From 94d5e178d225b0d7329835725e612658580e83a8 Mon Sep 17 00:00:00 2001 From: GW_MC <72297530+GWMCwing@users.noreply.github.com> Date: Sun, 31 May 2026 02:09:51 +0000 Subject: [PATCH 1/7] feat: refactor import_certs command into separate module for improved structure --- apps/nxmesh-agent/src/cli/import_certs.rs | 119 ++++++++++++++++++++ apps/nxmesh-agent/src/cli/mod.rs | 131 +--------------------- 2 files changed, 123 insertions(+), 127 deletions(-) create mode 100644 apps/nxmesh-agent/src/cli/import_certs.rs diff --git a/apps/nxmesh-agent/src/cli/import_certs.rs b/apps/nxmesh-agent/src/cli/import_certs.rs new file mode 100644 index 0000000..de92562 --- /dev/null +++ b/apps/nxmesh-agent/src/cli/import_certs.rs @@ -0,0 +1,119 @@ +use clap::Parser; + +#[derive(Parser)] +#[command(about = "Import certificates for agent from zip file or separate cert and key files")] +pub struct ImportCertsCommand { + /// Zip file containing ca.pem cert.pem and key.pem + #[arg(value_name = "ZIP_FILE", group = "input_source")] + zip: Option, + /// Certificate name in zip file, required if using zip input + #[arg( + long, + group = "input_source", + requires = "zip", + default_value = "cert.pem", + value_name = "CERT_NAME" + )] + cert_name: Option, + /// Key name in zip file, required if using zip input + #[arg( + long, + group = "input_source", + requires = "zip", + default_value = "key.pem", + value_name = "KEY_NAME" + )] + key_name: Option, + /// CA certificate name in zip file, required if using zip input + #[arg( + long, + group = "input_source", + requires = "zip", + default_value = "ca.pem", + value_name = "CA_NAME" + )] + ca_name: Option, + + // Separate cert and key file inputs, required if not using zip input + /// Certificate file path + #[arg( + long, + group = "input_source", + requires = "key", + conflicts_with = "zip", + value_name = "CERT_FILE" + )] + cert: Option, + + /// Key file path + #[arg( + long, + group = "input_source", + requires = "cert", + conflicts_with = "zip", + value_name = "KEY_FILE" + )] + key: Option, + + /// Master CA certificate file path for verifying master identity, optional if the CA certificate is already trusted by the system + /// This is required if the master server uses a self-signed certificate that is not trusted by the system + #[arg( + long, + group = "input_source", + conflicts_with = "zip", + value_name = "CA_CERT_FILE" + )] + ca_cert: Option, +} + +#[cfg(test)] +mod tests { + + use super::*; + + #[test] + fn parses_import_certs_with_zip_defaults() { + let parsed = ImportCertsCommand::try_parse_from(["import-certs", "bundle.zip"]); + assert!(parsed.is_ok()); + + let parsed = parsed.ok(); + assert!(parsed.is_some()); + let parsed = parsed.unwrap_or_else(|| unreachable!()); + + assert_eq!(parsed.zip.as_deref(), Some("bundle.zip")); + assert_eq!(parsed.cert_name.as_deref(), Some("cert.pem")); + assert_eq!(parsed.key_name.as_deref(), Some("key.pem")); + assert_eq!(parsed.ca_name.as_deref(), Some("ca.pem")); + assert!(parsed.cert.is_none()); + assert!(parsed.key.is_none()); + assert!(parsed.ca_cert.is_none()); + } + + #[test] + fn rejects_import_certs_with_separate_files() { + let parsed = ImportCertsCommand::try_parse_from([ + "import-certs", + "--cert", + "agent.crt", + "--key", + "agent.key", + "--ca-cert", + "ca.crt", + ]); + assert!(parsed.is_err()); + } + + #[test] + fn rejects_conflicting_zip_and_separate_inputs() { + let parsed = ImportCertsCommand::try_parse_from([ + "import-certs", + "bundle.zip", + "--cert", + "agent.crt", + "--key", + "agent.key", + ]); + + assert!(parsed.is_err()); + } +} diff --git a/apps/nxmesh-agent/src/cli/mod.rs b/apps/nxmesh-agent/src/cli/mod.rs index ad41011..a21f44e 100644 --- a/apps/nxmesh-agent/src/cli/mod.rs +++ b/apps/nxmesh-agent/src/cli/mod.rs @@ -1,5 +1,7 @@ use clap::{Parser, Subcommand}; +pub mod import_certs; + #[derive(Parser)] #[command(version, about, long_about = None)] pub struct Cli { @@ -13,78 +15,14 @@ pub struct Cli { #[derive(Subcommand)] pub enum Commands { - #[command(about = "Import certificates for agent from zip file or separate cert and key files")] - ImportCerts { - // Zip file input, mutually exclusive with separate cert and key file inputs - /// Zip file containing ca.pem cert.pem and key.pem - #[arg(value_name = "ZIP_FILE", group = "input_source")] - zip: Option, - /// Certificate name in zip file, required if using zip input - #[arg( - long, - group = "input_source", - requires = "zip", - default_value = "cert.pem", - value_name = "CERT_NAME" - )] - cert_name: Option, - /// Key name in zip file, required if using zip input - #[arg( - long, - group = "input_source", - requires = "zip", - default_value = "key.pem", - value_name = "KEY_NAME" - )] - key_name: Option, - /// CA certificate name in zip file, required if using zip input - #[arg( - long, - group = "input_source", - requires = "zip", - default_value = "ca.pem", - value_name = "CA_NAME" - )] - ca_name: Option, - - // Separate cert and key file inputs, required if not using zip input - /// Certificate file path - #[arg( - long, - group = "input_source", - requires = "key", - conflicts_with = "zip", - value_name = "CERT_FILE" - )] - cert: Option, - - /// Key file path - #[arg( - long, - group = "input_source", - requires = "cert", - conflicts_with = "zip", - value_name = "KEY_FILE" - )] - key: Option, - - /// Master CA certificate file path for verifying master identity, optional if the CA certificate is already trusted by the system - /// This is required if the master server uses a self-signed certificate that is not trusted by the system - #[arg( - long, - group = "input_source", - conflicts_with = "zip", - value_name = "CA_CERT_FILE" - )] - ca_cert: Option, - }, + ImportCerts(import_certs::ImportCertsCommand), } #[cfg(test)] mod tests { use clap::Parser; - use super::{Cli, Commands}; + use super::*; #[test] fn parses_serve_flag_without_subcommand() { @@ -98,65 +36,4 @@ mod tests { assert!(parsed.serve); assert!(parsed.command.is_none()); } - - #[test] - fn parses_import_certs_with_zip_defaults() { - let parsed = Cli::try_parse_from(["nxmesh-agent", "import-certs", "bundle.zip"]); - assert!(parsed.is_ok()); - - let parsed = parsed.ok(); - assert!(parsed.is_some()); - let parsed = parsed.unwrap_or_else(|| unreachable!()); - - match parsed.command { - Some(Commands::ImportCerts { - zip, - cert_name, - key_name, - ca_name, - cert, - key, - ca_cert, - }) => { - assert_eq!(zip.as_deref(), Some("bundle.zip")); - assert_eq!(cert_name.as_deref(), Some("cert.pem")); - assert_eq!(key_name.as_deref(), Some("key.pem")); - assert_eq!(ca_name.as_deref(), Some("ca.pem")); - assert!(cert.is_none()); - assert!(key.is_none()); - assert!(ca_cert.is_none()); - } - _ => unreachable!(), - } - } - - #[test] - fn rejects_import_certs_with_separate_files() { - let parsed = Cli::try_parse_from([ - "nxmesh-agent", - "import-certs", - "--cert", - "agent.crt", - "--key", - "agent.key", - "--ca-cert", - "ca.crt", - ]); - assert!(parsed.is_err()); - } - - #[test] - fn rejects_conflicting_zip_and_separate_inputs() { - let parsed = Cli::try_parse_from([ - "nxmesh-agent", - "import-certs", - "bundle.zip", - "--cert", - "agent.crt", - "--key", - "agent.key", - ]); - - assert!(parsed.is_err()); - } } From 3b7916d66cdbc9151f8ca339c2f3f7202113257a Mon Sep 17 00:00:00 2001 From: GW_MC <72297530+GWMCwing@users.noreply.github.com> Date: Sun, 31 May 2026 02:09:56 +0000 Subject: [PATCH 2/7] feat: add additional VSCode extensions for improved development experience --- .devcontainer/devcontainer-lock.json | 39 ++++++++++++++++++++++++++++ .devcontainer/devcontainer.json | 9 ++++++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 .devcontainer/devcontainer-lock.json diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json new file mode 100644 index 0000000..597ffa7 --- /dev/null +++ b/.devcontainer/devcontainer-lock.json @@ -0,0 +1,39 @@ +{ + "features": { + "ghcr.io/devcontainers-extra/features/act": { + "version": "1.0.15", + "resolved": "ghcr.io/devcontainers-extra/features/act@sha256:db4a2194930d1f7ec62822d4f600dd2fa4aff3c33b98cdb0b578b64ffb10924c", + "integrity": "sha256:db4a2194930d1f7ec62822d4f600dd2fa4aff3c33b98cdb0b578b64ffb10924c" + }, + "ghcr.io/devcontainers-extra/features/bun": { + "version": "1.1.0", + "resolved": "ghcr.io/devcontainers-extra/features/bun@sha256:0624284ecaead9dd4c6654616a7f939cfa4ebcbc60593700a74e35b1767befa5", + "integrity": "sha256:0624284ecaead9dd4c6654616a7f939cfa4ebcbc60593700a74e35b1767befa5" + }, + "ghcr.io/devcontainers/features/common-utils:2": { + "version": "2.5.9", + "resolved": "ghcr.io/devcontainers/features/common-utils@sha256:cb0c4d3c276f157eed17935747e364178d75fee17f55c4e129966f64633deb3a", + "integrity": "sha256:cb0c4d3c276f157eed17935747e364178d75fee17f55c4e129966f64633deb3a" + }, + "ghcr.io/devcontainers/features/docker-in-docker:2": { + "version": "2.17.0", + "resolved": "ghcr.io/devcontainers/features/docker-in-docker@sha256:25b9f05705ffba7dbe503230ac76081419306f8c8bc88e0ce78c4ecd99a0c78c", + "integrity": "sha256:25b9f05705ffba7dbe503230ac76081419306f8c8bc88e0ce78c4ecd99a0c78c" + }, + "ghcr.io/devcontainers/features/node:1": { + "version": "1.7.1", + "resolved": "ghcr.io/devcontainers/features/node@sha256:8c0de46939b61958041700ee89e3493f3b2e4131a06dc46b4d9423427d06e5f6", + "integrity": "sha256:8c0de46939b61958041700ee89e3493f3b2e4131a06dc46b4d9423427d06e5f6" + }, + "ghcr.io/devcontainers/features/rust:1": { + "version": "1.5.0", + "resolved": "ghcr.io/devcontainers/features/rust@sha256:0c55e65f2e3df736e478f26ee4d5ed41bae6b54dac1318c443e31444c8ed283c", + "integrity": "sha256:0c55e65f2e3df736e478f26ee4d5ed41bae6b54dac1318c443e31444c8ed283c" + }, + "ghcr.io/guiyomh/features/just:0": { + "version": "0.1.0", + "resolved": "ghcr.io/guiyomh/features/just@sha256:8311dff976bd153a54a879021353a7e149963e580022b25af49c45cfc5f13bec", + "integrity": "sha256:8311dff976bd153a54a879021353a7e149963e580022b25af49c45cfc5f13bec" + } + } +} diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 645d85e..3fcbe19 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -43,7 +43,14 @@ "esbenp.prettier-vscode", "dbaeumer.vscode-eslint", "ms-azuretools.vscode-docker", - "nefrob.vscode-just-syntax" + "nefrob.vscode-just-syntax", + "zxh404.vscode-proto3", + "mhutchie.git-graph", + "qwtel.sqlite-viewer", + "streetsidesoftware.code-spell-checker", + "christian-kohler.npm-intellisense", + "christian-kohler.path-intellisense", + "redhat.vscode-yaml" ], "settings": { "rust-analyzer.cargo.features": "all", From 7173f504ed8447d28fd279624982b7d220ff5b7c Mon Sep 17 00:00:00 2001 From: GW_MC <72297530+GWMCwing@users.noreply.github.com> Date: Sun, 31 May 2026 02:31:15 +0000 Subject: [PATCH 3/7] refactor: settings into modules --- apps/nxmesh-agent/src/config/settings.rs | 560 ------------------ apps/nxmesh-agent/src/config/settings/auth.rs | 166 ++++++ apps/nxmesh-agent/src/config/settings/cors.rs | 34 ++ apps/nxmesh-agent/src/config/settings/grpc.rs | 56 ++ apps/nxmesh-agent/src/config/settings/log.rs | 82 +++ apps/nxmesh-agent/src/config/settings/mod.rs | 77 +++ .../nxmesh-agent/src/config/settings/nginx.rs | 280 +++++++++ 7 files changed, 695 insertions(+), 560 deletions(-) delete mode 100644 apps/nxmesh-agent/src/config/settings.rs create mode 100644 apps/nxmesh-agent/src/config/settings/auth.rs create mode 100644 apps/nxmesh-agent/src/config/settings/cors.rs create mode 100644 apps/nxmesh-agent/src/config/settings/grpc.rs create mode 100644 apps/nxmesh-agent/src/config/settings/log.rs create mode 100644 apps/nxmesh-agent/src/config/settings/mod.rs create mode 100644 apps/nxmesh-agent/src/config/settings/nginx.rs diff --git a/apps/nxmesh-agent/src/config/settings.rs b/apps/nxmesh-agent/src/config/settings.rs deleted file mode 