feat(sdk)!: allow setting CA cert

[lklimek]

Issue being fixed or feature implemented

To intercept traffic, I use mitmproxy.
However, it doesn't support http/3 without tls, and to work with tls I need to set ca certificate inside SDK.

What was done?

Developers can use SdkBuilder::with_ca_certificate to provide CA certificate to use when verifying DAPI certificates.

Added CA cert to DapiClient and AppliedRequestSettings.

This means that AppliedRequestSettings no longer implements Copy trait.

How Has This Been Tested?

1. Setup local devnet with mitm proxy running with ssl/tls support
2. In packages/rs-sdk/tests/.env set DASH_SDK_PLATFORM_SSL=true but no SSL cert
3. Test using cargo test -p dash-sdk --no-default-features -F network-testing test_data_contract_read_not_found; result: error
4. In packages/rs-sdk/tests/.env set DASH_SDK_PLATFORM_CA_CERT_PATH=/path/to/mitmproxy/cacrt.pem
5. Run the test again using cargo test -p dash-sdk --no-default-features -F network-testing test_data_contract_read_not_found; result: OK

Breaking Changes

AppliedRequestSettings have one additional field that must be filled (can be None).

AppliedRequestSettings no longer implement Copy trait.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
• I have made corresponding changes to the documentation if needed

For repository code-owners and collaborators only

• I have assigned this pull request to a milestone

Summary by CodeRabbit

• New Features

  • Introduced support for specifying a Certificate Authority (CA) certificate in the DAPI client and SDK for improved security in TLS connections.
  • Added methods to set CA certificates in both the DapiClient and SdkBuilder.
  • Enhanced gRPC client capabilities for TLS settings and request configurations.
  • New optional field for specifying the CA certificate path in the SDK configuration.

• Bug Fixes

  • Adjusted timeout settings for specific requests to enhance performance.

• Documentation

  • Updated example configuration to include a path for the CA certificate.

• Tests

  • Enhanced test coverage for data contract fetching operations, including both existing and non-existent contracts.
  • Added logging setup in tests to improve visibility during execution.

[coderabbitai]

Walkthrough

The changes in this pull request enhance the DapiClient, RequestSettings, and SdkBuilder structures by introducing support for Certificate Authority (CA) certificates. A new field for CA certificates is added to these structures, along with methods to set them during initialization. The execute method in DapiClient and the create_channel function in grpc.rs are updated to utilize the CA certificate for secure communications. Additionally, modifications are made to configuration files and tests to support this new functionality.

Changes

File Path	Change Summary
packages/rs-dapi-client/src/dapi_client.rs	Added field ca_certificate: Option<Certificate> and method with_ca_certificate. Updated execute to use CA certificate.
packages/rs-dapi-client/src/request_settings.rs	Added field ca_certificate: Option<Certificate> in AppliedRequestSettings and method with_ca_certificate. Updated finalize.
packages/rs-dapi-client/src/transport/grpc.rs	Updated create_channel to handle CA certificate. Modified RequestSettings for various requests to adjust timeouts and settings.
packages/rs-sdk/src/sdk.rs	Added field ca_certificate: Option<Certificate> in SdkBuilder. Introduced methods with_ca_certificate and with_ca_certificate_file. Updated build method.
packages/rs-sdk/tests/.env.example	Added commented-out configuration option DASH_SDK_PLATFORM_CA_CERT_PATH for CA certificate path.
packages/rs-sdk/tests/fetch/config.rs	Added field platform_ca_cert_path: Option<PathBuf> in Config. Updated setup_api to include CA certificate handling.
packages/rs-sdk/tests/fetch/data_contract.rs	Enhanced test suite for data contracts, including logging setup and various test scenarios.
packages/rs-sdk/Cargo.toml	Added dependency rustls-pemfile = { version = "2.0.0" }. Updated default features from ["mocks", "offline-testing"] to ["mocks", "network-testing"].

