Mirrors/chatmail-core
1
0
Fork 0
mirror of https://github.com/chatmail/core.git synced 2026-05-03 05:16:28 +03:00
Code Issues Packages Projects Releases Wiki Activity

feat: replace reqwest with hyper

Browse Source 
This change replaces
usage of `reqwest` and `hyper-util`
with custom connection establishment code
so it is done in the same way
as for IMAP and SMTP connections.
This way we control HTTP, IMAP and SMTP
connection establishment
and schedule connection attempts
to resolved IP addresses
in the same way for all 3 protocols.
This commit is contained in:
link2xt
2024-08-27 23:41:16 +00:00
parent 54cfc21e28
commit c7c3b9ca90
9 changed files with 251 additions and 339 deletions
Download Patch File Download Diff File Expand all files Collapse all files

115
Cargo.lock generated
View File

@@ -378,12 +378,6 @@ dependencies = [
"tokio", "tokio",
] ]
[[package]]
name = "atomic-waker"
version = "1.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
[[package]] [[package]]
name = "attohttpc" name = "attohttpc"
version = "0.24.1" version = "0.24.1"
@@ -415,7 +409,7 @@ dependencies = [
"http 1.1.0", "http 1.1.0",
"http-body 1.0.0", "http-body 1.0.0",
"http-body-util", "http-body-util",
"hyper 1.2.0", "hyper 1.4.1",
"hyper-util", "hyper-util",
"itoa", "itoa",
"matchit", "matchit",
@@ -1267,6 +1261,7 @@ dependencies = [
"async_zip", "async_zip",
"base64 0.22.1", "base64 0.22.1",
"brotli", "brotli",
"bytes",
"chrono", "chrono",
"criterion", "criterion",
"deltachat-contact-tools", "deltachat-contact-tools",
@@ -1282,7 +1277,10 @@ dependencies = [
"futures-lite 2.3.0", "futures-lite 2.3.0",
"hex", "hex",
"hickory-resolver", "hickory-resolver",
"http-body-util",
"humansize", "humansize",
"hyper 1.4.1",
"hyper-util",
"image", "image",
"iroh-gossip", "iroh-gossip",
"iroh-net", "iroh-net",
@@ -1307,12 +1305,12 @@ dependencies = [
"rand 0.8.5", "rand 0.8.5",
"ratelimit", "ratelimit",
"regex", "regex",
"reqwest",
"rusqlite", "rusqlite",
"rust-hsluv", "rust-hsluv",
"sanitize-filename", "sanitize-filename",
"serde", "serde",
"serde_json", "serde_json",
"serde_urlencoded",
"sha-1", "sha-1",
"smallvec", "smallvec",
"strum", "strum",
@@ -2412,25 +2410,6 @@ dependencies = [
"tracing", "tracing",
] ]
[[package]]
name = "h2"
version = "0.4.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fa82e28a107a8cc405f0839610bdc9b15f1e25ec7d696aa5cf173edbcb1486ab"
dependencies = [
"atomic-waker",
"bytes",
"fnv",
"futures-core",
"futures-sink",
"http 1.1.0",
"indexmap",
"slab",
"tokio",
"tokio-util",
"tracing",
]
[[package]] [[package]]
name = "half" name = "half"
version = "2.4.0" version = "2.4.0"
@@ -2627,9 +2606,9 @@ dependencies = [
[[package]] [[package]]
name = "http-body-util" name = "http-body-util"
version = "0.1.0" version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "41cb79eb393015dadd30fc252023adb0b2400a0caee0fa2a077e6e21a551e840" checksum = "793429d76616a256bcb62c2a2ec2bed781c8307e797e2598c50010f2bee2544f"
dependencies = [ dependencies = [
"bytes", "bytes",
"futures-util", "futures-util",
@@ -2689,7 +2668,7 @@ dependencies = [
"futures-channel", "futures-channel",
"futures-core", "futures-core",
"futures-util", "futures-util",
"h2 0.3.26", "h2",
"http 0.2.12", "http 0.2.12",
"http-body 0.4.6", "http-body 0.4.6",
"httparse", "httparse",
@@ -2705,14 +2684,13 @@ dependencies = [
[[package]] [[package]]
name = "hyper" name = "hyper"
version = "1.2.0" version = "1.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "186548d73ac615b32a73aafe38fb4f56c0d340e110e5a200bcadbaf2e199263a" checksum = "50dfd22e0e76d0f662d429a5f80fcaf3855009297eab6a0a9f8543834744ba05"
dependencies = [ dependencies = [
"bytes", "bytes",
"futures-channel", "futures-channel",
"futures-util", "futures-util",
"h2 0.4.5",
"http 1.1.0", "http 1.1.0",
"http-body 1.0.0", "http-body 1.0.0",
"httparse", "httparse",
@@ -2732,7 +2710,7 @@ checksum = "5ee4be2c948921a1a5320b629c4193916ed787a7f7f293fd3f7f5a6c9de74155"
dependencies = [ dependencies = [
"futures-util", "futures-util",
