refactor(config)!: re-design and clean-up configuration

.github/workflows/_test_int.yml

@@ -37,7 +37,10 @@ jobs:
         uses: supercharge/[email protected]
         with:
           mongodb-version: ${{ inputs.mongodb }}
-          mongodb-replica-set: test-rs
+          # FIXME: replica-set with authentication
+          #mongodb-replica-set: test-rs
+          mongodb-username: root
+          mongodb-password: root
 
       - name: Test DB
         uses: actions-rs/cargo@v1

docker/docker-compose.yml

@@ -33,13 +33,10 @@ services:
       - RUST_LOG=warn,inx_chronicle=debug
     tty: true
     command:
-      - "--config=config.toml"
-      - "--inx-url=http://hornet:9029"
       - "--mongodb-conn-str=mongodb://mongo:27017"
       - "--influxdb-url=http://influx:8086"
+      - "--inx-url=http://hornet:9029"
       - "--loki-url=http://loki:3100"
-    volumes:
-      - ../config.template.toml:/app/config.toml:ro
 
   influx:
     image: influxdb:1.8

src/bin/inx-chronicle/api/auth.rs

@@ -9,22 +9,22 @@ use axum::{
     TypedHeader,
 };
 
-use super::{config::ApiData, error::RequestError, ApiError, AuthError};
+use super::{config::ApiConfigData, error::RequestError, ApiError, AuthError};
 
 pub struct Auth;
 
 #[async_trait]
 impl<S: Send + Sync> FromRequestParts<S> for Auth
 where
-    ApiData: FromRef<S>,
+    ApiConfigData: FromRef<S>,
 {
     type Rejection = ApiError;
 
     async fn from_request_parts(req: &mut axum::http::request::Parts, state: &S) -> Result<Self, Self::Rejection> {
         // Unwrap: <OriginalUri as FromRequest>::Rejection = Infallable
         let OriginalUri(uri) = OriginalUri::from_request_parts(req, state).await.unwrap();
 
-        let config = ApiData::from_ref(state);
+        let config = ApiConfigData::from_ref(state);
 
         if config.public_routes.is_match(&uri.to_string()) {
             return Ok(Auth);
@@ -37,10 +37,10 @@ where
 
         jwt.validate(
             Validation::default()
-                .with_issuer(ApiData::ISSUER)
-                .with_audience(ApiData::AUDIENCE)
+                .with_issuer(ApiConfigData::ISSUER)
+                .with_audience(ApiConfigData::AUDIENCE)
                 .validate_nbf(true),
-            config.secret_key.as_ref(),
+            config.jwt_secret_key.as_ref(),
         )
         .map_err(AuthError::InvalidJwt)?;
 

src/bin/inx-chronicle/api/config.rs

@@ -10,71 +10,83 @@ use tower_http::cors::AllowOrigin;
 
 use super::{error::ConfigError, SecretKey};
 
+pub const DEFAULT_ENABLED: bool = true;
+pub const DEFAULT_PORT: u16 = 8042;
+pub const DEFAULT_ALLOW_ORIGINS: &str = "0.0.0.0";
+pub const DEFAULT_PUBLIC_ROUTES: &str = "api/core/v2/*";
+pub const DEFAULT_MAX_PAGE_SIZE: usize = 1000;
+pub const DEFAULT_JWT_PASSWORD: &str = "password";
+pub const DEFAULT_JWT_SALT: &str = "saltines";
+pub const DEFAULT_JWT_EXPIRATION: &str = "72h";
+
 /// API configuration
 #[derive(Clone, PartialEq, Eq, Debug, Serialize, Deserialize)]
 #[serde(default, deny_unknown_fields)]
 pub struct ApiConfig {
     pub enabled: bool,
     pub port: u16,
     pub allow_origins: SingleOrMultiple<String>,
-    pub password_hash: String,
-    pub password_salt: String,
-    #[serde(with = "humantime_serde")]
-    pub jwt_expiration: Duration,
     pub public_routes: Vec<String>,
-    pub identity_path: Option<String>,
     pub max_page_size: usize,
-    pub argon_config: ArgonConfig,
+    pub jwt_password: String,
+    pub jwt_salt: String,
+    pub jwt_identity_file: Option<String>,
+    #[serde(with = "humantime_serde")]
+    pub jwt_expiration: Duration,
 }
 
