feat(rust): added TLS inlet support

implementations/rust/ockam/ockam_api/src/authenticator/direct/direct_authenticator.rs

@@ -17,6 +17,9 @@ pub const OCKAM_ROLE_ATTRIBUTE_KEY: &str = "ockam-role";
 /// the corresponding key is [`OCKAM_ROLE_ATTRIBUTE_KEY`]
 pub const OCKAM_ROLE_ATTRIBUTE_ENROLLER_VALUE: &str = "enroller";
 
+/// Identity attribute key that indicates the privileges to access the project TLS certificate
+pub const OCKAM_TLS_ATTRIBUTE_KEY: &str = "ockam-tls-certificate";
+
 pub struct DirectAuthenticatorError(pub String);
 
 pub type DirectAuthenticatorResult<T> = Either<T, DirectAuthenticatorError>;

implementations/rust/ockam/ockam_api/src/nodes/models/portal.rs

@@ -54,10 +54,12 @@ pub struct CreateInlet {
     /// If not set, the node's identifier will be used.
     #[n(10)] pub(crate) secure_channel_identifier: Option<Identifier>,
     /// Enable UDP NAT puncture.
-    #[n(11)] pub enable_udp_puncture: bool,
+    #[n(11)] pub(crate) enable_udp_puncture: bool,
     /// Disable fallback to TCP.
     /// TCP won't be used to transfer data between the Inlet and the Outlet.
-    #[n(12)] pub disable_tcp_fallback: bool,
+    #[n(12)] pub(crate) disable_tcp_fallback: bool,
+    /// TLS certificate provider route.
+    #[n(13)] pub(crate) tls_certificate_provider: Option<MultiAddr>,
 }
 
 impl CreateInlet {
@@ -85,6 +87,7 @@ impl CreateInlet {
             secure_channel_identifier: None,
             enable_udp_puncture,
             disable_tcp_fallback,
+            tls_certificate_provider: None,
         }
     }
 
@@ -113,9 +116,14 @@ impl CreateInlet {
             secure_channel_identifier: None,
             enable_udp_puncture,
             disable_tcp_fallback,
+            tls_certificate_provider: None,
         }
     }
 
+    pub fn set_tls_certificate_provider(&mut self, provider: MultiAddr) {
+        self.tls_certificate_provider = Some(provider);
+    }
+
     pub fn set_wait_ms(&mut self, ms: u64) {
         self.wait_for_outlet_duration = Some(Duration::from_millis(ms))
     }

implementations/rust/ockam/ockam_api/src/nodes/service.rs

@@ -21,6 +21,7 @@ pub mod tcp_outlets;
 mod transport;
 pub mod workers;
 
+mod certificate_provider;
 mod http;
 mod manager;
 mod trust;

