add ssl support

format code

remove expects and unwrap

meilisearch-http/Cargo.toml

@@ -22,7 +22,7 @@ actix-files = "0.2.1"
 actix-http = "1"
 actix-rt = "1"
 actix-service = "1.0.5"
-actix-web = "2"
+actix-web = { version = "2.0.0", features = ["rustls"] }
 actix-web-macros = "0.1.0"
 bytes = "0.5.4"
 chrono = { version = "0.4.11", features = ["serde"] }
@@ -41,6 +41,7 @@ mime = "0.3.16"
 pretty-bytes = "0.2.2"
 rand = "0.7.3"
 regex = "1.3.6"
+rustls = "0.16.0"
 serde = { version = "1.0.105", features = ["derive"] }
 serde_json = { version = "1.0.50", features = ["preserve_order"] }
 serde_qs = "0.5.2"

meilisearch-http/src/main.rs

@@ -7,6 +7,7 @@ use meilisearch_http::data::Data;
 use meilisearch_http::helpers::NormalizePath;
 use meilisearch_http::option::Opt;
 use meilisearch_http::{create_app, index_update_callback};
+
 use structopt::StructOpt;
 
 mod analytics;
@@ -21,11 +22,11 @@ async fn main() -> Result<(), MainError> {
 
     #[cfg(all(not(debug_assertions), feature = "sentry"))]
     let _sentry = sentry::init((
-            "https://5ddfa22b95f241198be2271aaf028653@sentry.io/3060337",
-            sentry::ClientOptions {
-                release: sentry::release_name!(),
-                ..Default::default()
-            },
+        "https://5ddfa22b95f241198be2271aaf028653@sentry.io/3060337",
+        sentry::ClientOptions {
+            release: sentry::release_name!(),
+            ..Default::default()
+        },
     ));
 
     match opt.env.as_ref() {
@@ -62,7 +63,7 @@ async fn main() -> Result<(), MainError> {
 
     print_launch_resume(&opt, &data);
 
-    HttpServer::new(move || {
+    let http_server = HttpServer::new(move || {
         create_app(&data)
             .wrap(
                 Cors::new()
@@ -73,10 +74,16 @@ async fn main() -> Result<(), MainError> {
             .wrap(middleware::Logger::default())
             .wrap(middleware::Compress::default())
             .wrap(NormalizePath)
-    })
-    .bind(opt.http_addr)?
-    .run()
-    .await?;
+    });
+
+    if let Some(config) = opt.get_ssl_config()? {
+        http_server
+            .bind_rustls(opt.http_addr, config)?
+            .run()
+            .await?;
+    } else {
+        http_server.bind(opt.http_addr)?.run().await?;
+    }
 
     Ok(())
 }

meilisearch-http/src/option.rs

@@ -1,3 +1,13 @@
+use std::io::{BufReader, Read};
+use std::path::PathBuf;
+use std::sync::Arc;
+use std::{error, fs};
+
+use rustls::internal::pemfile::{certs, pkcs8_private_keys, rsa_private_keys};
+use rustls::{
+    AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, NoClientAuth,
+    RootCertStore,
+};
 use structopt::StructOpt;
 
