add policy module, other fixes

dfinity · Apr 25, 2024 · b36ff00 · b36ff00
1 parent b632e59
commit b36ff00
Show file tree

Hide file tree

Showing 12 changed files with 326 additions and 154 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -40,7 +40,6 @@ moka = { version = "0.12", features = ["sync", "future"] }
 once_cell = "1.19"
 prometheus = "0.13"
 rand = "0.8"
-regex = "1.10"
 # TODO switch back when Reqwest upgrades to Rustls 0.23
 # https://github.com/seanmonstar/reqwest/pull/2225
 #reqwest = { version = "0.12", features = ["rustls-tls"] }

diff --git a/src/cli.rs b/src/cli.rs
@@ -8,7 +8,6 @@ use clap::{Args, Parser};
 use fqdn::FQDN;
 use hickory_resolver::config::CLOUDFLARE_IPS;
 use humantime::parse_duration;
-use regex::Regex;
 use reqwest::Url;
 
 use crate::{
@@ -140,25 +139,21 @@ pub struct Cert {
 
 #[derive(Args)]
 pub struct Domain {
-    /// List of domains that we serve
-    #[clap(long = "domain")]
-    pub domains: Vec<FQDN>,
+    /// List of domains that we serve system subnets from
+    #[clap(long = "domain-system")]
+    pub domains_system: Vec<FQDN>,
 
-    /// List of canister aliases in format 'alias:<canister_id>'
+    /// List of domains that we serve app subnets from
+    #[clap(long = "domain-app")]
+    pub domains_app: Vec<FQDN>,
+
+    /// List of canister aliases in format '<alias>:<canister_id>'
     #[clap(long = "domain-alias")]
     pub canister_aliases: Vec<CanisterAlias>,
 }
 
 #[derive(Args)]
 pub struct Policy {
-    /// Regex to match domains that are allowed to serve system subnets
-    #[clap(long = "policy-domain-system")]
-    pub domains_system: Vec<Regex>,
-
-    /// Regex to match domains that are allowed to serve app subnets
-    #[clap(long = "policy-domain-app")]
-    pub domains_app: Vec<Regex>,
-
     /// Path to a list of pre-isolation canisters, one canister per line
     #[clap(long = "policy-pre-isolation-canisters")]
     pub pre_isolation_canisters: Option<PathBuf>,
@@ -167,9 +162,17 @@ pub struct Policy {
     #[clap(long = "policy-denylist-url")]
     pub denylist_url: Option<Url>,
 
+    /// Path to a list of whitelisted canisters
+    #[clap(long = "policy-denylist-allowlist")]
+    pub denylist_allowlist: Option<PathBuf>,
+
     /// Path to a local denylist cache for initial seeding
     #[clap(long = "policy-denylist-seed")]
     pub denylist_seed: Option<PathBuf>,
+
+    /// How frequently to poll denlylist for updates
+    #[clap(long = "policy-denylist-poll-interval", default_value = "1m", value_parser = parse_duration)]
+    pub denylist_poll_interval: Duration,
 }
 
 #[derive(Args)]

diff --git a/src/core.rs b/src/core.rs
@@ -1,5 +1,6 @@
 use anyhow::Error;
 use async_trait::async_trait;
+use prometheus::Registry;
 use rustls::sign::CertifiedKey;
 use std::sync::Arc;
 use tokio_util::{sync::CancellationToken, task::TaskTracker};
@@ -28,30 +29,44 @@ pub trait Run: Send + Sync {
     async fn run(&self, token: CancellationToken) -> Result<(), Error>;
 }
 
-pub async fn main(cli: Cli) -> Result<(), Error> {
+pub async fn main(cli: &Cli) -> Result<(), Error> {
     let token = CancellationToken::new();
     let tracker = TaskTracker::new();
 
-    let http_client = Arc::new(ReqwestClient::new(&cli)?);
+    let registry = Registry::new();
+
+    let http_client = Arc::new(ReqwestClient::new(cli)?);
 
     // Handle SIGTERM/SIGHUP and Ctrl+C
     // Cancelling a token cancels all of its clones too
     let handler_token = token.clone();
     ctrlc::set_handler(move || handler_token.cancel())?;
 
+    // Make a list of all supported domains
+    let mut domains = cli.domain.domains_system.clone();
+    domains.extend(cli.domain.domains_app.clone());
+
     let storage = Arc::new(Storage::new());
     let canister_resolver = CanisterResolver::new(
-        cli.domain.domains.clone(),
+        domains,
         cli.domain.canister_aliases.clone(),
         storage.clone() as Arc<dyn LooksupCustomDomain>,
     )?;
-    let router = routing::setup_router(
-        &cli,
-        Arc::new(canister_resolver) as Arc<dyn ResolvesCanister>,
-    )?;
 
+    // List of cancellable tasks to execute & watch
     let mut runners: Vec<(String, Arc<dyn Run>)> = vec![];
 
+    // Create a router
+    let (router, denylist_runner) = routing::setup_router(
+        cli,
+        http_client.clone(),
+        &registry,
+        Arc::new(canister_resolver) as Arc<dyn ResolvesCanister>,
+    )?;
+    if let Some(v) = denylist_runner {
+        runners.push(("denylist_updater".into(), v));
+    }
+
     let server_options = server::Options::from(&cli.http_server);
     // Set up HTTP
     let http_server = Arc::new(Server::new(
@@ -64,7 +79,7 @@ pub async fn main(cli: Cli) -> Result<(), Error> {
 
     // Set up HTTPS
     let (aggregator, rustls_cfg) = tls::setup(
-        &cli,
+        cli,
         http_client.clone(),
         storage.clone() as Arc<dyn StoresCertificates<Arc<CertifiedKey>>>,
         storage.clone() as Arc<dyn ResolvesServerCert>,

diff --git a/src/main.rs b/src/main.rs
@@ -24,9 +24,9 @@ async fn main() -> Result<(), Error> {
     let cli = Cli::parse();
 
     let subscriber = tracing_subscriber::FmtSubscriber::builder()
-        .with_max_level(tracing::Level::DEBUG)
+        .with_max_level(tracing::Level::INFO)
         .finish();
     tracing::subscriber::set_global_default(subscriber)?;
 
-    core::main(cli).await
+    core::main(&cli).await
 }