Merge branch 'main' into peg/attestation-type-detection

* main:
  Rm logging
  Typo
  Update readme
  Write to standard output regardless of binary or text response
  Rm unused import
  Rm logging
  Attested get and static file server CLI commands
  Add attested get
  Error handling
  Add simple static file server
  The option `--log-debug` should only enable debug logging for this crate

Author: ameba23

Cargo.lock

@@ -9,7 +9,9 @@ license = "MIT"
 
 [dependencies]
 tokio = { version = "1.48.0", features = ["full"] }
-tokio-rustls = { version = "0.26.4", default-features = false, features = ["ring"] }
+tokio-rustls = { version = "0.26.4", default-features = false, features = [
+  "ring",
+] }
 sha2 = "0.10.9"
 x509-parser = "0.18.0"
 thiserror = "2.0.17"
@@ -31,7 +33,9 @@ http = "1.3.1"
 serde_json = "1.0.145"
 serde = "1.0.228"
 base64 = "0.22.1"
-reqwest = { version = "0.12.23", default-features = false, features = ["rustls-tls-webpki-roots-no-provider"] }
+reqwest = { version = "0.12.23", default-features = false, features = [
+  "rustls-tls-webpki-roots-no-provider",
+] }
 tracing = "0.1.41"
 tracing-subscriber = { version = "0.3.20", features = ["env-filter", "json"] }
 parity-scale-codec = "3.7.5"
@@ -42,10 +46,12 @@ num-bigint = "0.4.6"
 webpki = { package = "rustls-webpki", version = "0.103.8" }
 time = "0.3.44"
 once_cell = "1.21.3"
+axum = "0.8.6"
+tower-http = { version = "0.6.7", features = ["fs"] }
 
 [dev-dependencies]
 rcgen = "0.14.5"
-axum = "0.8.6"
+tempfile = "3.23.0"
 
 [features]
 default = ["azure"]

Cargo.toml

@@ -93,6 +93,7 @@ Header value: an attestation type given as a string as described below.
 
 These are the attestation type names used in the HTTP headers, and the measurements file, and when specifying a local attestation type with the `--client-attestation-type` or `--server-attestation-type` command line options.
 
+- `auto` - detect attestation type (used only when specifying the local attestation type as a command-line argument)
 - `none` - No attestation provided
 - `dummy` - Forwards the attestation to a remote service (for testing purposes, not yet supported)
 - `gcp-tdx` - DCAP TDX on Google Cloud Platform
@@ -138,7 +139,13 @@ Following a successful attestation exchange, the client can make HTTP requests u
 
 As described above, the server will inject measurement data into the request headers before forwarding them to the target service, and the client will inject measurement data into the response headers before forwarding them to the source client.
 
-### CLI differences from `cvm-reverse-proxy`
+## Dependencies and feature flags
+
+The `azure` feature, for Microsoft Azure attestation requires [tpm2](https://tpm2-software.github.io) to be installed. On Debian-based systems this is provided by [`libtss2-dev`](https://packages.debian.org/trixie/libtss2-dev), and on nix `tpm2-tss`.
+
+This feature is enabled by default. For non-azure deployments you can compile without this requirement by specifying `--no-default-features`. But note that this is will disable both generation and verification of azure attestations.
+
+## CLI differences from `cvm-reverse-proxy`
 
 This aims to have a similar command line interface to `cvm-reverse-proxy` but there are some differences:
 

README.md

@@ -0,0 +1,126 @@
+use crate::{AttestationGenerator, AttestationVerifier, ProxyClient, ProxyError};
+use tokio_rustls::rustls::pki_types::CertificateDer;
+
+/// Start a proxy-client, send a single HTTP GET request to the given path and return the
+/// [reqwest::Response]
+pub async fn attested_get(
+    target_addr: String,
+    url_path: &str,
+    attestation_verifier: AttestationVerifier,
+    remote_certificate: Option<CertificateDer<'static>>,
+) -> Result<reqwest::Response, ProxyError> {
+    let proxy_client = ProxyClient::new(
+        None,
+        "127.0.0.1:0".to_string(),
+        target_addr,
+        AttestationGenerator::with_no_attestation(),
+        attestation_verifier,
+        remote_certificate,
+    )
+    .await?;
+
+    attested_get_with_client(proxy_client, url_path).await
+}
+
+/// Given a configured [ProxyClient], make a GET request to the given path and return the
+/// [reqwest::Response]
+async fn attested_get_with_client(
+    proxy_client: ProxyClient,
+    url_path: &str,
+) -> Result<reqwest::Response, ProxyError> {
+    let proxy_client_addr = proxy_client.local_addr().unwrap();
+
+    // Accept a single connection in a separate task
+    tokio::spawn(async move {
+        if let Err(err) = proxy_client.accept().await {
+            tracing::warn!("Atttested get - failed to accept connection: {err}");
+        }
+    });
+
+    // Remove leading '/' if present
+    let url_path = url_path.strip_prefix("/").unwrap_or(url_path);
+
+    // Make a GET request
+    let request = reqwest::Request::new(
+        reqwest::Method::GET,
+        reqwest::Url::parse(&format!("http://{proxy_client_addr}/{url_path}")).unwrap(),
+    );
+    let client = reqwest::Client::new();
+    let response = client.execute(request).await.unwrap();
+    Ok(response)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::{
+        attestation::AttestationType,
+        file_server::static_file_server,
+        test_helpers::{generate_certificate_chain, generate_tls_config},
+        ProxyServer,
+    };
+    use tempfile::tempdir;
+
+    #[tokio::test]
+    async fn test_attested_get() {
+        // Create a temporary directory with a file to serve
+        let dir = tempdir().unwrap();
+        let file_path = dir.path().join("foo.txt");
+        tokio::fs::write(file_path, b"bar").await.unwrap();
+
+        // Start a static file server
+        let target_addr = static_file_server(dir.path().to_path_buf()).await.unwrap();
+
+        // Create TLS configuration
+        let (cert_chain, private_key) = generate_certificate_chain("127.0.0.1".parse().unwrap());
+        let (server_config, client_config) = generate_tls_config(cert_chain.clone(), private_key);
+
+        // Setup a proxy server targetting the static file server
+        let proxy_server = ProxyServer::new_with_tls_config(
+            cert_chain,
+            server_config,
+            "127.0.0.1:0",
+            target_addr,
+            AttestationGenerator::new_not_dummy(AttestationType::DcapTdx).unwrap(),
+            AttestationVerifier::expect_none(),
+        )
+        .await
+        .unwrap();
+
+        let proxy_addr = proxy_server.local_addr().unwrap();
+
+        // Accept a single connction
+        tokio::spawn(async move {
+            proxy_server.accept().await.unwrap();
+        });
+
+        // Setup a proxy client
+        let proxy_client = ProxyClient::new_with_tls_config(
+            client_config,
+            "127.0.0.1:0".to_string(),
+            proxy_addr.to_string(),
+            AttestationGenerator::with_no_attestation(),
+            AttestationVerifier::mock(),
+            None,
+        )
+        .await
+        .unwrap();
+
+        // Make a GET request
+        let response = attested_get_with_client(proxy_client, "foo.txt")
+            .await
+            .unwrap();
+
+        // Check the response
+        let content_type = response
+            .headers()
+            .get(reqwest::header::CONTENT_TYPE)
+            .and_then(|h| h.to_str().ok())
+            .unwrap()
+            .to_string();
+
+        let body = response.bytes().await.unwrap();
+        assert_eq!(content_type, "text/plain");
+        assert_eq!(&body.to_vec(), b"bar");
+    }
+}