 const POSSIBLE_ENV: [&str; 2] = ["development", "production"];
@@ -38,4 +48,125 @@ pub struct Opt {
     /// The maximum size, in bytes, of accepted JSON payloads
     #[structopt(long, env = "MEILI_HTTP_PAYLOAD_SIZE_LIMIT", default_value = "10485760")] // 10MB
     pub http_payload_size_limit: usize,
+
+    /// Read server certificates from CERTFILE.
+    /// This should contain PEM-format certificates
+    /// in the right order (the first certificate should
+    /// certify KEYFILE, the last should be a root CA).
+    #[structopt(long, env = "MEILI_SSL_CERT_PATH", parse(from_os_str))]
+    pub ssl_cert_path: Option<PathBuf>,
+
+    /// Read private key from KEYFILE.  This should be a RSA
+    /// private key or PKCS8-encoded private key, in PEM format.
+    #[structopt(long, env = "MEILI_SSL_KEY_PATH", parse(from_os_str))]
+    pub ssl_key_path: Option<PathBuf>,
+
+    /// Enable client authentication, and accept certificates
+    /// signed by those roots provided in CERTFILE.
+    #[structopt(long, env = "MEILI_SSL_AUTH_PATH", parse(from_os_str))]
+    pub ssl_auth_path: Option<PathBuf>,
+
+    /// Read DER-encoded OCSP response from OCSPFILE and staple to certificate.
+    /// Optional
+    #[structopt(long, env = "MEILI_SSL_OCSP_PATH", parse(from_os_str))]
+    pub ssl_ocsp_path: Option<PathBuf>,
+
+    /// Send a fatal alert if the client does not complete client authentication.
+    #[structopt(long, env = "MEILI_SSL_REQUIRE_AUTH")]
+    pub ssl_require_auth: bool,
+
+    /// SSL support session resumption
+    #[structopt(long, env = "MEILI_SSL_RESUMPTION")]
+    pub ssl_resumption: bool,
+
+    /// SSL support tickets.
+    #[structopt(long, env = "MEILI_SSL_TICKETS")]
+    pub ssl_tickets: bool,
+}
+
+impl Opt {
+    pub fn get_ssl_config(&self) -> Result<Option<rustls::ServerConfig>, Box<dyn error::Error>> {
+        if let (Some(cert_path), Some(key_path)) = (&self.ssl_cert_path, &self.ssl_key_path) {
+            let client_auth = match &self.ssl_auth_path {
+                Some(auth_path) => {
+                    let roots = load_certs(auth_path.to_path_buf())?;
+                    let mut client_auth_roots = RootCertStore::empty();
+                    for root in roots {
+                        client_auth_roots.add(&root).unwrap();
+                    }
+                    if self.ssl_require_auth {
+                        AllowAnyAuthenticatedClient::new(client_auth_roots)
+                    } else {
+                        AllowAnyAnonymousOrAuthenticatedClient::new(client_auth_roots)
+                    }
+                }
+                None => NoClientAuth::new(),
+            };
+
+            let mut config = rustls::ServerConfig::new(client_auth);
+            config.key_log = Arc::new(rustls::KeyLogFile::new());
+
+            let certs = load_certs(cert_path.to_path_buf())?;
+            let privkey = load_private_key(key_path.to_path_buf())?;
+            let ocsp = load_ocsp(&self.ssl_ocsp_path)?;
+            config
+                .set_single_cert_with_ocsp_and_sct(certs, privkey, ocsp, vec![])
+                .map_err(|_| "bad certificates/private key")?;
+
+            if self.ssl_resumption {
+                config.set_persistence(rustls::ServerSessionMemoryCache::new(256));
+            }
+
+            if self.ssl_tickets {
+                config.ticketer = rustls::Ticketer::new();
+            }
+
+            Ok(Some(config))
+        } else {
+            Ok(None)
+        }
+    }
+}
+
+fn load_certs(filename: PathBuf) -> Result<Vec<rustls::Certificate>, Box<dyn error::Error>> {
+    let certfile = fs::File::open(filename).map_err(|_| "cannot open certificate file")?;
+    let mut reader = BufReader::new(certfile);
+    Ok(certs(&mut reader).map_err(|_| "cannot read certificate file")?)
+}
+
+fn load_private_key(filename: PathBuf) -> Result<rustls::PrivateKey, Box<dyn error::Error>> {
+    let rsa_keys = {
+        let keyfile =
+            fs::File::open(filename.clone()).map_err(|_| "cannot open private key file")?;
+        let mut reader = BufReader::new(keyfile);
+        rsa_private_keys(&mut reader).map_err(|_| "file contains invalid rsa private key")?
+    };
+
+    let pkcs8_keys = {
+        let keyfile = fs::File::open(filename).map_err(|_| "cannot open private key file")?;
+        let mut reader = BufReader::new(keyfile);
+        pkcs8_private_keys(&mut reader)
+            .map_err(|_| "file contains invalid pkcs8 private key (encrypted keys not supported)")?
+    };
+
+    // prefer to load pkcs8 keys
+    if !pkcs8_keys.is_empty() {
+        Ok(pkcs8_keys[0].clone())
+    } else {
+        assert!(!rsa_keys.is_empty());
+        Ok(rsa_keys[0].clone())
+    }
+}
+
+fn load_ocsp(filename: &Option<PathBuf>) -> Result<Vec<u8>, Box<dyn error::Error>> {
+    let mut ret = Vec::new();
+
+    if let &Some(ref name) = filename {
+        fs::File::open(name)
+            .map_err(|_| "cannot open ocsp file")?
+            .read_to_end(&mut ret)
+            .map_err(|_| "cannot read oscp file")?;
+    }
+
+    Ok(ret)
 }

meilisearch-http/tests/common.rs

@@ -31,6 +31,8 @@ impl Server {
             main_map_size: default_db_options.main_map_size,
             update_map_size: default_db_options.update_map_size,
             http_payload_size_limit: 10000000,
+            ssl_key_path: None,
+            ssl_cert_path:None,
         };
 
         let data = Data::new(opt.clone());