Commit Graph

97 Commits

Author SHA1 Message Date
Sergio Benitez 44ac3f1eb6 Move to 0.6.0-dev on master. 2023-11-18 11:30:50 +01:00
Sergio Benitez 6d467564d6 Update version numbers for 0.5.0. 2023-11-17 17:04:59 +01:00
Sergio Benitez a1c29c735c New version: 0.5.0-rc.4.
New contrib versions: 0.1.0-rc.4.
2023-11-17 17:04:44 +01:00
Sergio Benitez ae68742048 Update dependencies.
* notify: 5 -> 6
  * indexmap: 1 -> 2
  * cookie: 0.18.0-rc.0 -> 0.18
2023-10-09 17:03:21 -07:00
Sergio Benitez 5d31ad4efb Update 'cookie' to 0.18. 2023-09-28 23:50:29 -07:00
Sergio Benitez e3f1b53efa Update 'state' to 0.6. 2023-05-25 11:54:27 -07:00
Sergio Benitez fbb0ace529 Update 'rustls' to 0.21, 'tokio-rustls' to 0.24. 2023-03-31 12:08:45 -07:00
Sergio Benitez 91f6288ea4 New version: 0.5.0-rc.3.
New contrib versions: 0.1.0-rc.3.
2023-03-23 16:56:17 -07:00
Sergio Benitez 0a0f540988 Support TLS keys in SEC1 format. 2023-03-23 14:57:54 -07:00
Sergio Benitez bbbb927ac2 Update dependencies without observable breakages.
The following dependencies were updated:
  * `criterion` from 0.3 to 0.4
  * `deadpool-redis` from 0.10 to 0.11
  * `normpath` from 0.3 to 1
  * `cookie` from 0.16 to 0.17
2023-03-22 13:44:16 -07:00
Konrad Borowski e390423083 Enable 'cookie' 'secure' feature conditionally.
This was incorrectly enabled unconditionally in 442b668.
2022-05-18 17:29:52 -07:00
Sergio Benitez 4dcd92837f New version: 0.5.0-rc.2.
New contrib versions: 0.1.0-rc.2.
2022-05-09 06:32:46 -05:00
Sergio Benitez 54224618b2 Switch to upstream 'tokio-rustls'. 2022-05-04 09:44:26 -07:00
Sergio Benitez 07460df279 Rework TLS listener/connection implementations.
The previous implementation allowed a trivial DoS attack in which the
client need simply maintain open connections with incomplete handshakes.
This commit resolves that by allowing a server worker to progress as
soon as a TCP connection has been established. This comes at the expense
of a more complex implementation necessitated by deficiencies in Hyper.

Potentially resolves #2118.
2022-05-03 13:56:25 -07:00
Sergio Benitez e9d46b917e Fully 'drop()' I/O struct in 'CancellableIo'.
This should improve the reliability of graceful shutdown.
2022-05-03 13:55:43 -07:00
Sergio Benitez b117210ca6 Update 'rustls-pemfile' to 1.0. 2022-04-26 22:09:10 -07:00
Sergio Benitez 810f472524 Update 'uuid' to 1.0. 2022-04-26 22:04:47 -07:00
Konrad Borowski 4d258739f5 Migrate Rocket to Rust 2021 edition. 2022-04-19 18:35:38 -07:00
Edgar Onghena ff7cf68461 Make HTTP/2 optional via 'http2' feature.
Closes #2030.
2022-03-08 15:13:24 -08:00
Sergio Benitez fda05bddd2 Update 'rustls' to 0.20.
Also updates 'tokio-rustls' to a compatible version.

Additionally depends on 'rustls-pemfile' which includes functionality
that was previously part of 'rustls' itself.
2022-02-22 17:30:42 -08:00
Sergio Benitez 502b11c177 Update 'x509-parser' to 0.13. 2022-02-22 13:01:05 -08:00
Sergio Benitez 2f59515752 Update 'x509-parser' to 0.12.
Closes #2100.
2022-02-22 12:51:59 -08:00
arlecchino 1ba41b3990 Remove 'CookieJar::get_private_pending()'.
This commit removes the 'CookieJar::get_private_pending()' method in
favor of the already existing and correct 'CookieJar::get_pending()'
method. Previously, the 'CookieJar::get_private_pending()' method
attempted to decrypt the value of a pending cookie, which in reality is
plaintext, thus failing. Because the pending value is plaintext, the
'CookieJar::get_pending()' method suffices.