100644 index 11c419a..0000000 --- a/apps/nxmesh-agent/src/config/settings.rs +++ /dev/null @@ -1,560 +0,0 @@ -use config::{Config, ConfigError, Environment, File}; -use serde::{Deserialize, Deserializer, Serialize}; -use std::{os::unix::fs::PermissionsExt, str::FromStr}; -use tracing::level_filters::LevelFilter; - -const NGINX_BINARY_PATH_TEMPLATE: &str = "{{nginx_binary_path}}"; -const NGINX_DEFAULT_BINARY: &str = "nginx"; - -type ValidationError = String; - -trait Validate { - fn validate(&self) -> Result<(), ValidationError>; -} - -/// Agent settings -#[derive(Debug, Clone, Serialize, Deserialize)] -pub struct Settings { - pub grpc: GrpcSettings, - #[serde(default)] - pub log: LogSettings, - pub nginx: Option, -} - -/// gRPC client settings -#[derive(Debug, Clone, Serialize, Deserialize)] -pub struct GrpcSettings { - pub connection_string: String, - pub m_auth: MAuthSettings, - #[serde(default)] - pub cors: Option, -} - -#[derive(Debug, Clone, Serialize, Deserialize)] -pub enum MAuthSettings { - Tls(TLSSettings), -} - -/// TLS certificate settings -#[derive(Debug, Clone, Serialize, Deserialize)] -pub enum TLSSettings { - RawPath { - ca_path: String, - cert_path: String, - key_path: String, - }, - ZipPath { - cert_zip_path: String, - }, -} - -/// CORS settings -#[derive(Debug, Clone, Serialize, Deserialize, Default)] -pub struct CorsSettings { - #[serde(default)] - pub allowed_origins: Vec, - #[serde(default)] - pub allowed_methods: Vec, - #[serde(default)] - pub allowed_headers: Vec, - #[serde(default)] - pub allow_credentials: bool, -} - -/// Logging settings -#[derive(Debug, Clone, Serialize, Deserialize)] -pub struct LogSettings { - #[serde( - deserialize_with = "deserialize_level_filter", - serialize_with = "serialize_level_filter" - )] - pub level: LevelFilter, -} - -impl Default for LogSettings { - fn default() -> Self { - Self { - level: default_log_level(), - } - } -} - -#[derive(Debug, Clone, Serialize, Deserialize)] -pub struct NginxSettings { - #[serde(default = "default_nginx_config_path")] - pub nginx_config_path: String, - // #[serde(default = "default_nginx_binary_path")] - #[serde(default)] - pub nginx_binary_path: Option, - // commands - #[serde(default = "default_nginx_reload_command")] - pub override_nginx_reload_command: Vec, - #[serde(default = "default_nginx_test_command")] - pub override_nginx_test_command: Vec, - // timeouts - #[serde(default = "default_nginx_reload_timeout_seconds")] - pub nginx_reload_timeout_seconds: u64, - #[serde(default = "default_nginx_test_timeout_seconds")] - pub nginx_test_timeout_seconds: u64, -} - -impl Validate for Settings { - fn validate(&self) -> Result<(), ValidationError> { - self.grpc.validate()?; - if let Some(nginx) = &self.nginx { - nginx.validate()?; - } - Ok(()) - } -} - -impl Settings { - /// Load settings from config files and environment - pub fn load() -> Result { - let run_mode = std::env::var("RUN_MODE").unwrap_or_else(|_| "development".into()); - - let settings = Config::builder() - .add_source(File::with_name("config/default").required(false)) - .add_source(File::with_name(&format!("config/{}", run_mode)).required(false)) - .add_source(File::with_name("config/agent/default").required(false)) - .add_source(File::with_name(&format!("config/agent/{}", run_mode)).required(false)) - .add_source(Environment::with_prefix("NXMESH").separator("__")) - .build()?; - - let mut settings: Self = settings.try_deserialize()?; - - settings.validate().map_err(ConfigError::Message)?; - - if let Some(nginx) = &mut settings.nginx { - nginx.validate().map_err(ConfigError::Message)?; - - // replace binary path template in commands with actual binary path, if the template is present - nginx - .override_nginx_reload_command - .iter_mut() - .for_each(|cmd| { - *cmd = cmd.replace( - NGINX_BINARY_PATH_TEMPLATE, - &nginx - .nginx_binary_path - .clone() - .unwrap_or_else(|| NGINX_DEFAULT_BINARY.into()), - ); - }); - nginx - .override_nginx_test_command - .iter_mut() - .for_each(|cmd| { - *cmd = cmd.replace( - NGINX_BINARY_PATH_TEMPLATE, - &nginx - .nginx_binary_path - .clone() - .unwrap_or_else(|| NGINX_DEFAULT_BINARY.into()), - ); - }); - } - - Ok(settings) - } -} - -impl Validate for GrpcSettings { - fn validate(&self) -> Result<(), ValidationError> { - if self.connection_string.is_empty() { - return Err("gRPC connection string cannot be empty".into()); - } - self.m_auth.validate()?; - if let Some(cors) = &self.cors { - cors.validate()?; - } - Ok(()) - } -} - -impl Validate for MAuthSettings { - fn validate(&self) -> Result<(), ValidationError> { - match self { - MAuthSettings::Tls(tls_settings) => tls_settings.validate()?, - } - Ok(()) - } -} - -impl Validate for TLSSettings { - fn validate(&self) -> Result<(), ValidationError> { - match self { - TLSSettings::RawPath { - ca_path, - cert_path, - key_path, - } => { - if !std::path::Path::new(ca_path).exists() { - return Err(format!("CA file not found: {}", ca_path)); - } - if !std::path::Path::new(cert_path).exists() { - return Err(format!("Certificate file not found: {}", cert_path)); - } - if !std::path::Path::new(key_path).exists() { - return Err(format!("Key file not found: {}", key_path)); - } - } - TLSSettings::ZipPath { cert_zip_path } => { - if !std::path::Path::new(cert_zip_path).exists() { - return Err(format!("Certificate zip file not found: {}", cert_zip_path)); - } - } - } - Ok(()) - } -} - -impl Validate for CorsSettings { - fn validate(&self) -> Result<(), ValidationError> { - Ok(()) - } -} - -impl Validate for NginxSettings { - fn validate(&self) -> Result<(), ValidationError> { - match &self.nginx_binary_path { - Some(path) if path.is_empty() => { - return Err("Nginx binary path cannot be empty".into()); - } - Some(path) if !std::path::Path::new(path).exists() => { - return Err(format!("Nginx binary not found: {}", path)); - } - Some(path) - if !std::fs::metadata(path) - .map_err(|e| format!("Failed to read nginx binary metadata: {}", e))? - .permissions() - .mode() - & 0o111 - != 0 => - { - return Err(format!("Nginx binary is not executable: {}", path)); - } - _ => {} - } - if self.nginx_config_path.is_empty() { - return Err("Nginx config path cannot be empty".into()); - } - if !std::path::Path::new(&self.nginx_config_path).exists() { - return Err(format!( - "Nginx config file not found: {}", - self.nginx_config_path - )); - } - - // ensure reload and test commands contain the binary path template - if !&self - .override_nginx_reload_command - .join(" ") - .contains(NGINX_BINARY_PATH_TEMPLATE) - { - return Err(format!( - "Nginx reload command must contain the binary path template '{}': {}", - NGINX_BINARY_PATH_TEMPLATE, - self.override_nginx_reload_command.join(" ") - )); - } - if !&self - .override_nginx_test_command - .join(" ") - .contains(NGINX_BINARY_PATH_TEMPLATE) - { - return Err(format!( - "Nginx test command must contain the binary path template '{}': {}", - NGINX_BINARY_PATH_TEMPLATE, - self.override_nginx_test_command.join(" ") - )); - } - Ok(()) - } -} - -fn default_log_level() -> LevelFilter { - LevelFilter::INFO -} - -fn default_nginx_config_path() -> String { - "/etc/nginx/nginx.conf".into() -} - -fn default_nginx_reload_command() -> Vec { - vec![ - NGINX_BINARY_PATH_TEMPLATE.to_string(), - "-s".to_string(), - "reload".to_string(), - ] -} - -fn default_nginx_test_command() -> Vec { - vec![NGINX_BINARY_PATH_TEMPLATE.to_string(), "-t".to_string()] -} - -fn default_nginx_reload_timeout_seconds() -> u64 { - 30 -} - -fn default_nginx_test_timeout_seconds() -> u64 { - 30 -} - -fn deserialize_level_filter<'de, D>(deserializer: D) -> Result -where - D: Deserializer<'de>, -{ - let s = String::deserialize(deserializer)?; - LevelFilter::from_str(&s).map_err(serde::de::Error::custom) -} - -fn serialize_level_filter(level: &LevelFilter, serializer: S) -> Result -where - S: serde::Serializer, -{ - serializer.serialize_str(&level.to_string()) -} - -#[cfg(test)] -mod tests { - use std::{ - fs, - os::unix::fs::PermissionsExt, - path::{Path, PathBuf}, - }; - - use tempfile::TempDir; - - use super::*; - - #[test] - fn test_esnure_send_and_sync() { - fn assert_send_sync() {} - assert_send_sync::(); - assert_send_sync::(); - assert_send_sync::(); - assert_send_sync::(); - assert_send_sync::(); - assert_send_sync::(); - } - - fn write_file(path: &Path) { - let result = fs::write(path, b"content"); - assert!(result.is_ok()); - } - - fn create_exec_file(path: &Path) { - write_file(path); - let metadata = fs::metadata(path); - assert!(metadata.is_ok()); - let metadata = metadata.ok(); - assert!(metadata.is_some()); - let metadata = metadata.unwrap_or_else(|| unreachable!()); - - let mut perms = metadata.permissions(); - perms.set_mode(0o755); - let result = fs::set_permissions(path, perms); - assert!(result.is_ok()); - } - - fn create_non_exec_file(path: &Path) { - write_file(path); - let metadata = fs::metadata(path); - assert!(metadata.is_ok()); - let metadata = metadata.ok(); - assert!(metadata.is_some()); - let metadata = metadata.unwrap_or_else(|| unreachable!()); - - let mut perms = metadata.permissions(); - perms.set_mode(0o644); - let result = fs::set_permissions(path, perms); - assert!(result.is_ok()); - } - - fn valid_tls_raw_paths(temp_dir: &TempDir) -> (PathBuf, PathBuf, PathBuf) { - let ca_path = temp_dir.path().join("ca.pem"); - let cert_path = temp_dir.path().join("cert.pem"); - let key_path = temp_dir.path().join("key.pem"); - - write_file(&ca_path); - write_file(&cert_path); - write_file(&key_path); - - (ca_path, cert_path, key_path) - } - - #[test] - fn tls_raw_path_validate_succeeds_when_all_files_exist() { - let temp_dir = TempDir::new(); - assert!(temp_dir.is_ok()); - let temp_dir = temp_dir.ok(); - assert!(temp_dir.is_some()); - let temp_dir = temp_dir.unwrap_or_else(|| unreachable!()); - - let (ca_path, cert_path, key_path) = valid_tls_raw_paths(&temp_dir); - let settings = TLSSettings::RawPath { - ca_path: ca_path.to_string_lossy().to_string(), - cert_path: cert_path.to_string_lossy().to_string(), - key_path: key_path.to_string_lossy().to_string(), - }; - - assert!(settings.validate().is_ok()); - } - - #[test] - fn tls_raw_path_validate_fails_when_ca_missing() { - let settings = TLSSettings::RawPath { - ca_path: "/tmp/does-not-exist-ca.pem".into(), - cert_path: "/tmp/does-not-exist-cert.pem".into(), - key_path: "/tmp/does-not-exist-key.pem".into(), - }; - - let result = settings.validate(); - assert!(result.is_err()); - let msg = result.err().unwrap_or_else(|| unreachable!()); - assert!(msg.contains("CA file not found")); - } - - #[test] - fn tls_zip_path_validate_fails_when_zip_missing() { - let settings = TLSSettings::ZipPath { - cert_zip_path: "/tmp/missing-certs.zip".into(), - }; - - let result = settings.validate(); - assert!(result.is_err()); - let msg = result.err().unwrap_or_else(|| unreachable!()); - assert!(msg.contains("Certificate zip file not found")); - } - - #[test] - fn grpc_validate_fails_when_connection_string_empty() { - let settings = GrpcSettings { - connection_string: "".into(), - m_auth: MAuthSettings::Tls(TLSSettings::ZipPath { - cert_zip_path: "/tmp/does-not-exist.zip".into(), - }), - cors: None, - }; - - let result = settings.validate(); - assert!(result.is_err()); - let msg = result.err().unwrap_or_else(|| unreachable!()); - assert!(msg.contains("gRPC connection string cannot be empty")); - } - - #[test] - fn nginx_validate_succeeds_for_valid_paths_and_commands() { - let temp_dir = TempDir::new(); - assert!(temp_dir.is_ok()); - let temp_dir = temp_dir.ok(); - assert!(temp_dir.is_some()); - let temp_dir = temp_dir.unwrap_or_else(|| unreachable!