//! Implement an HTTP1 CONNECT proxy using `hyper`.

//!

//! Note that Tor defines several extensions to HTTP CONNECT;

//! See [the spec](spec.torproject.org/http-connect.html)

//! for more information.

use super::{ListenerIsolation, ProxyContext};

use anyhow::{Context as _, anyhow};

use arti_client::{StreamPrefs, TorAddr};

use futures::{AsyncRead, AsyncWrite, io::BufReader};

use http::{Method, StatusCode, response::Builder as ResponseBuilder};

use hyper::{Response, server::conn::http1::Builder as ServerBuilder, service::service_fn};

use safelog::{Sensitive as Sv, sensitive as sv};

use tor_error::{ErrorKind, ErrorReport as _, HasKind, into_internal, warn_report};

use tor_rtcompat::Runtime;

use tor_rtcompat::SpawnExt as _;

use tracing::{instrument, warn};

use hyper_futures_io::FuturesIoCompat;

#[cfg(feature = "rpc")]

use {crate::rpc::conntarget::ConnTarget, tor_rpcbase as rpc};

cfg_if::cfg_if! {

    if #[cfg(feature="rpc")] {

        /// Error type returned from a failed connect_with_prefs.

        type ClientError = Box<dyn arti_client::rpc::ClientConnectionError>;

    } else {

        /// Error type returned from a failed connect_with_prefs.

        type ClientError = arti_client::Error;

    }

}

/// Request type that we receive from Hyper.

type Request = hyper::Request<hyper::body::Incoming>;

/// We use "String" as our body type, since we only return a body on error,

/// in which case it already starts life as a formatted string.

///

/// (We could use () or `Empty` for our (200 OK) replies,

/// but empty strings are cheap enough that it isn't worth it.)

type Body = String;

/// A value used to isolate streams received via HTTP CONNECT.

#[derive(Clone, Debug, Eq, PartialEq)]

pub(super) struct Isolation {

    /// The value of the Proxy-Authorization header.

    proxy_auth: Option<ProxyAuthorization>,

    /// The legacy X-Tor-Isolation token.

    x_tor_isolation: Option<String>,

    /// The up-to-date Tor-Isolation token.

    tor_isolation: Option<String>,

}

impl Isolation {

    /// Return true if no isolation field in this object is set.

        let Isolation {

}

/// Constants and code for the HTTP headers we use.

mod hdr {

    pub(super) use http::header::{CONTENT_TYPE, HOST, PROXY_AUTHORIZATION, SERVER, VIA};

    /// Client-to-proxy: Which IP family should we use?

    pub(super) const TOR_FAMILY_PREFERENCE: &str = "Tor-Family-Preference";

    /// Client-To-Proxy: The ID of an RPC object to receive our request.

    pub(super) const TOR_RPC_TARGET: &str = "Tor-RPC-Target";

    /// Client-To-Proxy: An isolation token to use with our stream.

    /// (Legacy name.)

    pub(super) const X_TOR_STREAM_ISOLATION: &str = "X-Tor-Stream-Isolation";

    /// Client-To-Proxy: An isolation token to use with our stream.

    pub(super) const TOR_STREAM_ISOLATION: &str = "Tor-Stream-Isolation";

    /// Proxy-to-client: A list of the capabilities that this proxy provides.

    pub(super) const TOR_CAPABILITIES: &str = "Tor-Capabilities";

    /// Proxy-to-client: A machine-readable list of failure reasons.

    pub(super) const TOR_REQUEST_FAILED: &str = "Tor-Request-Failed";

    /// A list of all the headers that we support from client-to-proxy.

    ///

    /// Does not include headers that we check for HTTP conformance,

    /// but not for any other purpose.

    pub(super) const ALL_REQUEST_HEADERS: &[&str] = &[

        TOR_FAMILY_PREFERENCE,

        TOR_RPC_TARGET,

        X_TOR_STREAM_ISOLATION,

        TOR_STREAM_ISOLATION,

        // Can't use 'PROXY_AUTHORIZATION', since it isn't a str, and its as_str() isn't const.