"http 1.1.0", "http 1.1.0",
"hyper 1.2.0", "hyper 1.4.1",
"hyper-util", "hyper-util",
"rustls 0.23.10", "rustls 0.23.10",
"rustls-pki-types", "rustls-pki-types",
@@ -2742,34 +2720,18 @@ dependencies = [
"webpki-roots 0.26.1", "webpki-roots 0.26.1",
] ]
[[package]]
name = "hyper-tls"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0"
dependencies = [
"bytes",
"http-body-util",
"hyper 1.2.0",
"hyper-util",
"native-tls",
"tokio",
"tokio-native-tls",
"tower-service",
]
[[package]] [[package]]
name = "hyper-util" name = "hyper-util"
version = "0.1.3" version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ca38ef113da30126bbff9cd1705f9273e15d45498615d138b0c20279ac7a76aa" checksum = "cde7055719c54e36e95e8719f95883f22072a48ede39db7fc17a4e1d5281e9b9"
dependencies = [ dependencies = [
"bytes", "bytes",
"futures-channel", "futures-channel",
"futures-util", "futures-util",
"http 1.1.0", "http 1.1.0",
"http-body 1.0.0", "http-body 1.0.0",
"hyper 1.2.0", "hyper 1.4.1",
"pin-project-lite", "pin-project-lite",
"socket2", "socket2",
"tokio", "tokio",
@@ -3015,7 +2977,7 @@ dependencies = [
"anyhow", "anyhow",
"erased_set", "erased_set",
"http-body-util", "http-body-util",
"hyper 1.2.0", "hyper 1.4.1",
"hyper-util", "hyper-util",
"once_cell", "once_cell",
"prometheus-client", "prometheus-client",
@@ -3052,7 +3014,7 @@ dependencies = [
"hostname", "hostname",
"http 1.1.0", "http 1.1.0",
"http-body-util", "http-body-util",
"hyper 1.2.0", "hyper 1.4.1",
"hyper-util", "hyper-util",
"igd-next", "igd-next",
"iroh-base", "iroh-base",
@@ -3480,7 +3442,7 @@ dependencies = [
"netlink-packet-route", "netlink-packet-route",
"netlink-sys", "netlink-sys",
"once_cell", "once_cell",
"system-configuration 0.6.0", "system-configuration",
"windows-sys 0.52.0", "windows-sys 0.52.0",
] ]
@@ -4789,22 +4751,18 @@ checksum = "c7d6d2a27d57148378eb5e111173f4276ad26340ecc5c49a4a2152167a2d6a37"
dependencies = [ dependencies = [
"base64 0.22.1", "base64 0.22.1",
"bytes", "bytes",
"encoding_rs",
"futures-core", "futures-core",
"futures-util", "futures-util",
"h2 0.4.5",
"http 1.1.0", "http 1.1.0",
"http-body 1.0.0", "http-body 1.0.0",
"http-body-util", "http-body-util",
"hyper 1.2.0", "hyper 1.4.1",
"hyper-rustls", "hyper-rustls",
"hyper-tls",
"hyper-util", "hyper-util",
"ipnet", "ipnet",
"js-sys", "js-sys",
"log", "log",
"mime", "mime",
"native-tls",
"once_cell", "once_cell",
"percent-encoding", "percent-encoding",
"pin-project-lite", "pin-project-lite",
@@ -4816,9 +4774,7 @@ dependencies = [
"serde_json", "serde_json",
"serde_urlencoded", "serde_urlencoded",
"sync_wrapper 1.0.0", "sync_wrapper 1.0.0",
"system-configuration 0.5.1",
"tokio", "tokio",
"tokio-native-tls",
"tokio-rustls 0.26.0", "tokio-rustls 0.26.0",
"tower-service", "tower-service",
"url", "url",
@@ -5710,17 +5666,6 @@ dependencies = [
"winapi", "winapi",
] ]
[[package]]
name = "system-configuration"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ba3a3adc5c275d719af8cb4272ea1c4a6d668a777f37e115f6d11ddbc1c8e0e7"
dependencies = [
"bitflags 1.3.2",
"core-foundation",
"system-configuration-sys 0.5.0",
]
[[package]] [[package]]
name = "system-configuration" name = "system-configuration"
version = "0.6.0" version = "0.6.0"
@@ -5729,17 +5674,7 @@ checksum = "658bc6ee10a9b4fcf576e9b0819d95ec16f4d2c02d39fd83ac1c8789785c4a42"
dependencies = [ dependencies = [
"bitflags 2.6.0", "bitflags 2.6.0",
"core-foundation", "core-foundation",
"system-configuration-sys 0.6.0", "system-configuration-sys",
]
[[package]]
name = "system-configuration-sys"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a75fb188eb626b924683e3b95e3a48e63551fcfb51949de2f06a9d91dbee93c9"
dependencies = [
"core-foundation-sys",
"libc",
] ]
[[package]] [[package]]
@@ -5938,16 +5873,6 @@ dependencies = [
"syn 2.0.72", "syn 2.0.72",
] ]
[[package]]
name = "tokio-native-tls"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
dependencies = [
"native-tls",
"tokio",
]
[[package]] [[package]]
name = "tokio-rustls" name = "tokio-rustls"
version = "0.24.1" version = "0.24.1"

