Update hyper to 1.3.1 and reqwest to 0.12.5. (#1211)
This PR updates hyper, reqwest, and the rustls stack to their current versions.
partim authored Jun 24, 2024
1 parent 3837a4d commit fff64ce
Showing 12 changed files with 698 additions and 763 deletions.
528 changes: 197 additions & 331 deletions Cargo.lock


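--- a/Cargo.toml
+++ b/Cargo.toml
@@ -33,7 +33,9 @@ fern = { version = "0.6.2", features = ["syslog-6"] }
 futures-util = "0.3"
 fslock = "0.2.1"
 hex = "0.4"
-hyper = { version = "^0.14", features = ["server"] }
+http-body-util = "0.1"
+hyper = { version = "1.3.1", features = ["server"] }
+hyper-util = { version = "0.1", features = [ "server" ] }
 intervaltree = "0.2.6"
 jmespatch = { version = "0.3", features = ["sync"], optional = true }
 kmip = { version = "0.4.2", package = "kmip-protocol", features = [ "tls-with-openssl" ], optional = true }
@@ -44,19 +46,20 @@ once_cell = { version = "1.7.2", optional = true }
 openidconnect = { version = "2.0.0", optional = true, default_features = false }
 openssl = { version = "0.10", features = ["v110"] }
 oso = { version = "0.12", optional = true, default_features = false }
+pin-project-lite = "0.2.4"
 r2d2 = { version = "0.8.9", optional = true }
 rand = "0.8"
 regex = { version = "1.5.5", optional = true, default_features = false, features = [ "std" ] }
-reqwest = { version = "0.11", features = ["json"] }
+reqwest = { version = "0.12.5", features = ["json"] }
 rpassword = { version = "7.3.1", optional = true }
 #rpki = { version = "0.18.0", features = ["ca", "compat", "rrdp"] }
 rpki = { git = "https://github.com/nLnetLabs/rpki-rs", features = [ "ca", "compat", "rrdp" ] }
-rustls-pemfile = "1.0.4"
+rustls-pemfile = "2.1.2"
 scrypt = { version = "0.11", optional = true, default-features = false }
 serde = { version = "1.0", features = ["derive", "rc"] }
 serde_json = "1.0"
 tokio = { version = "1", features = [ "macros", "rt", "rt-multi-thread", "signal", "time" ] }
-tokio-rustls = "0.24.1"
+tokio-rustls = { version = "0.26", default-features = false, features = [ "ring", "logging", "tls12" ] }
 toml = "0.8.14"
 unicode-normalization = { version = "^0.1", optional = true }
 url = { version = "2.3.1", features = ["serde"] }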
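Review bot: The new `tokio-rustls` entry turns default features off and then opts into `ring` and `tls12` explicitly, but nothing records why; since that choice fixes the crypto backend (presumably instead of the crate's newer default provider) and keeps TLS 1.2 on the accepted protocol list, a comment above the line such as `# ring backend, TLS 1.2 kept on for older clients; revisit when the client base allows TLS 1.3 only` would stop a future version bump from silently changing the server's TLS surface. The file also now mixes `default-features` (this line, `scrypt`) with the deprecated `default_features` spelling on the surrounding `openidconnect`, `oso` and `regex` entries; unifying on the hyphenated form is a small follow-up.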
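--- a/src/commons/util/httpclient.rs
+++ b/src/commons/util/httpclient.rs
@@ -61,7 +61,9 @@ fn report_delete(uri: &str, content_type: Option<&str>, token: Option<&Token>) {
 }
 
 /// Gets the Bearer token from the request header, if present.
-pub fn get_bearer_token(request: &hyper::Request<hyper::Body>) -> Option<Token> {
+pub fn get_bearer_token(
+request: &hyper::Request<hyper::body::Incoming>
+) -> Option<Token> {
 request
 .headers()
 .get(hyper::header::AUTHORIZATION)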
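Review bot: `get_bearer_token` is the one signature in this commit that spells out `hyper::Request<hyper::body::Incoming>` while every caller in the daemon now passes the `crate::daemon::http::HyperRequest` alias; unless the `commons` layer is meant to stay free of `daemon` imports, taking `request: &HyperRequest` here keeps one definition of the server request type to change next time hyper moves its body type. The body of `get_bearer_token` continues past the hunk.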
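--- a/src/daemon/auth/authorizer.rs
+++ b/src/daemon/auth/authorizer.rs
@@ -15,7 +15,7 @@ use crate::{
 daemon::{
 auth::{common::permissions::Permission, policy::AuthPolicy, providers::AdminTokenAuthProvider},
 config::Config,
-http::HttpResponse,
+http::{HttpResponse, HyperRequest},
 },
 };
 
@@ -69,7 +69,9 @@ impl From<OpenIDConnectAuthProvider> for AuthProvider {
 }
 
 impl AuthProvider {
-pub async fn authenticate(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<Option<ActorDef>> {
+pub async fn authenticate(
+&self, request: &HyperRequest
+) -> KrillResult<Option<ActorDef>> {
 match &self {
 AuthProvider::Token(provider) => provider.authenticate(request),
 #[cfg(feature = "multi-user")]
@@ -89,7 +91,9 @@ impl AuthProvider {
 }
 }
 
-pub async fn login(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<LoggedInUser> {
+pub async fn login(
+&self, request: &HyperRequest
+) -> KrillResult<LoggedInUser> {
 match &self {
 AuthProvider::Token(provider) => provider.login(request),
 #[cfg(feature = "multi-user")]
@@ -99,7 +103,9 @@ impl AuthProvider {
 }
 }
 
-pub async fn logout(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<HttpResponse> {
+pub async fn logout(
+&self, request: &HyperRequest
+) -> KrillResult<HttpResponse> {
 match &self {
 AuthProvider::Token(provider) => provider.logout(request),
 #[cfg(feature = "multi-user")]
@@ -163,7 +169,7 @@ impl Authorizer {
 })
 }
 
-pub async fn actor_from_request(&self, request: &hyper::Request<hyper::Body>) -> Actor {
+pub async fn actor_from_request(&self, request: &HyperRequest) -> Actor {
 trace!("Determining actor for request {:?}", &request);
 
 // Try the legacy provider first, if any
@@ -210,7 +216,9 @@ impl Authorizer {
 
 /// Submit credentials directly to the configured provider to establish a
 /// login session, if supported by the configured provider.
-pub async fn login(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<LoggedInUser> {
+pub async fn login(
+&self, request: &HyperRequest
+) -> KrillResult<LoggedInUser> {
 let user = self.primary_provider.login(request).await?;
 
 // The user has passed authentication, but may still not be
@@ -250,7 +258,9 @@ impl Authorizer {
 
 /// Return the URL at which an end-user should be directed to logout with
 /// the configured provider.
-pub async fn logout(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<HttpResponse> {
+pub async fn logout(
+&self, request: &HyperRequest
+) -> KrillResult<HttpResponse> {
 self.primary_provider.logout(request).await
 }
 }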
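Review bot: The rewrapped signatures are inconsistent within the file: `actor_from_request` (hunk `-163,7`) stays on one line, while `login` and `logout` on both `AuthProvider` and `Authorizer` are split over three lines even though `pub async fn login(&self, request: &HyperRequest) -> KrillResult<LoggedInUser> {` fits the width the one-line form already uses; pick one shape, ideally whatever `rustfmt` produces. Adjacent but untouched by this commit: `trace!("Determining actor for request {:?}", &request)` right under the new `actor_from_request` signature debug-formats the whole request, which presumably still includes the `Authorization` and `Cookie` headers, so trace-level logs would carry bearer tokens and session cookies; logging `request.method()` and `request.uri()` instead is the safer form. All of the `impl` blocks here start and end outside the hunks.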
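--- a/src/daemon/auth/providers/admin_token.rs
+++ b/src/daemon/auth/providers/admin_token.rs
@@ -3,8 +3,9 @@ use std::sync::Arc;
 use crate::{
 commons::{actor::ActorDef, api::Token, error::Error, util::httpclient, KrillResult},
 constants::ACTOR_DEF_ADMIN_TOKEN,
-daemon::{auth::LoggedInUser, config::Config, http::HttpResponse},
+daemon::{auth::LoggedInUser, config::Config},
 };
+use crate::daemon::http::{HyperRequest, HttpResponse};
 
 // This is NOT an actual relative path to redirect to. Instead it is the path
 // string of an entry in the Vue router routes table to "route" to (in the
@@ -26,7 +27,9 @@ impl AdminTokenAuthProvider {
 }
 
 impl AdminTokenAuthProvider {
-pub fn authenticate(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<Option<ActorDef>> {
+pub fn authenticate(
+&self, request: &HyperRequest
+) -> KrillResult<Option<ActorDef>> {
 if log_enabled!(log::Level::Trace) {
 trace!("Attempting to authenticate the request..");
 }
@@ -49,7 +52,7 @@ impl AdminTokenAuthProvider {
 Ok(HttpResponse::text_no_cache(LAGOSTA_LOGIN_ROUTE_PATH.into()))
 }
 
-pub fn login(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<LoggedInUser> {
+pub fn login(&self, request: &HyperRequest) -> KrillResult<LoggedInUser> {
 match self.authenticate(request)? {
 Some(actor_def) => Ok(LoggedInUser {
 token: self.required_token.clone(),
@@ -60,7 +63,9 @@ impl AdminTokenAuthProvider {
 }
 }
 
-pub fn logout(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<HttpResponse> {
+pub fn logout(
+&self, request: &HyperRequest
+) -> KrillResult<HttpResponse> {
 if let Ok(Some(actor)) = self.authenticate(request) {
 info!("User logged out: {}", actor.name.as_str());
 }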
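Review bot: The new `use crate::daemon::http::{HyperRequest, HttpResponse};` is a second `use crate::...` statement added directly after the grouped import tree from which `http::HttpResponse` was just removed; folding it back in as `daemon::{auth::LoggedInUser, config::Config, http::{HttpResponse, HyperRequest}},` keeps a single import tree and the alphabetical `HttpResponse, HyperRequest` order the rest of the commit uses (`authorizer.rs` shows the nested form). The same stand-alone `use` line is added in `config_file/provider.rs` and `openid_connect/provider.rs` after their grouped imports, so the same fold applies there.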
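--- a/src/daemon/auth/providers/config_file/provider.rs
+++ b/src/daemon/auth/providers/config_file/provider.rs
@@ -15,9 +15,9 @@ use crate::{
 auth::providers::config_file::config::ConfigUserDetails,
 auth::{Auth, LoggedInUser},
 config::Config,
-http::HttpResponse,
 },
 };
+use crate::daemon::http::{HttpResponse, HyperRequest};
 
 const UI_LOGIN_ROUTE_PATH: &str = "/login?withId=true";
 
@@ -84,7 +84,7 @@ impl ConfigFileAuthProvider {
 }
 
 /// Parse HTTP Basic Authorization header
-fn get_auth(&self, request: &hyper::Request<hyper::Body>) -> Option<Auth> {
+fn get_auth(&self, request: &HyperRequest) -> Option<Auth> {
 let header = request.headers().get(hyper::http::header::AUTHORIZATION)?;
 let auth = header.to_str().ok()?.strip_prefix("Basic ")?;
 let auth = BASE64_ENGINE.decode(auth).ok()?;
@@ -99,7 +99,9 @@ impl ConfigFileAuthProvider {
 }
 
 impl ConfigFileAuthProvider {
-pub fn authenticate(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<Option<ActorDef>> {
+pub fn authenticate(
+&self, request: &HyperRequest
+) -> KrillResult<Option<ActorDef>> {
 if log_enabled!(log::Level::Trace) {
 trace!("Attempting to authenticate the request..");
 }
@@ -129,7 +131,7 @@ impl ConfigFileAuthProvider {
 Ok(HttpResponse::text_no_cache(UI_LOGIN_ROUTE_PATH.into()))
 }
 
-pub fn login(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<LoggedInUser> {
+pub fn login(&self, request: &HyperRequest) -> KrillResult<LoggedInUser> {
 if let Some(Auth::UsernameAndPassword { username, password }) = self.get_auth(request) {
 use scrypt::scrypt;
 
@@ -193,7 +195,9 @@ impl ConfigFileAuthProvider {
 }
 }
 
-pub fn logout(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<HttpResponse> {
+pub fn logout(
+&self, request: &HyperRequest
+) -> KrillResult<HttpResponse> {
 match httpclient::get_bearer_token(request) {
 Some(token) => {
 self.session_cache.remove(&token);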
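--- a/src/daemon/auth/providers/openid_connect/provider.rs
+++ b/src/daemon/auth/providers/openid_connect/provider.rs
@@ -80,12 +80,10 @@ use crate::{
 Auth, LoggedInUser,
 },
 config::Config,
-http::{
-auth::{url_encode, AUTH_CALLBACK_ENDPOINT},
-HttpResponse,
-},
+http::auth::{url_encode, AUTH_CALLBACK_ENDPOINT},
 },
 };
+use crate::daemon::http::{HttpResponse, HyperRequest};
 
 // On modern browsers (Chrome >= 51, Edge >= 16, Firefox >= 60 & Safari >= 12) the "__Host" prefix is a defence-in-depth
 // measure that causes the browser to further restrict access to the cookie, permitting access only if the cookie was
@@ -744,7 +742,9 @@ impl OpenIDConnectAuthProvider {
 }
 }
 
-fn extract_cookie(&self, request: &hyper::Request<hyper::Body>, cookie_name: &str) -> Option<String> {
+fn extract_cookie(
+&self, request: &HyperRequest, cookie_name: &str
+) -> Option<String> {
 for cookie_hdr_val in request.headers().get_all(hyper::http::header::COOKIE) {
 if let Ok(cookie_hdr_val_str) = cookie_hdr_val.to_str() {
 // Use a helper crate to parse the cookie string as it's
@@ -796,7 +796,7 @@ impl OpenIDConnectAuthProvider {
 Error::ApiLoginError(msg)
 }
 
-fn get_auth(&self, request: &hyper::Request<hyper::Body>) -> Option<Auth> {
+fn get_auth(&self, request: &HyperRequest) -> Option<Auth> {
 if let Some(query) = urlparse(request.uri().to_string()).get_parsed_query() {
 if let Some(code) = query.get_first_from_str("code") {
 trace!("OpenID Connect: Processing potential RFC-6749 section 4.1.2 redirected Authorization Response");
@@ -1105,7 +1105,9 @@ impl OpenIDConnectAuthProvider {
 /// an error to report back to the user (one of the ApiAuth* Error types).
 /// Make sure to not leak any OIDC implementation details into the Error result!
 /// This function is also responsible for all logging around refreshing the token / extending the session.
-pub async fn authenticate(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<Option<ActorDef>> {
+pub async fn authenticate(
+&self, request: &HyperRequest
+) -> KrillResult<Option<ActorDef>> {
 trace!("Attempting to authenticate the request..");
 
 self.initialize_connection_if_needed().await.map_err(|err| {
@@ -1372,7 +1374,7 @@ impl OpenIDConnectAuthProvider {
 debug!("OpenID Connect: Login URL will be {:?}", &authorize_url);
 
 let res_body = authorize_url.as_str().as_bytes().to_vec();
-let mut res = HttpResponse::text_no_cache(res_body).response();
+let mut res = HttpResponse::text_no_cache(res_body).into_response();
 
 // Create a cookie with the following attributes to attempt to protect them as much as possible:
 // Secure - Cookie is only sent to the server when a request is made with the https: scheme
@@ -1420,7 +1422,9 @@ impl OpenIDConnectAuthProvider {
 Ok(HttpResponse::new(res))
 }
 
-pub async fn login(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<LoggedInUser> {
+pub async fn login(
+&self, request: &HyperRequest
+) -> KrillResult<LoggedInUser> {
 self.initialize_connection_if_needed().await.map_err(|err| {
 OpenIDConnectAuthProvider::internal_error(
 "OpenID Connect: Cannot login user: Failed to connect to provider",
@@ -1622,7 +1626,9 @@ impl OpenIDConnectAuthProvider {
 /// logout page is not possible, instead from the end-user's perspective they are returned to the Lagosta web UI
 /// index page (which currently immediately redirects the user to the 3rd party OpenID Connect provider login page)
 /// but before that Krill contacts the provider on the logged-in users behalf to revoke their token at the provider.
-pub async fn logout(&self, request: &hyper::Request<hyper::Body>) -> KrillResult<HttpResponse> {
+pub async fn logout(
+&self, request: &HyperRequest
+) -> KrillResult<HttpResponse> {
 // verify the bearer token indeed represents a logged-in Krill OpenID Connect provider session
 let token = httpclient::get_bearer_token(request).ok_or_else(|| {
 warn!("Unexpectedly received a logout request without a session token.");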

