1
//! A simple reverse-proxy implementation for onion services.
2

            
3
use futures::io::BufReader;
4
use futures::{
5
    AsyncRead, AsyncWrite, Future, FutureExt as _, Stream, StreamExt as _, select_biased,
6
};
7
use itertools::iproduct;
8
use oneshot_fused_workaround as oneshot;
9
use safelog::sensitive as sv;
10
use std::collections::HashMap;
11
use std::io::Error as IoError;
12
use std::sync::{Arc, Mutex};
13
use strum::IntoEnumIterator;
14
use tor_cell::relaycell::msg as relaymsg;
15
use tor_error::{ErrorKind, HasKind, debug_report};
16
use tor_hsservice::{HsNickname, RendRequest, StreamRequest};
17
use tor_log_ratelim::log_ratelim;
18
use tor_proto::client::stream::DataStream;
19
use tor_proto::stream::IncomingStreamRequest;
20
use tor_rtcompat::{Runtime, SpawnExt as _};
21

            
22
use crate::config::{
23
    Encapsulation, ProxyAction, ProxyActionDiscriminants, ProxyConfig, TargetAddr,
24
};
25

            
26
/// A reverse proxy that handles connections from an `OnionService` by routing
27
/// them to local addresses.
28
#[derive(Debug)]
29
pub struct OnionServiceReverseProxy {
30
    /// Mutable state held by this reverse proxy.
31
    state: Mutex<State>,
32
}
33

            
34
/// Mutable part of an RProxy
35
#[derive(Debug)]
36
struct State {
37
    /// The current configuration for this reverse proxy.
38
    config: ProxyConfig,
39
    /// A sender that we'll drop when it's time to shut down this proxy.
40
    shutdown_tx: Option<oneshot::Sender<void::Void>>,
41
    /// A receiver that we'll use to monitor for shutdown signals.
42
    shutdown_rx: futures::future::Shared<oneshot::Receiver<void::Void>>,
43
}
44

            
45
/// An error that prevents further progress while processing requests.
46
#[derive(Clone, Debug, thiserror::Error)]
47
#[non_exhaustive]
48
pub enum HandleRequestsError {
49
    /// The runtime says it was unable to spawn a task.
50
    #[error("Unable to spawn a task")]
51
    Spawn(#[source] Arc<futures::task::SpawnError>),
52
}
53

            
54
impl HasKind for HandleRequestsError {
55
    fn kind(&self) -> ErrorKind {
56
        match self {
57
            HandleRequestsError::Spawn(e) => e.kind(),
58
        }
59
    }
60
}
61

            
62
impl OnionServiceReverseProxy {
63
    /// Create a new proxy with a given configuration.
64
    pub fn new(config: ProxyConfig) -> Arc<Self> {
65
        let (shutdown_tx, shutdown_rx) = oneshot::channel();
66
        Arc::new(Self {
67
            state: Mutex::new(State {
68
                config,
69
                shutdown_tx: Some(shutdown_tx),
70
                shutdown_rx: shutdown_rx.shared(),
71
            }),
72
        })
73
    }
74

            
75
    /// Try to change the configuration of this proxy.
76
    ///
77
    /// This change applies only to new connections through the proxy; existing
78
    /// connections are not affected.
79
    pub fn reconfigure(
80
        &self,
81
        config: ProxyConfig,
82
        how: tor_config::Reconfigure,
83
    ) -> Result<(), tor_config::ReconfigureError> {
84
        if how == tor_config::Reconfigure::CheckAllOrNothing {
85
            // Every possible reconfiguration is allowed.
86
            return Ok(());
87
        }
88
        let mut state = self.state.lock().expect("poisoned lock");
89
        state.config = config;
90
        // Note: we don't need to use a postage::watch here, since we just want
91
        // to lock this configuration whenever we get a request.  We could use a
92
        // Mutex<Arc<>> instead, but the performance shouldn't matter.
93
        //
94
        Ok(())
95
    }
96