9
Cargo.toml
View File

@@ -47,6 +47,7 @@ async-smtp = { version = "0.9", default-features = false, features = ["runtime-t
async_zip = { version = "0.0.12", default-features = false, features = ["deflate", "fs"] } async_zip = { version = "0.0.12", default-features = false, features = ["deflate", "fs"] }
base64 = { workspace = true } base64 = { workspace = true }
brotli = { version = "6", default-features=false, features = ["std"] } brotli = { version = "6", default-features=false, features = ["std"] }
bytes = "1"
chrono = { workspace = true, features = ["alloc", "clock", "std"] } chrono = { workspace = true, features = ["alloc", "clock", "std"] }
email = { git = "https://github.com/deltachat/rust-email", branch = "master" } email = { git = "https://github.com/deltachat/rust-email", branch = "master" }
encoded-words = { git = "https://github.com/async-email/encoded-words", branch = "master" } encoded-words = { git = "https://github.com/async-email/encoded-words", branch = "master" }
@@ -57,7 +58,10 @@ futures = { workspace = true }
futures-lite = { workspace = true } futures-lite = { workspace = true }
hex = "0.4.0" hex = "0.4.0"
hickory-resolver = "0.24" hickory-resolver = "0.24"
http-body-util = "0.1.2"
humansize = "2" humansize = "2"
hyper = "1"
hyper-util = "0.1.7"
image = { version = "0.25.1", default-features=false, features = ["gif", "jpeg", "ico", "png", "pnm", "webp", "bmp"] } image = { version = "0.25.1", default-features=false, features = ["gif", "jpeg", "ico", "png", "pnm", "webp", "bmp"] }
iroh-net = { version = "0.23.0", default-features = false } iroh-net = { version = "0.23.0", default-features = false }
iroh-gossip = { version = "0.23.0", default-features = false, features = ["net"] } iroh-gossip = { version = "0.23.0", default-features = false, features = ["net"] }
@@ -78,11 +82,11 @@ quick-xml = "0.36"
quoted_printable = "0.5" quoted_printable = "0.5"
rand = { workspace = true } rand = { workspace = true }
regex = { workspace = true } regex = { workspace = true }
reqwest = { version = "0.12.5", features = ["json"] }
rusqlite = { workspace = true, features = ["sqlcipher"] } rusqlite = { workspace = true, features = ["sqlcipher"] }
rust-hsluv = "0.1" rust-hsluv = "0.1"
sanitize-filename = { workspace = true } sanitize-filename = { workspace = true }
serde_json = { workspace = true } serde_json = { workspace = true }
serde_urlencoded = "0.7.1"
serde = { workspace = true, features = ["derive"] } serde = { workspace = true, features = ["derive"] }
sha-1 = "0.10" sha-1 = "0.10"
smallvec = "1.13.2" smallvec = "1.13.2"
@@ -193,8 +197,7 @@ default = ["vendored"]
internals = [] internals = []
vendored = [ vendored = [
"async-native-tls/vendored", "async-native-tls/vendored",
"rusqlite/bundled-sqlcipher-vendored-openssl", "rusqlite/bundled-sqlcipher-vendored-openssl"
"reqwest/native-tls-vendored"
] ]
[lints.rust] [lints.rust]

2
deny.toml
View File

@@ -60,8 +60,6 @@ skip = [
{ name = "sync_wrapper", version = "0.1.2" }, { name = "sync_wrapper", version = "0.1.2" },
{ name = "synstructure", version = "0.12.6" }, { name = "synstructure", version = "0.12.6" },
{ name = "syn", version = "1.0.109" }, { name = "syn", version = "1.0.109" },
{ name = "system-configuration-sys", version = "0.5.0" },
{ name = "system-configuration", version = "0.5.1" },
{ name = "time", version = "<0.3" }, { name = "time", version = "<0.3" },
{ name = "tokio-rustls", version = "0.24.1" }, { name = "tokio-rustls", version = "0.24.1" },
{ name = "toml_edit", version = "0.21.1" }, { name = "toml_edit", version = "0.21.1" },