()); - - let nginx_binary = temp_dir.path().join("nginx"); - let nginx_config = temp_dir.path().join("nginx.conf"); - - create_exec_file(&nginx_binary); - write_file(&nginx_config); - - let nginx = NginxSettings { - nginx_config_path: nginx_config.to_string_lossy().to_string(), - nginx_binary_path: Some(nginx_binary.to_string_lossy().to_string()), - override_nginx_reload_command: default_nginx_reload_command(), - override_nginx_test_command: default_nginx_test_command(), - nginx_reload_timeout_seconds: 30, - nginx_test_timeout_seconds: 30, - }; - - assert!(nginx.validate().is_ok()); - } - - #[test] - fn nginx_validate_fails_for_non_executable_binary() { - let temp_dir = TempDir::new(); - assert!(temp_dir.is_ok()); - let temp_dir = temp_dir.ok(); - assert!(temp_dir.is_some()); - let temp_dir = temp_dir.unwrap_or_else(|| unreachable!()); - - let nginx_binary = temp_dir.path().join("nginx"); - let nginx_config = temp_dir.path().join("nginx.conf"); - - create_non_exec_file(&nginx_binary); - write_file(&nginx_config); - - let nginx = NginxSettings { - nginx_config_path: nginx_config.to_string_lossy().to_string(), - nginx_binary_path: Some(nginx_binary.to_string_lossy().to_string()), - override_nginx_reload_command: default_nginx_reload_command(), - override_nginx_test_command: default_nginx_test_command(), - nginx_reload_timeout_seconds: 30, - nginx_test_timeout_seconds: 30, - }; - - let result = nginx.validate(); - assert!(result.is_err()); - let msg = result.err().unwrap_or_else(|| unreachable!()); - assert!(msg.contains("Nginx binary is not executable")); - } - - #[test] - fn nginx_validate_fails_when_reload_command_lacks_template() { - let temp_dir = TempDir::new(); - assert!(temp_dir.is_ok()); - let temp_dir = temp_dir.ok(); - assert!(temp_dir.is_some()); - let temp_dir = temp_dir.unwrap_or_else(|| unreachable!()); - - let nginx_binary = temp_dir.path().join("nginx"); - let nginx_config = temp_dir.path().join("nginx.conf"); - - create_exec_file(&nginx_binary); - write_file(&nginx_config); - - let nginx = NginxSettings { - nginx_config_path: nginx_config.to_string_lossy().to_string(), - nginx_binary_path: Some(nginx_binary.to_string_lossy().to_string()), - override_nginx_reload_command: vec!["nginx".into(), "-s".into(), "reload".into()], - override_nginx_test_command: default_nginx_test_command(), - nginx_reload_timeout_seconds: 30, - nginx_test_timeout_seconds: 30, - }; - - let result = nginx.validate(); - assert!(result.is_err()); - let msg = result.err().unwrap_or_else(|| unreachable!()); - assert!(msg.contains("Nginx reload command must contain the binary path template")); - } - - #[test] - fn level_filter_round_trip_serialization() { - #[derive(Serialize, Deserialize)] - struct Wrapper { - #[serde( - deserialize_with = "deserialize_level_filter", - serialize_with = "serialize_level_filter" - )] - level: LevelFilter, - } - - let original = Wrapper { - level: LevelFilter::DEBUG, - }; - - let encoded = serde_json::to_string(&original); - assert!(encoded.is_ok()); - let encoded = encoded.ok(); - assert!(encoded.is_some()); - let encoded = encoded.unwrap_or_else(|| unreachable!()); - assert!(encoded.to_lowercase().contains("debug")); - - let decoded = serde_json::from_str::(&encoded); - assert!(decoded.is_ok()); - let decoded = decoded.ok(); - assert!(decoded.is_some()); - let decoded = decoded.unwrap_or_else(|| unreachable!()); - assert_eq!(decoded.level, LevelFilter::DEBUG); - } -} diff --git a/apps/nxmesh-agent/src/config/settings/auth.rs b/apps/nxmesh-agent/src/config/settings/auth.rs new file mode 100644 index 0000000..fe9206c --- /dev/null +++ b/apps/nxmesh-agent/src/config/settings/auth.rs @@ -0,0 +1,166 @@ +use serde::{Deserialize, Serialize}; + +use crate::config::settings::{Validate, ValidationError}; + +#[derive(Debug, Clone, Serialize, Deserialize)] +pub enum MAuthSettings { + Tls(TLSSettings), +} + +/// TLS certificate settings +#[derive(Debug, Clone, Serialize, Deserialize)] +pub enum TLSSettings { + RawPath { + ca_path: String, + cert_path: String, + key_path: String, + }, + ZipPath { + cert_zip_path: String, + }, +} + +impl Validate for MAuthSettings { + fn validate(&self) -> Result<(), ValidationError> { + match self { + MAuthSettings::Tls(tls_settings) => tls_settings.validate()?, + } + Ok(()) + } +} + +impl Validate for TLSSettings { + fn validate(&self) -> Result<(), ValidationError> { + match self { + TLSSettings::RawPath { + ca_path, + cert_path, + key_path, + } => { + if !std::path::Path::new(ca_path).exists() { + return Err(format!("CA file not found: {}", ca_path)); + } + if !std::path::Path::new(cert_path).exists() { + return Err(format!("Certificate file not found: {}", cert_path)); + } + if !std::path::Path::new(key_path).exists() { + return Err(format!("Key file not found: {}", key_path)); + } + } + TLSSettings::ZipPath { cert_zip_path } => { + if !std::path::Path::new(cert_zip_path).exists() { + return Err(format!("Certificate zip file not found: {}", cert_zip_path)); + } + } + } + Ok(()) + } +} + +#[cfg(test)] +mod tests { + use std::{ + fs, + os::unix::fs::PermissionsExt, + path::{Path, PathBuf}, + }; + + use tempfile::TempDir; + + use super::*; + + #[test] + fn test_esnure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } + + fn write_file(path: &Path) { + let result = fs::write(path, b"content"); + assert!(result.is_ok()); + } + + fn create_exec_file(path: &Path) { + write_file(path); + let metadata = fs::metadata(path); + assert!(metadata.is_ok()); + let metadata = metadata.ok(); + assert!(metadata.is_some()); + let metadata = metadata.unwrap_or_else(|| unreachable!()); + + let mut perms = metadata.permissions(); + perms.set_mode(0o755); + let result = fs::set_permissions(path, perms); + assert!(result.is_ok()); + } + + fn create_non_exec_file(path: &Path) { + write_file(path); + let metadata = fs::metadata(path); + assert!(metadata.is_ok()); + let metadata = metadata.ok(); + assert!(metadata.is_some()); + let metadata = metadata.unwrap_or_else(|| unreachable!()); + + let mut perms = metadata.permissions(); + perms.set_mode(0o644); + let result = fs::set_permissions(path, perms); + assert!(result.is_ok()); + } + + fn valid_tls_raw_paths(temp_dir: &TempDir) -> (PathBuf, PathBuf, PathBuf) { + let ca_path = temp_dir.path().join("ca.pem"); + let cert_path = temp_dir.path().join("cert.pem"); + let key_path = temp_dir.path().join("key.pem"); + + write_file(&ca_path); + write_file(&cert_path); + write_file(&key_path); + + (ca_path, cert_path, key_path) + } + + #[test] + fn tls_raw_path_validate_succeeds_when_all_files_exist() { + let temp_dir = TempDir::new(); + assert!(temp_dir.is_ok()); + let temp_dir = temp_dir.ok(); + assert!(temp_dir.is_some()); + let temp_dir = temp_dir.unwrap_or_else(|| unreachable!()); + + let (ca_path, cert_path, key_path) = valid_tls_raw_paths(&temp_dir); + let settings = TLSSettings::RawPath { + ca_path: ca_path.to_string_lossy().to_string(), + cert_path: cert_path.to_string_lossy().to_string(), + key_path: key_path.to_string_lossy().to_string(), + }; + + assert!(settings.validate().is_ok()); + } + + #[test] + fn tls_raw_path_validate_fails_when_ca_missing() { + let settings = TLSSettings::RawPath { + ca_path: "/tmp/does-not-exist-ca.pem".into(), + cert_path: "/tmp/does-not-exist-cert.pem".into(), + key_path: "/tmp/does-not-exist-key.pem".into(), + }; + + let result = settings.validate(); + assert!(result.is_err()); + let msg = result.err().unwrap_or_else(|| unreachable!()); + assert!(msg.contains("CA file not found")); + } + + #[test] + fn tls_zip_path_validate_fails_when_zip_missing() { + let settings = TLSSettings::ZipPath { + cert_zip_path: "/tmp/missing-certs.zip".into(), + }; + + let result = settings.validate(); + assert!(result.is_err()); + let msg = result.err().unwrap_or_else(|| unreachable!()); + assert!(msg.contains("Certificate zip file not found")); + } +} diff --git a/apps/nxmesh-agent/src/config/settings/cors.rs b/apps/nxmesh-agent/src/config/settings/cors.rs new file mode 100644 index 0000000..262588a --- /dev/null +++ b/apps/nxmesh-agent/src/config/settings/cors.rs @@ -0,0 +1,34 @@ +use serde::{Deserialize, Serialize}; + +use crate::config::settings::{Validate, ValidationError}; + +/// CORS settings +#[derive(Debug, Clone, Serialize, Deserialize, Default)] +pub struct CorsSettings { + #[serde(default)] + pub allowed_origins: Vec, + #[serde(default)] + pub allowed_methods: Vec, + #[serde(default)] + pub allowed_headers: Vec, + #[serde(default)] + pub allow_credentials: bool, +} + +impl Validate for CorsSettings { + fn validate(&self) -> Result<(), ValidationError> { + Ok(()) + } +} + +#[cfg(test)] +mod tests { + + use super::*; + + #[test] + fn test_esnure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } +} diff --git a/apps/nxmesh-agent/src/config/settings/grpc.rs b/apps/nxmesh-agent/src/config/settings/grpc.rs new file mode 100644 index 0000000..d169610 --- /dev/null +++ b/apps/nxmesh-agent/src/config/settings/grpc.rs @@ -0,0 +1,56 @@ +use serde::{Deserialize, Serialize}; + +use super::super::settings::{Validate, ValidationError}; +use super::{auth::MAuthSettings, cors::CorsSettings}; + +/// gRPC client settings +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct GrpcSettings { + pub connection_string: String, + pub m_auth: MAuthSettings, + #[serde(default)] + pub cors: Option, +} + +impl Validate for GrpcSettings { + fn validate(&self) -> Result<(), ValidationError> { + if self.connection_string.is_empty() { + return Err("gRPC connection string cannot be empty".into()); + } + self.m_auth.validate()?; + if let Some(cors) = &self.cors { + cors.validate()?; + } + Ok(()) + } +} + +#[cfg(test)] +mod tests { + + use crate::config::settings::TLSSettings; + + use super::*; + + #[test] + fn test_esnure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } + + #[test] + fn grpc_validate_fails_when_connection_string_empty() { + let settings = GrpcSettings { + connection_string: "".into(), + m_auth: MAuthSettings::Tls(TLSSettings::ZipPath { + cert_zip_path: "/tmp/does-not-exist.zip".into(), + }), + cors: None, + }; + + let result = settings.validate(); + assert!(result.is_err()); + let msg = result.err().unwrap_or_else(|| unreachable!()); + assert!(msg.contains("gRPC connection string cannot be empty")); + } +} diff --git a/apps/nxmesh-agent/src/config/settings/log.rs b/apps/nxmesh-agent/src/config/settings/log.rs new file mode 100644 index 0000000..a251a32 --- /dev/null +++ b/apps/nxmesh-agent/src/config/settings/log.rs @@ -0,0 +1,82 @@ +use std::str::FromStr; + +use serde::{Deserialize, Deserializer, Serialize}; +use tracing::level_filters::LevelFilter; + +/// Logging settings +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct LogSettings { + #[serde( + deserialize_with = "deserialize_level_filter", + serialize_with = "serialize_level_filter" + )] + pub level: LevelFilter, +} + +impl Default for LogSettings { + fn default() -> Self { + Self { + level: default_log_level(), + } + } +} + +fn default_log_level() -> LevelFilter { + LevelFilter::INFO +} + +fn deserialize_level_filter<'de, D>(deserializer: D) -> Result +where + D: Deserializer<'de>, +{ + let s = String::deserialize(deserializer)?; + LevelFilter::from_str(&s).map_err(serde::de::Error::custom) +} + +fn serialize_level_filter(level: &LevelFilter, serializer: S) -> Result +where + S: serde::Serializer, +{ + serializer.serialize_str(&level.to_string()) +} + +#[cfg(test)] +mod tests { + + use super::*; + + #[test] + fn test_esnure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } + #[test] + fn level_filter_round_trip_serialization() { + #[derive(Serialize, Deserialize)] + struct Wrapper { + #[serde( + deserialize_with = "deserialize_level_filter", + serialize_with = "serialize_level_filter" + )] + level: LevelFilter, + } + + let original = Wrapper { + level: LevelFilter::DEBUG, + }; + + let encoded = serde_json::to_string(&original); + assert!