            
97
    /// Shut down all request-handlers running using with this proxy.
98
    pub fn shutdown(&self) {
99
        let mut state = self.state.lock().expect("poisoned lock");
100
        let _ = state.shutdown_tx.take();
101
    }
102

            
103
    /// Use this proxy to handle a stream of [`RendRequest`]s.
104
    ///
105
    /// The future returned by this function blocks indefinitely, so you may
106
    /// want to spawn a separate task for it.
107
    ///
108
    /// The provided nickname is used for logging.
109
    pub async fn handle_requests<R, S>(
110
        &self,
111
        runtime: R,
112
        nickname: HsNickname,
113
        requests: S,
114
    ) -> Result<(), HandleRequestsError>
115
    where
116
        R: Runtime,
117
        S: Stream<Item = RendRequest> + Unpin,
118
    {
119
        let mut stream_requests = tor_hsservice::handle_rend_requests(requests).fuse();
120
        let mut shutdown_rx = self
121
            .state
122
            .lock()
123
            .expect("poisoned lock")
124
            .shutdown_rx
125
            .clone()
126
            .fuse();
127
        let nickname = Arc::new(nickname);
128

            
129
        /// Which of the three counters for each action
130
        #[cfg(feature = "metrics")]
131
        #[derive(Clone, Copy, Eq, PartialEq, Hash)]
132
        enum CounterSelector {
133
            /// Two counters, one for successes, one for failures
134
            Ret(Result<(), ()>),
135
            /// One counter for the total
136
            Total,
137
        }
138

            
139
        #[cfg(feature = "metrics")]
140
        let metrics_counters = {
141
            use CounterSelector as CS;
142

            
143
            let counters = iproduct!(
144
                ProxyActionDiscriminants::iter(),
145
                [
146
                    (CS::Total, "arti_hss_proxy_connections_total"),
147
                    (CS::Ret(Ok(())), "arti_hss_proxy_connections_ok_total"),
148
                    (CS::Ret(Err(())), "arti_hss_proxy_connections_failed_total"),
149
                ],
150
            )
151
            .map(|(action, (outcome, name))| {
152
                let k = (action, outcome);
153
                let nickname = nickname.to_string();
154
                let action: &str = action.into();
155
                let v = metrics::counter!(name, "nickname" => nickname, "action" => action);
156
                (k, v)
157
            })
158
            .collect::<HashMap<(ProxyActionDiscriminants, CounterSelector), _>>();
159

            
160
            Arc::new(counters)
161
        };
162

            
163
        loop {
164
            let stream_request = select_biased! {
165
                _ = shutdown_rx => return Ok(()),
166
                stream_request = stream_requests.next() => match stream_request {
167
                    None => return Ok(()),
168
                    Some(s) => s,
169
                }
170
            };
171

            
172
            runtime.spawn({
173
                let action = self.choose_action(stream_request.request());
174
                let runtime = runtime.clone();
175
                let nickname = nickname.clone();
176
                let req = stream_request.request().clone();
177

            
178
                #[cfg(feature = "metrics")]
179
                let metrics_counters = metrics_counters.clone();
180

            
181
                async move {
182
                    let outcome =
183
                        run_action(runtime, nickname.as_ref(), action.clone(), stream_request).await;
184

            
185
                    #[cfg(feature = "metrics")]
186
                    {
187
                        use CounterSelector as CS;
188

            
189
                        let action = ProxyActionDiscriminants::from(&action);
190
                        let outcome = outcome.as_ref().map(|_|()).map_err(|_|());
191
                        for outcome in [CS::Total, CS::Ret(outcome)] {
192
                            if let Some(counter) = metrics_counters.get(&(action, outcome)) {
193
                                counter.increment(1);
194
                            } else {
195
                                // statically be impossible, but let's not panic
196
                            }
197
                        }
198
                    }
199