Possibly related PRs

• feat(sdk): fix client tls connections #2223: This PR involves modifications to the DapiClient implementation in dapi_client.rs, enhancing error handling within the execute method, which is directly related to the changes made in the main PR regarding the DapiClient structure and methods.
• feat(sdk)!: detect stale nodes #2254: This PR updates the error handling and retry logic in the DapiClient, which is closely related to the changes made in the main PR regarding the DapiClient structure and its methods.
• test(sdk): generate test vectors using testnet #2381: This PR introduces a new configuration setting for the SDK tests and a script for generating a .env file, which enhances the testing capabilities for the SDK. While it does not directly modify the DapiClient, it relates to the overall SDK functionality and testing environment, which may indirectly involve the DapiClient.

Suggested labels

rs-sdk, enhancement

Suggested reviewers

• QuantumExplorer
• shumkov

🐰 In the meadow, bright and free,
A CA cert brings security!
With each request, we hop with glee,
For safe connections, just like tea!
So let us code, and celebrate,
The changes made, oh how great! 🌼

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 383b6cc and a376886.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• packages/rs-sdk/Cargo.toml (1 hunks)
• packages/rs-sdk/tests/.env.example (1 hunks)
• packages/rs-sdk/tests/fetch/config.rs (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• packages/rs-sdk/tests/.env.example
• packages/rs-sdk/tests/fetch/config.rs
• packages/rs-sdk/Cargo.toml

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (5)

packages/rs-dapi-client/src/transport/grpc.rs (1)

25-31: Review the usage of both with_native_roots() and with_webpki_roots()

Using both with_native_roots() and with_webpki_roots() may be redundant, as they both provide root certificates for TLS verification. Consider whether both are necessary or if one suffices for your use case to simplify the TLS configuration.

packages/rs-sdk/src/sdk.rs (2)

784-784: Typo in comment: 'conttact' should be 'contract'

There's a typo in the comment on line 784. Please correct 'conttact' to 'contract' for clarity.

---

Line range hint 916-916: Typo in error message: 'connot' should be 'cannot'

In the error message on line 916, correct 'connot' to 'cannot' for proper spelling.

packages/rs-dapi-client/src/dapi_client.rs (2)

79-80: Consider enhancing field documentation with example usage.

The field documentation is clear but could be more helpful with an example showing how to create a Certificate from PEM data.

-    /// Certificate Authority certificate to use for verifying the server's certificate.
+    /// Certificate Authority certificate to use for verifying the server's certificate.
+    /// 
+    /// # Example
+    /// ```
+    /// use tonic::transport::Certificate;
+    /// 
+    /// let pem = std::fs::read("ca.pem").unwrap();
+    /// let cert = Certificate::from_pem(pem);
+    /// ```

---

Line range hint 1-324: Consider documenting the TLS configuration workflow.

The implementation successfully adds CA certificate support, but consider adding high-level documentation explaining:

1. The TLS configuration workflow
2. How CA certificates are used in the DAPI client
3. Common use cases (e.g., mitmproxy integration)

This would help users understand when and how to use this feature effectively.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between d8eb951 and 6447dae.

📒 Files selected for processing (7)

• packages/rs-dapi-client/src/dapi_client.rs (7 hunks)
• packages/rs-dapi-client/src/request_settings.rs (3 hunks)
• packages/rs-dapi-client/src/transport/grpc.rs (4 hunks)
• packages/rs-sdk/src/sdk.rs (5 hunks)
• packages/rs-sdk/tests/.env.example (1 hunks)
• packages/rs-sdk/tests/fetch/config.rs (2 hunks)
• packages/rs-sdk/tests/fetch/data_contract.rs (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• packages/rs-sdk/tests/.env.example

🔇 Additional comments (19)

packages/rs-dapi-client/src/transport/grpc.rs (4)

11-11: Import added correctly

The import statement for Certificate, ClientTlsConfig, and Uri has been correctly added to support TLS configuration enhancements.