implementations/rust/ockam/ockam_api/src/nodes/service/certificate_provider.rs

@@ -0,0 +1,141 @@
+use crate::nodes::NodeManager;
+use minicbor::{Decode, Decoder, Encode};
+use ockam_core::errcode::{Kind, Origin};
+use ockam_core::{Any, AsyncTryClone, NeutralMessage, Routed};
+use ockam_multiaddr::MultiAddr;
+use ockam_node::{Context, MessageSendReceiveOptions};
+use ockam_transport_tcp::{TlsCertificate, TlsCertificateProvider};
+use std::fmt::{Debug, Display, Formatter};
+use std::sync::Arc;
+use std::time::Duration;
+use tonic::async_trait;
+
+#[derive(Clone)]
+pub(crate) struct ProjectCertificateProvider {
+    node_manager: Arc<NodeManager>,
+    to: MultiAddr,
+}
+
+impl Debug for ProjectCertificateProvider {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        write!(f, "ProjectCertificateProvider {{ to: {:?} }}", self.to)
+    }
+}
+
+impl ProjectCertificateProvider {
+    pub fn new(node_manager: Arc<NodeManager>, to: MultiAddr) -> Self {
+        Self { node_manager, to }
+    }
+}
+
+impl Display for ProjectCertificateProvider {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        write!(f, "certificate retrieval from: {}", self.to)
+    }
+}
+
+#[derive(Encode, Decode)]
+struct CertificateRequest {}
+
+#[derive(Debug, Encode, Decode)]
+#[rustfmt::skip]
+#[cbor(map)]
+struct CertificateResponse {
+    #[n(1)] kind: ReplyKind,
+    #[n(2)] certificate: Option<TlsCertificate>,
+}
+
+#[derive(Debug, Encode, Decode, PartialEq)]
+#[rustfmt::skip]
+#[cbor(index_only)]
+enum ReplyKind {
+    #[n(0)] Ready,
+    #[n(1)] NotReady,
+    #[n(2)] Unsupported,
+}
+
+#[async_trait]
+impl TlsCertificateProvider for ProjectCertificateProvider {
+    async fn get_certificate(&self, context: &Context) -> ockam_core::Result<TlsCertificate> {
+        debug!("requesting TLS certificate from: {}", self.to);
+        let connection = {
+            let context = Arc::new(context.async_try_clone().await?);
+            self.node_manager
+                .make_connection(
+                    context,
+                    &self.to,
+                    self.node_manager.node_identifier.clone(),
+                    None,
+                    None,
+                )
+                .await?
+        };
+
+        let options = MessageSendReceiveOptions::new().with_timeout(Duration::from_secs(30));
+
+        let payload = {
+            let mut buffer = Vec::new();
+            minicbor::Encoder::new(&mut buffer).encode(&CertificateRequest {})?;
+            buffer
+        };
+
+        let reply: Routed<Any> = context
+            .send_and_receive_extended(connection.route()?, NeutralMessage::from(payload), options)
+            .await?;
+
+        let payload = reply.into_payload();
+        let reply: CertificateResponse = Decoder::new(&payload).decode()?;
+
+        match reply.kind {
+            ReplyKind::Ready => {
+                if let Some(certificate) = reply.certificate {
+                    Ok(certificate)
+                } else {
+                    Err(ockam_core::Error::new(
+                        Origin::Transport,
+                        Kind::Invalid,
+                        "invalid reply from certificate provider",
+                    ))
+                }
+            }
+            ReplyKind::Unsupported => Err(ockam_core::Error::new(
+                Origin::Transport,
+                Kind::NotReady,
+                "certificate",
+            )),
+            ReplyKind::NotReady => Err(ockam_core::Error::new(
+                Origin::Transport,
+                Kind::NotReady,
+                "certificate",
+            )),
+        }
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use super::*;
+
+    #[test]
+    fn check_orchestrator_encoding_not_ready() {
+        let payload = hex::decode("A10101").unwrap();
+        let reply: CertificateResponse = Decoder::new(&payload).decode().unwrap();
+        assert_eq!(reply.kind, ReplyKind::NotReady);
+        assert!(reply.certificate.is_none());
+    }
+
+    #[test]
+    fn check_orchestrator_encoding_ready() {
+        let payload =
+            hex::decode("a2010002a2014a66756c6c5f636861696e024b707269766174655f6b6579").unwrap();
+        let reply: CertificateResponse = Decoder::new(&payload).decode().unwrap();
+        assert_eq!(reply.kind, ReplyKind::Ready);
+        assert_eq!(
+            reply.certificate,
+            Some(TlsCertificate {
+                full_chain_pem: "full_chain".as_bytes().to_vec(),
+                private_key_pem: "private_key".as_bytes().to_vec()
+            })
+        );
+    }
+}

implementations/rust/ockam/ockam_api/src/nodes/service/kafka_services.rs

@@ -210,6 +210,7 @@ impl InMemoryNode {
             None,
             false,
             false,
+            None,
         )
         .await?;
 

implementations/rust/ockam/ockam_api/src/nodes/service/tcp_inlets.rs

@@ -7,7 +7,6 @@ use tokio::time::timeout;
 use crate::address::get_free_address_for;
 use crate::DefaultAddress;
 use ockam::identity::Identifier;
-use ockam::tcp::TcpInletOptions;
 use ockam::udp::{UdpPunctureNegotiation, UdpTransport};
 use ockam::Result;
 use ockam_abac::{Action, PolicyExpression, Resource, ResourceType};
@@ -21,11 +20,13 @@ use ockam_multiaddr::{MultiAddr, Protocol};
 use ockam_node::Context;
 use ockam_transport_core::HostnamePort;
 use ockam_transport_tcp::TcpInlet;
+use ockam_transport_tcp::{new_certificate_provider_cache, TcpInletOptions};
 