            
200
                    log_ratelim!(
201
                        "Performing action on {}", nickname;
202
                        outcome;
203
                        Err(_) => WARN, "Unable to take action {:?} for request {:?}", sv(action), sv(req)
204
                    );
205
                }
206
            })
207
                .map_err(|e| HandleRequestsError::Spawn(Arc::new(e)))?;
208
        }
209
    }
210

            
211
    /// Choose the configured action that we should take in response to a
212
    /// [`StreamRequest`], based on our current configuration.
213
    fn choose_action(&self, stream_request: &IncomingStreamRequest) -> ProxyAction {
214
        let port: u16 = match stream_request {
215
            IncomingStreamRequest::Begin(begin) => {
216
                // The C tor implementation deliberately ignores the address and
217
                // flags on the BEGIN message, so we do too.
218
                begin.port()
219
            }
220
            other => {
221
                tracing::warn!(
222
                    "Rejecting onion service request for invalid command {:?}. Internal error.",
223
                    other
224
                );
225
                return ProxyAction::DestroyCircuit;
226
            }
227
        };
228

            
229
        self.state
230
            .lock()
231
            .expect("poisoned lock")
232
            .config
233
            .resolve_port_for_begin(port)
234
            .cloned()
235
            // The default action is "destroy the circuit."
236
            .unwrap_or(ProxyAction::DestroyCircuit)
237
    }
238
}
239

            
240
/// Take the configured action from `action` on the incoming request `request`.
241
async fn run_action<R: Runtime>(
242
    runtime: R,
243
    nickname: &HsNickname,
244
    action: ProxyAction,
245
    request: StreamRequest,
246
) -> Result<(), RequestFailed> {
247
    match action {
248
        ProxyAction::DestroyCircuit => {
249
            request
250
                .shutdown_circuit()
251
                .map_err(RequestFailed::CantDestroy)?;
252
        }
253
        ProxyAction::Forward(encap, target) => match (encap, target) {
254
            (Encapsulation::Simple, ref addr @ TargetAddr::Inet(a)) => {
255
                let rt_clone = runtime.clone();
256

            
257
                // We don't use any custom options on the socket.
258
                let connect_options = Default::default();
259
                let stream = runtime.connect(&a, &connect_options);
260

            
261
                forward_connection(rt_clone, request, stream, nickname, addr).await?;
262
            }
263
            // TODO: we need more tests for Unix Socket support
264
            // I will open a issue or just finish it in this MR
265
            // (UnixTests)
266
            #[cfg(unix)]
267
            (Encapsulation::Simple, TargetAddr::Unix(unix_addr)) => {
268
                let rt_clone = runtime.clone();
269
                // We don't use any custom options on the unix socket.
270
                let connect_options = Default::default();
271
                let unix_addr_clone = unix_addr.clone();
272
                let stream = runtime.connect(&unix_addr_clone, &connect_options);
273
                forward_connection(
274
                    rt_clone,
275
                    request,
276
                    stream,
277
                    nickname,
278
                    &TargetAddr::Unix(unix_addr),
279
                )
280
                .await?;
281
            }
282
        },
283
        ProxyAction::RejectStream => {
284
            // C tor sends DONE in this case, so we do too.
285
            let end = relaymsg::End::new_with_reason(relaymsg::EndReason::DONE);
286

            
287
            request
288
                .reject(end)
289
                .await
290
                .map_err(RequestFailed::CantReject)?;
291
        }
292
        ProxyAction::IgnoreStream => drop(request),
293
    };
294
    Ok(())
295
}
296

            
297
/// An error from a single attempt to handle an onion service request.
298
#[derive(thiserror::Error, Debug, Clone)]
299
enum RequestFailed {
300
    /// Encountered an error trying to destroy a circuit.
301
    #[error("Unable to destroy onion service circuit")]
302
    CantDestroy(#[source] tor_error::Bug),
303

            
304
    /// Encountered an error trying to reject a single stream request.
305
    #[error("Unable to reject onion service request")]
306
    CantReject(#[source] tor_hsservice::ClientError),
307