7
src/net.rs
View File

@@ -29,13 +29,6 @@ use tls::wrap_tls;
/// This constant should be more than the largest expected RTT. /// This constant should be more than the largest expected RTT.
pub(crate) const TIMEOUT: Duration = Duration::from_secs(60); pub(crate) const TIMEOUT: Duration = Duration::from_secs(60);
/// Transaction timeout, e.g. for a GET or POST request
/// together with all connection attempts.
///
/// This is the worst case time user has to wait on a very slow network
/// after clicking a button and before getting an error message.
pub(crate) const TRANSACTION_TIMEOUT: Duration = Duration::from_secs(300);
/// TTL for caches in seconds. /// TTL for caches in seconds.
pub(crate) const CACHE_TTL: u64 = 30 * 24 * 60 * 60; pub(crate) const CACHE_TTL: u64 = 30 * 24 * 60 * 60;

307
src/net/http.rs
View File

@@ -1,22 +1,17 @@
//! # HTTP module. //! # HTTP module.
use std::sync::Arc; use anyhow::{anyhow, bail, Context as _, Result};
use bytes::Bytes;
use anyhow::{anyhow, Result}; use http_body_util::BodyExt;
use hyper_util::rt::TokioIo;
use mime::Mime; use mime::Mime;
use once_cell::sync::Lazy; use serde::Serialize;
use crate::context::Context; use crate::context::Context;
use crate::net::lookup_host_with_cache; use crate::net::session::SessionStream;
use crate::net::tls::wrap_tls;
use crate::socks::Socks5Config; use crate::socks::Socks5Config;
static LETSENCRYPT_ROOT: Lazy<reqwest::tls::Certificate> = Lazy::new(|| {
reqwest::tls::Certificate::from_der(include_bytes!(
"../../assets/root-certificates/letsencrypt/isrgrootx1.der"
))
.unwrap()
});
/// HTTP(S) GET response. /// HTTP(S) GET response.
#[derive(Debug)] #[derive(Debug)]
pub struct Response { pub struct Response {
@@ -32,48 +27,95 @@ pub struct Response {
/// Retrieves the text contents of URL using HTTP GET request. /// Retrieves the text contents of URL using HTTP GET request.
pub async fn read_url(context: &Context, url: &str) -> Result<String> { pub async fn read_url(context: &Context, url: &str) -> Result<String> {
Ok(read_url_inner(context, url).await?.text().await?) let response = read_url_blob(context, url).await?;
let text = String::from_utf8_lossy(&response.blob);
Ok(text.to_string())
}
async fn get_http_sender<B>(
context: &Context,
parsed_url: hyper::Uri,
) -> Result<hyper::client::conn::http1::SendRequest<B>>
where
B: hyper::body::Body + 'static + Send,
B::Data: Send,
B::Error: Into<Box<dyn std::error::Error + Send + Sync>>,
{
let scheme = parsed_url.scheme_str().context("URL has no scheme")?;
let host = parsed_url.host().context("URL has no host")?;
let socks5_config_opt = Socks5Config::from_database(&context.sql).await?;
let stream: Box<dyn SessionStream> = match scheme {
"http" => {
let port = parsed_url.port_u16().unwrap_or(80);
// It is safe to use cached IP addresses
// for HTTPS URLs, but for HTTP URLs
// better resolve from scratch each time to prevent
// cache poisoning attacks from having lasting effects.
let load_cache = false;
if let Some(socks5_config) = socks5_config_opt {
let socks5_stream = socks5_config
.connect(context, host, port, load_cache)
.await?;
Box::new(socks5_stream)
} else {
let tcp_stream = crate::net::connect_tcp(context, host, port, load_cache).await?;
Box::new(tcp_stream)
}
}
"https" => {
let port = parsed_url.port_u16().unwrap_or(443);
let load_cache = true;
let strict_tls = true;
if let Some(socks5_config) = socks5_config_opt {
let socks5_stream = socks5_config
.connect(context, host, port, load_cache)
.await?;
let tls_stream = wrap_tls(strict_tls, host, &[], socks5_stream).await?;
Box::new(tls_stream)
} else {
let tcp_stream = crate::net::connect_tcp(context, host, port, load_cache).await?;
let tls_stream = wrap_tls(strict_tls, host, &[], tcp_stream).await?;
Box::new(tls_stream)
}
}
_ => bail!("Unknown URL scheme"),
};
let io = TokioIo::new(stream);
let (sender, conn) = hyper::client::conn::http1::handshake(io).await?;
tokio::task::spawn(conn);
Ok(sender)
} }
/// Retrieves the binary contents of URL using HTTP GET request. /// Retrieves the binary contents of URL using HTTP GET request.
