Implement mTLS

test · test · commit 598cd86a7105 · 2025-04-17T13:40:11.000+03:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -4,7 +4,7 @@ version = "1.0.0"
 edition = "2024"
 
 [dependencies]
-actix-web = "4"
+actix-web = { version = "4", features = ["openssl"] }
 tokio = { version = "1", features = ["rt-multi-thread", "macros"] }
 reqwest = { version = "0.12.15", features = ["json"] }
 futures-util = "0.3.31"
@@ -16,6 +16,7 @@ futures = "0.3.31"
 async-stream = "0.3.6"
 sha2 = "0.11.0-pre.5"
 hex = "0.4.3"
+openssl = { version = "0.10", features = ["vendored"] }
 chrono = "0.4.40"
 jsonwebtoken = "9.3.1"
 log = "0.4.27"
diff --git a/README.md b/README.md
@@ -39,9 +39,30 @@ With its advanced real‑time update capabilities, DynaRust pushes live changes
     *   **Use Case Example:** Imagine a web UI needing push notifications. Store device IDs as keys in a `devices` table. Use a separate `status` key in the same table. The frontend listens to `devices/subscribe/status`. The backend iterates through device keys, performs actions, and updates the `status` key, instantly notifying all listening frontends. Simple and blazing fast! ⚡️
 
 *   **🔒 Security:**
-    Each record needs a Authorization header for PUT, DELETE operations, each record has an owner field. Metodology is: anyone can read, only the owner can write or delete
-    Each node requires a "secret" token (set by the `CLUSTER_SECRET` environment variable) to join a cluster.
+    Certainly! Here’s a more polished and highlighted version of the **Security** section, emphasizing clarity and best practices:
 
+---
+
+### 🔒 **Security**
+
+- **Access Control:**
+    - **Read:** Anyone can read records.
+    - **Write/Delete:** Only the record’s owner (as specified in the `owner` field) can modify or delete it.
+    - **Enforcement:** All `PUT` and `DELETE` operations require an `Authorization` header. The server verifies that the requester matches the record’s owner.
+
+- **Cluster Security:**
+    - Each node must present a **secret token** (set via the `CLUSTER_SECRET` environment variable) to join the cluster, ensuring only trusted nodes participate.
+
+- **Transport Security (HTTPS):**
+    - All communication is secured with HTTPS by default.
+    - **Easy Certificate Generation:**
+        - Run `bash cert.sh`, provide a password, and a `.p12` certificate will be generated under the `cert/` directory.
+    - **Testing Mode:**
+        - Set `DYNA_MODE=http` to disable HTTPS (for testing only; **not recommended for production**).
+
+---
+
+**_Security is enforced at every layer: from user access to node-to-node communication, ensuring your data remains private and protected._**
 *   **🌐 Distributed Storage:**
     Data is automatically partitioned and spread across all nodes in the cluster.
 
diff --git a/src/main.rs b/src/main.rs
@@ -2,6 +2,7 @@ mod storage;
 mod network;
 mod tokenizer;
 mod security;
+use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod, SslVerifyMode};
 
 use actix_web::{web, App, HttpServer};
 use once_cell::sync::OnceCell;
@@ -81,6 +82,17 @@ async fn main() -> std::io::Result<()> {
         Ok(_) => println!("Cold storage loaded"),
         Err(e) => eprintln!("Error loading cold storage: {}", e),
     }
+    let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap();
+    builder
+        .set_private_key_file("./cert/server.key", SslFiletype::PEM)
+        .unwrap();
+    builder
+        .set_certificate_chain_file("./cert/server.crt")
+        .unwrap();
+    builder
+        .set_ca_file("./cert/ca.crt")
+        .unwrap();
+    builder.set_verify(SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT);
 
     // (Optionally) Ensure the default table exists in memory.
     {
@@ -173,37 +185,82 @@ async fn main() -> std::io::Result<()> {
     tokio::spawn(membership_sync(cluster_clone, current_clone, 60));
     let subscription_manager = web::Data::new(SubscriptionManager::new());
 
-    println!("Starting distributed DB engine at http://{}", current_node);
 
