simplify setup

t-aleksander · t-aleksander · commit 4740f831053e · 2026-01-09T13:42:06.000+01:00
diff --git a/src/grpc.rs b/src/grpc.rs
@@ -4,7 +4,7 @@ use std::{
     net::SocketAddr,
     sync::{
         atomic::{AtomicBool, AtomicU64, Ordering},
-        Arc, LazyLock, Mutex,
+        Arc, Mutex,
     },
 };
 
@@ -25,25 +25,13 @@ use tracing::Instrument;
 use crate::{
     error::ApiError,
     http::GRPC_SERVER_RESTART_CHANNEL,
-    proto::{
-        core_request, core_response, proxy_server, proxy_setup_request, proxy_setup_response,
-        CertResponse, CoreRequest, CoreResponse, CsrRequest, DeviceInfo, Done, ProxySetupRequest,
-        ProxySetupResponse,
-    },
-    CommsChannel, MIN_CORE_VERSION, VERSION,
+    proto::{core_request, core_response, proxy_server, CoreRequest, CoreResponse, DeviceInfo},
+    MIN_CORE_VERSION, VERSION,
 };
 
 // connected clients
 type ClientMap = HashMap<SocketAddr, mpsc::UnboundedSender<Result<CoreRequest, Status>>>;
 
-static SETUP_CHANNEL: LazyLock<CommsChannel<Option<Configuration>>> = LazyLock::new(|| {
-    let (tx, rx) = mpsc::channel(10);
-    (
-        Arc::new(tokio::sync::Mutex::new(tx)),
-        Arc::new(tokio::sync::Mutex::new(rx)),
-    )
-});
-
 #[derive(Debug, Clone, Default)]
 pub(crate) struct Configuration {
     pub(crate) grpc_key_pem: String,
@@ -83,58 +71,6 @@ impl ProxyServer {
         Ok(())
     }
 