pub async fn read_url_blob(context: &Context, url: &str) -> Result<Response> { pub async fn read_url_blob(context: &Context, url: &str) -> Result<Response> {
let response = read_url_inner(context, url).await?;
let content_type = response
.headers()
.get(reqwest::header::CONTENT_TYPE)
.and_then(|value| value.to_str().ok())
.and_then(|value| value.parse::<Mime>().ok());
let mimetype = content_type
.as_ref()
.map(|mime| mime.essence_str().to_string());
let encoding = content_type.as_ref().and_then(|mime| {
mime.get_param(mime::CHARSET)
.map(|charset| charset.as_str().to_string())
});
let blob: Vec<u8> = response.bytes().await?.into();
Ok(Response {
blob,
mimetype,
encoding,
})
}
async fn read_url_inner(context: &Context, url: &str) -> Result<reqwest::Response> {
// It is safe to use cached IP addresses
// for HTTPS URLs, but for HTTP URLs
// better resolve from scratch each time to prevent
// cache poisoning attacks from having lasting effects.
let load_cache = url.starts_with("https://");
let client = get_client(context, load_cache).await?;
let mut url = url.to_string(); let mut url = url.to_string();
// Follow up to 10 http-redirects // Follow up to 10 http-redirects
for _i in 0..10 { for _i in 0..10 {
let response = client.get(&url).send().await?; let parsed_url = url
.parse::<hyper::Uri>()
.with_context(|| format!("Failed to parse URL {url:?}"))?;
let mut sender = get_http_sender(context, parsed_url.clone()).await?;
let authority = parsed_url
.authority()
.context("URL has no authority")?
.clone();
let req = hyper::Request::builder()
.uri(parsed_url.path())
.header(hyper::header::HOST, authority.as_str())
.body(http_body_util::Empty::<Bytes>::new())?;
let response = sender.send_request(req).await?;
if response.status().is_redirection() { if response.status().is_redirection() {
let headers = response.headers(); let header = response
let header = headers .headers()
.get_all("location") .get_all("location")
.iter() .iter()
.last() .last()
@@ -84,88 +126,119 @@ async fn read_url_inner(context: &Context, url: &str) -> Result<reqwest::Respons
continue; continue;
} }
return Ok(response); let content_type = response
.headers()
.get("content-type")
.and_then(|value| value.to_str().ok())
.and_then(|value| value.parse::<Mime>().ok());
let mimetype = content_type
.as_ref()
.map(|mime| mime.essence_str().to_string());
let encoding = content_type.as_ref().and_then(|mime| {
mime.get_param(mime::CHARSET)
.map(|charset| charset.as_str().to_string())
});
let body = response.collect().await?.to_bytes();
let blob: Vec<u8> = body.to_vec();
return Ok(Response {
blob,
mimetype,
encoding,
});
} }
Err(anyhow!("Followed 10 redirections")) Err(anyhow!("Followed 10 redirections"))
} }
struct CustomResolver { /// Sends an empty POST request to the URL.
context: Context, ///
/// Returns response text and whether request was successful or not.
/// Whether to return cached results or not. ///
/// If resolver can be used for URLs /// Does not follow redirects.
/// without TLS, e.g. HTTP URLs from HTML email, pub(crate) async fn post_empty(context: &Context, url: &str) -> Result<(String, bool)> {
/// this must be false. If TLS is used let parsed_url = url
/// and certificate hostnames are checked, .parse::<hyper::Uri>()
/// it is safe to load cache. .with_context(|| format!("Failed to parse URL {url:?}"))?;
load_cache: bool, let scheme = parsed_url.scheme_str().context("URL has no scheme")?;
} if scheme != "https" {
bail!("POST requests to non-HTTPS URLs are not allowed");
impl CustomResolver {
fn new(context: Context, load_cache: bool) -> Self {
Self {
context,
load_cache,
}
} }
let mut sender = get_http_sender(context, parsed_url.clone()).await?;
let authority = parsed_url
.authority()
.context("URL has no authority")?
.clone();
let req = hyper::Request::post(parsed_url.path())
.header(hyper::header::HOST, authority.as_str())
.body(http_body_util::Empty::<Bytes>::new())?;
let response = sender.send_request(req).await?;
let response_status = response.status();
let body = response.collect().await?.to_bytes();