---

38-41: Correctly applied custom CA certificate and domain name

The custom CA certificate and domain name are appropriately set in the TLS configuration, enabling secure connections with specified CA certificates.

---

269-272: Verify the impact of setting retries to 0 and reducing the timeout

Setting retries to 0 and reducing the timeout to 80 seconds for WaitForStateTransitionResultRequest may affect the robustness of this request. Please verify if this change is intentional and aligns with the desired behavior, ensuring it does not negatively impact request reliability.

---

502-504: Clarify the reasoning for setting fields to None

Setting ban_failed_address, connect_timeout, and retries to None for TransactionsWithProofsRequest alters the default behavior of these settings. Please confirm that this change is intentional and verify that it doesn't introduce unintended side effects or affect the request's reliability.

packages/rs-sdk/src/sdk.rs (3)

13-13: Import added for certificate handling

The import statement for Certificate has been correctly added to support CA certificate configuration in the SDK.

---

837-846: CA certificate configuration methods added appropriately

The methods with_ca_certificate and with_ca_certificate_file have been correctly added to SdkBuilder, allowing users to specify a CA certificate directly or via a file.

---

999-1002: Applied CA certificate to DapiClient correctly

The CA certificate is appropriately applied to the DapiClient when building the SDK, ensuring secure connections with the specified certificate.

packages/rs-dapi-client/src/request_settings.rs (4)

3-3: Import added for Certificate handling

The import of Certificate from tonic::transport has been correctly added to support CA certificate functionality in request settings.

---

68-68: Initialized ca_certificate field in AppliedRequestSettings

The ca_certificate field is correctly initialized to None in the finalize method, ensuring a default state when no CA certificate is provided.

---

74-74: Updated AppliedRequestSettings to include ca_certificate

The AppliedRequestSettings struct has been properly updated to include the ca_certificate field. Note that the Copy trait has been removed due to the addition of the Certificate type, which is not Copy.

---

89-92: Added with_ca_certificate method

The with_ca_certificate method allows setting a custom CA certificate in AppliedRequestSettings, enhancing TLS configuration capabilities.

packages/rs-sdk/tests/fetch/data_contract.rs (1)

11-12: Added logging setup to improve test output

The addition of super::common::setup_logs(); enhances the test by enabling detailed logging, which aids in debugging test failures.

packages/rs-sdk/tests/fetch/config.rs (2)

52-54: Extended Config struct to include platform_ca_cert_path

The new optional platform_ca_cert_path field allows specifying a CA certificate path when platform_ssl is enabled, enhancing SSL configuration flexibility.

---

191-195: Conditionally included CA certificate in SDK builder

The code correctly integrates the CA certificate into the SDK builder when platform_ca_cert_path is provided, ensuring secure connections when SSL is enabled.

packages/rs-dapi-client/src/dapi_client.rs (5)

6-6: LGTM!

The Certificate import from tonic transport is correctly added and necessary for the new CA certificate functionality.

---

97-97: LGTM!

The ca_certificate field is correctly initialized to None in the constructor.

---

135-144: LGTM! Settings modification is properly handled.

The CA certificate is correctly applied to the settings when present.

---

101-113: Consider validating the CA certificate.

While the builder pattern implementation is correct, consider adding validation of the certificate to ensure it's properly formatted and valid before storing it.

Let's check if certificate validation is handled elsewhere in the codebase:

 pub fn with_ca_certificate(mut self, ca_cert: Certificate) -> Self {
+    // Attempt to validate the certificate
+    if let Err(e) = ca_cert.validate() {
+        tracing::warn!("Invalid CA certificate provided: {}", e);
+    }
     self.ca_certificate = Some(ca_cert);

     self
 }

---

Line range hint 214-224: Verify transport compatibility with CA certificates.

Ensure that the transport layer properly handles the CA certificate during TLS handshake.