        "Proxy-Authorization",

    ];

    /// Return the unique string-valued value of the header `name`;

    /// or None if the header doesn't exist,

    /// or an error if the header is duplicated or not UTF-8.

        };

        }

}

/// Given a just-received TCP connection `S` on a HTTP proxy port, handle the

/// HTTP handshake and relay the connection over the Tor network.

///

/// Uses `isolation_info` to decide which circuits this connection

/// may use.  Requires that `isolation_info` is a pair listing the listener

/// id and the source address for the HTTP request.

#[instrument(skip_all, level = "trace")]

    // NOTES:

    // * We _could_ use a timeout, but we trust that the client is not trying to DOS us.

    ServerBuilder::new()

        .half_close(false)

        .keep_alive(true)

        .max_headers(256)

        .max_buf_size(16 * 1024)

        .title_case_headers(true)

        .auto_date_header(false) // We omit the date header out of general principle.

        .serve_connection(

            FuturesIoCompat(stream),

        )

        .with_upgrades()

        .await?;

    Ok(())

/// Handle a single HTTP request.

///

/// This function is invoked by hyper.

    // Avoid cross-site attacks based on DNS forgery by validating that the Host

    // header is in fact localhost.  In these cases, we don't want to reply at all,

    // _even with an error message_, since our headers could be used to tell a hostile

    // webpage information about the local arti process.

    //

    // We don't do this for CONNECT requests, since those are forbidden by

    // XHR and JS fetch(), and since Host _will_ be non-localhost for those.

            }

        }

        Method::CONNECT => {

        }

    }

/// Return an appropriate reply to the given OPTIONS request.

    use hyper::body::Body as _;

        _ => {

        }

    }

        // RFC 9110 says that if a client wants to include a body with its OPTIONS request (!),

        // it must include a Content-Type header.  Therefore, we reject such requests.

        // TODO: It would be cool to detect nonempty bodies in other ways, though in practice

        // it should never come up.

/// Return an appropriate reply to the given CONNECT request.

    }

/// Helper for handle_connect_request:

/// return an error type that can be converted into an HTTP message.

///

/// (This is a separate function to make error handling simpler.)

    // If we reach this point, the request looks okay, so we'll try to connect.

    // We have connected.  We need to launch a separate task to actually be the proxy, though,

    // since IIUC hyper::upgrade::on won't return an answer

    // until after the response is given to the client.

                }

            }

/// Set the IP family preference in `prefs`.

        };

        // TODO: Perhaps we should check unconditionally whether the IP address is consistent with header,

        // if one was given?  On the other hand, if the application tells us to make an IPV6-only

        // connection to an IPv4 address, it probably deserves what it gets.

/// Configure the stream isolation from the provided headers.

/// An isolation value based on the Proxy-Authorization header.

#[derive(Debug, Clone, Eq, PartialEq)]

pub(super) enum ProxyAuthorization {

    /// The entire contents of the Proxy-Authorization header.

    Legacy(String),

    /// The decoded value of the basic authorization, with the user set to "tor-iso".

    Modern(Vec<u8>),

}

impl ProxyAuthorization {

    /// Return a ProxyAuthorization based on the value of the Proxy-Authorization header.

    ///

    /// Give a warning if the header is in the legacy (obsolete) format.

        } else {

                hdr::PROXY_AUTHORIZATION,

                hdr::X_TOR_STREAM_ISOLATION,

                hdr::PROXY_AUTHORIZATION

            );

        }

    /// Helper: Try to return a Modern authorization value, if this is one.

        use base64ct::Encoding as _;

        // TODO: Is this the right format, or should we allow missing padding?

        } else {

        }

    /// Return true if this ProxyAuthorization has no authorization information.

        }

}

/// Look up the connection target given the value of an Tor-RPC-Target header.

#[cfg(feature = "rpc")]

    };

    };

/// Look up the connection target given the value of an Tor-RPC-Target header

//

// (This is the implementation when we have no RPC support.)