-    pub(crate) async fn await_setup(
-        &self,
-        addr: SocketAddr,
-    ) -> Result<Configuration, anyhow::Error> {
-        info!("gRPC waiting for setup connection from Core on {addr}");
-        let server_builder = Server::builder();
-        let mut server_config = None;
-
-        let own_version = Version::parse(VERSION)?;
-
-        server_builder
-            .layer(tonic::service::InterceptorLayer::new(
-                DefguardVersionInterceptor::new(
-                    own_version.clone(),
-                    DefguardComponent::Core,
-                    MIN_CORE_VERSION,
-                    false,
-                ),
-            ))
-            .layer(DefguardVersionLayer::new(own_version))
-            .add_service(proxy_server::ProxyServer::new(self.clone()))
-            .serve_with_shutdown(addr, async {
-                let config = SETUP_CHANNEL.1.lock().await.recv().await;
-                if let Some(cfg) = config {
-                    debug!("Received the passed Proxy configuration");
-                    server_config = cfg;
-                } else {
-                    error!("Setup communication channel closed unexpectedly");
-                }
-            })
-            .await
-            .map_err(|err| {
-                error!("gRPC server error during setup: {err}");
-                ApiError::Unexpected("gRPC server error during setup".into())
-            })?;
-
-        debug!("gRPC setup server on {addr} has shutdown after completing setup");
-
-        Ok(server_config.map_or_else(
-            || {
-                error!("No server configuration received after setup completion");
-                Err(ApiError::Unexpected(
-                    "No server configuration received after setup".into(),
-                ))
-            },
-            |cfg| {
-                debug!("Returning received server configuration");
-                Ok(cfg)
-            },
-        )?)
-    }
-
     pub(crate) fn configure(&self, config: Configuration) {
         let mut lock = self.config.lock().unwrap();
         *lock = Some(config);
@@ -241,231 +177,6 @@ impl Clone for ProxyServer {
 #[tonic::async_trait]
 impl proxy_server::Proxy for ProxyServer {
     type BidiStream = UnboundedReceiverStream<Result<CoreRequest, Status>>;
-    type SetupStream = UnboundedReceiverStream<Result<ProxySetupRequest, Status>>;
-
-    async fn setup(
-        &self,
-        request: Request<tonic::Streaming<ProxySetupResponse>>,
-    ) -> Result<Response<Self::SetupStream>, Status> {
-        if self.setup_in_progress.swap(true, Ordering::SeqCst) {
-            info!("Proxy setup already in progress, rejecting concurrent setup attempt");
-            return Err(Status::already_exists("Proxy setup is already in progress"));
-        }
-
-        info!("Starting proxy setup handshake");
-
-        let (tx, rx) = mpsc::unbounded_channel();
-        let tls_configured = self.setup_completed();
-        let current_configuration = self.get_configuration();
-        let setup_in_progress = Arc::clone(&self.setup_in_progress);
-
-        tokio::spawn(
-            async move {
-                let mut stream = request.into_inner();
-                let mut setup_successful = false;
-                let initial_info = match stream.message().await {
-                    Ok(Some(ProxySetupResponse {
-                        payload: Some(proxy_setup_response::Payload::InitialSetupInfo(info)),
-                    })) => {
-                        info!("Received initial setup information from Defguard Core");
-                        debug!("Initial setup info: {:?}", info);
-                        info
-                    }
-                    Ok(Some(ProxySetupResponse {
-                        payload: Some(proxy_setup_response::Payload::Done(Done {})),
-                    })) => {
-                        info!("Received setup termination message from Defguard Core, skipping setup phase");
-                        setup_in_progress.store(false, Ordering::SeqCst);
-                        return;
-                    }
-                    Ok(Some(msg)) => {
-                        error!("Unexpected payload type in initial Proxy setup message: {:?}", msg);
-                        let _ = tx.send(Err(Status::invalid_argument(
-                            "Unexpected payload type in initial Proxy setup message",
-                        )));
-                        setup_in_progress.store(false, Ordering::SeqCst);
-                        return;
-                    }
-                    Ok(None) => {
-                        error!("No initial Proxy setup message received from Defguard Core");
-                        let _ = tx.send(Err(Status::aborted(
-                            "No initial Proxy setup message received from Defguard Core",
-                        )));
-                        setup_in_progress.store(false, Ordering::SeqCst);
-                        return;
-                    }
-                    Err(err) => {
-                        error!("Error receiving initial Proxy setup message from Defguard Core: {err}");
-                        let _ = tx.send(Err(Status::internal(format!(
-                            "Error receiving initial message: {err}"
-                        ))));
-                        setup_in_progress.store(false, Ordering::SeqCst);
-                        return;
-                    }
-                };
-
-                if tls_configured {
-                    info!("Certificates already generated, skipping CSR generation");
-                    if let Err(err) = tx.send(Ok(ProxySetupRequest {
-                        payload: Some(proxy_setup_request::Payload::Done(Done {})),
-                    })) {
-                        error!("Failed to send Done message: {err}");
-                    }
-                    return;
-                }
-
-                info!("Generating new key pair and CSR for certificate issuance");
-                let key_pair = match defguard_certs::generate_key_pair() {
-                    Ok(kp) => kp,
-                    Err(err) => {
-                        error!("Failed to generate key pair: {err}");
-                        let _ = tx.send(Err(Status::internal(format!(
-                            "Failed to generate key pair: {err}"
-                        ))));
-                        setup_in_progress.store(false, Ordering::SeqCst);
-                        return;
-                    }
-                };
-
-                let subject_alt_names = vec![initial_info.cert_hostname];
-
-                let csr = match defguard_certs::Csr::new(
-                    &key_pair,
-                    &subject_alt_names,
-                    vec![
-                        // TODO: Change it?
-                        (defguard_certs::DnType::CommonName, "Defguard Proxy"),
-                        (defguard_certs::DnType::OrganizationName, "Defguard"),
-                    ],
-                ) {
-                    Ok(csr) => csr,
-                    Err(err) => {
-                        error!("Failed to generate CSR: {err}");
-                        let _ = tx.send(Err(Status::internal(format!(
-                            "Failed to generate CSR: {err}"
-                        ))));
-                        setup_in_progress.store(false, Ordering::SeqCst);
-                        return;
-                    }
-                };
-
-                let csr_der = csr.to_der();
-                let csr_request = CsrRequest {
-                    csr_der: csr_der.to_vec(),
-                };
-
-                if let Err(err) = tx.send(Ok(ProxySetupRequest {
-                    payload: Some(proxy_setup_request::Payload::CsrRequest(csr_request)),
-                })) {
-                    error!("Failed to send CsrRequest: {err}");
-                    setup_in_progress.store(false, Ordering::SeqCst);
-                    return;
-                }
-
-                debug!("Sent CSR request to Core");
-
-                let mut configuration = current_configuration;
-
-                loop {
-                    match stream.message().await {
-                        Ok(Some(response)) => match response.payload {
-                            Some(proxy_setup_response::Payload::CertResponse(CertResponse {
-                                cert_der,
-                            })) => {
-                                debug!("Received CertResponse from Defguard Core");
-                                let grpc_cert_pem = match defguard_certs::der_to_pem(
-                                    &cert_der,
-                                    defguard_certs::PemLabel::Certificate,
-                                ) {
-                                    Ok(pem) => pem,
-                                    Err(err) => {
-                                        error!("Failed to convert certificate DER to PEM: {err}");
-                                        let _ = tx.send(Err(Status::internal(format!(
-                                            "Failed to convert certificate DER to PEM: {err}"
-                                        ))));
-                                        setup_in_progress.store(false, Ordering::SeqCst);
-                                        return;
-                                    }
-                                };
-
-                                configuration = Some(Configuration {
-                                    grpc_key_pem: key_pair.serialize_pem(),
-                                    grpc_cert_pem,
-                                });
-
-                                if let Err(err) = tx.send(Ok(ProxySetupRequest {
-                                    payload: Some(proxy_setup_request::Payload::Done(Done {})),
-                                })) {
-                                    error!("Failed to send Done message: {err}");
-                                    // Can't send error since tx already failed
-                                    setup_in_progress.store(false, Ordering::SeqCst);
-                                    return;
-                                }
-
-                                debug!("Sent Done message to Defguard Core");
-                            }
-                            Some(proxy_setup_response::Payload::Done(Done {})) => {
-                                debug!("Received setup termination message from Defguard Core");
-                                let lock = SETUP_CHANNEL.0.lock().await;
-                                debug!("Passing Proxy configuration to the gRPC server");
-                                if let Some(configuration) = configuration.take() {
-                                    if let Err(err) = lock.send(Some(configuration)).await {
-                                        error!("Failed to pass the received Proxy configuration to the gRPC server: {err:?}");
-                                    } else {
-                                        debug!("Passed Proxy configuration to the gRPC server");
-                                        setup_successful = true;
-                                    }
-                                } else {
-                                    error!(
-                                        "No configuration available to pass to the gRPC server on setup completion"
-                                    );
-                                }
-
-                                info!("Setup handshake completed successfully");
-                                break;
-                            }
-                            _ => {
-                                error!(
-                                    "Unexpected payload type while waiting for setup message: {:?}",
-                                    response.payload
-                                );
-                                let _ = tx.send(Err(Status::invalid_argument(
-                                    "Unexpected payload type while waiting for setup message",
-                                )));
-                                setup_in_progress.store(false, Ordering::SeqCst);
-                                return;
-                            }
-                        },
-                        Ok(None) => {
-                            error!("gRPC setup stream has been closed unexpectedly");
-                            let _ = tx.send(Err(Status::aborted(
-                                "gRPC stream has been closed unexpectedly",
-                            )));
-                            setup_in_progress.store(false, Ordering::SeqCst);
-                            return;
-                        }
-                        Err(err) => {
-                            error!("gRPC setup client error while waiting for CertResponse: {err}");
-                            let _ =
-                                tx.send(Err(Status::internal(format!("gRPC client error: {err}"))));
-                            setup_in_progress.store(false, Ordering::SeqCst);
-                            return;
-                        }
-                    }
-                }
-
-                setup_in_progress.store(false, Ordering::SeqCst);
-                if setup_successful {
-                    info!("Proxy setup completed successfully");
-                } else {
-                    warn!("Proxy setup did not complete successfully");
-                }
-            }
-            .instrument(tracing::Span::current()),
-        );
-
-        Ok(Response::new(UnboundedReceiverStream::new(rx)))
-    }
 