let text = String::from_utf8_lossy(&body);
let response_text = text.to_string();
Ok((response_text, response_status.is_success()))
} }
impl reqwest::dns::Resolve for CustomResolver { /// Posts string to the given URL.
fn resolve(&self, hostname: reqwest::dns::Name) -> reqwest::dns::Resolving { ///
let context = self.context.clone(); /// Returns true if successful HTTP response code was returned.
let load_cache = self.load_cache; ///
Box::pin(async move { /// Does not follow redirects.
let port = 443; // Actual port does not matter. #[allow(dead_code)]
pub(crate) async fn post_string(context: &Context, url: &str, body: String) -> Result<bool> {
let socket_addrs = let parsed_url = url
lookup_host_with_cache(&context, hostname.as_str(), port, "", load_cache).await; .parse::<hyper::Uri>()
match socket_addrs { .with_context(|| format!("Failed to parse URL {url:?}"))?;
Ok(socket_addrs) => { let scheme = parsed_url.scheme_str().context("URL has no scheme")?;
let addrs: reqwest::dns::Addrs = Box::new(socket_addrs.into_iter()); if scheme != "https" {
bail!("POST requests to non-HTTPS URLs are not allowed");
Ok(addrs)
}
Err(err) => Err(err.into()),
}
})
} }
let mut sender = get_http_sender(context, parsed_url.clone()).await?;
let authority = parsed_url
.authority()
.context("URL has no authority")?
.clone();
let request = hyper::Request::post(parsed_url.path())
.header(hyper::header::HOST, authority.as_str())
.body(body)?;
let response = sender.send_request(request).await?;
Ok(response.status().is_success())
} }
pub(crate) async fn get_client(context: &Context, load_cache: bool) -> Result<reqwest::Client> { /// Sends a POST request with x-www-form-urlencoded data.
let socks5_config = Socks5Config::from_database(&context.sql).await?; ///
let resolver = Arc::new(CustomResolver::new(context.clone(), load_cache)); /// Does not follow redirects.
pub(crate) async fn post_form<T: Serialize + ?Sized>(
context: &Context,
url: &str,
form: &T,
) -> Result<Bytes> {
let parsed_url = url
.parse::<hyper::Uri>()
.with_context(|| format!("Failed to parse URL {url:?}"))?;
let scheme = parsed_url.scheme_str().context("URL has no scheme")?;
if scheme != "https" {
bail!("POST requests to non-HTTPS URLs are not allowed");
}
// `reqwest` uses `hyper-util` crate internally which implements let encoded_body = serde_urlencoded::to_string(form).context("Failed to encode data")?;
// [Happy Eyeballs](https://datatracker.ietf.org/doc/html/rfc6555) algorithm. let mut sender = get_http_sender(context, parsed_url.clone()).await?;
// On a dual-stack host it starts IPv4 connection attempts in parallel let authority = parsed_url
// to IPv6 connection attempts after 300 ms. .authority()
// In the worst case of all connection attempts .context("URL has no authority")?
// timing out this allows to try four IPv6 and four IPv4 .clone();
// addresses before request expires let request = hyper::Request::post(parsed_url.path())
// if request timeout is set to 5 minutes .header(hyper::header::HOST, authority.as_str())
// and connection timeout is set to 1 minute. .header("content-type", "application/x-www-form-urlencoded")
// .body(encoded_body)?;
// We do not set write timeout because `reqwest` let response = sender.send_request(request).await?;
// does not support it, but request timeout let bytes = response.collect().await?.to_bytes();
// should prevent deadlocks if the server Ok(bytes)
// does not read the data.
let builder = reqwest::ClientBuilder::new()
.connect_timeout(super::TIMEOUT)
.read_timeout(super::TIMEOUT)
.timeout(super::TRANSACTION_TIMEOUT)
.add_root_certificate(LETSENCRYPT_ROOT.clone())
.dns_resolver(resolver);
let builder = if let Some(socks5_config) = socks5_config {
let proxy = reqwest::Proxy::all(socks5_config.to_url())?;
builder.proxy(proxy)
} else {
// Disable usage of "system" proxy configured via environment variables.
// It is enabled by default in `reqwest`, see
// <https://docs.rs/reqwest/0.11.14/reqwest/struct.ClientBuilder.html#method.no_proxy>
// for documentation.
builder.no_proxy()
};
Ok(builder.build()?)
} }