(encoded.is_ok()); + let encoded = encoded.ok(); + assert!(encoded.is_some()); + let encoded = encoded.unwrap_or_else(|| unreachable!()); + assert!(encoded.to_lowercase().contains("debug")); + + let decoded = serde_json::from_str::(&encoded); + assert!(decoded.is_ok()); + let decoded = decoded.ok(); + assert!(decoded.is_some()); + let decoded = decoded.unwrap_or_else(|| unreachable!()); + assert_eq!(decoded.level, LevelFilter::DEBUG); + } +} diff --git a/apps/nxmesh-agent/src/config/settings/mod.rs b/apps/nxmesh-agent/src/config/settings/mod.rs new file mode 100644 index 0000000..f55cd79 --- /dev/null +++ b/apps/nxmesh-agent/src/config/settings/mod.rs @@ -0,0 +1,77 @@ +use config::{Config, ConfigError, Environment, File}; +use serde::{Deserialize, Serialize}; + +mod auth; +mod cors; +mod grpc; +mod log; +mod nginx; + +pub use auth::*; +pub use cors::*; +pub use grpc::*; +pub use log::*; +pub use nginx::*; + +pub type ValidationError = String; + +pub trait Validate { + fn validate(&self) -> Result<(), ValidationError>; +} + +/// Agent settings +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct Settings { + pub grpc: GrpcSettings, + #[serde(default)] + pub log: LogSettings, + pub nginx: Option, +} + +impl Validate for Settings { + fn validate(&self) -> Result<(), ValidationError> { + self.grpc.validate()?; + if let Some(nginx) = &self.nginx { + nginx.validate()?; + } + Ok(()) + } +} + +impl Settings { + /// Load settings from config files and environment + pub fn load() -> Result { + let run_mode = std::env::var("RUN_MODE").unwrap_or_else(|_| "development".into()); + + let settings = Config::builder() + .add_source(File::with_name("config/default").required(false)) + .add_source(File::with_name(&format!("config/{}", run_mode)).required(false)) + .add_source(File::with_name("config/agent/default").required(false)) + .add_source(File::with_name(&format!("config/agent/{}", run_mode)).required(false)) + .add_source(Environment::with_prefix("NXMESH").separator("__")) + .build()?; + + let mut settings: Self = settings.try_deserialize()?; + + settings.validate().map_err(ConfigError::Message)?; + + if let Some(nginx) = &mut settings.nginx { + nginx.validate().map_err(ConfigError::Message)?; + nginx.transform_commands(); + } + + Ok(settings) + } +} + +#[cfg(test)] +mod tests { + + use super::*; + + #[test] + fn test_ensure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } +} diff --git a/apps/nxmesh-agent/src/config/settings/nginx.rs b/apps/nxmesh-agent/src/config/settings/nginx.rs new file mode 100644 index 0000000..b5c5142 --- /dev/null +++ b/apps/nxmesh-agent/src/config/settings/nginx.rs @@ -0,0 +1,280 @@ +use std::os::unix::fs::PermissionsExt; + +use serde::{Deserialize, Serialize}; + +use crate::config::settings::{Validate, ValidationError}; + +const NGINX_BINARY_PATH_TEMPLATE: &str = "{{nginx_binary_path}}"; +const NGINX_DEFAULT_BINARY: &str = "nginx"; + +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct NginxSettings { + #[serde(default = "default_nginx_config_path")] + pub nginx_config_path: String, + // #[serde(default = "default_nginx_binary_path")] + #[serde(default)] + pub nginx_binary_path: Option, + // commands + #[serde(default = "default_nginx_reload_command")] + pub override_nginx_reload_command: Vec, + #[serde(default = "default_nginx_test_command")] + pub override_nginx_test_command: Vec, + // timeouts + #[serde(default = "default_nginx_reload_timeout_seconds")] + pub nginx_reload_timeout_seconds: u64, + #[serde(default = "default_nginx_test_timeout_seconds")] + pub nginx_test_timeout_seconds: u64, +} + +impl NginxSettings { + /// Transforms the reload and test commands by replacing the binary path template with the actual binary path if provided. + /// This MUST be called after validation to ensure the binary path is valid and the commands contain the template. + pub fn transform_commands(&mut self) { + self.override_nginx_reload_command = self.transformed_reload_command(); + self.override_nginx_test_command = self.transformed_test_command(); + } + + fn transformed_reload_command(&self) -> Vec { + self.override_nginx_reload_command + .iter() + .map(|cmd| { + cmd.replace( + NGINX_BINARY_PATH_TEMPLATE, + &self + .nginx_binary_path + .clone() + .unwrap_or_else(|| NGINX_DEFAULT_BINARY.into()), + ) + }) + .collect() + } + + fn transformed_test_command(&self) -> Vec { + self.override_nginx_test_command + .iter() + .map(|cmd| { + cmd.replace( + NGINX_BINARY_PATH_TEMPLATE, + &self + .nginx_binary_path + .clone() + .unwrap_or_else(|| NGINX_DEFAULT_BINARY.into()), + ) + }) + .collect() + } +} + +impl Validate for NginxSettings { + fn validate(&self) -> Result<(), ValidationError> { + match &self.nginx_binary_path { + Some(path) if path.is_empty() => { + return Err("Nginx binary path cannot be empty".into()); + } + Some(path) if !std::path::Path::new(path).exists() => { + return Err(format!("Nginx binary not found: {}", path)); + } + Some(path) + if !std::fs::metadata(path) + .map_err(|e| format!("Failed to read nginx binary metadata: {}", e))? + .permissions() + .mode() + & 0o111 + != 0 => + { + return Err(format!("Nginx binary is not executable: {}", path)); + } + _ => {} + } + if self.nginx_config_path.is_empty() { + return Err("Nginx config path cannot be empty".into()); + } + if !std::path::Path::new(&self.nginx_config_path).exists() { + return Err(format!( + "Nginx config file not found: {}", + self.nginx_config_path + )); + } + + // ensure reload and test commands contain the binary path template + if !&self + .override_nginx_reload_command + .join(" ") + .contains(NGINX_BINARY_PATH_TEMPLATE) + { + return Err(format!( + "Nginx reload command must contain the binary path template '{}': {}", + NGINX_BINARY_PATH_TEMPLATE, + self.override_nginx_reload_command.join(" ") + )); + } + if !&self + .override_nginx_test_command + .join(" ") + .contains(NGINX_BINARY_PATH_TEMPLATE) + { + return Err(format!( + "Nginx test command must contain the binary path template '{}': {}", + NGINX_BINARY_PATH_TEMPLATE, + self.override_nginx_test_command.join(" ") + )); + } + Ok(()) + } +} + +fn default_nginx_config_path() -> String { + "/etc/nginx/nginx.conf".into() +} + +fn default_nginx_reload_command() -> Vec { + vec![ + NGINX_BINARY_PATH_TEMPLATE.to_string(), + "-s".to_string(), + "reload".to_string(), + ] +} + +fn default_nginx_test_command() -> Vec { + vec![NGINX_BINARY_PATH_TEMPLATE.to_string(), "-t".to_string()] +} + +fn default_nginx_reload_timeout_seconds() -> u64 { + 30 +} + +fn default_nginx_test_timeout_seconds() -> u64 { + 30 +} + +#[cfg(test)] +mod tests { + use std::{fs, os::unix::fs::PermissionsExt, path::Path}; + + use tempfile::TempDir; + + use super::*; + + #[test] + fn test_esnure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } + + fn write_file(path: &Path) { + let result = fs::write(path, b"content"); + assert!(result.is_ok()); + } + + fn create_exec_file(path: &Path) { + write_file(path); + let metadata = fs::metadata(path); + assert!(metadata.is_ok()); + let metadata = metadata.ok(); + assert!(metadata.is_some()); + let metadata = metadata.unwrap_or_else(|| unreachable!()); + + let mut perms = metadata.permissions(); + perms.set_mode(0o755); + let result = fs::set_permissions(path, perms); + assert!(result.is_ok()); + } + + fn create_non_exec_file(path: &Path) { + write_file(path); + let metadata = fs::metadata(path); + assert!(metadata.is_ok()); + let metadata = metadata.ok(); + assert!(metadata.is_some()); + let metadata = metadata.unwrap_or_else(|| unreachable!()); + + let mut perms = metadata.permissions(); + perms.set_mode(0o644); + let result = fs::set_permissions(path, perms); + assert!(result.is_ok()); + } + + #[test] + fn nginx_validate_succeeds_for_valid_paths_and_commands() { + let temp_dir = TempDir::new(); + assert!(temp_dir.is_ok()); + let temp_dir = temp_dir.ok(); + assert!(temp_dir.is_some()); + let temp_dir = temp_dir.unwrap_or_else(|| unreachable!()); + + let nginx_binary = temp_dir.path().join("nginx"); + let nginx_config = temp_dir.path().join("nginx.conf"); + + create_exec_file(&nginx_binary); + write_file(&nginx_config); + + let nginx = NginxSettings { + nginx_config_path: nginx_config.to_string_lossy().to_string(), + nginx_binary_path: Some(nginx_binary.to_string_lossy().to_string()), + override_nginx_reload_command: default_nginx_reload_command(), + override_nginx_test_command: default_nginx_test_command(), + nginx_reload_timeout_seconds: 30, + nginx_test_timeout_seconds: 30, + }; + + assert!(nginx.validate().is_ok()); + } + + #[test] + fn nginx_validate_fails_for_non_executable_binary() { + let temp_dir = TempDir::new(); + assert!(temp_dir.is_ok()); + let temp_dir = temp_dir.ok(); + assert!(temp_dir.is_some()); + let temp_dir = temp_dir.unwrap_or_else(|| unreachable!()); + + let nginx_binary = temp_dir.path().join("nginx"); + let nginx_config = temp_dir.path().join("nginx.conf"); + + create_non_exec_file(&nginx_binary); + write_file(&nginx_config); + + let nginx = NginxSettings { + nginx_config_path: nginx_config.to_string_lossy().to_string(), + nginx_binary_path: Some(nginx_binary.to_string_lossy().to_string()), + override_nginx_reload_command: default_nginx_reload_command(), + override_nginx_test_command: default_nginx_test_command(), + nginx_reload_timeout_seconds: 30, + nginx_test_timeout_seconds: 30, + }; + + let result = nginx.validate(); + assert!(result.is_err()); + let msg = result.err().unwrap_or_else(|| unreachable!()); + assert!(msg.contains("Nginx binary is not executable")); + } + + #[test] + fn nginx_validate_fails_when_reload_command_lacks_template() { + let temp_dir = TempDir::new(); + assert!(temp_dir.is_ok()); + let temp_dir = temp_dir.ok(); + assert!(temp_dir.is_some()); + let temp_dir = temp_dir.unwrap_or_else(|| unreachable!()); + + let nginx_binary = temp_dir.path().join("nginx"); + let nginx_config = temp_dir.path().join("nginx.conf"); + + create_exec_file(&nginx_binary); + write_file(&nginx_config); + + let nginx = NginxSettings { + nginx_config_path: nginx_config.to_string_lossy().to_string(), + nginx_binary_path: Some(nginx_binary.to_string_lossy().to_string()), + override_nginx_reload_command: vec!["nginx".into(), "-s".into(), "reload".into()], + override_nginx_test_command: default_nginx_test_command(), + nginx_reload_timeout_seconds: 30, + nginx_test_timeout_seconds: 30, + }; + + let result = nginx.validate(); + assert!(result.is_err()); + let msg = result.err().unwrap_or_else(|| unreachable!()); + assert!(msg.contains("Nginx reload command must contain the binary path template")); + } +} From 9f72cd4bbbe7720cbd766506605b314e08813d92 Mon Sep 17 00:00:00 2001 From: GW_MC <72297530+GWMCwing@users.noreply.github.com> Date: Sun, 31 May 2026 02:36:30 +0000 Subject: [PATCH 4/7] refactor: update health report to connection test and simplify proto definitions --- apps/nxmesh-agent/src/main.rs | 8 +- apps/nxmesh-master/src/service/agent/mod.rs | 39 +--- crates/nxmesh-proto/proto/agent.proto | 236 ++++++-------------- 3 files changed, 77 insertions(+), 206 deletions(-) diff --git a/apps/nxmesh-agent/src/main.rs b/apps/nxmesh-agent/src/main.rs index e3dc71f..8958005 100644 --- a/apps/nxmesh-agent/src/main.rs +++ b/apps/nxmesh-agent/src/main.rs @@ -62,14 +62,14 @@ async fn main() { // send a dummy heartbeat to verify the connection is working let client = master_connector.get_client(); - let request = nxmesh_proto::HealthReport { + let request = nxmesh_proto::TestRequest { ..Default::default() }; - match client.lock().await.report_health(request).await { - Ok(_) => info!("Successfully sent health report to master."), + match client.lock().await.connection_test(request).await { + Ok(_) => info!("Successfully sent connection test to master."), Err(e) => { - error!("Failed to send health report to master: {}", e); + error!