Merge pull request #22 from MCloudTT/secure_by_default

Added security Policy, fixed non-tokio-unstable build

.github/SECURITY.md

@@ -0,0 +1,6 @@
+
+If you think you have discovered a security issue related to MCloudTT, please write to us at [mcloudtt@nereux.blog](mcloudtt@nereux.blog) do NOT open a public issue. Along with your notification email, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the security concern. Sensitive information can be encrypted using our [PGP key](./../mcloudtt-security.public.key).
+
+We will send a non-automated acknowledgement email reply within 1 business day followed by an initial assessment of the issue within 5 business days. Subsequently, we will work in partnership with you to assess any impact of the issue and prepare a security advisory (including any patches with appropriate fix) as needed.
+
+If we confirm that your report represents a security issue in MCloudTT, we will work with you to agree on an embargo period (typically at least 2 weeks AFTER any necessary development time) which will provide enough time to test our proposed fix and develop patches prior to any broader or more public disclosure. At the end of the embargo period, MCloudTT maintainers will publicly release information about the security issue together with the patches that mitigate it.

.github/workflows/ci.yml

@@ -9,6 +9,7 @@ on:
 
 env:
   CARGO_TERM_COLOR: always
+  RUSTFLAGS: "--cfg=tokio_unstable"
 
 jobs:
   build:

.gitignore

@@ -3,6 +3,5 @@
 .idea/
 *.lock
 *.pem
-*.key
 *.crt
 /certs

Cargo.toml

@@ -14,7 +14,7 @@ rust-version = "1.64"
 [dependencies]
 thiserror = "1.0"
 tokio = { version = "1.25.0", features = ["full", "tracing"] }
-tokio-tungstenite = "0.18.0"
+tokio-tungstenite = "0.19.0"
 tracing = "0.1.37"
 lazy_static = "1.4.0"
 config = "0.13.3"
@@ -24,18 +24,18 @@ mqtt-v5-fork = "0.2.0"
 bytes = "1"
 async-backtrace = "0.2"
 tracing-tree = "0.2.2"
-tokio-rustls = "0.23.4"
+tokio-rustls = "0.24.0"
 rustls-pemfile = "1.0.2"
 gcp-bigquery-client = { version = "0.16.4", optional = true }
 chrono = { version = "0.4.23", optional = true }
 serde = { version = "1.0.130", features = ["derive"] }
-redis = { version = "0.22.3", features = ["bytes"], optional = true }
+redis = { version = "0.23.0", features = ["bytes"], optional = true }
 serde_json = { version = "1.0", optional = true }
 rand = { version = "0.8.5" }
-console-subscriber = {version = "0.1.8", optional= true}
+console-subscriber = {version = "0.1.10", optional= true}
 
 [dev-dependencies]
-criterion = { version = "0.4.0", features = ["async_futures"]}
+criterion = { version = "0.5.1", features = ["async_futures"]}
 clap = { version = "4.1.4", features = ["derive"] }
 csv = "1.1"
 paho-mqtt = "0.12.0"
@@ -51,3 +51,4 @@ tokio_console = ["tokio/tracing",  "dep:console-subscriber"]
 [profile.release]
 lto=true
 codegen-units=1
+strip=true

config.toml

@@ -3,8 +3,8 @@ websocket = true
 timeout = 30
 
 [tls]
-certfile = "certs/broker/broker.crt"
-keyfile = "certs/broker/broker.key"
+certfile = "certs/server.crt"
+keyfile = "certs/server.key"
 