     /// Handle bidirectional communication with Defguard core.
     #[instrument(name = "bidirectional_communication", level = "info", skip(self))]
diff --git a/src/http.rs b/src/http.rs
@@ -39,6 +39,7 @@ use crate::{
     error::ApiError,
     grpc::{Configuration, ProxyServer},
     handlers::{desktop_client_mfa, enrollment, password_reset, polling},
+    setup::ProxySetupServer,
     CommsChannel, VERSION,
 };
 
@@ -192,7 +193,10 @@ pub async fn run_server(config: Config) -> anyhow::Result<()> {
 
     let server_clone = grpc_server.clone();
 
+    let setup_server = ProxySetupServer::new();
+
     // Start gRPC server.
+    // TODO: Wait with spawning the HTTP server until gRPC server is ready.
     debug!("Spawning gRPC server");
     tasks.spawn(async move {
         let cert_dir = Path::new(&config.cert_dir);
@@ -212,7 +216,7 @@ pub async fn run_server(config: Config) -> anyhow::Result<()> {
             } else if !server_clone.setup_completed() {
                 // Only attempt setup if not already configured
                 info!("No gRPC TLS certificates found at {cert_dir:?}, new certificates will be generated");
-                let configuration = server_clone
+                let configuration = setup_server
                     .await_setup(SocketAddr::new(
                         config
                             .grpc_bind_address
@@ -351,6 +355,7 @@ pub async fn run_server(config: Config) -> anyhow::Result<()> {
         .context("Error running HTTP server")
     });
 
+    // TODO: Possibly switch to using select! macro
     info!("Defguard Proxy HTTP server initialization complete");
     while let Some(Ok(result)) = tasks.join_next().await {
         result?;
diff --git a/src/lib.rs b/src/lib.rs
@@ -11,6 +11,7 @@ mod grpc;
 mod handlers;
 pub mod http;
 pub mod logging;
+mod setup;
 
 pub(crate) mod proto {
     tonic::include_proto!("defguard.proxy");
diff --git a/src/setup.rs b/src/setup.rs