            
308
    /// Encountered an error trying to tell the remote onion service client that
309
    /// we have accepted their connection.
310
    #[error("Unable to accept onion service connection")]
311
    AcceptRemote(#[source] tor_hsservice::ClientError),
312

            
313
    /// The runtime refused to spawn a task for us.
314
    #[error("Unable to spawn task")]
315
    Spawn(#[source] Arc<futures::task::SpawnError>),
316
}
317

            
318
impl HasKind for RequestFailed {
319
    fn kind(&self) -> ErrorKind {
320
        match self {
321
            RequestFailed::CantDestroy(e) => e.kind(),
322
            RequestFailed::CantReject(e) => e.kind(),
323
            RequestFailed::AcceptRemote(e) => e.kind(),
324
            RequestFailed::Spawn(e) => e.kind(),
325
        }
326
    }
327
}
328

            
329
/// Size of buffer to use for communication between Arti and the
330
/// target service.
331
//
332
// This particular value is chosen more or less arbitrarily.
333
// Larger values let us do fewer reads from the application,
334
// but consume more memory.
335
//
336
// (The default value for BufReader is 8k as of this writing.)
337
const STREAM_BUF_LEN: usize = 4096;
338

            
339
/// Try to open a connection to an appropriate local target using
340
/// `target_stream_future`.  If successful, try to report success on `request`
341
/// and transmit data between the two stream indefinitely.  On failure, close
342
/// `request`.
343
///
344
/// Only return an error if we were unable to behave as intended due to a
345
/// problem we did not already report.
346
async fn forward_connection<R, FUT, TS>(
347
    runtime: R,
348
    request: StreamRequest,
349
    target_stream_future: FUT,
350
    nickname: &HsNickname,
351
    addr: &TargetAddr,
352
) -> Result<(), RequestFailed>
353
where
354
    R: Runtime,
355
    FUT: Future<Output = Result<TS, IoError>>,
356
    TS: AsyncRead + AsyncWrite + Send + 'static,
357
{
358
    let local_stream = target_stream_future.await.map_err(Arc::new);
359

            
360
    // TODO: change this to "log_ratelim!(nickname=%nickname, ..." when log_ratelim can do that
361
    // (we should search for HSS log messages and make them all be in the same form)
362
    log_ratelim!(
363
        "Connecting to {} for onion service {}", sv(addr), nickname;
364
        local_stream
365
    );
366

            
367
    let local_stream = match local_stream {
368
        Ok(s) => s,
369
        Err(_) => {
370
            let end = relaymsg::End::new_with_reason(relaymsg::EndReason::DONE);
371
            if let Err(e_rejecting) = request.reject(end).await {
372
                debug_report!(
373
                    &e_rejecting,
374
                    "Unable to reject onion service request from client"
375
                );
376
                return Err(RequestFailed::CantReject(e_rejecting));
377
            }
378
            // We reported the (rate-limited) error from local_stream in
379
            // DEBUG_REPORT above.
380
            return Ok(());
381
        }
382
    };
383

            
384
    let onion_service_stream: DataStream = {
385
        let connected = relaymsg::Connected::new_empty();
386
        request
387
            .accept(connected)
388
            .await
389
            .map_err(RequestFailed::AcceptRemote)?
390
    };
391

            
392
    let onion_service_stream = BufReader::with_capacity(STREAM_BUF_LEN, onion_service_stream);
393
    let local_stream = BufReader::with_capacity(STREAM_BUF_LEN, local_stream);
394

            
395
    runtime
396
        .spawn(
397
            futures_copy::copy_buf_bidirectional(
398
                onion_service_stream,
399
                local_stream,
400
                futures_copy::eof::Close,
401
                futures_copy::eof::Close,
402
            )
403
            .map(|_| ()),
404
        )
405
        .map_err(|e| RequestFailed::Spawn(Arc::new(e)))?;
406

            
407
    Ok(())
408
}