Documentation has been updated to refer to 'CookieJar::get_pending()'.

Fixes #2063.
2022-02-17 11:04:30 -08:00
arlecchino 442b668a7a Update 'cookie' to '0.16'. 2022-02-17 10:57:37 -08:00
Sergio Benitez 3616f25c0b Update 'time' to 0.3, 'cookie' to 0.16.
Also reexport 'time' from the crate root.
2021-08-19 19:49:23 -07:00
Sergio Benitez 6d2059f9eb Remove unused 'mime' dependency. 2021-08-19 19:49:23 -07:00
Sergio Benitez 1a8574e491 Remove unused 'parking_lot' 'http' dependency. 2021-08-19 19:43:34 -07:00
Sergio Benitez bbc36ba27f Initial implementation of mTLS.
Co-authored-by: Howard Su <howard0su@gmail.com>
Co-authored-by: Mikail Bagishov <bagishov.mikail@yandex.ru>
2021-07-09 00:05:20 -07:00
Sergio Benitez b5e3569554 Split TLS module into logical submodules. 2021-07-04 15:25:49 -07:00
Sergio Benitez c028d63e5b New version: 0.5.0-rc.1.
New contrib versions: 0.1.0-rc.1.
2021-06-09 09:52:37 -07:00
Sergio Benitez 6961a717d8 Use crates.io compatible internal package names. 2021-06-09 09:47:21 -07:00
Sergio Benitez 6206a46222 Try to preserve header casing in HTTP/1.1.
Unfortunately, this doesn't actually do anything at the moment due to
what appears to be a bug in hyper.
2021-06-08 23:00:59 -07:00
Sergio Benitez 7595450adc Use published 'state'. 2021-06-07 20:34:27 -07:00
Sergio Benitez 6b4c1b71d7 Update 'tokio' to 1.6.1. 2021-05-29 15:33:15 -07:00
Sergio Benitez 1f1976f8bf Avoid Tokio 1.6 due to tokio-rs/tokio#3803. 2021-05-27 15:25:57 -07:00
Sergio Benitez a78814f1c5 Graduate contrib 'uuid' into core.
This has the following nice benefits:

  * The 'Uuid' wrapper type is gone.
  * 'Uuid' implements 'UriDisplay', 'FromUriParam'.
  * The 'serialization' example merges in 'uuid'.

Resolves #1299.
2021-05-22 11:01:00 -07:00
Sergio Benitez fa3e0334c1 Overhaul URI types, parsers, 'uri!' macro.
This commit entirely rewrites Rocket's URI parsing routines and
overhauls the 'uri!' macro resolving all known issues and removing any
potential limitations for compile-time URI creation. This commit:

  * Introduces a new 'Reference' URI variant for URI-references.
  * Modifies 'Redirect' to accept 'TryFrom<Reference>'.
  * Introduces a new 'Asterisk' URI variant for parity.
  * Allows creation of any URI type from a string literal via 'uri!'.
  * Enables dynamic/static prefixing/suffixing of route URIs in 'uri!'.
  * Unifies 'Segments' and 'QuerySegments' into one generic 'Segments'.
  * Consolidates URI formatting types/traits into a 'uri::fmt' module.
  * Makes APIs more symmetric across URI types.

It also includes the following less-relevant changes:

  * Implements 'FromParam' for a single-segment 'PathBuf'.
  * Adds 'FileName::is_safe()'.
  * No longer reparses upstream request URIs.

Resolves #842.
Resolves #853.
Resolves #998.
2021-05-19 18:47:11 -07:00
Sergio Benitez 4f3511786c Introduce statically-enforced 'Rocket' phasing.
The core 'Rocket' type is parameterized: 'Rocket<P: Phase>', where
'Phase' is a newly introduced, sealed marker trait. The trait is
implemented by three new marker types representing the three launch
phases: 'Build', 'Ignite', and 'Orbit'. Progression through these three
phases, in order, is enforced, as are the invariants guaranteed by each
phase. In particular, an instance of 'Rocket' is guaranteed to be in its
final configuration after the 'Build' phase and represent a running
local or public server in the 'Orbit' phase. The 'Ignite' phase serves
as an intermediate, enabling inspection of a finalized but stationary
instance. Transition between phases validates the invariants required
by the transition.

