spin_factor_outbound_networking/runtime_config.rs
/// Spin CLI integration for this runtime config; compiled only when the
/// `spin-cli` feature is enabled.
#[cfg(feature = "spin-cli")]
pub mod spin;
3
4pub use rustls_pki_types::{CertificateDer, PrivateKeyDer};
5
/// Runtime configuration for outbound networking.
///
/// The derived [`Default`] yields an empty `blocked_ip_networks` list,
/// `block_private_networks == false` and no `client_tls_configs` — i.e. no
/// outbound restrictions until an operator configures some.
#[derive(Debug, Default)]
pub struct RuntimeConfig {
    /// IP networks that outbound connections must not reach.
    /// NOTE(review): enforcement is not in this file — confirm where the list
    /// is applied and that it is checked against the resolved address, not
    /// only the hostname.
    pub blocked_ip_networks: Vec<ip_network::IpNetwork>,
    /// If true, non-globally-routable networks are blocked, independently of
    /// `blocked_ip_networks`.
    pub block_private_networks: bool,
    /// TLS client configs, each scoped to a set of components and hosts;
    /// see [`ClientTlsRuntimeConfig`].
    pub client_tls_configs: Vec<ClientTlsRuntimeConfig>,
}
16
/// TLS configuration for one or more component(s) and host(s).
///
/// The [`Default`] impl below enables `use_platform_roots` and leaves every
/// other field empty/false/`None`.
#[derive(Debug)]
pub struct ClientTlsRuntimeConfig {
    /// The component(s) this configuration applies to.
    /// NOTE(review): whether an empty list means "all components" or "none" is
    /// decided by the matching code, not here — confirm before relying on it.
    pub components: Vec<String>,
    /// The host(s) this configuration applies to (same caveat as `components`).
    pub hosts: Vec<String>,
    /// A set of CA certs that should be considered valid roots.
    /// How these combine with `use_platform_roots == true` is not specified
    /// here; only the `use_webpki_roots` interaction is documented below.
    pub root_certificates: Vec<CertificateDer<'static>>,
    /// If true, the operating system's certificate store will be used for
    /// root certificate verification via `rustls-platform-verifier`.
    pub use_platform_roots: bool,
    /// If true, the "standard" CA certs defined by `webpki-roots` crate will be
    /// considered valid roots in addition to `root_certificates`.
    /// Only used when `use_platform_roots` is false.
    pub use_webpki_roots: bool,
    /// A certificate and private key to be used as the client certificate for
    /// "mutual TLS" (mTLS). `None` means no client certificate is presented.
    pub client_cert: Option<ClientCertRuntimeConfig>,
}
37
impl Default for ClientTlsRuntimeConfig {
    /// Empty `components`, `hosts` and `root_certificates`, no client
    /// certificate, and root verification delegated to the platform store
    /// (`use_platform_roots: true`, `use_webpki_roots: false`).
    fn default() -> Self {
        // Trust the operating system's root store unless configured otherwise;
        // the webpki bundle is opt-in and only consulted when platform roots
        // are disabled.
        let platform_roots = true;
        ClientTlsRuntimeConfig {
            use_platform_roots: platform_roots,
            use_webpki_roots: false,
            client_cert: None,
            components: Vec::new(),
            hosts: Vec::new(),
            root_certificates: Vec::new(),
        }
    }
}
51
/// Client certificate and private key presented for mutual TLS (mTLS).
///
/// Referenced from [`ClientTlsRuntimeConfig::client_cert`].
#[derive(Debug)]
pub struct ClientCertRuntimeConfig {
    /// The client certificate chain in DER form (presumably end-entity
    /// certificate first, as rustls expects — confirm at the construction site).
    pub cert_chain: Vec<CertificateDer<'static>>,
    /// The private key for the client certificate, in DER form.
    /// NOTE(review): this struct derives `Debug`, so it relies on
    /// `PrivateKeyDer`'s `Debug` impl eliding the key bytes — confirm before
    /// logging or error-formatting values of this type.
    pub key_der: PrivateKeyDer<'static>,
}