author | Stuart Stock <stuart@int08h.com> | 2018-10-27 13:22:53 -0500 |
---|---|---|
committer | Stuart Stock <stuart@int08h.com> | 2018-10-27 13:22:53 -0500 |
commit | f84d4d7907e49294a04e3cf8ca14fe0e15382c0d (patch) | |
tree | 19c6a6d031872f94d75dc6ac05bf988dda0aeaa9 /src/config | |
parent | 388976db0419127384055810ba54f0610d1069b9 (diff) | |
download | roughenough-f84d4d7907e49294a04e3cf8ca14fe0e15382c0d.zip |
Additional documentation; rustfmt pass; extract stress test loop
Diffstat (limited to 'src/config')
-rw-r--r-- | src/config/environment.rs | 20 | ||||
-rw-r--r-- | src/config/file.rs | 23 | ||||
-rw-r--r-- | src/config/memory.rs | 12 | ||||
-rw-r--r-- | src/config/mod.rs | 22 |
4 files changed, 41 insertions, 36 deletions
diff --git a/src/config/environment.rs b/src/config/environment.rs index 797f422..fa96185 100644 --- a/src/config/environment.rs +++ b/src/config/environment.rs @@ -19,7 +19,7 @@ use std::time::Duration; use config::ServerConfig; use config::{DEFAULT_BATCH_SIZE, DEFAULT_STATUS_INTERVAL}; -use key::KeyProtection; +use key::KmsProtection; use Error; /// @@ -33,7 +33,7 @@ use Error; /// seed | `ROUGHENOUGH_SEED` /// batch_size | `ROUGHENOUGH_BATCH_SIZE` /// status_interval | `ROUGHENOUGH_STATUS_INTERVAL` -/// key_protection | `ROUGHENOUGH_KEY_PROTECTION` +/// kms_protection | `ROUGHENOUGH_KMS_PROTECTION` /// health_check_port | `ROUGHENOUGH_HEALTH_CHECK_PORT` /// pub struct EnvironmentConfig { @@ -42,7 +42,7 @@ pub struct EnvironmentConfig { seed: Vec<u8>, batch_size: u8, status_interval: Duration, - key_protection: KeyProtection, + kms_protection: KmsProtection, health_check_port: Option<u16>, } @@ -51,7 +51,7 @@ const ROUGHENOUGH_INTERFACE: &str = "ROUGHENOUGH_INTERFACE"; const ROUGHENOUGH_SEED: &str = "ROUGHENOUGH_SEED"; const ROUGHENOUGH_BATCH_SIZE: &str = "ROUGHENOUGH_BATCH_SIZE"; const ROUGHENOUGH_STATUS_INTERVAL: &str = "ROUGHENOUGH_STATUS_INTERVAL"; -const ROUGHENOUGH_KEY_PROTECTION: &str = "ROUGHENOUGH_KEY_PROTECTION"; +const ROUGHENOUGH_KMS_PROTECTION: &str = "ROUGHENOUGH_KMS_PROTECTION"; const ROUGHENOUGH_HEALTH_CHECK_PORT: &str = "ROUGHENOUGH_HEALTH_CHECK_PORT"; impl EnvironmentConfig { @@ -62,7 +62,7 @@ impl EnvironmentConfig { seed: Vec::new(), batch_size: DEFAULT_BATCH_SIZE, status_interval: DEFAULT_STATUS_INTERVAL, - key_protection: KeyProtection::Plaintext, + kms_protection: KmsProtection::Plaintext, health_check_port: None, }; 
@@ -95,10 +95,10 @@ impl EnvironmentConfig { cfg.status_interval = Duration::from_secs(u64::from(val)); }; - if let Ok(key_protection) = env::var(ROUGHENOUGH_KEY_PROTECTION) { - cfg.key_protection = key_protection + if let Ok(kms_protection) = env::var(ROUGHENOUGH_KMS_PROTECTION) { + cfg.kms_protection = kms_protection .parse() - .unwrap_or_else(|_| panic!("invalid key_protection value: {}", key_protection)); + .unwrap_or_else(|_| panic!("invalid kms_protection value: {}", kms_protection)); } if let Ok(health_check_port) = env::var(ROUGHENOUGH_HEALTH_CHECK_PORT) { @@ -134,8 +134,8 @@ impl ServerConfig for EnvironmentConfig { self.status_interval } - fn key_protection(&self) -> &KeyProtection { - &self.key_protection + fn kms_protection(&self) -> &KmsProtection { + &self.kms_protection } fn health_check_port(&self) -> Option<u16> { diff --git a/src/config/file.rs b/src/config/file.rs index b70392d..d3ec64a 100644 --- a/src/config/file.rs +++ b/src/config/file.rs @@ -21,7 +21,7 @@ use yaml_rust::YamlLoader; use config::ServerConfig; use config::{DEFAULT_BATCH_SIZE, DEFAULT_STATUS_INTERVAL}; -use key::KeyProtection; +use key::KmsProtection; use Error; /// @@ -42,7 +42,7 @@ pub struct FileConfig { seed: Vec<u8>, batch_size: u8, status_interval: Duration, - key_protection: KeyProtection, + kms_protection: KmsProtection, health_check_port: Option<u16>, } @@ -69,7 +69,7 @@ impl FileConfig { seed: Vec::new(), batch_size: DEFAULT_BATCH_SIZE, status_interval: DEFAULT_STATUS_INTERVAL, - key_protection: KeyProtection::Plaintext, + kms_protection: KmsProtection::Plaintext, health_check_port: None, }; 
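Review bot: The block that reads `ROUGHENOUGH_KMS_PROTECTION` ignores the old `ROUGHENOUGH_KEY_PROTECTION` name, so a deployment that still exports the old variable silently keeps the `KmsProtection::Plaintext` default set earlier in this constructor. Judging by `is_valid_config` in mod.rs, an encrypted seed would then be rejected with the plaintext-length message, which fails closed but points the operator at the wrong cause. A guard ahead of this block would make the rename explicit: `if env::var("ROUGHENOUGH_KEY_PROTECTION").is_ok() { panic!("ROUGHENOUGH_KEY_PROTECTION was renamed to ROUGHENOUGH_KMS_PROTECTION"); }`. The same question applies to the `"key_protection"` YAML key in file.rs, where the handling of unmatched keys lies outside the visible hunk; the enclosing function here also starts and ends outside this hunk.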
@@ -87,13 +87,12 @@ impl FileConfig { let val = value.as_i64().expect("status_interval value invalid"); config.status_interval = Duration::from_secs(val as u64) } - "key_protection" => { - let val = value - .as_str() - .unwrap() - .parse() - .unwrap_or_else(|_| panic!("invalid key_protection value: {:?}", value)); - config.key_protection = val + "kms_protection" => { + let val = + value.as_str().unwrap().parse().unwrap_or_else(|_| { + panic!("invalid kms_protection value: {:?}", value) + }); + config.kms_protection = val } "health_check_port" => { let val = value.as_i64().unwrap() as u16; @@ -133,8 +132,8 @@ impl ServerConfig for FileConfig { self.status_interval } - fn key_protection(&self) -> &KeyProtection { - &self.key_protection + fn kms_protection(&self) -> &KmsProtection { + &self.kms_protection } fn health_check_port(&self) -> Option<u16> { diff --git a/src/config/memory.rs b/src/config/memory.rs index 47480d6..e3aae7e 100644 --- a/src/config/memory.rs +++ b/src/config/memory.rs @@ -14,7 +14,7 @@ use config::ServerConfig; use config::{DEFAULT_BATCH_SIZE, DEFAULT_STATUS_INTERVAL}; -use key::KeyProtection; +use key::KmsProtection; use std::time::Duration; use hex; @@ -28,7 +28,7 @@ pub struct MemoryConfig { pub seed: Vec<u8>, pub batch_size: u8, pub status_interval: Duration, - pub key_protection: KeyProtection, + pub kms_protection: KmsProtection, pub health_check_port: Option<u16>, } @@ -41,8 +41,8 @@ impl MemoryConfig { .unwrap(), batch_size: DEFAULT_BATCH_SIZE, status_interval: DEFAULT_STATUS_INTERVAL, - key_protection: KeyProtection::Plaintext, - health_check_port: None + kms_protection: KmsProtection::Plaintext, + health_check_port: None, } } } @@ -68,8 +68,8 @@ impl ServerConfig for MemoryConfig { self.status_interval } - fn key_protection(&self) -> &KeyProtection { - &self.key_protection + fn kms_protection(&self) -> &KmsProtection { + &self.kms_protection } fn health_check_port(&self) -> Option<u16> { 
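Review bot: In the `"kms_protection"` arm, `value.as_str().unwrap()` aborts with a bare `Option::unwrap` panic when the YAML value is not a string scalar, so the operator is not told which key was wrong; the neighbouring `status_interval` arm already uses `expect("status_interval value invalid")`. Matching that style with `value.as_str().expect("kms_protection value must be a string")` keeps the failure attributable to the config key. The `health_check_port` arm directly below casts with `value.as_i64().unwrap() as u16`, which truncates silently (a constructed example: 65616 becomes 80), so a range check before the cast would stop a typo from opening the responder on an unintended port. The surrounding `match` starts and ends outside this hunk.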
diff --git a/src/config/mod.rs b/src/config/mod.rs index b0ff9b4..b73892f 100644 --- a/src/config/mod.rs +++ b/src/config/mod.rs @@ -37,7 +37,7 @@ pub use self::environment::EnvironmentConfig; mod memory; pub use self::memory::MemoryConfig; -use key::KeyProtection; +use key::KmsProtection; use Error; /// Maximum number of requests to process in one batch and include the the Merkle tree. 
@@ -56,17 +56,19 @@ pub const DEFAULT_STATUS_INTERVAL: Duration = Duration::from_secs(600); /// --- | --- | --- | --- /// `interface` | `ROUGHENOUGH_INTERFACE` | Required | IP address or interface name for listening to client requests /// `port` | `ROUGHENOUGH_PORT` | Required | UDP port to listen for requests -/// `seed` | `ROUGHENOUGH_SEED` | Required | A 32-byte hexadecimal value used to generate the server's long-term key pair. **This is a secret value and must be un-guessable**, treat it with care. -/// `batch_size` | `ROUGHENOUGH_BATCH_SIZE` | Optional | The maximum number of requests to process in one batch. All nonces in a batch are used to build a Merkle tree, the root of which is signed. Defaults to [DEFAULT_BATCH_SIZE](constant.DEFAULT_BATCH_SIZE.html) requests per batch. -/// `status_interval` | `ROUGHENOUGH_STATUS_INTERVAL` | Optional | Number of _seconds_ between each logged status update. Default value is [DEFAULT_STATUS_INTERVAL](constant.DEFAULT_STATUS_INTERVAL.html). -/// `key_protection` | `ROUGHENOUGH_KEY_PROTECTION` | Optional | Encryption method (if any) applied to the `seed`. Defaults to "`plaintext`" (no encryption, `seed` is in the clear). -/// `health_check_port` | `ROUGHENOUGH_HEALTH_CHECK_PORT` | Optional | If present, the TCP port to respond to Google-style HTTP "legacy health check". +/// `seed` | `ROUGHENOUGH_SEED` | Required | A 32-byte hexadecimal value used to generate the server's long-term key pair. **This is a secret value and must be un-guessable**, treat it with care. (If compiled with KMS support, length will vary) +/// `batch_size` | `ROUGHENOUGH_BATCH_SIZE` | Optional | The maximum number of requests to process in one batch. All nonces in a batch are used to build a Merkle tree, the root of which is signed. Default is `64` requests per batch. +/// `status_interval` | `ROUGHENOUGH_STATUS_INTERVAL` | Optional | Number of _seconds_ between each logged status update. Default is `600` seconds (10 minutes). 
+/// `health_check_port` | `ROUGHENOUGH_HEALTH_CHECK_PORT` | Optional | If present, enable an HTTP health check responder on the provided port. **Use with caution**. +/// `kms_protection` | `ROUGHENOUGH_KMS_PROTECTION` | Optional | If compiled with KMS support, the ID of the KMS key used to protect the long-term identity. /// /// Implementations of this trait obtain a valid configuration from different back-end /// sources. See: /// * [FileConfig](struct.FileConfig.html) - configure via a YAML file /// * [EnvironmentConfig](struct.EnvironmentConfig.html) - configure via environment vars /// +/// The health check and KMS features require +/// pub trait ServerConfig { /// [Required] IP address or interface name to listen for client requests fn interface(&self) -> &str; @@ -90,7 +92,7 @@ pub trait ServerConfig { /// [Optional] Method used to protect the seed for the server's long-term key pair. /// Defaults to "`plaintext`" (no encryption, seed is in the clear). - fn key_protection(&self) -> &KeyProtection; + fn kms_protection(&self) -> &KmsProtection; /// [Optional] If present, the TCP port to respond to Google-style HTTP "legacy health check". /// This is a *very* simplistic check, it emits a fixed HTTP response to all TCP connections. @@ -145,10 +147,14 @@ pub fn is_valid_config(cfg: &Box<ServerConfig>) -> bool { error!("seed value is missing"); is_valid = false; } - if *cfg.key_protection() == KeyProtection::Plaintext && cfg.seed().len() != 32 { + if *cfg.kms_protection() == KmsProtection::Plaintext && cfg.seed().len() != 32 { error!("plaintext seed value must be 32 characters long"); is_valid = false; } + if *cfg.kms_protection() != KmsProtection::Plaintext && cfg.seed().len() <= 32 { + error!("KMS use enabled but seed value is too short to be an encrypted blob"); + is_valid = false; + } if cfg.batch_size() < 1 || cfg.batch_size() > 64 { error!( "batch_size {} is invalid; valid range 1-64", |
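Review bot: The trait-level doc comment added at the end of this hunk stops mid-sentence: `/// The health check and KMS features require` has no object, so the rendered documentation never says what those features need. Complete the sentence with the actual build or runtime prerequisite, or drop the line. The `health_check_port` row now says **Use with caution** without giving the reason; the method doc further down (a fixed HTTP response to every TCP connection) is the reason and is worth repeating in the table. The defaults are also now written as literal `64` and `600` instead of pointing at `DEFAULT_BATCH_SIZE` and `DEFAULT_STATUS_INTERVAL`, so the table can drift if those constants change.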
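Review bot: The two seed-length checks in `is_valid_config` both hard-code `32`, and the added KMS check `cfg.seed().len() <= 32` is only a lower bound: any longer seed passes validation when `kms_protection` is not `Plaintext`, so a malformed blob is presumably caught only later, at decryption. A named constant such as `const PLAINTEXT_SEED_LEN: usize = 32;` used in both comparisons would keep the conditions in step and document what the number means. The context-line message `"plaintext seed value must be 32 characters long"` also looks inaccurate, because the config structs store `seed: Vec<u8>`, so `len()` appears to count decoded bytes rather than hex characters. `is_valid_config` starts and ends outside this hunk.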