#[cfg(not(feature = "rpc"))]

fn find_conn_target<R: Runtime>(

    context: &ProxyContext<R>,

    rpc_target: Option<&str>,

) -> Result<arti_client::TorClient<R>, HttpConnectError> {

    if rpc_target.is_some() {

        Err(HttpConnectError::NoRpcSupport)

    } else {

        Ok(context.tor_client.clone())

    }

}

/// Extension trait on ResponseBuilder

trait RespBldExt {

    /// Return a response for a successful builder.

    fn ok(self, method: &Method) -> anyhow::Result<Response<Body>, HttpConnectError>;

    /// Return a response for an error message.

    fn err(

        self,

        method: &Method,

        message: impl Into<String>,

    ) -> Result<Response<Body>, HttpConnectError>;

}

impl RespBldExt for ResponseBuilder {

}

/// Return a string representing our capabilities.

    use std::sync::LazyLock;

/// Add all common headers to the builder `bld`, and return a new builder.

    ) {

/// An error that occurs during an HTTP CONNECT attempt, which can (usually)

/// be reported to the client.

#[derive(Clone, Debug, thiserror::Error)]

enum HttpConnectError {

    /// Tried to connect to an invalid stream target.

    #[error("Invalid target address {0:?}")]

    InvalidStreamTarget(Sv<String>, #[source] arti_client::TorAddrError),

    /// We found a duplicate HTTP header that we do not allow.

    ///

    /// (We only enforce this for the headers that we look at ourselves.)

    #[error("Duplicate HTTP header found.")]

    DuplicateHeader,

    /// We tried to found an HTTP header whose value wasn't encode as UTF-8.

    ///

    /// (We only enforce this for the headers that we look at ourselves.)

    #[error("HTTP header value was not in UTF-8")]

    HeaderNotUtf8,

    /// The Tor-Family-Preference header wasn't as expected.

    #[error("Unrecognized value for {}", hdr::TOR_FAMILY_PREFERENCE)]

    InvalidFamilyPreference,

    /// The user asked to use an RPC object, but we don't support RPC.

    #[error(

        "Found {} header, but we are running without RPC support",

        hdr::TOR_RPC_TARGET

    )]

    NoRpcSupport,

    /// The user asked to use an RPC object, but we didn't find the one they wanted.

    #[error("RPC target object not found")]

    RpcObjectNotFound,

    /// arti_client was unable to connect to a stream target.

    #[error("Unable to connect to {0}")]

    ConnectFailed(Sv<TorAddr>, #[source] ClientError),

    /// We encountered an internal error.

    #[error("Internal error while handling request")]

    Internal(#[from] tor_error::Bug),

}

impl HasKind for HttpConnectError {

        use ErrorKind as EK;

        use HttpConnectError as HCE;

            HCE::InvalidStreamTarget(_, _)

            | HCE::DuplicateHeader

            | HCE::HeaderNotUtf8

            | HCE::InvalidFamilyPreference

        }

}

impl HttpConnectError {

    /// Return an appropriate HTTP status code for this error.

        use HttpConnectError as HCE; // Not a Joyce reference

        use StatusCode as SC;

            HCE::InvalidStreamTarget(_, _)

            | HCE::DuplicateHeader

            | HCE::HeaderNotUtf8

            | HCE::InvalidFamilyPreference

            | HCE::RpcObjectNotFound

        }

    /// If possible, return a response that we should give to this error.

    /// Return the end reason for this error, if this error does in fact represent an END message

    /// from the remote side of a stream.

    //

    // TODO: This function is a bit fragile; it forces us to use APIs from tor-proto and

    // tor-cell that are not re-exported from arti-client.  It also relies on the fact that

    // there is a single error type way down in `tor-proto` representing a received END message.

        use tor_proto::Error::EndReceived;

        } else {

        }

}

/// Return the appropriate HTTP status code for a remote END reason.

///

/// Return `None` if the END reason is unrecognized and we should use the `ErrorKind`

///

/// (We  _could_ use the ErrorKind unconditionally,

/// but the mapping from END reason to ErrorKind is [given in the spec][spec],

/// so we try to obey it.)

