From 21d282e30790f2ba740fd9da090734ca1f54db47 Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Fri, 9 Feb 2024 17:22:11 -0500
Subject: [PATCH] Add Rust scaffolding

This adds all the various configuration and tooling to have a proxy written in Rust, some of which is copied from SecureDrop server.
---
 .cargo/audit.toml | 13 +++++++++++++
 .github/workflows/cargo-vet.yml | 26 ++++++++++++++++++++++++++
 .github/workflows/ci.yml | 15 +++++++++++++++
 .github/workflows/security.yml | 16 ++++++++++++++++
 Cargo.lock | 7 +++++++
 Cargo.toml | 5 +++++
 Makefile | 9 +++++++++
 proxy/Cargo.toml | 8 ++++++++
 proxy/src/main.rs | 5 +++++
 rust-toolchain.toml | 2 ++
 rustfmt.toml | 1 +
 supply-chain/audits.toml | 4 ++++
 supply-chain/config.toml | 26 ++++++++++++++++++++++++++
 supply-chain/imports.lock | 14 ++++++++++++++
 14 files changed, 151 insertions(+)
 create mode 100644 .cargo/audit.toml
 create mode 100644 .github/workflows/cargo-vet.yml
 create mode 100644 .github/workflows/security.yml
 create mode 100644 Cargo.lock
 create mode 100644 Cargo.toml
 create mode 100644 proxy/Cargo.toml
 create mode 100644 proxy/src/main.rs
 create mode 100644 rust-toolchain.toml
 create mode 100644 rustfmt.toml
 create mode 100644 supply-chain/audits.toml
 create mode 100644 supply-chain/config.toml
 create mode 100644 supply-chain/imports.lock

diff --git a/.cargo/audit.toml b/.cargo/audit.toml
new file mode 100644
index 000000000..8d3a93f2b
--- /dev/null
+++ b/.cargo/audit.toml
@@ -0,0 +1,13 @@
+[advisories]
+# advisory IDs to ignore e.g. ["RUSTSEC-2019-0001", ...]
+ignore = []
+
+# Output Configuration
+[output]
+deny = ["warnings"]
+quiet = false
+
+# Target Configuration
+[target]
+arch = "x86_64" # Ignore advisories for CPU architectures other than this one
+os = "linux" # Ignore advisories for operating systems other than this one
diff --git a/.github/workflows/cargo-vet.yml b/.github/workflows/cargo-vet.yml
new file mode 100644
index 000000000..49626a3a1
--- /dev/null
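Review bot: The `[target]` table makes cargo-audit suppress every advisory tagged for an architecture other than x86_64 or an OS other than Linux, so the filter narrows coverage rather than only reducing noise. That is presumably fine while the proxy is built solely for x86_64 Linux, but nothing next to the filter records that assumption. I would add above `[target]`: `# The proxy is only built and deployed on x86_64 Linux; widen or drop these filters if another target is ever added.` A similar line above `ignore = []` asking that each entry carry the advisory ID, a reason and a review date would keep that list from silently growing.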
+++ b/.github/workflows/cargo-vet.yml
@@ -0,0 +1,26 @@
+# Roughly based off of https://mozilla.github.io/cargo-vet/configuring-ci.html
+
+name: cargo vet
+
+on: [push, pull_request]
+
+jobs:
+  cargo-vet:
+    name: Vet Dependencies
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.74.1
+    env:
+      CARGO_VET_VERSION: 0.9.0
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/cache@v2
+        id: cache-vet
+        with:
+          path: /usr/local/cargo/bin/cargo-vet
+          key: cargo-vet-${{ env.CARGO_VET_VERSION }}
+      - name: Install the cargo-vet binary, if needed
+        if: ${{ steps.cache-vet.outputs.cache-hit != 'true' }}
+        run: cargo install --version ${{ env.CARGO_VET_VERSION }} cargo-vet
+      - name: Invoke cargo-vet
+        run: cargo vet --locked
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8c4b2cc38..ea75e90e0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -64,3 +64,18 @@ jobs:
           poetry install
           poetry update safety
           make safety
+
+  rust:
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.74.1
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: |
+          rustup component add rustfmt
+          rustup component add clippy
+      - name: Lint and test Rust code
+        run: |
+          make rust-lint
+          make rust-test
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 000000000..d805ebc6a
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,16 @@
+name: Security (cron)
+on:
+  schedule:
+    - cron: '0 3 * * *'
+
+jobs:
+  rust-audit:
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.74.1
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check Rust dependencies
+        run: |
+          cargo install cargo-audit
+          cargo audit
diff --git a/Cargo.lock b/Cargo.lock
new file mode 100644
index 000000000..af3bb1ddc
--- /dev/null
+++ b/Cargo.lock
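Review bot: The `actions/cache@v2` step is two major versions behind the `actions/checkout@v4` used directly above it, and every action in this patch is pinned only by a mutable tag (`@v4` here, `@v3` in security.yml), which for a workflow whose purpose is supply-chain vetting is the weakest link: a tag can be re-pointed at different code. Pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/cache@<commit-sha> # v4`, and use the same checkout version in ci.yml and security.yml. The cache key `cargo-vet-${{ env.CARGO_VET_VERSION }}` does not include the toolchain, which is fine only while `container: rust:1.74.1` stays a fixed tag.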
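Review bot: `cargo install cargo-audit` in the `run:` block of `rust-audit` fetches and builds whatever the newest cargo-audit release is on every nightly run, so the audit job has an unpinned dependency of its own, unlike the cargo-vet workflow in this patch which pins `CARGO_VET_VERSION`. Pin it the same way, `cargo install --locked --version <pinned-version> cargo-audit`, so a bad or compromised release cannot break or quietly change the nightly audit, and bump the version deliberately. Because the step is an unconditional install, the pinned binary is also a candidate for the same `actions/cache` pattern used in cargo-vet.yml.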
@@ -0,0 +1,7 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 3
+
+[[package]]
+name = "securedrop-proxy"
+version = "0.1.0"
diff --git a/Cargo.toml b/Cargo.toml
new file mode 100644
index 000000000..a45ea05dc
--- /dev/null
+++ b/Cargo.toml
@@ -0,0 +1,5 @@
+[workspace]
+members = [
+    "proxy"
+]
+resolver = "2"
diff --git a/Makefile b/Makefile
index 6706e758b..e68664145 100644
--- a/Makefile
+++ b/Makefile
@@ -24,6 +24,15 @@ safety: ## Run safety dependency checks on build dependencies
 		--ignore 62044 \
 		-r
 
+.PHONY: rust-lint
+rust-lint: ## Lint Rust code
+	cargo fmt --check
+	cargo clippy
+
+.PHONY: rust-test
+rust-test: ## Run Rust tests
+	cargo test
+
 # Explanation of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" and any make targets that might appear between : and ##
 # 2. Use sed-like syntax to remove the make targets
diff --git a/proxy/Cargo.toml b/proxy/Cargo.toml
new file mode 100644
index 000000000..e53e6e48a
--- /dev/null
+++ b/proxy/Cargo.toml
@@ -0,0 +1,8 @@
+[package]
+name = "securedrop-proxy"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
diff --git a/proxy/src/main.rs b/proxy/src/main.rs
new file mode 100644
index 000000000..148d5204f
--- /dev/null
+++ b/proxy/src/main.rs
@@ -0,0 +1,5 @@
+#![deny(clippy::all)]
+
+fn main() {
+    println!("Hello, world!");
+}
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
new file mode 100644
index 000000000..27ae62c5b
--- /dev/null
+++ b/rust-toolchain.toml
@@ -0,0 +1,2 @@
+[toolchain]
+channel = "1.74.1"
diff --git a/rustfmt.toml b/rustfmt.toml
new file mode 100644
index 000000000..df99c6919
--- /dev/null
+++ b/rustfmt.toml
@@ -0,0 +1 @@
+max_width = 80
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
new file mode 100644
index 000000000..2772ccb21
--- /dev/null
+++ b/supply-chain/audits.toml
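Review bot: `cargo clippy` and `cargo test` in the new `rust-lint` and `rust-test` recipes run without `--locked`, so in CI a `Cargo.lock` that has drifted from `Cargo.toml` is quietly re-resolved against crates.io instead of failing, which is exactly the drift the `cargo vet --locked` job is there to catch. Use `cargo clippy --locked --all-targets` and `cargo test --locked` so the committed lockfile is authoritative in CI and test code is linted as well. These targets are what the `rust` job added to ci.yml in this patch invokes.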
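Review bot: The `# See more keys and their definitions at ...` line is the `cargo new` template comment and carries no project information; drop it. Since the toolchain is pinned to 1.74.1, which supports the manifest `[lints]` table, the `#![deny(clippy::all)]` attribute in `proxy/src/main.rs` could instead be stated here as `[lints.clippy]` / `all = "deny"`, so the lint policy lives in the manifest and applies to every target of the crate rather than only to the binary's crate root. Consider also `rust-version = "1.74.1"` under `[package]` so cargo itself gives a clear error when built with an older toolchain outside this repository's `rust-toolchain.toml`.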
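Review bot: The `[toolchain]` table pins only `channel`, so the `rustfmt` and `clippy` components that `make rust-lint` needs must be installed by hand, which is what the `rustup component add` step in ci.yml does and what every developer checking out the repository has to rediscover. Declaring them here, `components = ["clippy", "rustfmt"]`, makes rustup install them together with the toolchain and lets that ci.yml step go away. The three workflows repeat the version with a `# Keep version in sync with rust-toolchain.toml` comment but nothing enforces it; a small CI step comparing the `channel` value here with the container tag would turn that convention into a failure.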
@@ -0,0 +1,4 @@
+
+# cargo-vet audits file
+
+[audits]
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
new file mode 100644
index 000000000..ab67610e6
--- /dev/null
+++ b/supply-chain/config.toml
@@ -0,0 +1,26 @@
+
+# cargo-vet config file
+
+[cargo-vet]
+version = "0.9"
+
+[imports.bytecode-alliance]
+url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
+
+[imports.google]
+url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
+
+[imports.isrg]
+url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
+
+[imports.mozilla]
+url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
+
+[imports.securedrop]
+url = "https://raw.githubusercontent.com/freedomofpress/securedrop-supply-chain/main/audits.toml"
+
+[imports.zcash]
+url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml"
+
+[policy.securedrop-proxy]
+criteria = "safe-to-run"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
new file mode 100644
index 000000000..916aeb90e
--- /dev/null
+++ b/supply-chain/imports.lock
@@ -0,0 +1,14 @@
+
+# cargo-vet imports lock
+
+[audits.bytecode-alliance.audits]
+
+[audits.google.audits]
+
+[audits.isrg.audits]
+
+[audits.mozilla.audits]
+
+[audits.securedrop.audits]
+
+[audits.zcash.audits]
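Review bot: `[policy.securedrop-proxy]` lowers the criteria for the first-party crate to `safe-to-run`, whereas cargo-vet's default for first-party crates is `safe-to-deploy`; because policy criteria cascade to the crate's dependency tree, every future dependency of the proxy will only need a `safe-to-run` audit, which asserts it is harmless to build and test in CI, not that it is fit to ship. For a component that brokers network traffic in production that is a lower bar than the rest of this setup suggests. If this is a deliberate bootstrap while `audits.toml` is empty, say so above the table, e.g. `# TODO: raise to safe-to-deploy once dependency audits are in place`; otherwise drop the table and keep the default.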