All APIs have been adjusted appropriately, requiring either an instance
of 'Rocket' in a particular phase ('Rocket<Build>', 'Rocket<Ignite>', or
'Rocket<Orbit>') or operating generically on a 'Rocket<P>'.
Documentation is also updated and substantially improved to mention
required and guaranteed invariants.

Additionally, this commit makes the following relevant changes:

  * 'Rocket::ignite()' is now a public interface.
  * 'Rocket::{build,custom}' methods can no longer panic.
  * 'Launch' fairings are now 'ignite' fairings.
  * 'Liftoff' fairings are always run, even in local mode.
  * All 'ignite' fairings run concurrently at ignition.
  * Launch logging occurs on launch, not any point prior.
  * Launch log messages have improved formatting.
  * A new launch error kind, 'Config', was added.
  * A 'fairing::Result' type alias was introduced.
  * 'Shutdown::shutdown()' is now 'Shutdown::notify()'.

Some internal changes were also introduced:

  * Fairing 'Info' name for 'Templates' is now 'Templating'.
  * Shutdown is implemented using 'tokio::sync::Notify'.
  * 'Client::debug()' is used nearly universally in tests.

Resolves #1154.
Resolves #1136.
2021-04-13 19:26:45 -07:00
Sergio Benitez e157904524 Parse empty bool values as 'true'.
This allows a field 'f: bool' to parse as true for the query '?f'.
2021-04-07 23:09:05 -07:00
Sergio Benitez f254504dc9 Depend on a single revision of 'state'.
Closes #1577.
2021-03-15 02:46:34 -07:00
Sergio Benitez 83ffe0f7bc Remove 'Config::profile()'. CFG 'secret_key' field.
This commit makes the `Config.secret_key` conditionally compile on the
`secrets` feature. The net effect is simplified internal code, fewer
corner-cases, and easier to write tests.

This commit removes the `Provider::profile()` implementation of
`Config`. This means that the `Config` provider no longer sets a
profile, a likely confusing behavior. The `Config::figment()` continues
to function as before.
2021-03-09 21:40:53 -08:00
Sergio Benitez 78e2f8a3c9 Revamp codegen, fixing inconscpicuous bugs.
This commit completely revamps the way that codegen handles route URI
"parameters". The changes are largely internal. In summary, codegen code
is better organized, better written, and less subject to error.

There are three breaking changes:
  * `path` is now `uri` in `route` attribute: `#[route(GET, path = "..")]`
    becomes `#[route(GET, uri = "..")]`.
  * the order of execution for path and query guards relative to
    each-other is now unspecified
  * URI normalization now normalizes the query part as well.

Several error messages were improved. A couple of bugs were fixed:
  * Prior to this commit, Rocket would optimistically try to parse every
    segment of a URI as an ident, in case one was needed in the future.
    A bug in rustc results in codegen "panicking" if the segment
    couldn't _lex_ as an ident. This panic didn't manifest until far
    after expansion, unfortunately. This wasn't a problem before as we
    only allowed ident-like segments (ASCII), but now that we allow any
    UTF-8, the bug surfaced. This was fixed by never attempting to parse
    non-idents as idents.
  * Prior to this commit, it was impossible to generate typed URIs for
    paths that ignored path parameters via the recently added syntax
    `<_>`: the macro would panic. This was fixed by, well, handling
    these ignored parameters.

Some minor additions:
  * Added `RawStr::find()`, expanding its `Pattern`-based API.
  * Added an internal mechanism to dynamically determine if a `UriPart`
    is `Path` or `Query`.
2021-03-04 02:01:25 -08:00
Sergio Benitez 63a14525d8 UTF-8 routes. Forms revamp. Temp files. Capped.
So. Many. Changes.

This is an insane commit: simultaneously one of the best (because of all
the wonderful improvements!) and one of the worst (because it is just
massive) in the project's history.

