kinetic_common/

tls.rs

//! Shared TLS configuration logic for sources and sinks.

use kinetic_doc_derive::FieldDoc;
use serde::{Deserialize, Serialize};
use snafu::Snafu;
use std::path::PathBuf;

#[derive(Debug, Snafu)]
pub enum Error {
    #[snafu(display("Failed to read TLS certificate file: {}", path.display()))]
    ReadCert {
        path: PathBuf,
        source: std::io::Error,
    },
    #[snafu(display("TLS configuration is not yet fully implemented, but was enabled."))]
    Unimplemented,
}

type Result<T, E = Error> = std::result::Result<T, E>;

/// Standard TLS configuration options available to any component that
/// opens network connections or binds to a port.
#[derive(Clone, Debug, Deserialize, Serialize, Default, FieldDoc)]
pub struct TlsConfig {
    /// Whether TLS is enabled.
    #[serde(default)]
    #[doc_field(default = "false")]
    pub enabled: bool,

    /// Path to a PEM-encoded CA certificate file to use for verifying peers.
    #[doc_field(example = "/etc/ssl/certs/ca-bundle.crt")]
    pub ca_file: Option<PathBuf>,

    /// Path to a PEM-encoded certificate file for mutual TLS.
    #[doc_field(example = "/etc/kinetic/tls/client.crt")]
    pub crt_file: Option<PathBuf>,

    /// Path to a PEM-encoded private key file for mutual TLS.
    #[doc_field(secret, example = "/etc/kinetic/tls/client.key")]
    pub key_file: Option<PathBuf>,

    /// Whether to skip certificate verification. Insecure — use only for testing.
    #[serde(default)]
    #[doc_field(default = "false")]
    pub insecure_skip_verify: bool,
}

impl TlsConfig {
    /// Loads the actual certificate data from disk if TLS is enabled.
    ///
    /// # Returns
    /// Currently returns `Ok(())`. In the future, this will build a
    /// `rustls::ClientConfig` or `rustls::ServerConfig`.
    pub fn build(&self) -> Result<()> {
        if self.insecure_skip_verify || self.enabled {
            return Err(Error::Unimplemented);
        }

        Ok(())
    }
}