Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate from warp to Axum to handle HTTPS #495

Open
runcom opened this issue May 9, 2023 · 3 comments
Open

Migrate from warp to Axum to handle HTTPS #495

runcom opened this issue May 9, 2023 · 3 comments
Labels
jira

Comments

@runcom
Copy link
Contributor

runcom commented May 9, 2023

Goal: FDO supports HTTPS for its http-aware services

Acceptance criteria:

  • e2e tests remains green, no regressions
  • support secure API endpoints
  • the warp dependency is effectively removed from the project (cargo/cargo.locks)
  • support native-tls/openssl
  • services have configuration to setup certificates
  • documentation is updated to document how to set up HTTPS aware services
  • default to HTTPS (?) (question mark around self-signed certificates and how to get going with FDO easily w/o adding yet another pre-configuration step)

Testing (tentative):

  • Cargo.lock should not have references to rust-tls
  • add an e2e test with support for HTTPS and make sure it passes with self-signed certificates
@runcom runcom added the jira label May 9, 2023
@puiterwijk
Copy link
Contributor

This is a pretty good idea I think, though it would be good I think to make sure you still use the metadata in the Message trait to check the flows.
Look at https://github.com/fedora-iot/fido-device-onboard-rs/blob/main/http-wrapper/src/server.rs#L183 and line 202: this enforces that the flow of messages doesn't get broken (i.e. a later message sent without the prior setup) and that messages that need to be encrypted are that way, etc.
I'd strongly suggest to keep using this same data, since making someone add this to each route will fail eventually (someone will forget to add the check at some point).

@runcom
Copy link
Contributor Author

runcom commented May 16, 2023

This is a pretty good idea I think, though it would be good I think to make sure you still use the metadata in the Message trait to check the flows.
Look at https://github.com/fedora-iot/fido-device-onboard-rs/blob/main/http-wrapper/src/server.rs#L183 and line 202: this enforces that the flow of messages doesn't get broken (i.e. a later message sent without the prior setup) and that messages that need to be encrypted are that way, etc.
I'd strongly suggest to keep using this same data, since making someone add this to each route will fail eventually (someone will forget to add the check at some point).

awesome thanks for the input @puiterwijk !! cc @7flying

@7flying
Copy link
Contributor

7flying commented May 16, 2023

This is a pretty good idea I think, though it would be good I think to make sure you still use the metadata in the Message trait to check the flows. Look at https://github.com/fedora-iot/fido-device-onboard-rs/blob/main/http-wrapper/src/server.rs#L183 and line 202: this enforces that the flow of messages doesn't get broken (i.e. a later message sent without the prior setup) and that messages that need to be encrypted are that way, etc. I'd strongly suggest to keep using this same data, since making someone add this to each route will fail eventually (someone will forget to add the check at some point).

Thanks for pointing that out 🙏

The idea is not to change the traits/structs nor the logic, just the types so that everything stays the same but with a different framework underneath.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
jira
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@runcom @puiterwijk @7flying