-    // Build and run the HTTP server.
-    HttpServer::new(move || {
+    let use_https = match env::var("DYNA_MODE").unwrap_or_default().as_str() {
+        "http" => false,
+        _ => true
+    };
+    match use_https {
+        true => {
+            println!("Starting distributed DB engine at https://{}", current_node);
+
+            // Build and run the HTTP server.
+            HttpServer::new(move || {
+                App::new()
+                    .app_data(subscription_manager.clone())
+                    .app_data(state.clone())
+                    .app_data(cluster_data.clone())
+                    .app_data(web::Data::new(current_node.clone()))
+                    // Cluster management endpoints.
+                    .route("/join", web::post().to(join_cluster))
+                    .route("/membership", web::get().to(get_membership))
+                    .route("/update_membership", web::post().to(update_membership))
+                    .route("/heartbeat", web::get().to(heartbeat))
+                    // Key–value endpoints with multi‑table support.
+                    .route("/{table}/key/{key}", web::get().to(get_value))
+                    .route("/{table}/key/{key}", web::put().to(put_value))
+                    .route("/{table}/key/{key}", web::delete().to(delete_value))
+                    // Endpoint to fetch a table’s entire in‑memory store.
+                    .route("/{table}/store", web::get().to(get_table_store))
+                    // Global endpoint returning the entire in‑memory store.
+                    .route("/store", web::get().to(get_global_store))
+                    // Endpoints to get keys from a table.
+                    .route("/{table}/keys", web::get().to(get_all_keys))
+                    .route("/{table}/keys", web::post().to(get_multiple_keys))
+                    .route("/{table}/subscribe/{key}", web::get().to(
+                        storage::subscription::subscribe_to_key
+                    ))
+                    .route("/auth/{user}", web::post().to(security::authentication::access))
+            })
+                .bind_openssl(bind_addr.as_str(), builder)?
+                .run()
+                .await
+        }
+        false => {
+            println!("Starting distributed DB engine at http://{}", current_node);
+
+            // Build and run the HTTP server.
+        HttpServer::new(move || {
         App::new()
-            .app_data(subscription_manager.clone())
-            .app_data(state.clone())
-            .app_data(cluster_data.clone())
-            .app_data(web::Data::new(current_node.clone()))
-            // Cluster management endpoints.
-            .route("/join", web::post().to(join_cluster))
-            .route("/membership", web::get().to(get_membership))
-            .route("/update_membership", web::post().to(update_membership))
-            .route("/heartbeat", web::get().to(heartbeat))
-            // Key–value endpoints with multi‑table support.
-            .route("/{table}/key/{key}", web::get().to(get_value))
-            .route("/{table}/key/{key}", web::put().to(put_value))
-            .route("/{table}/key/{key}", web::delete().to(delete_value))
-            // Endpoint to fetch a table’s entire in‑memory store.
-            .route("/{table}/store", web::get().to(get_table_store))
-            // Global endpoint returning the entire in‑memory store.
-            .route("/store", web::get().to(get_global_store))
-            // Endpoints to get keys from a table.
-            .route("/{table}/keys", web::get().to(get_all_keys))
-            .route("/{table}/keys", web::post().to(get_multiple_keys))
-            .route("/{table}/subscribe/{key}", web::get().to(
-                storage::subscription::subscribe_to_key
-            ))
-            .route("/auth/{user}", web::post().to(security::authentication::access))
-    })
+        .app_data(subscription_manager.clone())
+        .app_data(state.clone())
+        .app_data(cluster_data.clone())
+        .app_data(web::Data::new(current_node.clone()))
+        // Cluster management endpoints.
+        .route("/join", web::post().to(join_cluster))
+        .route("/membership", web::get().to(get_membership))
+        .route("/update_membership", web::post().to(update_membership))
+        .route("/heartbeat", web::get().to(heartbeat))
+        // Key–value endpoints with multi‑table support.
+        .route("/{table}/key/{key}", web::get().to(get_value))
+        .route("/{table}/key/{key}", web::put().to(put_value))
+        .route("/{table}/key/{key}", web::delete().to(delete_value))
+        // Endpoint to fetch a table’s entire in‑memory store.
+        .route("/{table}/store", web::get().to(get_table_store))
+        // Global endpoint returning the entire in‑memory store.
+        .route("/store", web::get().to(get_global_store))
+        // Endpoints to get keys from a table.
+        .route("/{table}/keys", web::get().to(get_all_keys))
+        .route("/{table}/keys", web::post().to(get_multiple_keys))
+        .route("/{table}/subscribe/{key}", web::get().to(
+        storage::subscription::subscribe_to_key
+        ))
+        .route("/auth/{user}", web::post().to(security::authentication::access))
+        })
         .bind(bind_addr.as_str())?
         .run()
         .await
+        }
+    }
+
 }