("Failed to send connection test to master: {}", e); exit(1); } } diff --git a/apps/nxmesh-master/src/service/agent/mod.rs b/apps/nxmesh-master/src/service/agent/mod.rs index ad5a849..e8f329e 100644 --- a/apps/nxmesh-master/src/service/agent/mod.rs +++ b/apps/nxmesh-master/src/service/agent/mod.rs @@ -1,8 +1,6 @@ -use nxmesh_proto::{ - Ack, AgentMessage, HealthReport, MasterMessage, MetricsBatch, - agent_service_server::AgentService, -}; -use tracing::warn; +use nxmesh_proto::{AgentMessage, MasterMessage, agent_service_server::AgentService}; + +pub mod repo; #[derive(Debug, Default)] pub struct AgentServerService {} @@ -25,30 +23,13 @@ impl AgentService for AgentServerService { todo!() } - #[doc = " ReportHealth sends a health report to the master"] - #[allow( - mismatched_lifetime_syntaxes, - clippy::type_complexity, - clippy::type_repetition_in_bounds - )] - async fn report_health( + async fn connection_test( &self, - request: tonic::Request, - ) -> Result, tonic::Status> { - warn!("Received health report: {:?}", request.get_ref()); - todo!() - } - - #[doc = " ReportMetrics sends metrics batch to the master"] - #[allow( - mismatched_lifetime_syntaxes, - clippy::type_complexity, - clippy::type_repetition_in_bounds - )] - async fn report_metrics( - &self, - request: tonic::Request, - ) -> Result, tonic::Status> { - todo!() + _request: tonic::Request, + ) -> Result, tonic::Status> { + Ok(tonic::Response::new(nxmesh_proto::TestResponse { + success: true, + error_message: String::new(), + })) } } diff --git a/crates/nxmesh-proto/proto/agent.proto b/crates/nxmesh-proto/proto/agent.proto index ed42b96..9f57edd 100644 --- a/crates/nxmesh-proto/proto/agent.proto +++ b/crates/nxmesh-proto/proto/agent.proto @@ -11,103 +11,53 @@ service AgentService { // Stream establishes a persistent connection for real-time communication rpc Stream(stream AgentMessage) returns (stream MasterMessage); - // ReportHealth sends a health report to the master - rpc ReportHealth(HealthReport) returns (Ack); + rpc ConnectionTest(TestRequest) returns (TestResponse); +} - // ReportMetrics sends metrics batch to the master - rpc ReportMetrics(MetricsBatch) returns (Ack); +message TestRequest { + // no fields needed for test request +} + +message TestResponse { + bool success = 1; + string error_message = 2; // if success is false, this field should contain the error message +} + +// Messages sent from master to agent +message MasterMessage { + int64 timestamp = 1; + string message_id = 2; + oneof payload { + // requests + ConfigUpdate config_update = 3; + Command command = 4; + } } // Messages sent from agent to master message AgentMessage { string agent_id = 1; int64 timestamp = 2; + string message_id = 3; oneof payload { - RegistrationRequest registration = 3; - HealthReport health = 4; - ConfigStatus config_status = 5; - MetricsBatch metrics = 6; - LogBatch logs = 7; - Event event = 8; + // responses + ConfigUpdateResult config_update_result = 6; + CommandResult command_result = 7; } } -// Messages sent from master to agent -message MasterMessage { - int64 timestamp = 1; - oneof payload { - RegistrationResponse registration_response = 2; - ConfigUpdate config_update = 3; - Command command = 4; - Ack ack = 5; - Error error = 6; - } -} +// +// +// -// Registration -message RegistrationRequest { - string hostname = 1; - string ip_address = 2; - string version = 3; - repeated string capabilities = 4; - map labels = 5; - DeploymentMode deployment_mode = 6; -} - -message RegistrationResponse { - string agent_id = 1; - bool success = 2; - string error_message = 3; - int64 heartbeat_interval_seconds = 4; -} - -enum DeploymentMode { - DEPLOYMENT_MODE_UNSPECIFIED = 0; - DOCKER_SIDECAR = 1; - KUBERNETES_SIDECAR = 2; - STANDALONE = 3; -} - -// Health Reporting -message HealthReport { - NginxStatus nginx = 1; - SystemMetrics system = 2; - string config_checksum = 3; - int64 config_version = 4; - repeated Alert alerts = 5; -} - -message NginxStatus { - bool is_running = 1; - uint32 pid = 2; - uint64 uptime_seconds = 3; - uint32 active_connections = 4; - uint64 total_requests = 5; - float requests_per_second = 6; -} - -message SystemMetrics { - float cpu_percent = 1; - uint64 memory_used_bytes = 2; - uint64 memory_total_bytes = 3; - uint64 disk_used_bytes = 4; - uint64 disk_total_bytes = 5; - float load_average_1m = 6; -} - -message Alert { - string id = 1; - string severity = 2; // info, warning, error, critical - string message = 3; - int64 timestamp = 4; -} - -// Configuration +// ConfigUpdate represents a request from master to agent to update the configuration message ConfigUpdate { - string config_id = 1; - int64 version = 2; - repeated ConfigContent configs = 3; - repeated CertificateContent certificates = 4; + string config_id = 1; // unique identifier for this config update + string version = 2; + // The root config is the main nginx.conf file, this file will be used as the entry point for nginx configuration. The content of this file should include references to other config files if needed. The agent will write this root config to the nginx config directory and use it to reload nginx. + ConfigContent root_config = 3; + // The other config files that are referenced by the root config, e.g. "site.conf", "private/example.com.conf". If the root config does not reference any other config files, this field can be left empty. The agent will write these config files to the nginx config directory and ensure they are included in the root config. + repeated ConfigContent configs = 4; } message ConfigContent { @@ -116,113 +66,53 @@ message ConfigContent { string content = 2; } -message CertificateContent { - string id = 1; - // relative path from other config files, e.g. "certs/example.com.pem" - string path = 2; - string certificate_pem = 3; - string private_key_pem = 4; +message ConfigUpdateResult { + string config_id = 1; // should match the config_id in ConfigUpdate + bool success = 2; + ConfigUpdateError error_message = 3; // if success is false, this field should contain the error message } -message ConfigStatus { - string config_id = 1; - int64 version = 2; - ConfigApplyStatus status = 3; - string error_message = 4; - int64 applied_at = 5; +enum ConfigUpdateError { + UNKNOWN = 0; + INVALID_CONFIG = 1; // the config content is invalid, e.g. syntax error + WRITE_FAILED = 2; // failed to write the config file to disk + RELOAD_FAILED = 3; // failed to reload nginx with the new config } -enum ConfigApplyStatus { - CONFIG_APPLY_STATUS_UNSPECIFIED = 0; - PENDING = 1; - VALIDATING = 2; - APPLYING = 3; - SUCCESS = 4; - FAILED = 5; - ROLLED_BACK = 6; -} +// +// +// -// Metrics -message MetricsBatch { - int64 timestamp = 1; - repeated Metric metrics = 2; -} - -message Metric { - string name = 1; - double value = 2; - int64 timestamp = 3; - map labels = 4; - MetricType type = 5; -} - -enum MetricType { - METRIC_TYPE_UNSPECIFIED = 0; - GAUGE = 1; - COUNTER = 2; - HISTOGRAM = 3; -} - -// Logs -message LogBatch { - repeated LogEntry entries = 1; -} - -message LogEntry { - int64 timestamp = 1; - string level = 2; - string message = 3; - map fields = 4; -} - -// Commands +// Command represents a request from master to agent to execute a command, e.g. "reload", "test" message Command { - string command_id = 1; oneof command { - ReloadCommand reload = 2; - RestartCommand restart = 3; - StopCommand stop = 4; - GetStatusCommand get_status = 5; - ValidateConfigCommand validate_config = 6; + ReloadCommand reload = 1; + TestCommand test = 2; } } message ReloadCommand { - bool graceful = 1; + // no additional fields needed for reload command } -message RestartCommand { - bool force = 1; +message TestCommand { + // no additional fields needed for test command } -message StopCommand { - bool graceful = 1; - uint32 timeout_seconds = 2; +message CommandResult { + oneof result { + ReloadResult reload_result = 1; + TestResult test_result = 2; + } } -message GetStatusCommand {} - -message ValidateConfigCommand { - string config_content = 1; +message ReloadResult { + bool success = 1; + string error_message = 2; // if success is false, this field should contain the error message } -// Events -message Event { - string event_id = 1; - string event_type = 2; - int64 timestamp = 3; - map data = 4; +message TestResult { + bool success = 1; + string error_message = 2; // if success is false, this field should contain the error message } -// Common messages -message Ack { - string message_id = 1; - bool success = 2; - string error_message = 3; -} - -message Error { - string code = 1; - string message = 2; - map details = 3; -} From cb4ad27e89fcc37990dfac3385a9b7b5f4f878e4 Mon Sep 17 00:00:00 2001 From: GW_MC <72297530+GWMCwing@users.noreply.github.com> Date: Sun, 31 May 2026 02:36:42 +0000 Subject: [PATCH 5/7] refactor: enhance asset retrieval logic to support fallback for client subfolder --- apps/nxmesh-master/src/routes/frontend/mod.rs | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/apps/nxmesh-master/src/routes/frontend/mod.rs b/apps/nxmesh-master/src/routes/frontend/mod.rs index db345f6..4b49fe5 100644 --- a/apps/nxmesh-master/src/routes/frontend/mod.rs +++ b/apps/nxmesh-master/src/routes/frontend/mod.rs @@ -37,7 +37,11 @@ pub async fn get_fallback_handler() -> Result>, axu } fn get_index_html() -> Option> { - FrontendAssets::get(INDEX_HTML).map(|asset| asset.data.as_ref().to_owned()) + // Try root index.html first, then fall back to client/index.html when assets + // are packaged under the `client/` subfolder. + FrontendAssets::get(INDEX_HTML) + .or_else(|| FrontendAssets::get(&format!("client/{}", INDEX_HTML))) + .map(|asset| asset.data.as_ref().to_owned()) } async fn get_file_handler( @@ -49,7 +53,10 @@ async fn get_file_handler( path }; - match FrontendAssets::get(&file_path) { + // Try direct lookup first, then fallback to the `client/` subfolder. + match FrontendAssets::get(&file_path) + .or_else(|| FrontendAssets::get(&format!("client/{}", file_path))) + { Some(asset) => { let content_type = mime_guess::from_path(&file_path).first_or_octet_stream(); let response = axum::response::Response::builder() From 153c092abea96c40de6ee19f1a0ac25931d46cc7 Mon Sep 17 00:00:00 2001 From: GW_MC <72297530+GWMCwing@users.noreply.github.com> Date: Sun, 31 May 2026 02:37:41 +0000 Subject: [PATCH 6/7] refactor: update act command to include artifact server path for improved functionality --- justfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/justfile b/justfile index 3e636b7..4330597 100644 --- a/justfile +++ b/justfile @@ -38,7 +38,7 @@ setup-frontend: act *ARGS: # run act with custom secret-file @echo "🎬 Running act with custom secrets file..." - act --env-file .github/.env --secret-file .github/.secrets.env --var-file .github/.var.env --network host {{ ARGS }} + act --env-file .github/.env --secret-file .github/.secrets.env --var-file .github/.var.env --network host --artifact-server-path ./.act/.artifacts {{ ARGS }} # Start all services for development dev: From c52c0b3103a0861946ebe5b6711f75199fd9403d Mon Sep 17 00:00:00 2001 From: GW_MC <72297530+GWMCwing@users.noreply.github.com> Date: Sun, 31 May 2026 02:56:03 +0000 Subject: [PATCH 7/7] refactor: reorganize settings into separate modules for improved structure and maintainability --- apps/nxmesh-master/src/config/settings.rs | 586 ------------------ .../nxmesh-master/src/config/settings/auth.rs | 58 ++ .../nxmesh-master/src/config/settings/cert.rs | 276 +++++++++ .../nxmesh-master/src/config/settings/cors.rs | 34 + .../src/config/settings/database.rs | 48 ++ .../nxmesh-master/src/config/settings/grpc.rs | 53 ++ apps/nxmesh-master/src/config/settings/log.rs | 81 +++ apps/nxmesh-master/src/config/settings/mod.rs | 75 +++ .../src/config/settings/server.rs | 103 +++ 9 files changed, 728 insertions(+), 586 deletions(-) delete mode 100644 apps/nxmesh-master/src/config/settings.rs create mode 100644 apps/nxmesh-master/src/config/settings/auth.rs create mode 100644 apps/nxmesh-master/src/config/settings/cert.rs create mode 100644 apps/nxmesh-master/src/config/settings/cors.rs create mode 100644 apps/nxmesh-master/src/config/settings/database.rs create mode 100644 apps/nxmesh-master/src/config/settings/grpc.rs create mode 100644 apps/nxmesh-master/src/config/settings/log.rs create mode 100644 apps/nxmesh-master/src/config/settings/mod.rs create mode 100644 apps/nxmesh-master/src/config/settings/server.rs diff --git a/apps/nxmesh-master/src/config/settings.rs b/apps/nxmesh-master/src/config/settings.rs deleted file mode 100644 index 64f01e2..0000000 --- a/apps/nxmesh-master/src/config/settings.rs +++ /dev/null @@ -1,586 +0,0 @@ -use config::{Config, ConfigError, Environment, File}; -use rcgen::string::Ia5String; -use serde::{Deserialize, Deserializer, Serialize}; -use std::{net::IpAddr, str::FromStr}; -use tracing::level_filters::LevelFilter; - -type ValidationError = String; - -trait Validate { - fn validate(&self) -> Result<(), ValidationError>; -} - -/// Master server settings -#[derive(Debug, Clone, Serialize, Deserialize)] -pub struct Settings { - pub server: ServerSettings, - pub database: DatabaseSettings, - pub grpc: GrpcSettings, - pub auth: AuthSettings, - #[serde(default)] - pub log: LogSettings, -} - -/// HTTP server settings -#[derive(Debug, Clone, Serialize, Deserialize)] -pub struct ServerSettings { - #[serde(default = "default_server_bind_address")] - pub bind_address: String, - #[serde(default = "default_server_port")] - pub port: u16, - #[serde(default)] - pub certificate: CertificateSettings, - #[serde(default)] - pub cors: Option, -} - -/// Database connection settings -#[derive(Debug, Clone, Serialize, Deserialize)] -pub struct DatabaseSettings { - pub url: String, - pub max_connections: Option, -} - -/// gRPC server settings -#[derive(Debug, Clone, Serialize, Deserialize)] -pub struct GrpcSettings { - #[serde(default = "default_grpc_bind_address")] - pub bind_address: String, - #[serde(default = "default_grpc_port")] - pub port: u16, - #[serde(default)] - pub certificate: CertificateSettings, - #[serde(default)] - pub cors: Option, -} - -/// Authentication settings -#[derive(Debug, Clone, Serialize, Deserialize)] -pub struct AuthSettings { - pub jwt_secret: String, - #[serde(default = "default_jwt_expiration_hours")] - pub jwt_expiration_hours: u64, -} - -/// TLS certificate settings -#[derive(Debug, Clone, Serialize, Deserialize, Default)] -pub struct CertificateSettings { - #[serde(default = "default_cert_folder")] - pub cert_dir: String, - #[serde( - default, - serialize_with = "serialize_ia5string_vec", - deserialize_with = "deserialize_ia5string_vec" - )] - pub san_dns: Vec, - #[serde(default)] - pub san_ip: Vec, - #[serde(default)] - cert_path: Option, - #[serde(default)] - key_path: Option, -} - -impl CertificateSettings { - pub fn cert_path(&self) -> Option { - self.cert_path - .as_ref() - .map(|p| format!("{}/{}", self.cert_dir, p)) - } - - pub fn key_path(&self) -> Option { - self.key_path - .as_ref() - .map(|p| format!("{}/{}", self.cert_dir, p)) - } -} - -/// CORS settings -#[derive(Debug, Clone, Serialize, Deserialize, Default)] -pub struct CorsSettings { - #[serde(default)] - pub allowed_origins: Vec, - #[serde(default)] - pub allowed_methods: Vec, - #[serde(default)] - pub allowed_headers: Vec, - #[serde(default)] - pub allow_credentials: bool, -} - -/// Logging settings -#[derive(Debug, Clone, Serialize, Deserialize)] -pub struct LogSettings { - #[serde( - deserialize_with = "deserialize_level_filter", - serialize_with = "serialize_level_filter" - )] - pub level: LevelFilter, -} - -impl Default for LogSettings { - fn default() -> Self { - Self { - level: default_log_level(), - } - } -} - -impl Validate for Settings { - fn validate(&self) -> Result<(), ValidationError> { - self.server.validate()?; - self.grpc.validate()?; - self.database.validate()?; - self.auth.validate()?; - Ok(()) - } -} - -impl Settings { - /// Load settings from config files and environment - pub fn load() -> Result { - let run_mode = std::env::var("RUN_MODE").unwrap_or_else(|_| "development".into()); - - let settings = Config::builder() - .add_source(File::with_name("config/default").required(false)) - .add_source(File::with_name(&format!("config/{}", run_mode)).required(false)) - .add_source(File::with_name("config/master/default").required(false)) - .add_source(File::with_name(&format!("config/master/{}", run_mode)).required(false)) - .add_source(Environment::with_prefix("NXMESH").separator("__")) - .build()?; - - let settings: Self = settings.try_deserialize()?; - - settings.validate().map_err(ConfigError::Message)?; - - Ok(settings) - } -} - -impl Validate for ServerSettings { - fn validate(&self) -> Result<(), ValidationError> { - if self.bind_address.is_empty() { - return Err("Server bind address cannot be empty".into()); - } - if self.port == 0 { - return Err("Server port must be greater than 0".into()); - } - self.certificate.validate()?; - if let Some(cors) = &self.cors { - cors.validate()?; - } - Ok(()) - } -} - -impl Validate for GrpcSettings { - fn validate(&self) -> Result<(), ValidationError> { - if self.bind_address.is_empty() { - return Err("gRPC bind address cannot be empty".into()); - } - if self.port == 0 { - return Err("gRPC port must be greater than 0".into()); - } - self.certificate.validate()?; - if let Some(cors) = &self.cors { - cors.validate()?; - } - Ok(()) - } -} - -impl Validate for DatabaseSettings { - fn validate(&self) -> Result<(), ValidationError> { - if self.url.is_empty() { - return Err("Database URL cannot be empty".into()); - } - if let Some(max_connections) = self.max_connections - && max_connections == 0 - { - return Err("Max database connections must be greater than 0".into()); - } - Ok(()) - } -} - -impl Validate for AuthSettings { - fn validate(&self) -> Result<(), ValidationError> { - if self.jwt_secret.is_empty() { - return Err("JWT secret cannot be empty".into()); - } - if self.jwt_expiration_hours == 0 { - return Err("JWT expiration hours must be greater than 0".into()); - } - Ok(()) - } -} - -impl Validate for CertificateSettings { - fn validate(&self) -> Result<(), ValidationError> { - let base_path = std::path::Path::new(&self.cert_dir); - if !base_path.exists() { - // create the cert directory if it doesn't exist - std::fs::create_dir_all(base_path).map_err(|e| { - format!( - "Failed to create certificate directory {:?}: {}", - base_path, e - ) - })?; - } - let cert_path = self.cert_path.as_ref().map(|p| base_path.join(p)); - let key_path = self.key_path.as_ref().map(|p| base_path.join(p)); - if (cert_path.is_some() && key_path.is_none()) - || (cert_path.is_none() && key_path.is_some()) - { - return Err("Both certificate and key paths must be provided for TLS".into()); - } - if let (Some(cert_path), Some(key_path)) = (&cert_path, &key_path) { - if !std::path::Path::new(cert_path).exists() { - return Err(format!("Certificate file not found: {:?}", cert_path)); - } - if !std::path::Path::new(key_path).exists() { - return Err(format!("Key file not found: {:?}", key_path)); - } - } - - // validate for SAN entries - must be valid DNS names or IP addresses - for dns in &self.san_dns { - if dns.to_string().is_empty() { - return Err("SAN DNS entries cannot be empty".into()); - } - } - for ip in &self.san_ip { - if ip.is_unspecified() { - return Err("SAN IP entries cannot be unspecified".into()); - } - } - // require at least one SAN entry for the generated certificate - if self.san_dns.is_empty() && self.san_ip.is_empty() { - return Err( - "At least one SAN entry (DNS or IP) must be provided for the certificate".into(), - ); - } - - Ok(()) - } -} - -impl Validate for CorsSettings { - fn validate(&self) -> Result<(), ValidationError> { - Ok(()) - } -} - -fn default_jwt_expiration_hours() -> u64 { - 24 -} - -fn default_server_bind_address() -> String { - "0.0.0.0".into() -} - -fn default_server_port() -> u16 { - 8080 -} - -fn default_grpc_bind_address() -> String { - "0.0.0.0".into() -} - -fn default_grpc_port() -> u16 { - 50051 -} - -fn default_log_level() -> LevelFilter { - LevelFilter::INFO -} - -fn default_cert_folder() -> String { - "./certs".into() -} - -fn deserialize_level_filter<'de, D>(deserializer: D) -> Result -where - D: Deserializer<'de>, -{ - let s = String::deserialize(deserializer)?; - LevelFilter::from_str(&s).map_err(serde::de::Error::custom) -} - -fn serialize_level_filter(level: &LevelFilter, serializer: S) -> Result -where - S: serde::Serializer, -{ - serializer.serialize_str(&level.to_string()) -} - -fn deserialize_ia5string_vec<'de, D>(deserializer: D) -> Result, D::Error> -where - D: Deserializer<'de>, -{ - let vec = Vec::::deserialize(deserializer)?; - vec.into_iter() - .map(|s| Ia5String::try_from(s).map_err(serde::de::Error::custom)) - .collect() -} - -fn serialize_ia5string_vec(vec: &Vec, serializer: S) -> Result -where - S: serde::Serializer, -{ - let string_vec: Vec = vec.iter().map(|ia5| ia5.to_string()).collect(); - string_vec.serialize(serializer) -} - -#[cfg(test)] -mod tests { - use std::{ - fs, - net::{IpAddr, Ipv4Addr}, - path::PathBuf, - time::{SystemTime, UNIX_EPOCH}, - }; - - use super::*; - - #[test] - fn test_esnure_send_and_sync() { - fn assert_send_sync() {} - assert_send_sync::(); - assert_send_sync::(); - assert_send_sync::(); - assert_send_sync::(); - assert_send_sync::(); - assert_send_sync::(); - assert_send_sync::(); - assert_send_sync::(); - } - - fn make_temp_dir(prefix: &str) -> PathBuf { - let ts = SystemTime::now().duration_since(UNIX_EPOCH); - assert!(ts.is_ok()); - let ts = ts.unwrap_or_default(); - let path = std::env::temp_dir().join(format!( - "{}_{}_{}", - prefix, - std::process::id(), - ts.as_nanos() - )); - let created = fs::create_dir_all(&path); - assert!(created.is_ok()); - path - } - - #[test] - fn certificate_paths_include_cert_dir() { - let cert = CertificateSettings { - cert_dir: "./certs".to_string(), - san_dns: Vec::new(), - san_ip: Vec::new(), - cert_path: Some("server.crt".to_string()), - key_path: Some("server.key".to_string()), - }; - - assert_eq!(cert.cert_path(), Some("./certs/server.crt".to_string())); - assert_eq!(cert.key_path(), Some("./certs/server.key".to_string())); - } - - #[test] - fn certificate_validate_creates_directory_when_missing() { - let cert_dir = make_temp_dir("nxmesh-master-cert-create").join("nested"); - let san = Ia5String::try_from("localhost".to_string()); - assert!(san.is_ok()); - let san = san.unwrap_or_else(|_| unreachable!()); - let cert = CertificateSettings { - cert_dir: cert_dir.to_string_lossy().to_string(), - san_dns: vec![san], - san_ip: Vec::new(), - cert_path: None, - key_path: None, - }; - - let result = cert.validate(); - assert!(result.is_ok()); - assert!(cert_dir.exists()); - - let _ = fs::remove_dir_all(cert_dir.parent().unwrap_or(&cert_dir)); - } - - #[test] - fn certificate_validate_fails_when_only_cert_path_is_set() { - let cert_dir = make_temp_dir("nxmesh-master-cert-partial"); - let san = Ia5String::try_from("localhost".to_string()); - assert!(san.is_ok()); - let san = san.unwrap_or_else(|_| unreachable!()); - let cert = CertificateSettings { - cert_dir: cert_dir.to_string_lossy().to_string(), - san_dns: vec![san], - san_ip: Vec::new(), - cert_path: Some("server.crt".to_string()), - key_path: None, - }; - - let result = cert.validate(); - assert!(result.is_err()); - let msg = result.err().unwrap_or_default(); - assert!