fix(client-rust): apply TLS guard to GalaxyClient and add CLI strict flag

Extract the TLS-without-CA guard into a shared `build_tls_config` helper in options.rs so both GatewayClient and GalaxyClient use identical logic. GalaxyClient previously had no guard, so TLS-without-CA produced a cryptic tonic handshake failure; it now returns the same actionable InvalidEndpoint error. The guard message notes that a server-name override affects SNI but does not pin trust. Add --require-certificate-validation to ConnectionArgs in the CLI binary. Add a mirror test for GalaxyClient in tests/tls.rs.
2026-06-01 07:28:16 -04:00
parent 330e665f6b
commit cdfad420bb
5 changed files with 115 additions and 52 deletions
@@ -6,10 +6,8 @@
 //! code should prefer [`GatewayClient::open_session`] and the [`Session`]
 //! handle it returns, rather than the `*_raw` methods.

-use std::fs;
-
 use tonic::codegen::InterceptedService;
-use tonic::transport::{Certificate, Channel, ClientTlsConfig};
+use tonic::transport::Channel;
 use tonic::Request;

 use crate::auth::AuthInterceptor;
@@ -21,7 +19,7 @@ use crate::generated::mxaccess_gateway::v1::{
    OpenSessionReply, OpenSessionRequest, QueryActiveAlarmsRequest, StreamAlarmsRequest,
    StreamEventsRequest,
 };
-use crate::options::ClientOptions;
+use crate::options::{build_tls_config, ClientOptions};
 use crate::session::Session;

 /// Generated gateway client wrapped in the auth interceptor that
@@ -78,38 +76,7 @@ impl GatewayClient {
            })?;
        endpoint = endpoint.connect_timeout(options.connect_timeout());

-        if !options.plaintext() {
-            let mut tls = ClientTlsConfig::new();
-            if let Some(server_name) = options.server_name_override() {
-                tls = tls.domain_name(server_name.to_owned());
-            }
-            if let Some(ca_file) = options.ca_file() {
-                let certificate = fs::read(ca_file).map_err(|source| Error::InvalidEndpoint {
-                    endpoint: options.endpoint().to_owned(),
-                    detail: format!("failed to read CA file {}: {source}", ca_file.display()),
-                })?;
-                tls = tls.ca_certificate(Certificate::from_pem(certificate));
-            } else if !options.require_certificate_validation() {
-                // Lenient-default fallback (Rust pin-only exception): tonic
-                // 0.13's `ClientTlsConfig` builds its rustls verifier inside a
-                // crate-private connector and exposes no hook for a custom
-                // `ServerCertVerifier`, so — unlike the other clients — the
-                // Rust client cannot accept an arbitrary self-signed cert. Pin
-                // the gateway's CA instead, or opt into strict verification
-                // against the system trust roots. We reject here rather than
-                // silently verifying against system roots (which would fail a
-                // self-signed gateway with a confusing handshake error).
-                return Err(Error::InvalidEndpoint {
-                    endpoint: options.endpoint().to_owned(),
-                    detail: "TLS requested without a pinned CA. The Rust client cannot accept an \
-                             arbitrary self-signed certificate (tonic 0.13 exposes no custom \
-                             rustls verifier). Pin the gateway certificate with \
-                             ClientOptions::with_ca_file, or call \
-                             ClientOptions::with_require_certificate_validation(true) to verify \
-                             against the system trust roots."
-                        .to_owned(),
-                });
-            }
+        if let Some(tls) = build_tls_config(&options)? {
            endpoint = endpoint.tls_config(tls)?;
        }