Routing:
  * All UTF-8 characters are accepted everywhere in route paths. (#998)
  * `path` is now `uri` in `route` attribute: `#[route(GET, path = "..")]`
    becomes `#[route(GET, uri = "..")]`.

Forms Revamp
  * All form related types now reside in a new `form` module.
  * Multipart forms are supported. (resolves #106)
  * Collections are supported in forms and queries. (resolves #205)
  * Nested structures in forms and queries are supported. (resolves #313)
  * Form fields can be ad-hoc validated with `#[field(validate = expr)]`.
  * `FromFormValue` is now `FromFormField`, blanket implements `FromForm`.
  * Form field values are always percent-decoded apriori.

Temporary Files
  * A new `TempFile` data and form guard allows streaming data directly to a
    file which can then be persisted.
  * A new `temp_dir` config parameter specifies where to store `TempFile`.
  * The limits `file` and `file/$ext`, where `$ext` is the file extension,
    determines the data limit for a `TempFile`.

Capped
  * A new `Capped` type is used to indicate when data has been truncated due to
    incoming data limits. It allows checking whether data is complete or
    truncated.
  * `DataStream` methods return `Capped` types.
  * `DataStream` API has been revamped to account for `Capped` types.
  * Several `Capped<T>` types implement `FromData`, `FromForm`.
  * HTTP 413 (Payload Too Large) errors are now returned when data limits are
    exceeded. (resolves #972)

Hierarchical Limits
  * Data limits are now hierarchical, delimited with `/`. A limit of `a/b/c`
    falls back to `a/b` then `a`.

Core
  * `&RawStr` no longer implements `FromParam`.
  * `&str` implements `FromParam`, `FromData`, `FromForm`.
  * `FromTransformedData` was removed.
  * `FromData` gained a lifetime for use with request-local data.
  * The default error HTML is more compact.
  * `&Config` is a request guard.
  * The `DataStream` interface was entirely revamped.
  * `State` is only exported via `rocket::State`.
  * A `request::local_cache!()` macro was added for storing values in
    request-local cache without consideration for type uniqueness by using a
    locally generated anonymous type.
  * `Request::get_param()` is now `Request::param()`.
  * `Request::get_segments()` is now `Request::segments()`, takes a range.
  * `Request::get_query_value()` is now `Request::query_value()`, can parse any
    `FromForm` including sequences.
  * `std::io::Error` implements `Responder` like `Debug<std::io::Error>`.
  * `(Status, R)` where `R: Responder` implements `Responder` by overriding the
    `Status` of `R`.
  * The name of a route is printed first during route matching.
  * `FlashMessage` now only has one lifetime generic.

HTTP
  * `RawStr` implements `serde::{Serialize, Deserialize}`.
  * `RawStr` implements _many_ more methods, in particular, those related to the
    `Pattern` API.
  * `RawStr::from_str()` is now `RawStr::new()`.
  * `RawStr::url_decode()` and `RawStr::url_decode_lossy()` only allocate as
    necessary, return `Cow`.
  * `Status` implements `Default` with `Status::Ok`.
  * `Status` implements `PartialEq`, `Eq`, `Hash`, `PartialOrd`, `Ord`.
  * Authority and origin part of `Absolute` can be modified with new
    `Absolute::{with,set}_authority()`, `Absolute::{with,set}_origin()` methods.
  * `Origin::segments()` was removed in favor of methods split into query and
    path parts and into raw and decoded versions.
  * The `Segments` iterator is smarter, returns decoded `&str` items.
  * `Segments::into_path_buf()` is now `Segments::to_path_buf()`.
  * A new `QuerySegments` is the analogous query segment iterator.
  * Once set, `expires` on private cookies is not overwritten. (resolves #1506)
  * `Origin::path()` and `Origin::query()` return `&RawStr`, not `&str`.

Codegen
  * Preserve more spans in `uri!` macro.
  * Preserve spans `FromForm` field types.
  * All dynamic parameters in a query string must typecheck as `FromForm`.
  * `FromFormValue` derive removed; `FromFormField` added.
  * The `form` `FromForm` and `FromFormField` field attribute is now named
    `field`. `#[form(field = ..)]` is now `#[field(name = ..)]`.