 [ports]
 tcp = 1883

mcloudtt-security.public.key

@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGSd5oYBEADaWGuVopTuASGSauxq/W7JSq8YGMxpjvLD8M/U64eKx3ckcL5l
+nCDOpktvNmSPFZLr5YZ3BeRvLxWlQdbh/2Eh+LMk14w86yctIOuWySWz4nScSxMb
+vIOrNpRcmZ3Fg7s5uVSpklJxkIFgUwpAWjkyvuvcQLRXAaEA3bHK8htgK7R1cEcr
+v7HXr1yuKAsG8BsCrcXABFhZCTZkOLYTZFPdg/NKtjAUewKgc41uMb5weEoW+rP5
+HnOwQk5qhLedIHBHriwlnSz6eFwxn1P0OqZwZiD6gGrXfy63YLCEYIoUWu2RGXIB
+ava9+tOxsEGG6pnahGD2cmNVsZoeWfdbaSeF0TRIjF7DRR8p3lAH41IVC4GmOh1u
+PKapVoGC1WLp8XPr4bf9iG8BH0kHOnZTD2joNtOhucwognvGGDW4lKqeUv9slsId
+rUrc6shnNnrk+IBVh4i7/yea57EwTohEuI5LaiLnuMqoZx8Xkg61zKB490XdK77W
+xvvQ3uXuVkHyJamkWgrOOEJBFrLuaONrnh8+Ed3EwU+ulxYi9CQc8EfBAwuOrbgz
+v3XxXUqAhJEyT8c5liPlj+hnBGd/1C3Czq6HUlXsrTwGMi20HRic8qLq6/EbY8dx
+nlQj819u1iLCco2W0w3o9y7KjNTOqzbFWfYQoWZZfUoaZvm39+VUFhyyfQARAQAB
+tB9NQ2xvdWRUVCA8bWNsb3VkdHRAbmVyZXV4LmJsb2c+iQJOBBMBCAA4FiEE366r
+xumgyDKuM68hCV5HJA60OLkFAmSd5oYCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC
+F4AACgkQCV5HJA60OLnzhBAAzD+R+AZSLkK8uAjVehOInW9c4MLt7TM0JnFBGczU
+sWTqzkS4kErhjdew+OV8chdV3ZZPFEO7Bq6dXsngWvv+b38F0Z1udTVmu0aTNw+E
+8c0x9BGvb3nZXdkFkinczQ8BTmBqyEwhsXI0udl/SuJ+Rnv1LRZ0Smtt6zKRoN72
+lIzwySVD/dEs2lf3oNLw2qe1NdDfyARDv5pzx0SSejPwpLOdzn3dEg7icVf0YHOb
+TSYb4XW+9by/X5+3hDGnzEams473zXxUCAs2aNozFTIt7XO9BozXJs/FTedWBNMl
+d+9tqhEpfOqtbmOxx+pFRqzcKRoOJvYuqIFZNDNA8K4lD9E/CQPfc6LmXKz7nC6V
+rk+yt1+Xl2z9y2/RbdgHLFs93gM2Rl4JrGGHk2qg3oIqWa2bvVkqrN84/cDw383F
+k/Za50T6NoGXAz+px2RmunqBPW0OeJn/50DV5r2UKcdkpoS4DIMceNlO8QuelBlH
+PBbZ0ZTbxVFvTjwNXoblGJkHbX1gVDBKJIdSYAi9vJjvk/KaDLjuDDLvyCQydwm+
+nLb21UuMqhkwtqdY2suGMfJtbQ/Sv0pYgD4fvrPzfbIdWcDREW4Guo2NGZ/xz+Jr