(msg.contains("Both certificate and key paths must be provided")); - - let _ = fs::remove_dir_all(&cert_dir); - } - - #[test] - fn certificate_validate_fails_with_unspecified_ip() { - let cert_dir = make_temp_dir("nxmesh-master-cert-unspecified-ip"); - let cert = CertificateSettings { - cert_dir: cert_dir.to_string_lossy().to_string(), - san_dns: Vec::new(), - san_ip: vec![IpAddr::V4(Ipv4Addr::UNSPECIFIED)], - cert_path: None, - key_path: None, - }; - - let result = cert.validate(); - assert!(result.is_err()); - let msg = result.err().unwrap_or_default(); - assert!(msg.contains("SAN IP entries cannot be unspecified")); - - let _ = fs::remove_dir_all(&cert_dir); - } - - #[test] - fn certificate_validate_fails_without_any_san_entries() { - let cert_dir = make_temp_dir("nxmesh-master-cert-no-san"); - let cert = CertificateSettings { - cert_dir: cert_dir.to_string_lossy().to_string(), - san_dns: Vec::new(), - san_ip: Vec::new(), - cert_path: None, - key_path: None, - }; - - let result = cert.validate(); - assert!(result.is_err()); - let msg = result.err().unwrap_or_default(); - assert!(msg.contains("At least one SAN entry")); - - let _ = fs::remove_dir_all(&cert_dir); - } - - #[test] - fn database_validate_fails_for_zero_max_connections() { - let db = DatabaseSettings { - url: "postgres://localhost/db".to_string(), - max_connections: Some(0), - }; - - let result = db.validate(); - assert!(result.is_err()); - let msg = result.err().unwrap_or_default(); - assert!(msg.contains("Max database connections must be greater than 0")); - } - - #[test] - fn auth_validate_fails_for_empty_secret() { - let auth = AuthSettings { - jwt_secret: "".to_string(), - jwt_expiration_hours: 24, - }; - - let result = auth.validate(); - assert!(result.is_err()); - let msg = result.err().unwrap_or_default(); - assert!(msg.contains("JWT secret cannot be empty")); - } - - #[test] - fn server_validate_fails_for_zero_port() { - let cert_dir = make_temp_dir("nxmesh-master-server-validate"); - let san = Ia5String::try_from("localhost".to_string()); - assert!(san.is_ok()); - let san = san.unwrap_or_else(|_| unreachable!()); - let server = ServerSettings { - bind_address: "0.0.0.0".to_string(), - port: 0, - certificate: CertificateSettings { - cert_dir: cert_dir.to_string_lossy().to_string(), - san_dns: vec![san], - san_ip: Vec::new(), - cert_path: None, - key_path: None, - }, - cors: None, - }; - - let result = server.validate(); - assert!(result.is_err()); - let msg = result.err().unwrap_or_default(); - assert!(msg.contains("Server port must be greater than 0")); - - let _ = fs::remove_dir_all(&cert_dir); - } - - #[test] - fn level_filter_round_trip_serialization() { - #[derive(Serialize, Deserialize)] - struct Wrapper { - #[serde( - deserialize_with = "deserialize_level_filter", - serialize_with = "serialize_level_filter" - )] - level: LevelFilter, - } - - let data = Wrapper { - level: LevelFilter::DEBUG, - }; - - let encoded = serde_json::to_string(&data); - assert!(encoded.is_ok()); - let encoded = encoded.unwrap_or_default(); - assert!(encoded.to_lowercase().contains("debug")); - - let decoded: Result = serde_json::from_str(&encoded); - assert!(decoded.is_ok()); - let decoded = decoded.unwrap_or(Wrapper { - level: LevelFilter::ERROR, - }); - assert_eq!(decoded.level, LevelFilter::DEBUG); - } - - #[test] - fn ia5string_vec_round_trip_serialization() { - #[derive(Serialize, Deserialize)] - struct Wrapper { - #[serde( - deserialize_with = "deserialize_ia5string_vec", - serialize_with = "serialize_ia5string_vec" - )] - san_dns: Vec, - } - - let first = Ia5String::try_from("localhost".to_string()); - assert!(first.is_ok()); - let second = Ia5String::try_from("example.com".to_string()); - assert!(second.is_ok()); - - let first = first.unwrap_or_else(|_| unreachable!()); - let second = second.unwrap_or_else(|_| unreachable!()); - - let data = Wrapper { - san_dns: vec![first, second], - }; - - let encoded = serde_json::to_string(&data); - assert!(encoded.is_ok()); - let encoded = encoded.unwrap_or_default(); - assert!(encoded.contains("localhost")); - assert!(encoded.contains("example.com")); - - let decoded: Result = serde_json::from_str(&encoded); - assert!(decoded.is_ok()); - let decoded = decoded.unwrap_or(Wrapper { - san_dns: Vec::new(), - }); - assert_eq!(decoded.san_dns.len(), 2); - } -} diff --git a/apps/nxmesh-master/src/config/settings/auth.rs b/apps/nxmesh-master/src/config/settings/auth.rs new file mode 100644 index 0000000..76daa61 --- /dev/null +++ b/apps/nxmesh-master/src/config/settings/auth.rs @@ -0,0 +1,58 @@ +use serde::{Deserialize, Serialize}; + +use crate::config::settings::{Validate, ValidationError}; + +/// Authentication settings +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct AuthSettings { + pub jwt_secret: String, + #[serde(default = "default_jwt_expiration_hours")] + pub jwt_expiration_hours: u64, +} + +impl Validate for AuthSettings { + fn validate(&self) -> Result<(), ValidationError> { + if self.jwt_secret.is_empty() { + return Err("JWT secret cannot be empty".into()); + } + if self.jwt_expiration_hours == 0 { + return Err("JWT expiration hours must be greater than 0".into()); + } + Ok(()) + } +} + +fn default_jwt_expiration_hours() -> u64 { + 24 +} + +#[cfg(test)] +mod tests { + use std::{ + fs, + net::{IpAddr, Ipv4Addr}, + path::PathBuf, + time::{SystemTime, UNIX_EPOCH}, + }; + + use super::*; + + #[test] + fn test_esnure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } + + #[test] + fn auth_validate_fails_for_empty_secret() { + let auth = AuthSettings { + jwt_secret: "".to_string(), + jwt_expiration_hours: 24, + }; + + let result = auth.validate(); + assert!(result.is_err()); + let msg = result.err().unwrap_or_default(); + assert!(msg.contains("JWT secret cannot be empty")); + } +} diff --git a/apps/nxmesh-master/src/config/settings/cert.rs b/apps/nxmesh-master/src/config/settings/cert.rs new file mode 100644 index 0000000..2f69460 --- /dev/null +++ b/apps/nxmesh-master/src/config/settings/cert.rs @@ -0,0 +1,276 @@ +use std::net::IpAddr; + +use rcgen::string::Ia5String; +use serde::{Deserialize, Deserializer, Serialize}; + +use crate::config::settings::{Validate, ValidationError}; + +/// TLS certificate settings +#[derive(Debug, Clone, Serialize, Deserialize, Default)] +pub struct CertificateSettings { + #[serde(default = "default_cert_folder")] + pub cert_dir: String, + #[serde( + default, + serialize_with = "serialize_ia5string_vec", + deserialize_with = "deserialize_ia5string_vec" + )] + pub san_dns: Vec, + #[serde(default)] + pub san_ip: Vec, + #[serde(default)] + pub cert_path: Option, + #[serde(default)] + pub key_path: Option, +} + +impl CertificateSettings { + pub fn cert_path(&self) -> Option { + self.cert_path + .as_ref() + .map(|p| format!("{}/{}", self.cert_dir, p)) + } + + pub fn key_path(&self) -> Option { + self.key_path + .as_ref() + .map(|p| format!("{}/{}", self.cert_dir, p)) + } +} + +impl Validate for CertificateSettings { + fn validate(&self) -> Result<(), ValidationError> { + let base_path = std::path::Path::new(&self.cert_dir); + if !base_path.exists() { + // create the cert directory if it doesn't exist + std::fs::create_dir_all(base_path).map_err(|e| { + format!( + "Failed to create certificate directory {:?}: {}", + base_path, e + ) + })?; + } + let cert_path = self.cert_path.as_ref().map(|p| base_path.join(p)); + let key_path = self.key_path.as_ref().map(|p| base_path.join(p)); + if (cert_path.is_some() && key_path.is_none()) + || (cert_path.is_none() && key_path.is_some()) + { + return Err("Both certificate and key paths must be provided for TLS".into()); + } + if let (Some(cert_path), Some(key_path)) = (&cert_path, &key_path) { + if !std::path::Path::new(cert_path).exists() { + return Err(format!("Certificate file not found: {:?}", cert_path)); + } + if !std::path::Path::new(key_path).exists() { + return Err(format!("Key file not found: {:?}", key_path)); + } + } + + // validate for SAN entries - must be valid DNS names or IP addresses + for dns in &self.san_dns { + if dns.to_string().is_empty() { + return Err("SAN DNS entries cannot be empty".into()); + } + } + for ip in &self.san_ip { + if ip.is_unspecified() { + return Err("SAN IP entries cannot be unspecified".into()); + } + } + // require at least one SAN entry for the generated certificate + if self.san_dns.is_empty() && self.san_ip.is_empty() { + return Err( + "At least one SAN entry (DNS or IP) must be provided for the certificate".into(), + ); + } + + Ok(()) + } +} + +fn default_cert_folder() -> String { + "./certs".into() +} + +fn deserialize_ia5string_vec<'de, D>(deserializer: D) -> Result, D::Error> +where + D: Deserializer<'de>, +{ + let vec = Vec::::deserialize(deserializer)?; + vec.into_iter() + .map(|s| Ia5String::try_from(s).map_err(serde::de::Error::custom)) + .collect() +} + +fn serialize_ia5string_vec(vec: &Vec, serializer: S) -> Result +where + S: serde::Serializer, +{ + let string_vec: Vec = vec.iter().map(|ia5| ia5.to_string()).collect(); + string_vec.serialize(serializer) +} + +#[cfg(test)] +mod tests { + use std::{ + fs, + net::{IpAddr, Ipv4Addr}, + path::PathBuf, + time::{SystemTime, UNIX_EPOCH}, + }; + + use super::*; + + #[test] + fn test_esnure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } + + fn make_temp_dir(prefix: &str) -> PathBuf { + let ts = SystemTime::now().duration_since(UNIX_EPOCH); + assert!(ts.is_ok()); + let ts = ts.unwrap_or_default(); + let path = std::env::temp_dir().join(format!( + "{}_{}_{}", + prefix, + std::process::id(), + ts.as_nanos() + )); + let created = fs::create_dir_all(&path); + assert!(created.is_ok()); + path + } + + #[test] + fn certificate_paths_include_cert_dir() { + let cert = CertificateSettings { + cert_dir: "./certs".to_string(), + san_dns: Vec::new(), + san_ip: Vec::new(), + cert_path: Some("server.crt".to_string()), + key_path: Some("server.key".to_string()), + }; + + assert_eq!(cert.cert_path(), Some("./certs/server.crt".to_string())); + assert_eq!(cert.key_path(), Some("./certs/server.key".to_string())); + } + + #[test] + fn certificate_validate_creates_directory_when_missing() { + let cert_dir = make_temp_dir("nxmesh-master-cert-create").join("nested"); + let san = Ia5String::try_from("localhost".to_string()); + assert!(san.is_ok()); + let san = san.unwrap_or_else(|_| unreachable!()); + let cert = CertificateSettings { + cert_dir: cert_dir.to_string_lossy().to_string(), + san_dns: vec![san], + san_ip: Vec::new(), + cert_path: None, + key_path: None, + }; + + let result = cert.validate(); + assert!(result.is_ok()); + assert!(cert_dir.exists()); + + let _ = fs::remove_dir_all(cert_dir.parent().unwrap_or(&cert_dir)); + } + + #[test] + fn certificate_validate_fails_when_only_cert_path_is_set() { + let cert_dir = make_temp_dir("nxmesh-master-cert-partial"); + let san = Ia5String::try_from("localhost".to_string()); + assert!(san.is_ok()); + let san = san.unwrap_or_else(|_| unreachable!()); + let cert = CertificateSettings { + cert_dir: cert_dir.to_string_lossy().to_string(), + san_dns: vec![san], + san_ip: Vec::new(), + cert_path: Some("server.crt".to_string()), + key_path: None, + }; + + let result = cert.validate(); + assert!(result.is_err()); + let msg = result.err().unwrap_or_default(); + assert!(msg.contains("Both certificate and key paths must be provided")); + + let _ = fs::remove_dir_all(&cert_dir); + } + + #[test] + fn certificate_validate_fails_with_unspecified_ip() { + let cert_dir = make_temp_dir("nxmesh-master-cert-unspecified-ip"); + let cert = CertificateSettings { + cert_dir: cert_dir.to_string_lossy().to_string(), + san_dns: Vec::new(), + san_ip: vec![IpAddr::V4(Ipv4Addr::UNSPECIFIED)], + cert_path: None, + key_path: None, + }; + + let result = cert.validate(); + assert!(result.is_err()); + let msg = result.err().unwrap_or_default(); + assert!