68
src/oauth2.rs
View File

@@ -2,12 +2,14 @@
use std::collections::HashMap; use std::collections::HashMap;
use anyhow::Result; use anyhow::{Context as _, Result};
use percent_encoding::{utf8_percent_encode, NON_ALPHANUMERIC}; use percent_encoding::{utf8_percent_encode, NON_ALPHANUMERIC};
use serde::Deserialize; use serde::Deserialize;
use crate::config::Config; use crate::config::Config;
use crate::context::Context; use crate::context::Context;
use crate::net::http::post_form;
use crate::net::read_url_blob;
use crate::provider; use crate::provider;
use crate::provider::Oauth2Authorizer; use crate::provider::Oauth2Authorizer;
use crate::tools::time; use crate::tools::time;
@@ -159,25 +161,19 @@ pub(crate) async fn get_oauth2_access_token(
// ... and POST // ... and POST
// All OAuth URLs are hardcoded HTTPS URLs, let response: Response = match post_form(context, post_url, &post_param).await {
// so it is safe to load DNS cache. Ok(resp) => match serde_json::from_slice(&resp) {
let load_cache = true;
let client = crate::net::http::get_client(context, load_cache).await?;
let response: Response = match client.post(post_url).form(&post_param).send().await {
Ok(resp) => match resp.json().await {
Ok(response) => response, Ok(response) => response,
Err(err) => { Err(err) => {
warn!( warn!(
context, context,
"Failed to parse OAuth2 JSON response from {}: error: {}", token_url, err "Failed to parse OAuth2 JSON response from {token_url}: {err:#}."
); );
return Ok(None); return Ok(None);
} }
}, },
Err(err) => { Err(err) => {
warn!(context, "Error calling OAuth2 at {}: {:?}", token_url, err); warn!(context, "Error calling OAuth2 at {token_url}: {err:#}.");
return Ok(None); return Ok(None);
} }
}; };
@@ -246,11 +242,20 @@ pub(crate) async fn get_oauth2_addr(
} }
if let Some(access_token) = get_oauth2_access_token(context, addr, code, false).await? { if let Some(access_token) = get_oauth2_access_token(context, addr, code, false).await? {
let addr_out = oauth2.get_addr(context, &access_token).await; let addr_out = match oauth2.get_addr(context, &access_token).await {
Ok(addr) => addr,
Err(err) => {
warn!(context, "Error getting addr: {err:#}.");
None
}
};
if addr_out.is_none() { if addr_out.is_none() {
// regenerate // regenerate
if let Some(access_token) = get_oauth2_access_token(context, addr, code, true).await? { if let Some(access_token) = get_oauth2_access_token(context, addr, code, true).await? {
Ok(oauth2.get_addr(context, &access_token).await) Ok(oauth2
.get_addr(context, &access_token)
.await
.unwrap_or_default())
} else { } else {
Ok(None) Ok(None)
} }
@@ -282,7 +287,7 @@ impl Oauth2 {
None None
} }
async fn get_addr(&self, context: &Context, access_token: &str) -> Option<String> { async fn get_addr(&self, context: &Context, access_token: &str) -> Result<Option<String>> {
let userinfo_url = self.get_userinfo.unwrap_or(""); let userinfo_url = self.get_userinfo.unwrap_or("");
let userinfo_url = replace_in_uri(userinfo_url, "$ACCESS_TOKEN", access_token); let userinfo_url = replace_in_uri(userinfo_url, "$ACCESS_TOKEN", access_token);
@@ -294,44 +299,21 @@ impl Oauth2 {
// "picture": "https://lh4.googleusercontent.com/-Gj5jh_9R0BY/AAAAAAAAAAI/AAAAAAAAAAA/IAjtjfjtjNA/photo.jpg" // "picture": "https://lh4.googleusercontent.com/-Gj5jh_9R0BY/AAAAAAAAAAI/AAAAAAAAAAA/IAjtjfjtjNA/photo.jpg"
// } // }
// All OAuth URLs are hardcoded HTTPS URLs, let response = read_url_blob(context, &userinfo_url).await?;
// so it is safe to load DNS cache. let parsed: HashMap<String, serde_json::Value> =
let load_cache = true; serde_json::from_slice(&response.blob).context("Error getting userinfo")?;
let client = match crate::net::http::get_client(context, load_cache).await {
Ok(cl) => cl,
Err(err) => {
warn!(context, "failed to get HTTP client: {}", err);
return None;
}
};
let response = match client.get(userinfo_url).send().await {
Ok(response) => response,
Err(err) => {
warn!(context, "failed to get userinfo: {}", err);
return None;
}
};
let response: Result<HashMap<String, serde_json::Value>, _> = response.json().await;
let parsed = match response {
Ok(parsed) => parsed,
Err(err) => {
warn!(context, "Error getting userinfo: {}", err);
return None;
}
};
// CAVE: serde_json::Value.as_str() removes the quotes of json-strings // CAVE: serde_json::Value.as_str() removes the quotes of json-strings
// but serde_json::Value.to_string() does not! // but serde_json::Value.to_string() does not!
if let Some(addr) = parsed.get("email") { if let Some(addr) = parsed.get("email") {
if let Some(s) = addr.as_str() { if let Some(s) = addr.as_str() {
Some(s.to_string()) Ok(Some(s.to_string()))
} else { } else {
warn!(context, "E-mail in userinfo is not a string: {}", addr); warn!(context, "E-mail in userinfo is not a string: {}", addr);
None Ok(None)
} }
} else { } else {
warn!(context, "E-mail missing in userinfo."); warn!(context, "E-mail missing in userinfo.");
None Ok(None)
} }
} }
} }