///

/// [spec]: https://spec.torproject.org/http-connect.html#error-codes

    use StatusCode as S;

    use tor_cell::relaycell::msg::EndReason as R;

        //

        // 500: Internal server error.

        // 502: Bad Gateway.

        R::DESTROY | R::DONE | R::HIBERNATING | R::INTERNAL | R::RESOURCELIMIT | R::TORPROTOCOL => {

        }

        // 503: Service unavailable

        // 504: Gateway timeout.

        // This is possible if the other side sent an unrecognized error code.

    }

/// Recover the original stream from a [`hyper::upgrade::Upgraded`].

{

        // TODO Figure out whether this can happen, due to possible race conditions if the client

        // gets the OK before we check this?.

/// Recover the application stream from `request`, and launch tasks to transfer data between the application and

/// the `tor_stream`.

    // Finally. relay traffic between

    // the application stream and the tor stream, forever.

/// Return true if `host` is a possible value for a Host header addressing localhost.

    } else {

    }

/// Helper module: Make `futures` types usable by `hyper`.

//

// TODO: We may want to expose this as a separate crate, or move it into tor-async-utils,

// if we turn out to need it elsewhere.

mod hyper_futures_io {

    use pin_project::pin_project;

    use std::{

        io,

        pin::Pin,

        task::{Context, Poll, ready},

    };

    use hyper::rt::ReadBufCursor;

    /// A wrapper around an AsyncBufRead + AsyncWrite to implement traits required by hyper.

    #[derive(Debug)]

    #[pin_project]

    pub(super) struct FuturesIoCompat<T>(#[pin] pub(super) T);

    impl<T> hyper::rt::Read for FuturesIoCompat<T>

    where

        // We require AsyncBufRead here it is a good match for ReadBufCursor::put_slice.

        T: futures::io::AsyncBufRead,

    {

            // This means either "data arrived" or "EOF" depending on whether we added new bytes.

    }

    impl<T> hyper::rt::Write for FuturesIoCompat<T>

    where

        T: futures::io::AsyncWrite,

    {

    }

}

#[cfg(test)]

mod test {

    // @@ begin test lint list maintained by maint/add_warning @@

    #![allow(clippy::bool_assert_comparison)]

    #![allow(clippy::clone_on_copy)]

    #![allow(clippy::dbg_macro)]

    #![allow(clippy::mixed_attributes_style)]

    #![allow(clippy::print_stderr)]

    #![allow(clippy::print_stdout)]

    #![allow(clippy::single_char_pattern)]

    #![allow(clippy::unwrap_used)]

    #![allow(clippy::unchecked_time_subtraction)]

    #![allow(clippy::useless_vec)]

    #![allow(clippy::needless_pass_by_value)]

    //! <!-- @@ end test lint list maintained by maint/add_warning @@ -->

    use arti_client::{BootstrapBehavior, TorClient, config::TorClientConfigBuilder};

    use futures::{AsyncReadExt as _, AsyncWriteExt as _};

    use tor_rtmock::{MockRuntime, io::stream_pair};

    use super::*;

    // Make sure that HeaderMap is case-insensitive as the documentation implies.

    #[test]

    fn headermap_casei() {

        use http::header::{HeaderMap, HeaderValue};

        let mut hm = HeaderMap::new();

        hm.append(

            "my-head-is-a-house-for",

            HeaderValue::from_str("a-secret").unwrap(),

        );

        assert_eq!(

            hm.get("My-Head-Is-A-House-For").unwrap().as_bytes(),

            b"a-secret"

        );

        assert_eq!(

            hm.get("MY-HEAD-IS-A-HOUSE-FOR").unwrap().as_bytes(),

            b"a-secret"

        );