Contrib
  * `Json` implements `FromForm`.
  * `MsgPack` implements `FromForm`.
  * The `json!` macro is exported as `rocket_contrib::json::json!`.
  * Added clarifying docs to `StaticFiles`.

Examples
  * `form_validation` and `form_kitchen_sink` removed in favor of `forms`.
  * The `hello_world` example uses unicode in paths.
  * The `json` example only allocates as necessary.

Internal
  * Codegen uses new `exports` module with the following conventions:
    - Locals starts with `__` and are lowercased.
    - Rocket modules start with `_` and are lowercased.
    - `std` types start with `_` and are titlecased.
    - Rocket types are titlecased.
  * A `header` module was added to `http`, contains header types.
  * `SAFETY` is used as doc-string keyword for `unsafe` related comments.
  * The `Uri` parser no longer recognizes Rocket route URIs.
2021-03-04 01:51:21 -08:00
Jeb Rosen 92af8fca72 Update to 'tokio' 1.0, 'hyper' 0.14. 2021-01-13 15:22:16 -08:00
Brendon Federko cb33429ce4 Enable 'std' 'indexmap' feature. 2021-01-12 14:52:37 -08:00
Sergio Benitez bbfe2ba5cc Point all docs and doc links to 'master' branch. 2020-10-21 04:54:24 -07:00
Sergio Benitez 1fb061496d Revamp configuration.
This commit completely overhauls Rocket's configuration systems, basing
it on the new Figment library. It includes many breaking changes
pertaining to configuration. They are:

  * "Environments" are replaced by "profiles".
  * 'ROCKET_PROFILE' takes the place of 'ROCKET_ENV'.
  * Profile names are now arbitrary, but 'debug' and 'release' are given
    special treatment as default profiles for the debug and release
    compilation profiles.
  * A 'default' profile now sits along-side the meta 'global' profile.
  * The concept of "extras" is no longer present; users can extract any
    values they want from the configured 'Figment'.
  * The 'Poolable' trait takes an '&Config'.
  * The 'secrets' feature is disabled by default.
  * It is a hard error if 'secrets' is enabled under the 'release'
    profile and no 'secret_key' is configured.
  * 'ConfigBuilder' no longer exists: all fields of 'Config' are public
    with public constructors for each type.
  * 'keep_alive' is disabled with '0', not 'false' or 'off'.
  * Inlined error variants into the 'Error' structure.
  * 'LoggingLevel' is now 'LogLevel'.
  * Limits can now be specified in SI units: "1 MiB".

The summary of other changes are:

  * The default config file can be configured with 'ROCKET_CONFIG'.
  * HTTP/1 and HTTP/2 keep-alive configuration is restored.
  * 'ctrlc' is now a recognized config option.
  * 'serde' is now a core dependency.
  * TLS misconfiguration errors are improved.
  * Several example use '_' as the return type of '#[launch]' fns.
  * 'AdHoc::config()' was added for simple config extraction.
  * Added more documentation for using 'Limits'.
  * Launch information is no longer treated specially.
  * The configuration guide was rewritten.

Resolves #852.
Resolves #209.
Closes #1404.
Closes #652.
2020-10-20 19:21:56 -07:00
Sergio Benitez 5cf249581f Add 'const' constructor for 'MediaType'. 2020-10-14 23:54:37 -07:00
Sergio Benitez 5d9035ddc1 Keep an op-log for sync 'CookieJar'.
In brief, this commit:

  * Updates to the latest upstream 'cookie', fixing a memory leak.
  * Make changes to 'CookieJar' observable only through 'pending()'.
  * Deprecates 'Client::new()' in favor of 'Client::tracked()'.
  * Makes 'dispatch()' on tracked 'Client's synchronize on cookies.
  * Makes 'Client::untracked()' actually untracked.

This commit updates to the latest 'cookie' which removes support for
'Sync' cookie jars. Instead of relying on 'cookie', this commit
implements an op-log based 'CookieJar' which internally keeps track of
changes. The API is such that changes are only observable through
specialized '_pending()' methods.
2020-10-14 21:37:16 -07:00
Sergio Benitez adbf1caab2 Migrate to upstream 'uncased'. 2020-09-11 01:13:55 -07:00