Let's check the transport implementation:

✅ Verification successful

Let me gather more context about the transport implementation and certificate handling:

---

Let me check one more aspect of the TLS configuration implementation:

---

TLS configuration and certificate handling is properly implemented

Based on the code analysis, the transport layer correctly handles TLS certificates through:

• Proper TLS configuration with native and webpki roots
• Explicit CA certificate handling with domain name verification
• Comprehensive error handling for transport and TLS-related issues
• Proper connection pooling with TLS settings

The implementation in packages/rs-dapi-client/src/transport/grpc.rs shows that:

let mut tls_config = ClientTlsConfig::new()
    .with_native_roots()
    .with_webpki_roots()
    .assume_http2(true);

And when custom certificates are provided:

tls_config = tls_config.ca_certificate(cert).domain_name(host);

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for transport TLS configuration
rg -g '!target' -g '*.rs' "tls.*config|transport.*tls|certificate.*tls" -A 5

Length of output: 1266

---

Script:

#!/bin/bash
# Search for transport and certificate related code
ast-grep --pattern 'fn $_(transport|certificate|tls|cert)$_($$$) {
  $$$
}'

# Also check for any certificate-related structs or types
rg -g '!target' -g '*.rs' "struct.*Transport|struct.*Certificate|type.*Transport|type.*Certificate" -A 3

Length of output: 4304

---

Script:

#!/bin/bash
# Check for certificate validation and error handling
rg -g '!target' -g '*.rs' "fn.*create_transport|fn.*create_client" -A 10

# Also check for any TLS-related error handling
rg -g '!target' -g '*.rs' "TlsError|CertificateError|TransportError" -A 3

Length of output: 10650

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between c573807 and 34c4776.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (4)

• packages/rs-dapi-client/src/dapi_client.rs (8 hunks)
• packages/rs-dapi-client/src/request_settings.rs (3 hunks)
• packages/rs-sdk/Cargo.toml (1 hunks)
• packages/rs-sdk/src/sdk.rs (5 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/rs-sdk/Cargo.toml

🧰 Additional context used

📓 Learnings (1)

packages/rs-sdk/src/sdk.rs (1)

Learnt from: lklimek
PR: dashpay/platform#1924
File: packages/rs-sdk/src/sdk.rs:855-870
Timestamp: 2024-12-03T15:00:50.385Z
Learning: In `packages/rs-sdk/src/sdk.rs`, remember that `rustls_pemfile::certs` returns an iterator over `Result`, not a `Result` directly. Handle it accordingly in future code reviews.

🔇 Additional comments (8)

packages/rs-dapi-client/src/request_settings.rs (1)

88-94: LGTM! Well-documented builder method

The with_ca_certificate method follows the builder pattern correctly and includes clear documentation explaining its purpose and behavior.

packages/rs-dapi-client/src/dapi_client.rs (3)

80-81: LGTM! Well-documented field addition

The ca_certificate field is properly documented and initialized to None by default.

Also applies to: 98-98

---

102-114: LGTM! Builder method follows best practices

The with_ca_certificate method follows the builder pattern correctly and includes comprehensive documentation.

---

205-208: LGTM! Proper CA certificate propagation

The CA certificate is correctly propagated to the applied settings only when present, addressing the previous concern about certificate override behavior.

packages/rs-sdk/src/sdk.rs (4)

744-746: LGTM! Well-documented field addition

The ca_certificate field is properly documented and initialized to None by default.

Also applies to: 778-778

---

829-837: LGTM! Builder method follows best practices

The with_ca_certificate method follows the builder pattern correctly and includes comprehensive documentation.

---

839-862: LGTM! Proper certificate file validation

The with_ca_certificate_file method correctly validates the certificate file by:

1. Reading the file content
2. Verifying the PEM format using rustls_pemfile
3. Converting to a Certificate instance

The implementation correctly handles the iterator returned by rustls_pemfile::certs, as noted in the previous feedback.