+myeUC0P8NrI4q+AzfrYkuGwdCPUxfF9ZLn6Z2+AVhFROpTVMFAung683tWfAKuny
+BBm5Ag0EZJ3mhgEQAOED1L/q7tw0AeT5hNJ5K8m8QDXsDhCPrtKBJDDTgfaEw9/H
+wNoirQGGmBzWnZssLvg3asR5+kRJhg7qaUtEOiaFZ/0KO+ngP1dHPNNdD8JtHfnX
+80r6TQXJVEw8WaOxiPDKbmeZ7wltIqg5rfza1+SFGkhdly68A1gURZMaWeeWhHg7
+Zduz6PEEOOZuahnyTf6uahgMfqxJzXIh5I2n1zGZd6bdUG4xPQ4x3sCmjzfGqfA+
+cjPXjb0ruNHw2zKWnyxdyd+XzcTXdE8crmNsGnj6D1uwswxptZQAXMieBrTmDm88
+r62MZIMmmItMcZAlkkHQ09hHpf/a/d2BWT76XuOgoDqi0p+eogCpXIP6jOTi+d98
+nvh4H4l5FO5AmAZfhGOoq3II0EwKBusuaGF69NmqKMmgDbVxCWgEluzR5IPKa6Hb
+fccqrXtKfF+Qmhc3wRiSddSFaypcMJVQL3YLpU4GUWaS6GSm2pH05hmIADfe8f7r
+9j6VP0e7uFaXOYIfDVaIXU/uOJEYlrx6IHNXuXPNw0W5zaX95JH+UfpeTaZQS0PK
+yzMABQch+ZFn68z1k0wCpMgoPvGKUkTF4b4d+K01CJE4dKeaQ+twiTJ8xtvlTujT
+GEAzBs1UZDqiWCDr2w0WBCBCtF+sfO+GfBnAMfgxk9G+4NCBcrDcjlGI3JLhABEB
+AAGJAjYEGAEIACAWIQTfrqvG6aDIMq4zryEJXkckDrQ4uQUCZJ3mhgIbDAAKCRAJ
+XkckDrQ4uVsLD/9uyDv1OtE6MqjX/ott1rpCB25HfWlXON7BNYQpKbPOlU75mWMg
+xg/G/lfM/9mI1FNvXa446+fDOJeEbZE9URnVj+S20bW5xR0zohRHZQ1ifOFXx/Em
+LjQNLl0kRiFEiJbfzLZB2BRazc4LgXbRUkR17zJTWyFs+yfmTQvmoZbnQzwXjuYH
+gltT4YeTZqV02udHLL7l5mO++G5BpE/TlQosvXdP1xkoCojhrW31qO6N/FGEBgru
+u+KmUU3sNTSHXCyfWqSlqOwqIPVPAz8Du3gGQy0Z2B3UkLYxob/JSCXawI8CM+/L
+wbeUXeXyWyRSq5ztniddzkjq5w2FjOmTJ8wjp7q6j7xhTFTuYxi/Vg4HmaamZpuy
+65s8HrvtKD5nPV2oh4nWqAVjBkkQ8/BQre8VBaxlFByJqvJVNVRhApkvdZ2Gb9FF
+EP6Ue2jX3K6LDq8BNF2tVAP/6q6OWaPhycjEfRVxkYG0HQpIr6IEjS+TAjc8rbbk
+y7bXMngCnMwmBYC30x3dEu0SUp1yaOQb7kiuCci6MM0R5mA7+63G6BJqyFSu+NfI
+9fyWZy0RZyu2uQ6X7IFf/umCcWIQzcsff4M1nZRBQGzs5jKhw/clGaMmOQicYS+d
+yCJYNPUoBnbiLJDNW23WhHluC9HGO3iSZ3WJQ1gxUlZtGhTAGzKNC3s85w==
+=X+wI
+-----END PGP PUBLIC KEY BLOCK-----

