team_repo: Pin "Let's Encrypt" intermediate certificate

Turbo87 · Turbo87 · commit f4ddedf0bd34 · 2024-01-05T11:51:50.000+01:00
https://team-api.infra.rust-lang.org is hosted on GitHub Pages, which uses Let's Encrypt as CA. The certificates for https://team-api.infra.rust-lang.org itself are short-lived and somewhat out of our control, but the intermediate certificate from Let's Encrypt can at least be pinned to reduce the risk of man in the middle attacks.
diff --git a/src/bin/background-worker.rs b/src/bin/background-worker.rs
@@ -78,7 +78,7 @@ fn main() -> anyhow::Result<()> {
 
     let emails = Emails::from_environment(&config);
     let fastly = Fastly::from_environment(client.clone());
-    let team_repo = TeamRepoImpl::new(client);
+    let team_repo = TeamRepoImpl::default();
 
     let connection_pool = r2d2::Pool::builder()
         .max_size(10)
diff --git a/src/certs/lets-encrypt.pem b/src/certs/lets-encrypt.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
diff --git a/src/certs/mod.rs b/src/certs/mod.rs
@@ -0,0 +1 @@
+pub const LETS_ENCRYPT: &[u8] = include_bytes!("./lets-encrypt.pem");
diff --git a/src/lib.rs b/src/lib.rs
@@ -32,6 +32,7 @@ pub mod admin;
 mod app;
 pub mod auth;
 pub mod boot;
+pub mod certs;
 pub mod ci;
 pub mod cloudfront;
 pub mod config;
diff --git a/src/team_repo.rs b/src/team_repo.rs
@@ -5,9 +5,10 @@
 //! purposes. The [TeamRepoImpl] struct is the actual implementation of
 //! the trait.
 
+use crate::certs;
 use async_trait::async_trait;
 use mockall::automock;
-use reqwest::Client;
+use reqwest::{Certificate, Client};
 
 #[automock]
 #[async_trait]
@@ -35,11 +36,28 @@ pub struct TeamRepoImpl {
 }
 
 impl TeamRepoImpl {
-    pub fn new(client: Client) -> Self {
+    fn new(client: Client) -> Self {
         TeamRepoImpl { client }
     }
 }
 
+impl Default for TeamRepoImpl {
+    fn default() -> Self {
+        let client = build_client();
+        TeamRepoImpl::new(client)
+    }
+}
+
+fn build_client() -> Client {
+    let lets_encrypt_cert = Certificate::from_pem(certs::LETS_ENCRYPT).unwrap();
+
+    Client::builder()
+        .tls_built_in_root_certs(false)
+        .add_root_certificate(lets_encrypt_cert)
+        .build()
+        .unwrap()
+}
+
 #[async_trait]
 impl TeamRepo for TeamRepoImpl {
     async fn get_team(&self, name: &str) -> anyhow::Result<Team> {
@@ -48,3 +66,15 @@ impl TeamRepo for TeamRepoImpl {
         Ok(response.json().await?)
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use crate::team_repo::build_client;
+
+    /// This test is here to make sure that the client is built
+    /// correctly without panicking.
+    #[test]
+    fn test_build_client() {
+        let _client = build_client();
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+pub const LETS_ENCRYPT: &[u8] = include_bytes!("./lets-encrypt.pem");`