17
src/push.rs
View File

@@ -61,16 +61,13 @@ impl PushSubscriber {
return Ok(()); return Ok(());
}; };
let load_cache = true; if http::post_string(
let response = http::get_client(context, load_cache) context,
.await? "https://notifications.delta.chat/register",
.post("https://notifications.delta.chat/register") format!("{{\"token\":\"{token}\"}}"),
.body(format!("{{\"token\":\"{token}\"}}")) )
.send() .await?
.await?; {
let response_status = response.status();
if response_status.is_success() {
state.heartbeat_subscribed = true; state.heartbeat_subscribed = true;
} }
Ok(()) Ok(())

18
src/qr.rs
View File

@@ -19,6 +19,7 @@ use crate::context::Context;
use crate::events::EventType; use crate::events::EventType;
use crate::key::Fingerprint; use crate::key::Fingerprint;
use crate::message::Message; use crate::message::Message;
use crate::net::http::post_empty;
use crate::peerstate::Peerstate; use crate::peerstate::Peerstate;
use crate::token; use crate::token;
use crate::tools::validate_id; use crate::tools::validate_id;
@@ -612,21 +613,8 @@ async fn set_account_from_qr(context: &Context, qr: &str) -> Result<()> {
bail!("DCACCOUNT QR codes must use HTTPS scheme"); bail!("DCACCOUNT QR codes must use HTTPS scheme");
} }
// As only HTTPS is used, it is safe to load DNS cache. let (response_text, response_success) = post_empty(context, url_str).await?;
let load_cache = true; if response_success {
let response = crate::net::http::get_client(context, load_cache)
.await?
.post(url_str)
.send()
.await?;
let response_status = response.status();
let response_text = response
.text()
.await
.context("Cannot create account, request failed: empty response")?;
if response_status.is_success() {
let CreateAccountSuccessResponse { password, email } = serde_json::from_str(&response_text) let CreateAccountSuccessResponse { password, email } = serde_json::from_str(&response_text)
.with_context(|| { .with_context(|| {
format!("Cannot create account, response is malformed:\n{response_text:?}") format!("Cannot create account, response is malformed:\n{response_text:?}")

47
src/socks.rs
View File

@@ -8,7 +8,6 @@ use fast_socks5::client::{Config, Socks5Stream};
use fast_socks5::util::target_addr::ToTargetAddr; use fast_socks5::util::target_addr::ToTargetAddr;
use fast_socks5::AuthenticationMethod; use fast_socks5::AuthenticationMethod;
use fast_socks5::Socks5Command; use fast_socks5::Socks5Command;
use percent_encoding::{utf8_percent_encode, NON_ALPHANUMERIC};
use tokio::net::TcpStream; use tokio::net::TcpStream;
use tokio_io_timeout::TimeoutStream; use tokio_io_timeout::TimeoutStream;
@@ -54,20 +53,6 @@ impl Socks5Config {
} }
} }
/// Converts SOCKS5 configuration into URL.
pub fn to_url(&self) -> String {
// `socks5h` means that hostname is resolved into address by the proxy
// and DNS requests should not leak.
let mut url = "socks5h://".to_string();
if let Some((username, password)) = &self.user_password {
let username_urlencoded = utf8_percent_encode(username, NON_ALPHANUMERIC).to_string();
let password_urlencoded = utf8_percent_encode(password, NON_ALPHANUMERIC).to_string();
url += &format!("{username_urlencoded}:{password_urlencoded}@");
}
url += &format!("{}:{}", self.host, self.port);
url
}
/// If `load_dns_cache` is true, loads cached DNS resolution results. /// If `load_dns_cache` is true, loads cached DNS resolution results.
/// Use this only if the connection is going to be protected with TLS checks. /// Use this only if the connection is going to be protected with TLS checks.
pub async fn connect( pub async fn connect(
@@ -114,35 +99,3 @@ impl fmt::Display for Socks5Config {
) )
} }
} }
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_socks5h_url() {
let config = Socks5Config {
host: "127.0.0.1".to_string(),
port: 9050,
user_password: None,
};
assert_eq!(config.to_url(), "socks5h://127.0.0.1:9050");
let config = Socks5Config {
host: "example.org".to_string(),
port: 1080,
user_password: Some(("root".to_string(), "toor".to_string())),
};
assert_eq!(config.to_url(), "socks5h://root:toor@example.org:1080");
let config = Socks5Config {
host: "example.org".to_string(),
port: 1080,
user_password: Some(("root".to_string(), "foo/?\\@".to_string())),
};
assert_eq!(
config.to_url(),
"socks5h://root:foo%2F%3F%5C%40@example.org:1080"
);
}
}