rd: Don't downgrade to HTTP #7

Merged
steffo merged 6 commits from feature/rd-no-downgrade into main 2024-12-16 01:02:59 +00:00
Showing only changes of commit 69f5232ab9 - Show all commits

View file

@ -15,17 +15,16 @@ impl ResourceDescriptor {
/// ///
/// In order, this method attempts: /// In order, this method attempts:
/// ///
/// 1. HTTPS [XRD](ResourceDescriptorJRD::get) /// 1. [XRD](ResourceDescriptorJRD::get)
/// 2. HTTPS [JRD](ResourceDescriptorJRD::get) /// 2. [JRD](ResourceDescriptorJRD::get)
/// 3. HTTPS [JRD](ResourceDescriptorJRD::get) with .json path suffix /// 3. [JRD](ResourceDescriptorJRD::get) with .json path suffix
/// 4. HTTP [XRD](ResourceDescriptorJRD::get)
/// 5. HTTP [JRD](ResourceDescriptorJRD::get)
/// 6. HTTP [JRD](ResourceDescriptorJRD::get) with .json path suffix
/// ///
/// # Notes /// # Notes
/// ///
/// This follows redirects until the redirect chain is 10 hops; see [`reqwest::redirect`] for more info. /// This follows redirects until the redirect chain is 10 hops; see [`reqwest::redirect`] for more info.
/// ///
/// Only the protocol specified in the passed [`reqwest::Url`] is used to fetch the [`ResourceDescriptor`]; despite the specification allowing servers to use only one between HTTP and HTTPS, no implicit downgrade is ever performed to prevent MITM attacks.
///
/// # Examples /// # Examples
/// ///
/// ``` /// ```
@ -53,121 +52,51 @@ impl ResourceDescriptor {
log::trace!("Unsetting URL fragment..."); log::trace!("Unsetting URL fragment...");
url.set_fragment(None); url.set_fragment(None);
log::trace!("Setting URL scheme to HTTPS..."); log::trace!("Attempting XRD retrieval...");
url.set_scheme("https") let xrd = match ResourceDescriptorXRD::get(client, url.clone()).await {
.map_err(UrlManipulation)?;
log::trace!("Cloning URL for HTTPS XRD retrieval...");
let https_xrd_url = url.clone();
log::trace!("Attempting HTTPS XRD retrieval...");
let https_xrd = match ResourceDescriptorXRD::get(client, https_xrd_url).await {
Ok(data) => { Ok(data) => {
log::trace!("HTTPS XRD retrieval was successful, returning..."); log::trace!("XRD retrieval was successful, returning...");
return Ok(Self::XRD(data)) return Ok(Self::XRD(data))
} }
Err(err) => { Err(err) => {
log::warn!("HTTPS XRD retrieval failed."); log::warn!("XRD retrieval failed.");
err err
} }
}; };
log::trace!("Cloning URL for HTTPS JRD retrieval..."); log::trace!("Attempting JRD retrieval...");
let https_jrd_url = url.clone(); let jrd = match ResourceDescriptorJRD::get(client, url.clone()).await {
log::trace!("Attempting HTTPS JRD retrieval...");
let https_jrd = match ResourceDescriptorJRD::get(client, https_jrd_url).await {
Ok(data) => { Ok(data) => {
log::trace!("HTTPS JRD retrieval was successful, returning..."); log::trace!("JRD retrieval was successful, returning...");
return Ok(Self::JRD(data)) return Ok(Self::JRD(data))
} }
Err(err) => { Err(err) => {
log::warn!("HTTPS JRD retrieval failed."); log::warn!("JRD retrieval failed.");
err err
} }
}; };
log::trace!("Cloning URL for HTTPS JRD .json retrieval..."); log::trace!("Altering URL path for JRD .json retrieval...");
let mut https_jrdj_url = url.clone(); url.set_path(
&format!("{}.json", url.path())
log::trace!("Altering URL path for HTTPS JRD .json retrieval...");
