git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity
Files
aa5b9932052d82bf8edb604b5df94a4ba75a7f93
linux_patch_api/Cargo.toml
git-echo fe9bdce3c1 feat(crl): add CRL consumption and custom verifier for mTLS revocation enforcement 
Implements agent-side CRL consumption for mTLS certificate revocation
checking, as specified in issue #20.

Changes:
- NEW: src/auth/crl.rs - CRL loading, parsing, signature verification,
  in-memory revoked serial index (HashSet), 24h background refresh task
- MODIFY: src/auth/mtls.rs - CrlAwareVerifier wrapping WebPkiClientVerifier
  with post-chain CRL serial lookup; fails closed on invalid signature,
  degrades gracefully when CRL is missing
- MODIFY: src/auth/mod.rs - Register crl module, re-export CrlState/CrlStatus
- MODIFY: src/config/loader.rs - Add crl_path field to TlsConfig
- MODIFY: src/main.rs - Load CRL on startup, spawn refresh task, wire
  SharedCrlState into server and health endpoint
- MODIFY: src/api/handlers/system.rs - Add crl_status and crl_age_seconds
  to health check response
- MODIFY: Cargo.toml - Add arc-swap, base64 deps; enable x509-parser
  verify feature for CRL signature verification

Design decisions:
- ArcSwap for lock-free atomic CRL state swaps on the hot path
- O(1) serial lookup via HashSet<String> of hex-encoded serials
- Stale CRL = continue serving + warn + health reports degraded
- Invalid CRL signature = refuse to start (fail-closed)
- Missing CRL = fall back to WebPKI-only (backward compatible)

Companion to PR #26 in linux-patch-manager (manager-side CRL generation)

Refs: #20
2026-06-05 13:42:35 -05:00

131 lines
2.7 KiB
TOML
Raw Blame History

[package]
name = "linux-patch-api"
version = "1.2.0"
edition = "2021"
authors = ["Echo <echo@moon-dragon.us>"]
description = "Secure remote package management API for Linux systems"
license = "MIT"
repository = "https://gitea.moon-dragon.us/echo/linux_patch_api"
rust-version = "1.75"
[dependencies]
# Web framework (Actix-web for HTTP API)
actix-web = { version = "4", features = ["rustls-0_23"] }
actix-rt = "2"
actix-web-actors = "4"
actix = "0.13"
actix-tls = { version = "3", features = ["rustls-0_23"] }
# Async runtime
tokio = { version = "1", features = ["full"] }
# TLS/mTLS (rustls for modern TLS 1.3)
rustls = { version = "0.23", features = ["aws_lc_rs"] }
rustls-pemfile = "2"
tokio-rustls = "0.26"
x509-parser = { version = "0.16", features = ["verify"] }
# WebSocket support (actix-web-actors provides WebSocket for Actix-web)
tokio-tungstenite = "0.21"
futures-util = "0.3"
# Serialization
serde = { version = "1", features = ["derive"] }
serde_json = "1"
serde_yaml = "0.9"
# Configuration
config = "0.14"
notify = "6"
# Logging
tracing = "0.1"
tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
tracing-appender = "0.2"
# UUID for request IDs and job IDs
uuid = { version = "1", features = ["v4", "serde"] }
# Time/Date
chrono = { version = "0.4", features = ["serde"] }
time = "0.3"
# Error handling
thiserror = "1"
anyhow = "1"
# Async channels
async-channel = "2"
# Process management (for package operations)
sysinfo = "0.30"
# Network utilities
addr = "0.15"
if-addrs = "0.13"
# HTTP client for enrollment communication
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
# Clap for CLI arguments
clap = { version = "4", features = ["derive", "env"] }
# Systemd integration
systemd = "0.10"
pidlock = "0.2"
# URL parsing
url = "2"
# Socket options (SO_REUSEADDR)
socket2 = { version = "0.5", features = ["all"] }
# File locking for concurrent-safe whitelist modifications
fs2 = "0.4"
# Atomic swapping for CRL state updates without rebuilding ServerConfig
arc-swap = "1"
# Base64 decoding for PEM CRL parsing
base64 = "0.22"
[dev-dependencies]
actix-rt = "2"
tokio-test = "0.4"
wiremock = "0.6"
serial_test = "3"
tempfile = "3"
criterion = { version = "0.5", features = ["html_reports"] }
# Integration tests in subdirectories
[[test]]
name = "enroll_identity"
path = "tests/unit/enroll_identity.rs"
[[test]]
name = "enrollment_test"
path = "tests/integration/enrollment_test.rs"
[[test]]
name = "enrollment_e2e"
path = "tests/e2e/test_enrollment_e2e.rs"
[[bench]]
name = "api_benchmarks"
harness = false
[profile.release]
lto = true
codegen-units = 1
panic = "abort"
strip = true
opt-level = 3
[profile.dev]
opt-level = 0
debug = true
[[bin]]
name = "linux-patch-api"
path = "src/main.rs"
View Git Blame Copy Permalink