src/main.rs

@@ -19,6 +19,7 @@ use std::{
 };
 
 use tokio::sync::Mutex;
+#[cfg(feature = "tokio_console")]
 use tokio::task::Builder;
 
 use mqtt_v5_fork::types::PublishPacket;
@@ -55,15 +56,19 @@ lazy_static! {
 
 #[tokio::main]
 async fn main() -> Result {
+    // TODO: Fix logging
     // Set up tracing_tree
     #[cfg(feature = "tokio_console")]
-    let console_layer = console_subscriber::spawn();
-    let registry = Registry::default();
-    #[cfg(feature = "tokio_console")]
-    let registry = registry
-        .with(console_layer)
-        .with(EnvFilter::from_default_env().add_directive(Directive::from_str("tokio=trace")?));
-    registry.init();
+    {
+        let console_layer = console_subscriber::spawn();
+        let registry = Registry::default();
+        let registry = registry
+            .with(console_layer)
+            .with(EnvFilter::from_default_env().add_directive(Directive::from_str("tokio=trace")?));
+        registry.init();
+    }
+    #[cfg(not(feature = "tokio_console"))]
+    tracing_subscriber::fmt::init();
 
     info!("Starting MCloudTT!");
     main_loop().await
@@ -102,9 +107,20 @@ async fn main_loop() -> Result {
     // MQTT over WebSockets
     let ws_listener = TcpListener::bind(format!("{LISTENER_ADDR}:{}", settings.ports.ws)).await?;
 
-    //TLS
-    let certs = load_certs(Path::new(&settings.tls.certfile)).unwrap();
-    let mut keys = load_keys(Path::new(&settings.tls.keyfile)).unwrap();
+    // Load TLS certificates
+    let certs = load_certs(Path::new(&settings.tls.certfile)).map_err(|e| {
+        io::Error::new(
+            io::ErrorKind::InvalidInput,
+            format!("Error loading TLS certificates: {:?}", e),
+        )
+    })?;
+    let mut keys = load_keys(Path::new(&settings.tls.keyfile)).map_err(|e| {
+        io::Error::new(
+            io::ErrorKind::InvalidInput,
+            format!("Error loading TLS keys: {:?}", e),
+        )
+    })?;
+    info!("Loaded TLS certificates");
 
     let config = rustls::ServerConfig::builder()
         .with_safe_defaults()
@@ -173,18 +189,34 @@ async fn handle_new_connection(
 
     #[cfg(feature = "secure")]
     {
-        if let Ok(stream) = tls_acceptor.accept(stream).await {
-            Builder::new()
-                .name(format!("Client {}", addr).as_str())
-                .spawn(async move { client.handle_raw_tcp_stream(stream, addr).await });
-        } else {
-            info!("Peer failed to connect using tls: {:?}", addr);
+        // Make this a match that prints the error
+        match tls_acceptor.accept(stream).await {
+            Ok(stream) => {
+                #[cfg(feature = "tokio_console")]
+                Builder::new()
+                    .name(format!("Client {}", addr).as_str())
+                    .spawn(async move { client.handle_raw_tcp_stream(stream, addr).await });
+                #[cfg(not(feature = "tokio_console"))]
+                tokio::spawn(async move { client.handle_raw_tcp_stream(stream, addr).await });
+            }
+            Err(e) => {
+                info!(
+                    "Peer failed to connect using tls: {:?} because of {e} ({e:?})",
+                    addr
+                );
+            }
         }
     }
     #[cfg(not(feature = "secure"))]
-    Builder::new()
-        .name(format!("Client {}", addr).as_str())
-        .spawn(async move { client.handle_raw_tcp_stream(stream, addr).await });
+    {
+        #[cfg(feature = "tokio_console")]
+        // FIXME: Macro or function for this. It is really annoying to spawn either a named task or unnamed task depending on the tokio_console feature flag
+        Builder::new()
+            .name(format!("Client {}", addr).as_str())
+            .spawn(async move { client.handle_raw_tcp_stream(stream, addr).await });
+        #[cfg(not(feature = "tokio_console"))]
+        tokio::spawn(async move { client.handle_raw_tcp_stream(stream, addr).await });
+    }
 }
 
 fn load_certs(path: &Path) -> io::Result<Vec<Certificate>> {

src/tcp_handling.rs

@@ -44,9 +44,7 @@ pub struct Client {
 
 pub trait MCStream: AsyncReadExt + AsyncWriteExt + Unpin + Debug {}
 
-impl MCStream for TlsStream<TcpStream> {}
-
-impl MCStream for TcpStream {}
+impl<T> MCStream for T where T: AsyncReadExt + AsyncWriteExt + Unpin + Debug {}
 
 struct ReceiverFuture<'a> {
     receiver: Vec<(&'a String, &'a Receiver<Message>)>,