[poc] SSL/TLS for standalone server

Cargo.toml

@@ -66,7 +66,8 @@ lto = "thin"
 
 [profile.dev]
 opt-level = 0
-debug = true
+debug = 1
+#debug = true #FIXME: put this back
 debug-assertions = true
 overflow-checks = true
 lto = false
@@ -129,7 +130,12 @@ arrayvec = "0.7.2"
 async-stream = "0.3.6"
 async-trait = "0.1.68"
 axum = { version = "0.7", features = ["tracing"] }
+axum-server = { version = "0.7.2", features = ["tls-rustls"] }
 axum-extra = { version = "0.9", features = ["typed-header"] }
+#rustls-platform-verifier = "0.5"
+x509-parser = "0.17"
+sha2="0.10.8"
+rustls-native-certs = "0.8"
 backtrace = "0.3.66"
 base64 = "0.21.2"
 bigdecimal = "0.4.7"
@@ -178,8 +184,8 @@ home = "0.5"
 hostname = "^0.3"
 http = "1.0"
 humantime = "2.1.0"
-hyper = "1.0"
-hyper-util = { version = "0.1", features = ["tokio"] }
+hyper = "1.6"
+hyper-util = { version = "0.1.11", features = ["tokio"] }
 imara-diff = "0.1.3"
 indexmap = "2.0.0"
 indicatif = "0.17"
@@ -214,7 +220,12 @@ rand = "0.9"
 rayon = "1.8"
 rayon-core = "1.11.0"
 regex = "1"
-reqwest = { version = "0.12", features = ["stream", "json"] }
+reqwest = { version = "0.12", features = ["stream", "json", "native-tls"] }
+rustls-pemfile = "2.2"
+#rustls = "0.23"
+rustls= { version="0.23", default-features = true, features=[ "ring" ] }
+native-tls = "0.2"  # Explicitly add for Connector::NativeTls
+ring = "0.17"  # explicitly add this for the CryptoProvider, even tho it's included transitively.
 ron = "0.8"
 rusqlite = { version = "0.29.0", features = ["bundled", "column_decltype"] }
 rust_decimal = { version = "1.29.1", features = ["db-tokio-postgres"] }

crates/cli/Cargo.toml

@@ -74,6 +74,12 @@ wasmbin.workspace = true
 wasmtime.workspace = true
 webbrowser.workspace = true
 clap-markdown.workspace = true
+#native-tls = "0.2"
+native-tls.workspace=true
+rustls-pemfile.workspace=true
+x509-parser.workspace=true
+sha2.workspace=true
+#hyper.workspace=true
 
 [target.'cfg(not(target_env = "msvc"))'.dependencies]
 tikv-jemallocator = { workspace = true }

crates/cli/src/api.rs

@@ -8,7 +8,11 @@ use spacetimedb_lib::db::raw_def::v9::RawModuleDefV9;
 use spacetimedb_lib::de::serde::DeserializeWrapper;
 use spacetimedb_lib::Identity;
 
-use crate::util::{AuthHeader, ResponseExt};
+use crate::util::{AuthHeader, ResponseExt,
+map_request_error // fn and macro
+};
+use crate::util;
+use std::path::PathBuf;
 
 static APP_USER_AGENT: &str = concat!(env!("CARGO_PKG_NAME"), "/", env!("CARGO_PKG_VERSION"),);
 
@@ -18,6 +22,11 @@ pub struct Connection {
     pub(crate) database_identity: Identity,
     pub(crate) database: String,
     pub(crate) auth_header: AuthHeader,
+    // FIXME: bad idea to put these next ones here? else pass'em as arg?
+    pub(crate) trust_server_cert_path: Option<PathBuf>,
+    pub(crate) client_cert_path: Option<PathBuf>,
+    pub(crate) client_key_path: Option<PathBuf>,
+    pub(crate) trust_system: bool,
 }
 
 impl Connection {
@@ -34,15 +43,38 @@ impl Connection {
 }
 
 pub fn build_client(con: &Connection) -> Client {
-    let mut builder = Client::builder().user_agent(APP_USER_AGENT);
+    let trust_server_cert_path=con.trust_server_cert_path.as_deref();
+    let client_cert_path=con.client_cert_path.as_deref();
+    let client_key_path=con.client_key_path.as_deref();
+    let trust_system=con.trust_system;
+    //XXX: alternatively make this async and then make new() async, and ensure callers do .await on it
+    let mut builder = tokio::task::block_in_place(|| {
+        tokio::runtime::Handle::current()
+            .block_on(util::configure_tls(
+                    trust_server_cert_path,
+                    client_cert_path,
+                    client_key_path,
+                    trust_system
+                    ))
+    })
+    .unwrap();
+    builder = builder.user_agent(APP_USER_AGENT);
 
     if let Some(auth_header) = con.auth_header.to_header() {
         let headers = http::HeaderMap::from_iter([(header::AUTHORIZATION, auth_header)]);
 
         builder = builder.default_headers(headers);
     }
 
-    builder.build().unwrap()
+    map_request_error!(
+        util::build_client_with_context(builder,
+            trust_server_cert_path,
+            client_cert_path,
+            client_key_path,
+            trust_system,
+        ), con.host, client_cert_path, client_key_path
+    )
+    .unwrap()
 }
 
 pub struct ClientApi {

crates/cli/src/common_args.rs

@@ -1,5 +1,6 @@
 use clap::Arg;
 use clap::ArgAction::SetTrue;
+pub use spacetimedb_lib::{no_trust_system_root_store, trust_system_root_store, trust_server_cert, client_key, client_cert};
 
 pub fn server() -> Arg {
     Arg::new("server")