(msg.contains("SAN IP entries cannot be unspecified")); + + let _ = fs::remove_dir_all(&cert_dir); + } + + #[test] + fn certificate_validate_fails_without_any_san_entries() { + let cert_dir = make_temp_dir("nxmesh-master-cert-no-san"); + let cert = CertificateSettings { + cert_dir: cert_dir.to_string_lossy().to_string(), + san_dns: Vec::new(), + san_ip: Vec::new(), + cert_path: None, + key_path: None, + }; + + let result = cert.validate(); + assert!(result.is_err()); + let msg = result.err().unwrap_or_default(); + assert!(msg.contains("At least one SAN entry")); + + let _ = fs::remove_dir_all(&cert_dir); + } + + #[test] + fn ia5string_vec_round_trip_serialization() { + #[derive(Serialize, Deserialize)] + struct Wrapper { + #[serde( + deserialize_with = "deserialize_ia5string_vec", + serialize_with = "serialize_ia5string_vec" + )] + san_dns: Vec, + } + + let first = Ia5String::try_from("localhost".to_string()); + assert!(first.is_ok()); + let second = Ia5String::try_from("example.com".to_string()); + assert!(second.is_ok()); + + let first = first.unwrap_or_else(|_| unreachable!()); + let second = second.unwrap_or_else(|_| unreachable!()); + + let data = Wrapper { + san_dns: vec![first, second], + }; + + let encoded = serde_json::to_string(&data); + assert!(encoded.is_ok()); + let encoded = encoded.unwrap_or_default(); + assert!(encoded.contains("localhost")); + assert!(encoded.contains("example.com")); + + let decoded: Result = serde_json::from_str(&encoded); + assert!(decoded.is_ok()); + let decoded = decoded.unwrap_or(Wrapper { + san_dns: Vec::new(), + }); + assert_eq!(decoded.san_dns.len(), 2); + } +} diff --git a/apps/nxmesh-master/src/config/settings/cors.rs b/apps/nxmesh-master/src/config/settings/cors.rs new file mode 100644 index 0000000..262588a --- /dev/null +++ b/apps/nxmesh-master/src/config/settings/cors.rs @@ -0,0 +1,34 @@ +use serde::{Deserialize, Serialize}; + +use crate::config::settings::{Validate, ValidationError}; + +/// CORS settings +#[derive(Debug, Clone, Serialize, Deserialize, Default)] +pub struct CorsSettings { + #[serde(default)] + pub allowed_origins: Vec, + #[serde(default)] + pub allowed_methods: Vec, + #[serde(default)] + pub allowed_headers: Vec, + #[serde(default)] + pub allow_credentials: bool, +} + +impl Validate for CorsSettings { + fn validate(&self) -> Result<(), ValidationError> { + Ok(()) + } +} + +#[cfg(test)] +mod tests { + + use super::*; + + #[test] + fn test_esnure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } +} diff --git a/apps/nxmesh-master/src/config/settings/database.rs b/apps/nxmesh-master/src/config/settings/database.rs new file mode 100644 index 0000000..982a454 --- /dev/null +++ b/apps/nxmesh-master/src/config/settings/database.rs @@ -0,0 +1,48 @@ +use serde::{Deserialize, Serialize}; + +use crate::config::settings::{Validate, ValidationError}; + +/// Database connection settings +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct DatabaseSettings { + pub url: String, + pub max_connections: Option, +} + +impl Validate for DatabaseSettings { + fn validate(&self) -> Result<(), ValidationError> { + if self.url.is_empty() { + return Err("Database URL cannot be empty".into()); + } + if let Some(max_connections) = self.max_connections + && max_connections == 0 + { + return Err("Max database connections must be greater than 0".into()); + } + Ok(()) + } +} + +#[cfg(test)] +mod tests { + + use super::*; + + #[test] + fn test_esnure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } + #[test] + fn database_validate_fails_for_zero_max_connections() { + let db = DatabaseSettings { + url: "postgres://localhost/db".to_string(), + max_connections: Some(0), + }; + + let result = db.validate(); + assert!(result.is_err()); + let msg = result.err().unwrap_or_default(); + assert!(msg.contains("Max database connections must be greater than 0")); + } +} diff --git a/apps/nxmesh-master/src/config/settings/grpc.rs b/apps/nxmesh-master/src/config/settings/grpc.rs new file mode 100644 index 0000000..837c2ad --- /dev/null +++ b/apps/nxmesh-master/src/config/settings/grpc.rs @@ -0,0 +1,53 @@ +use serde::{Deserialize, Serialize}; + +use crate::config::settings::{ + Validate, ValidationError, cert::CertificateSettings, cors::CorsSettings, +}; + +/// gRPC server settings +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct GrpcSettings { + #[serde(default = "default_grpc_bind_address")] + pub bind_address: String, + #[serde(default = "default_grpc_port")] + pub port: u16, + #[serde(default)] + pub certificate: CertificateSettings, + #[serde(default)] + pub cors: Option, +} + +impl Validate for GrpcSettings { + fn validate(&self) -> Result<(), ValidationError> { + if self.bind_address.is_empty() { + return Err("gRPC bind address cannot be empty".into()); + } + if self.port == 0 { + return Err("gRPC port must be greater than 0".into()); + } + self.certificate.validate()?; + if let Some(cors) = &self.cors { + cors.validate()?; + } + Ok(()) + } +} + +fn default_grpc_bind_address() -> String { + "0.0.0.0".into() +} + +fn default_grpc_port() -> u16 { + 50051 +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn test_esnure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } +} diff --git a/apps/nxmesh-master/src/config/settings/log.rs b/apps/nxmesh-master/src/config/settings/log.rs new file mode 100644 index 0000000..b4c6d24 --- /dev/null +++ b/apps/nxmesh-master/src/config/settings/log.rs @@ -0,0 +1,81 @@ +use std::str::FromStr; + +use serde::{Deserialize, Deserializer, Serialize}; +use tracing::level_filters::LevelFilter; + +/// Logging settings +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct LogSettings { + #[serde( + deserialize_with = "deserialize_level_filter", + serialize_with = "serialize_level_filter" + )] + pub level: LevelFilter, +} + +impl Default for LogSettings { + fn default() -> Self { + Self { + level: default_log_level(), + } + } +} + +fn default_log_level() -> LevelFilter { + LevelFilter::INFO +} + +fn deserialize_level_filter<'de, D>(deserializer: D) -> Result +where + D: Deserializer<'de>, +{ + let s = String::deserialize(deserializer)?; + LevelFilter::from_str(&s).map_err(serde::de::Error::custom) +} + +fn serialize_level_filter(level: &LevelFilter, serializer: S) -> Result +where + S: serde::Serializer, +{ + serializer.serialize_str(&level.to_string()) +} + +#[cfg(test)] +mod tests { + + use super::*; + + #[test] + fn test_esnure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } + + #[test] + fn level_filter_round_trip_serialization() { + #[derive(Serialize, Deserialize)] + struct Wrapper { + #[serde( + deserialize_with = "deserialize_level_filter", + serialize_with = "serialize_level_filter" + )] + level: LevelFilter, + } + + let data = Wrapper { + level: LevelFilter::DEBUG, + }; + + let encoded = serde_json::to_string(&data); + assert!(encoded.is_ok()); + let encoded = encoded.unwrap_or_default(); + assert!(encoded.to_lowercase().contains("debug")); + + let decoded: Result = serde_json::from_str(&encoded); + assert!(decoded.is_ok()); + let decoded = decoded.unwrap_or(Wrapper { + level: LevelFilter::ERROR, + }); + assert_eq!(decoded.level, LevelFilter::DEBUG); + } +} diff --git a/apps/nxmesh-master/src/config/settings/mod.rs b/apps/nxmesh-master/src/config/settings/mod.rs new file mode 100644 index 0000000..47fa30a --- /dev/null +++ b/apps/nxmesh-master/src/config/settings/mod.rs @@ -0,0 +1,75 @@ +use config::{Config, ConfigError, Environment, File}; +use serde::{Deserialize, Serialize}; + +pub type ValidationError = String; + +pub mod auth; +pub mod cert; +pub mod cors; +pub mod database; +pub mod grpc; +pub mod log; +pub mod server; + +use auth::AuthSettings; +use database::DatabaseSettings; +use grpc::GrpcSettings; +use log::LogSettings; +use server::ServerSettings; + +pub trait Validate { + fn validate(&self) -> Result<(), ValidationError>; +} + +/// Master server settings +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct Settings { + pub server: ServerSettings, + pub database: DatabaseSettings, + pub grpc: GrpcSettings, + pub auth: AuthSettings, + #[serde(default)] + pub log: LogSettings, +} + +impl Validate for Settings { + fn validate(&self) -> Result<(), ValidationError> { + self.server.validate()?; + self.grpc.validate()?; + self.database.validate()?; + self.auth.validate()?; + Ok(()) + } +} + +impl Settings { + /// Load settings from config files and environment + pub fn load() -> Result { + let run_mode = std::env::var("RUN_MODE").unwrap_or_else(|_| "development".into()); + + let settings = Config::builder() + .add_source(File::with_name("config/default").required(false)) + .add_source(File::with_name(&format!("config/{}", run_mode)).required(false)) + .add_source(File::with_name("config/master/default").required(false)) + .add_source(File::with_name(&format!("config/master/{}", run_mode)).required(false)) + .add_source(Environment::with_prefix("NXMESH").separator("__")) + .build()?; + + let settings: Self = settings.try_deserialize()?; + + settings.validate().map_err(ConfigError::Message)?; + + Ok(settings) + } +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn test_esnure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } +} diff --git a/apps/nxmesh-master/src/config/settings/server.rs b/apps/nxmesh-master/src/config/settings/server.rs new file mode 100644 index 0000000..e088804 --- /dev/null +++ b/apps/nxmesh-master/src/config/settings/server.rs @@ -0,0 +1,103 @@ +use serde::{Deserialize, Serialize}; + +use crate::config::settings::{ + Validate, ValidationError, cert::CertificateSettings, cors::CorsSettings, +}; + +/// HTTP server settings +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct ServerSettings { + #[serde(default = "default_server_bind_address")] + pub bind_address: String, + #[serde(default = "default_server_port")] + pub port: u16, + #[serde(default)] + pub certificate: CertificateSettings, + #[serde(default)] + pub cors: Option, +} + +impl Validate for ServerSettings { + fn validate(&self) -> Result<(), ValidationError> { + if self.bind_address.is_empty() { + return Err("Server bind address cannot be empty".into()); + } + if self.port == 0 { + return Err("Server port must be greater than 0".into()); + } + self.certificate.validate()?; + if let Some(cors) = &self.cors { + cors.validate()?; + } + Ok(()) + } +} + +fn default_server_bind_address() -> String { + "0.0.0.0".into() +} + +fn default_server_port() -> u16 { + 8080 +} + +#[cfg(test)] +mod tests { + use std::{ + fs, + path::PathBuf, + time::{SystemTime, UNIX_EPOCH}, + }; + + use rcgen::string::Ia5String; + + use super::*; + + #[test] + fn test_esnure_send_and_sync() { + fn assert_send_sync() {} + assert_send_sync::(); + } + + fn make_temp_dir(prefix: &str) -> PathBuf { + let ts = SystemTime::now().duration_since(UNIX_EPOCH); + assert!(ts.is_ok()); + let ts = ts.unwrap_or_default(); + let path = std::env::temp_dir().join(format!( + "{}_{}_{}", + prefix, + std::process::id(), + ts.as_nanos() + )); + let created = fs::create_dir_all(&path); + assert!(created.is_ok()); + path + } + + #[test] + fn server_validate_fails_for_zero_port() { + let cert_dir = make_temp_dir("nxmesh-master-server-validate"); + let san = Ia5String::try_from("localhost".to_string()); + assert!(san.is_ok()); + let san = san.unwrap_or_else(|_| unreachable!()); + let server = ServerSettings { + bind_address: "0.0.0.0".to_string(), + port: 0, + certificate: CertificateSettings { + cert_dir: cert_dir.to_string_lossy().to_string(), + san_dns: vec![san], + san_ip: Vec::new(), + cert_path: None, + key_path: None, + }, + cors: None, + }; + + let result = server.validate(); + assert!(result.is_err()); + let msg = result.err().unwrap_or_default(); + assert!(msg.contains("Server port must be greater than 0")); + + let _ = fs::remove_dir_all(&cert_dir); + } +}