen = None;
         let mut transient_error_if_cmd = None;
         let mut refresh_at_least = None;
         let mut refresh_before_expiry = None;
@@ -130,6 +133,14 @@ impl Config {
                                 http_listen,
                             )?)
                         }
+                        config_ast::TopLevel::HttpsListen(span) => {
+                            https_listen = Some(check_not_assigned_str(
+                                &lexer,
+                                "https_listen",
+                                span,
+                                https_listen,
+                            )?)
+                        }
                         config_ast::TopLevel::TransientErrorIfCmd(span) => {
                             transient_error_if_cmd = Some(check_not_assigned_str(
                                 &lexer,
@@ -188,6 +199,7 @@ impl Config {
                 .unwrap_or_else(|| Duration::from_secs(AUTH_NOTIFY_INTERVAL_DEFAULT)),
             error_notify_cmd,
             http_listen: http_listen.unwrap_or_else(|| HTTP_LISTEN_DEFAULT.to_owned()),
+            https_listen: https_listen.unwrap_or_else(|| HTTPS_LISTEN_DEFAULT.to_owned()),
             transient_error_if_cmd,
             refresh_at_least,
             refresh_before_expiry,
@@ -482,10 +494,15 @@ impl Account {
             && self.token_uri == act_dump.token_uri
     }
 
-    pub fn redirect_uri(&self, http_port: u16) -> Result<Url, Box<dyn Error>> {
+    pub fn redirect_uri(&self, http_port: u16, https_port: u16) -> Result<Url, Box<dyn Error>> {
         let mut url = Url::parse(&self.redirect_uri)?;
-        url.set_port(Some(http_port))
-            .map_err(|_| "Cannot set port")?;
+        if self.redirect_uri.to_lowercase().starts_with("https") {
+            url.set_port(Some(https_port))
+                .map_err(|_| "Cannot set https port")?;
+        } else {
+            url.set_port(Some(http_port))
+                .map_err(|_| "Cannot set http port")?;
+        }
         Ok(url)
     }
 
@@ -786,6 +803,33 @@ mod test {
         invalid_uri("token_uri");
     }
 
+    #[test]
+    fn valid_https_config() {
+        let c = Config::from_str(
+            r#"
+            https_listen = "127.0.0.1:56789";
+            account "x" {
+                // Mandatory fields
+                auth_uri = "http://a.com";
+                auth_uri_fields = {"l": "m", "n": "o", "l": "p"};
+                client_id = "b";
+                scopes = ["c", "d"];
+                token_uri = "http://f.com";
+                // Optional fields
+                redirect_uri = "https://e.com";
+            }
+        "#,
+        )
+        .unwrap();
+        assert_eq!(c.https_listen, "127.0.0.1:56789".to_owned());
+        let act = &c.accounts["x"];
+        assert_eq!(act.redirect_uri, "https://e.com");
+        let uri = act.redirect_uri(0, 56789).unwrap();
+        assert_eq!(uri.scheme(), "https");
+        assert_eq!(uri.port(), Some(56789));
+        assert_eq!(uri.host_str(), Some("e.com"));
+    }
+
     #[test]
     fn mandatory_account_fields() {
         let fields = &[

src/config.y

@@ -17,6 +17,7 @@ TopLevel -> Result<TopLevel, ()>:
   | "AUTH_NOTIFY_INTERVAL" "=" "TIME" ";" { Ok(TopLevel::AuthNotifyInterval(map_err($3)?)) }
   | "ERROR_NOTIFY_CMD" "=" "STRING" ";" { Ok(TopLevel::ErrorNotifyCmd(map_err($3)?)) }
   | "HTTP_LISTEN" "=" "STRING" ";" { Ok(TopLevel::HttpListen(map_err($3)?)) }
+  | "HTTPS_LISTEN" "=" "STRING" ";" { Ok(TopLevel::HttpsListen(map_err($3)?)) }
   | "TRANSIENT_ERROR_IF_CMD" "=" "STRING" ";" { Ok(TopLevel::TransientErrorIfCmd(map_err($3)?)) }
   | "REFRESH_AT_LEAST" "=" "TIME" ";" { Ok(TopLevel::RefreshAtLeast(map_err($3)?)) }
   | "REFRESH_BEFORE_EXPIRY" "=" "TIME" ";" { Ok(TopLevel::RefreshBeforeExpiry(map_err($3)?)) }

src/config_ast.rs

@@ -7,6 +7,7 @@ pub enum TopLevel {
     AuthNotifyInterval(Span),
     ErrorNotifyCmd(Span),
     HttpListen(Span),
+    HttpsListen(Span),
     TransientErrorIfCmd(Span),
     RefreshAtLeast(Span),
     RefreshBeforeExpiry(Span),