 impl Default for ApiConfig {
     fn default() -> Self {
         Self {
-            enabled: true,
-            port: 8042,
-            allow_origins: "*".to_string().into(),
-            password_hash: "c42cf2be3a442a29d8cd827a27099b0c".to_string(),
-            password_salt: "saltines".to_string(),
-            // 72 hours
-            jwt_expiration: Duration::from_secs(72 * 60 * 60),
-            public_routes: Default::default(),
-            identity_path: None,
-            max_page_size: 1000,
-            argon_config: Default::default(),
+            enabled: DEFAULT_ENABLED,
+            port: DEFAULT_PORT,
+            allow_origins: SingleOrMultiple::Single(DEFAULT_ALLOW_ORIGINS.to_string()),
+            public_routes: vec![DEFAULT_PUBLIC_ROUTES.to_string()],
+            max_page_size: DEFAULT_MAX_PAGE_SIZE,
+            jwt_identity_file: None,
+            jwt_password: DEFAULT_JWT_PASSWORD.to_string(),
+            jwt_salt: DEFAULT_JWT_SALT.to_string(),
+            jwt_expiration: DEFAULT_JWT_EXPIRATION.parse::<humantime::Duration>().unwrap().into(),
         }
     }
 }
 
 #[derive(Clone, Debug)]
-pub struct ApiData {
+pub struct ApiConfigData {
     pub port: u16,
     pub allow_origins: AllowOrigin,
-    pub password_hash: Vec<u8>,
-    pub password_salt: String,
-    pub jwt_expiration: Duration,
     pub public_routes: RegexSet,
-    pub secret_key: SecretKey,
     pub max_page_size: usize,
-    pub argon_config: ArgonConfig,
+    pub jwt_password_hash: Vec<u8>,
+    pub jwt_password_salt: String,
+    pub jwt_secret_key: SecretKey,
+    pub jwt_expiration: Duration,
+    pub jwt_argon_config: JwtArgonConfig,
 }
 
-impl ApiData {
+impl ApiConfigData {
     pub const ISSUER: &'static str = "chronicle";
     pub const AUDIENCE: &'static str = "api";
 }
 
-impl TryFrom<ApiConfig> for ApiData {
+impl TryFrom<ApiConfig> for ApiConfigData {
     type Error = ConfigError;
 
     fn try_from(config: ApiConfig) -> Result<Self, Self::Error> {
         Ok(Self {
             port: config.port,
             allow_origins: AllowOrigin::try_from(config.allow_origins)?,
-            password_hash: hex::decode(config.password_hash)?,
-            password_salt: config.password_salt,
-            jwt_expiration: config.jwt_expiration,
             public_routes: RegexSet::new(config.public_routes.iter().map(route_to_regex).collect::<Vec<_>>())?,
-            secret_key: match &config.identity_path {
+            max_page_size: config.max_page_size,
+            jwt_password_hash: argon2::hash_raw(
+                config.jwt_password.as_bytes(),
+                config.jwt_salt.as_bytes(),
+                &Into::into(&JwtArgonConfig::default()),
+            )
+            // TODO: Replace this once we switch to a better error lib
+            .expect("invalid JWT config"),
+            jwt_password_salt: config.jwt_salt,
+            jwt_secret_key: match &config.jwt_identity_file {
                 Some(path) => SecretKey::from_file(path)?,
                 None => {
                     if let Ok(path) = std::env::var("IDENTITY_PATH") {
@@ -84,8 +96,8 @@ impl TryFrom<ApiConfig> for ApiData {
                     }
                 }
             },
-            max_page_size: config.max_page_size,
-            argon_config: config.argon_config,
+            jwt_expiration: config.jwt_expiration,
+            jwt_argon_config: JwtArgonConfig::default(),
         })
     }
 }
@@ -130,9 +142,27 @@ impl TryFrom<SingleOrMultiple<String>> for AllowOrigin {
     }
 }
 