https_jrdj_url.set_path(
&format!("{}.json", https_jrdj_url.path())
); );
log::trace!("Attempting HTTPS JRD .json retrieval..."); log::trace!("Attempting JRD .json retrieval...");
let https_jrdj = match ResourceDescriptorJRD::get(client, https_jrdj_url).await { let jrdj = match ResourceDescriptorJRD::get(client, url.clone()).await {
Ok(data) => { Ok(data) => {
log::trace!("HTTPS JRD .json retrieval was successful, returning..."); log::trace!("JRD .json retrieval was successful, returning...");
return Ok(Self::JRD(data)) return Ok(Self::JRD(data))
} }
Err(err) => { Err(err) => {
log::warn!("HTTPS JRD .json retrieval failed."); log::warn!("JRD .json retrieval failed.");
err
}
};
log::trace!("Setting URL scheme to HTTP...");
url.set_scheme("http")
.map_err(UrlManipulation)?;
log::trace!("Cloning URL for HTTP XRD retrieval...");
let http_xrd_url = url.clone();
log::trace!("Attempting HTTP XRD retrieval...");
let http_xrd = match ResourceDescriptorXRD::get(client, http_xrd_url).await {
Ok(data) => {
log::trace!("HTTP XRD retrieval was successful, returning...");
return Ok(Self::XRD(data))
}
Err(err) => {
log::warn!("HTTP XRD retrieval failed.");
err
}
};
log::trace!("Cloning URL for HTTP JRD retrieval...");
let http_jrd_url = url.clone();
log::trace!("Attempting HTTP JRD retrieval...");
let http_jrd = match ResourceDescriptorJRD::get(client, http_jrd_url).await {
Ok(data) => {
log::trace!("HTTP JRD retrieval was successful, returning...");
return Ok(Self::JRD(data))
}
Err(err) => {
log::warn!("HTTP JRD retrieval failed.");
err
}
};
log::trace!("Cloning URL for HTTP JRD .json retrieval...");
let mut http_jrdj_url = url.clone();
log::trace!("Altering URL path for HTTPS JRD .json retrieval...");
http_jrdj_url.set_path(
&format!("{}.json", http_jrdj_url.path())
);
log::trace!("Attempting HTTP JRD .json retrieval...");
let http_jrdj = match ResourceDescriptorJRD::get(client, http_jrdj_url).await {
Ok(data) => {
log::trace!("HTTP JRD .json retrieval was successful, returning...");
return Ok(Self::JRD(data))
}
Err(err) => {
log::warn!("HTTP JRD .json retrieval failed.");
err err
} }
}; };
Err(Fetch(GetFetchFailures { Err(Fetch(GetFetchFailures {
https_xrd, xrd,
https_jrd, jrd,
https_jrdj, jrdj,
http_xrd,
http_jrd,
http_jrdj,
})) }))
} }
@ -262,7 +191,7 @@ pub enum GetError {
Fetch(GetFetchFailures), Fetch(GetFetchFailures),
} }
/// Request errors occurred during [`ResourceDescriptor::discover_http`] or [`ResourceDescriptor::discover`]. /// Request errors occurred during [`ResourceDescriptor::get`].
#[derive(Debug, Error)] #[derive(Debug, Error)]
#[error("all attempts of fetching the resource descriptor document failed")] #[error("all attempts of fetching the resource descriptor document failed")]
pub struct GetFetchFailures { pub struct GetFetchFailures {
@ -275,14 +204,3 @@ pub struct GetFetchFailures {
/// JRD with .json extension retrieval. /// JRD with .json extension retrieval.
pub jrdj: GetJRDError, pub jrdj: GetJRDError,
} }
/// Request errors occurred during [`ResourceDescriptor::discover`].
#[derive(Debug, Error)]
#[error("all attempts of fetching the resource descriptor document failed with all protocols")]
pub struct GetFetchFailuresMultiprotocol {
/// HTTPS.
pub https: GetFetchFailures,
/// HTTP.
pub http: GetFetchFailures,
}