 use crate::error::ApiError;
 use crate::nodes::connection::Connection;
 use crate::nodes::models::portal::{CreateInlet, InletStatus};
 use crate::nodes::registry::InletInfo;
+use crate::nodes::service::certificate_provider::ProjectCertificateProvider;
 use crate::nodes::{BackgroundNodeClient, InMemoryNode};
 use crate::session::sessions::{
     ConnectionStatus, CurrentInletStatus, ReplacerOutcome, ReplacerOutputKind, Session,
@@ -60,6 +61,7 @@ impl NodeManagerWorker {
             secure_channel_identifier,
             enable_udp_puncture,
             disable_tcp_fallback,
+            tls_certificate_provider,
         } = create_inlet;
         match self
             .node_manager
@@ -77,6 +79,7 @@ impl NodeManagerWorker {
                 secure_channel_identifier,
                 enable_udp_puncture,
                 disable_tcp_fallback,
+                tls_certificate_provider,
             )
             .await
         {
@@ -127,6 +130,7 @@ impl NodeManager {
         enable_udp_puncture: bool,
         // TODO: Introduce mode enum
         disable_tcp_fallback: bool,
+        tls_certificate_provider: Option<MultiAddr>,
     ) -> Result<InletStatus> {
         info!("Handling request to create inlet portal");
         debug! {
@@ -206,6 +210,7 @@ impl NodeManager {
             policy_expression,
             secure_channel_identifier,
             disable_tcp_fallback,
+            tls_certificate_provider,
             connection: None,
             inlet: None,
             handle: None,
@@ -382,6 +387,7 @@ impl InMemoryNode {
         secure_channel_identifier: Option<Identifier>,
         enable_udp_puncture: bool,
         disable_tcp_fallback: bool,
+        tls_certificate_provider: Option<MultiAddr>,
     ) -> Result<InletStatus> {
         self.node_manager
             .create_inlet(
@@ -398,6 +404,7 @@ impl InMemoryNode {
                 secure_channel_identifier,
                 enable_udp_puncture,
                 disable_tcp_fallback,
+                tls_certificate_provider,
             )
             .await
     }
@@ -417,6 +424,7 @@ struct InletSessionReplacer {
     policy_expression: Option<PolicyExpression>,
     secure_channel_identifier: Option<Identifier>,
     disable_tcp_fallback: bool,
+    tls_certificate_provider: Option<MultiAddr>,
 
     // current status
     connection: Option<Connection>,
@@ -647,6 +655,17 @@ impl SessionReplacer for InletSessionReplacer {
                 options
             };
 
+            let options = if let Some(tls_provider) = &self.tls_certificate_provider {
+                options.with_tls_certificate_provider(new_certificate_provider_cache(Arc::new(
+                    ProjectCertificateProvider::new(
+                        self.node_manager.clone(),
+                        tls_provider.clone(),
+                    ),
+                )))
+            } else {
+                options
+            };
+
             // TODO: Instead just update the route in the existing inlet
             // Finally, attempt to create a new inlet using the new route:
             let inlet = self
@@ -733,6 +752,7 @@ pub trait Inlets {
         secure_channel_identifier: &Option<Identifier>,
         enable_udp_puncture: bool,
         disable_tcp_fallback: bool,
+        tls_certificate_provider: &Option<MultiAddr>,
     ) -> miette::Result<Reply<InletStatus>>;
 
     async fn show_inlet(&self, ctx: &Context, alias: &str) -> miette::Result<Reply<InletStatus>>;
@@ -755,6 +775,7 @@ impl Inlets for BackgroundNodeClient {
         secure_channel_identifier: &Option<Identifier>,
         enable_udp_puncture: bool,
         disable_tcp_fallback: bool,
+        tls_certificate_provider: &Option<MultiAddr>,
     ) -> miette::Result<Reply<InletStatus>> {
         let request = {
             let via_project = outlet_addr.matches(0, &[ProjectProto::CODE.into()]);
@@ -788,6 +809,9 @@ impl Inlets for BackgroundNodeClient {
             if let Some(identifier) = secure_channel_identifier {
                 payload.set_secure_channel_identifier(identifier.clone())
             }
+            if let Some(tls_provider) = tls_certificate_provider {
+                payload.set_tls_certificate_provider(tls_provider.clone())
+            }
             payload.set_wait_ms(wait_for_outlet_timeout.as_millis() as u64);
             Request::post("/node/inlet").body(payload)
         };

implementations/rust/ockam/ockam_api/tests/latency.rs

@@ -163,6 +163,7 @@ pub fn measure_buffer_latency_two_nodes_portal() {
                     None,
                     false,
                     false,
+                    None,
                 )
                 .await?;
 

implementations/rust/ockam/ockam_api/tests/portals.rs

@@ -57,6 +57,7 @@ async fn inlet_outlet_local_successful(context: &mut Context) -> ockam::Result<(
             None,
             false,
             false,
+            None,
         )
         .await?;
 
@@ -132,6 +133,7 @@ fn portal_node_goes_down_reconnect() {
                     None,
                     false,
                     false,
+                    None,
                 )
                 .await?;
 
@@ -286,6 +288,7 @@ fn portal_low_bandwidth_connection_keep_working_for_60s() {
                     None,
                     false,
                     false,
+                    None,
                 )
                 .await?;
 
@@ -397,6 +400,7 @@ fn portal_heavy_load_exchanged() {
                     None,
                     false,
                     false,
+                    None,
                 )
                 .await?;
 
@@ -547,6 +551,7 @@ fn test_portal_payload_transfer(outgoing_disruption: Disruption, incoming_disrup
                     None,
                     false,
                     false,
+                    None,
                 )
                 .await?;