    }

    #[test]

    fn host_header_localhost() {

        assert_eq!(host_is_localhost("localhost"), true);

        assert_eq!(host_is_localhost("localhost:9999"), true);

        assert_eq!(host_is_localhost("localHOSt:9999"), true);

        assert_eq!(host_is_localhost("127.0.0.1:9999"), true);

        assert_eq!(host_is_localhost("[::1]:9999"), true);

        assert_eq!(host_is_localhost("127.1.2.3:1234"), true);

        assert_eq!(host_is_localhost("127.0.0.1"), true);

        assert_eq!(host_is_localhost("::1"), true);

        assert_eq!(host_is_localhost("[::1]"), false); // not in the right format!

        assert_eq!(host_is_localhost("www.torproject.org"), false);

        assert_eq!(host_is_localhost("www.torproject.org:1234"), false);

        assert_eq!(host_is_localhost("localhost:0"), false);

        assert_eq!(host_is_localhost("localhost:999999"), false);

        assert_eq!(host_is_localhost("plocalhost:1234"), false);

        assert_eq!(host_is_localhost("[::0]:1234"), false);

        assert_eq!(host_is_localhost("192.0.2.55:1234"), false);

        assert_eq!(host_is_localhost("3fff::1"), false);

        assert_eq!(host_is_localhost("[3fff::1]:1234"), false);

    }

    fn interactive_test_setup(

        rt: &MockRuntime,

    ) -> anyhow::Result<(

        tor_rtmock::io::LocalStream,

        impl Future<Output = anyhow::Result<()>>,

        tempfile::TempDir,

    )> {

        let (s1, s2) = stream_pair();

        let s1: BufReader<_> = BufReader::new(s1);

        let iso: ListenerIsolation = (7, "127.0.0.1".parse().unwrap());

        let dir = tempfile::TempDir::new().unwrap();

        let cfg = TorClientConfigBuilder::from_directories(

            dir.as_ref().join("state"),

            dir.as_ref().join("cache"),

        )

        .build()

        .unwrap();

        let tor_client = TorClient::with_runtime(rt.clone())

            .config(cfg)

            .bootstrap_behavior(BootstrapBehavior::Manual)

            .create_unbootstrapped()?;

        let context: ProxyContext<_> = ProxyContext {

            tor_client,

            #[cfg(feature = "rpc")]

            rpc_mgr: None,

        };

        let handle = rt.spawn_join("HTTP Handler", handle_http_conn(context, s1, iso));

        Ok((s2, handle, dir))

    }

    #[test]

    fn successful_options_test() -> anyhow::Result<()> {

        // Try an OPTIONS request and make sure we get a plausible-looking answer.

        //

        // (This test is mostly here to make sure that invalid_host_test() isn't failing because

        // of anything besides the Host header.)

        MockRuntime::try_test_with_various(async |rt| -> anyhow::Result<()> {

            let (mut s, join, _dir) = interactive_test_setup(&rt)?;

            s.write_all(b"OPTIONS * HTTP/1.0\r\nHost: localhost\r\n\r\n")

                .await?;

            let mut buf = Vec::new();

            let _n_read = s.read_to_end(&mut buf).await?;

            let () = join.await?;

            let reply = std::str::from_utf8(&buf)?;

            assert!(dbg!(reply).starts_with("HTTP/1.0 200 OK\r\n"));

            Ok(())

        })

    }

    #[test]

    fn invalid_host_test() -> anyhow::Result<()> {

        // Try a hostname that looks like a CSRF attempt and make sure that we discard it without

        // any reply.

        MockRuntime::try_test_with_various(async |rt| -> anyhow::Result<()> {

            let (mut s, join, _dir) = interactive_test_setup(&rt)?;

            s.write_all(b"OPTIONS * HTTP/1.0\r\nHost: csrf.example.com\r\n\r\n")

                .await?;

            let mut buf = Vec::new();

            let n_read = s.read_to_end(&mut buf).await?;

            let http_outcome = join.await;

            assert_eq!(n_read, 0);

            assert!(buf.is_empty());

            assert!(http_outcome.is_err());

            let error_msg = http_outcome.unwrap_err().source().unwrap().to_string();

            assert_eq!(

                error_msg,

                r#"Host header "csrf.example.com" was not localhost. Rejecting request."#

            );

            Ok(())

        })

    }

}