+impl<T: Default> Default for SingleOrMultiple<T> {
+    fn default() -> Self {
+        Self::Single(Default::default())
+    }
+}
+
+impl<T: Clone> From<&Vec<T>> for SingleOrMultiple<T> {
+    fn from(value: &Vec<T>) -> Self {
+        if value.is_empty() {
+            unreachable!("Vec must have single or multiple elements")
+        } else if value.len() == 1 {
+            Self::Single(value[0].clone())
+        } else {
+            Self::Multiple(value.to_vec())
+        }
+    }
+}
+
 #[derive(Clone, PartialEq, Eq, Debug, Serialize, Deserialize)]
 #[serde(default)]
-pub struct ArgonConfig {
+pub struct JwtArgonConfig {
     /// The length of the resulting hash.
     hash_length: u32,
     /// The number of lanes in parallel.
@@ -149,7 +179,7 @@ pub struct ArgonConfig {
     version: argon2::Version,
 }
 
-impl Default for ArgonConfig {
+impl Default for JwtArgonConfig {
     fn default() -> Self {
         Self {
             hash_length: 32,
@@ -162,8 +192,8 @@ impl Default for ArgonConfig {
     }
 }
 
-impl<'a> From<&'a ArgonConfig> for argon2::Config<'a> {
-    fn from(val: &'a ArgonConfig) -> Self {
+impl<'a> From<&'a JwtArgonConfig> for argon2::Config<'a> {
+    fn from(val: &'a JwtArgonConfig) -> Self {
         Self {
             ad: &[],
             hash_length: val.hash_length,

src/bin/inx-chronicle/api/extractors.rs

@@ -6,7 +6,7 @@ use axum::extract::{FromRef, FromRequestParts, Query};
 use serde::Deserialize;
 
 use super::{
-    config::ApiData,
+    config::ApiConfigData,
     error::{ApiError, RequestError},
     DEFAULT_PAGE_SIZE,
 };
@@ -30,15 +30,15 @@ impl Default for Pagination {
 #[async_trait]
 impl<S: Send + Sync> FromRequestParts<S> for Pagination
 where
-    ApiData: FromRef<S>,
+    ApiConfigData: FromRef<S>,
 {
     type Rejection = ApiError;
 
     async fn from_request_parts(req: &mut axum::http::request::Parts, state: &S) -> Result<Self, Self::Rejection> {
         let Query(mut pagination) = Query::<Pagination>::from_request_parts(req, state)
             .await
             .map_err(RequestError::from)?;
-        let config = ApiData::from_ref(state);
+        let config = ApiConfigData::from_ref(state);
         pagination.page_size = pagination.page_size.min(config.max_page_size);
         Ok(pagination)
     }
@@ -117,14 +117,18 @@ mod test {
 
     #[tokio::test]
     async fn page_size_clamped() {
-        let config = ApiData::try_from(ApiConfig::default()).unwrap();
+        let config = ApiConfig {
+            max_page_size: 1000,
+            ..Default::default()
+        };
+        let data = ApiConfigData::try_from(config).unwrap();
         let req = Request::builder()
             .method("GET")
             .uri("/?pageSize=9999999")
             .body(())
             .unwrap();
         assert_eq!(
-            Pagination::from_request(req, &config).await.unwrap(),
+            Pagination::from_request(req, &data).await.unwrap(),
             Pagination {
                 page_size: 1000,
                 ..Default::default()