---

991-994: LGTM! Proper CA certificate propagation

The CA certificate is correctly propagated to the DapiClient during build, maintaining the builder pattern's immutability.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

packages/rs-dapi-client/src/dapi_client.rs (2)

80-81: LGTM with documentation enhancement suggestion

The new ca_certificate field is well-defined and properly initialized. Consider enhancing the documentation to include:

• The expected format of the certificate (PEM)
• Any specific requirements or limitations
• Example usage

Also applies to: 98-98

---

102-114: Documentation could be more comprehensive

While the implementation is correct, the documentation could be enhanced with:

• Example usage code
• Notes about the impact on TLS verification
• Whether the certificate needs to be in a specific format
• Error scenarios (if any)

     /// Set CA certificate to use when verifying the server's certificate.
     ///
     /// # Arguments
     ///
     /// * `pem_ca_cert` - CA certificate in PEM format.
     ///
     /// # Returns
     /// [DapiClient] with CA certificate set.
+    ///
+    /// # Example
+    /// ```
+    /// # use std::fs;
+    /// # use dapi_grpc::tonic::transport::Certificate;
+    /// let ca_cert = Certificate::from_pem(fs::read("ca.pem")?);
+    /// let client = DapiClient::new(address_list, settings)
+    ///     .with_ca_certificate(ca_cert);
+    /// ```
+    ///
+    /// # Notes
+    /// - The certificate must be in PEM format
+    /// - This certificate will be used to verify the server's certificate during TLS handshake

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 57c9548 and 26ee053.

📒 Files selected for processing (1)

• packages/rs-dapi-client/src/dapi_client.rs (9 hunks)

🔇 Additional comments (3)

packages/rs-dapi-client/src/dapi_client.rs (3)

6-6: LGTM: Import for Certificate type

The addition of the Certificate import from tonic transport is appropriate for the new CA certificate functionality.

---

203-204: LGTM: Proper handling of settings and CA certificate

The changes appropriately:

• Chain the CA certificate configuration after settings finalization
• Address the previous review comment about shadowing by using references
• Maintain consistent usage of the settings reference throughout the execute method

Also applies to: 220-222, 237-237, 267-267, 277-277, 306-306

---

203-204: Verify error handling for certificate validation failures

Since this involves TLS certificate validation, we should ensure proper error handling when:

• The CA certificate is invalid
• The server's certificate fails validation
• The certificate chain is incomplete

✅ Verification successful

Certificate validation is properly handled with robust error propagation

The code shows proper certificate validation and error handling:

• Certificate validation errors are propagated through the TransportError type
• Invalid certificates are caught during channel creation and result in connection errors
• TLS configuration properly validates certificates against the provided CA certificate
• Errors are properly logged and propagated up the call stack

The implementation follows Rust best practices for error handling and TLS certificate validation.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for error handling related to certificate validation
rg -A 5 "Certificate|TLS|tls|ssl|SSL" 

# Look for transport error handling specifically
ast-grep --pattern 'match $_ {
  $$$
  Transport($_) => $$$
  $$$
}'

Length of output: 73661

---

Script:

#!/bin/bash
# Search for error handling in the dapi client code
rg -A 5 "Error|error|fail|Fail" packages/rs-dapi-client/src/dapi_client.rs

# Look for certificate validation error handling specifically
ast-grep --pattern 'match $_ {
  $$$
  Err($_) => $$$,
  $$$
}'  packages/rs-dapi-client/src/dapi_client.rs

Length of output: 6748

---

Script:

#!/bin/bash
# Look for certificate validation code and error handling
rg -A 5 "ca_certificate|certificate|Certificate" packages/rs-dapi-client/src/transport/

# Look for error handling in transport layer
rg -A 5 "TransportError|transport_error" packages/rs-dapi-client/src/transport/

Length of output: 5206

The base branch was changed.