From 66a14d0c7c1297fcb0431aea8e52fa40d6a16de3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fe=CC=81lix=20Saparelli?=
Date: Tue, 28 Jun 2022 03:09:04 +1200
Subject: [PATCH] Polish up new secure options
---
 src/helpers.rs | 26 ++++++++++++++++----------
 src/helpers/tls_version.rs | 2 ++
 src/main.rs | 21 ++++++++++++++-------
 3 files changed, 32 insertions(+), 17 deletions(-)
diff --git a/src/helpers.rs b/src/helpers.rs
index 18794acb..e476464c 100644
--- a/src/helpers.rs
+++ b/src/helpers.rs
@@ -6,7 +6,7 @@ use cargo_toml::Manifest;
 use futures_util::stream::Stream;
 use log::debug;
 use once_cell::sync::OnceCell;
-use reqwest::{Client, ClientBuilder, Method, Response};
+use reqwest::{Client, ClientBuilder, Method, Response, tls};
 use serde::Serialize;
 use tinytemplate::TinyTemplate;
 use tokio::task::block_in_place;
@@ -32,8 +32,14 @@ pub use path_ext::*;
 mod tls_version;
 pub use tls_version::TLSVersion;
 
-/// (enable https only mode, min TLS version_option)
-pub static REQWESTGLOBALCONFIG: OnceCell<(bool, Option)> = OnceCell::new();
+#[derive(Debug)]
+pub struct ReqwestConfig {
+ pub secure: bool,
+ pub min_tls: Option,
+}
+
+/// (secure mode, min TLS version)
+pub static REQWESTGLOBALCONFIG: OnceCell = OnceCell::new();
 
 /// Load binstall metadata from the crate `Cargo.toml` at the provided path
 pub fn load_manifest_path>(
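Review bot: The doc comment kept on the static, `/// (secure mode, min TLS version)`, still describes the tuple this hunk removes and says nothing about `ReqwestConfig`, whose struct and fields are left undocumented. I'd replace it with `/// Global reqwest client options, set once from the CLI flags in entry() and read by new_reqwest_client_builder().` and document the fields as `/// Refuse plaintext HTTP and TLS below 1.2 (--secure).` on `secure` and `/// Explicit minimum TLS version (--min-tls-version); applied after the --secure floor, so it can only raise that floor while TLSVersion has no variant below 1.2.` on `min_tls`. The generic arguments on `Option` and `OnceCell` appear to have been lost in extraction on this page, so the field and static types cannot be checked from here.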
@@ -53,15 +59,15 @@ pub fn load_manifest_path>(
 pub fn new_reqwest_client_builder() -> ClientBuilder {
 let mut builder = ClientBuilder::new();
 
- if let Some((https_only, min_tls_ver_opt)) = REQWESTGLOBALCONFIG.get() {
- builder = builder.https_only(*https_only);
-
- if *https_only {
- builder = builder.min_tls_version(reqwest::tls::Version::TLS_1_2);
+ if let Some(ReqwestConfig { secure, min_tls }) = REQWESTGLOBALCONFIG.get() {
+ if *secure {
+ builder = builder
+ .https_only(true)
+ .min_tls_version(tls::Version::TLS_1_2)
 }
 
- if let Some(min_tls_ver) = *min_tls_ver_opt {
- builder = builder.min_tls_version(min_tls_ver.into());
+ if let Some(ver) = *min_tls {
+ builder = builder.min_tls_version(ver);
 }
 }
 
diff --git a/src/helpers/tls_version.rs b/src/helpers/tls_version.rs
index 1f0ad5dc..35f86123 100644
--- a/src/helpers/tls_version.rs
+++ b/src/helpers/tls_version.rs
@@ -3,7 +3,9 @@ use reqwest::tls::Version;
 
 #[derive(Debug, Copy, Clone, ArgEnum)]
 pub enum TLSVersion {
+ #[clap(name = "1.2")]
 Tls1_2,
+ #[clap(name = "1.3")]
 Tls1_3,
 }
 
diff --git a/src/main.rs b/src/main.rs
index 169e74d7..f5684031 100644
--- a/src/main.rs
+++ b/src/main.rs
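Review bot: In the new `if let Some(ver) = *min_tls` branch the explicit `--min-tls-version` is applied after the `--secure` floor, and `min_tls_version` replaces the earlier value rather than combining with it, so whichever call runs last wins. That cannot weaken `--secure` today because `TLSVersion` only offers 1.2 and 1.3, but the invariant is silent in the code; I'd record it above the branch: `// --min-tls-version is applied after the --secure floor; this only raises it while TLSVersion has no variant below 1.2.`. As a style point, the added `.min_tls_version(tls::Version::TLS_1_2)` line has no trailing `;`; it compiles because the assignment evaluates to `()`, but the conventional form is `.min_tls_version(tls::Version::TLS_1_2);`. The body of `new_reqwest_client_builder` continues past the end of the hunk.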
@@ -88,15 +88,22 @@ struct Options {
 #[clap(long)]
 no_cleanup: bool,
 
- /// Enable https only mode.
+ /// Enforce downloads over secure transports only.
 ///
- /// When https only mode is enabled, it will also set
- /// minimum TLS version to tls1_2.
+ /// Insecure HTTP downloads will be removed completely in the future; in the meantime this
+ /// option forces a fail when the remote endpoint uses plaintext HTTP or insecure TLS suites.
+ ///
+ /// Without this option, plain HTTP will warn.
+ ///
+ /// Implies `--min-tls-version=1.2`.
 #[clap(long)]
- https_only_mode: bool,
+ secure: bool,
 
- /// Decide which TLS version to use.
- #[clap(long, arg_enum)]
+ /// Require a minimum TLS version from remote endpoints.
+ ///
+ /// The default is not to require any minimum TLS version, and use the negotiated highest
+ /// version available to both this client and the remote server.
+ #[clap(long, arg_enum, value_name = "VERSION")]
 min_tls_version: Option,
 
 /// Override manifest source.
@@ -194,7 +201,7 @@ async fn entry() -> Result<()> {
 
 // Initialize REQWESTGLOBALCONFIG
 REQWESTGLOBALCONFIG
- .set((opts.https_only_mode, opts.min_tls_version))
+ .set(ReqwestConfig { secure: opts.secure, min_tls: opts.min_tls_version.map(|v| v.into()) })
 .unwrap();
 
 // Setup logging
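Review bot: The new doc comment on `secure` overstates what the flag enforces: the builder change in helpers.rs sets `https_only(true)` and `min_tls_version(TLS_1_2)`, which rejects plaintext HTTP and TLS older than 1.2 but does not inspect or restrict cipher suites, so `or insecure TLS suites` promises hardening that is not there. I'd write `/// option forces a fail when the remote endpoint uses plaintext HTTP or a TLS version older than 1.2.` instead. `Without this option, plain HTTP will warn.` describes behaviour not visible in this diff, so it is worth confirming a warning is actually emitted before documenting it. The rename from `https_only_mode` to `secure` drops the old `--https-only-mode` flag without an alias; if that name ever shipped, `#[clap(long, alias = "https-only-mode")]` keeps existing invocations working. `struct Options` starts before the hunk.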
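Review bot: `ReqwestConfig` is used unqualified in the new `.set(...)` line, yet the commit adds no `use` to main.rs (its diffstat of 14 additions and 7 deletions is fully accounted for by the two hunks shown), so this relies on `helpers` already being glob-imported there; worth confirming rather than assuming. The rewritten line also runs well past 100 columns and rustfmt will split it; writing the literal as `ReqwestConfig {` / `secure: opts.secure,` / `min_tls: opts.min_tls_version.map(|v| v.into()),` / `}` reads better inside the `.set(...).unwrap()` chain. `entry` continues outside the hunk.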