chore: remove unnecessary self sign related functionality in appflowy cloud

src/application.rs

@@ -27,8 +27,6 @@ use aws_sdk_s3::types::{
   BucketInfo, BucketLocationConstraint, BucketType, CreateBucketConfiguration,
 };
 use mailer::config::MailerSetting;
-use openssl::ssl::{SslAcceptor, SslAcceptorBuilder, SslFiletype, SslMethod};
-use openssl::x509::X509;
 use secrecy::{ExposeSecret, Secret};
 use sqlx::{postgres::PgPoolOptions, PgPool};
 use tokio::sync::RwLock;
@@ -72,7 +70,6 @@ use crate::config::config::{
 use crate::mailer::AFCloudMailer;
 use crate::middleware::metrics_mw::MetricsMiddleware;
 use crate::middleware::request_id::RequestIdMiddleware;
-use crate::self_signed::create_self_signed_certificate;
 use crate::state::{AppMetrics, AppState, GoTrueAdmin, UserCache};
 
 pub struct Application {
@@ -119,11 +116,6 @@ pub async fn run_actix_server(
         e
       )
     })?;
-  let pair = get_certificate_and_server_key(&config);
-  let key = pair
-    .as_ref()
-    .map(|(_, server_key)| Key::from(server_key.expose_secret().as_bytes()))
-    .unwrap_or_else(Key::generate);
 
   let storage = state.collab_access_control_storage.clone();
 
@@ -150,7 +142,7 @@ pub async fn run_actix_server(
       .wrap(MetricsMiddleware)
       .wrap(IdentityMiddleware::default())
       .wrap(
-        SessionMiddleware::builder(redis_store.clone(), key.clone())
+        SessionMiddleware::builder(redis_store.clone(), Key::generate())
           .build(),
       )
       .wrap(RequestIdMiddleware)
@@ -178,24 +170,11 @@ pub async fn run_actix_server(
       .app_data(Data::new(state.published_collab_store.clone()))
   });
 
-  server = match pair {
+  server = server.listen(listener)?;
-    None => server.listen(listener)?,
-    Some((certificate, _)) => {
-      server.listen_openssl(listener, make_ssl_acceptor_builder(certificate))?
-    },
-  };
 
   Ok(server.run())
 }
 
-fn get_certificate_and_server_key(config: &Config) -> Option<(Secret<String>, Secret<String>)> {
-  if config.application.use_tls {
-    Some(create_self_signed_certificate().unwrap())
-  } else {
-    None
-  }
-}
-
 pub async fn init_state(config: &Config, rt_cmd_tx: CLCommandSender) -> Result<AppState, Error> {
   // Print the feature flags
 
@@ -523,22 +502,3 @@ async fn get_gotrue_client(setting: &GoTrueSetting) -> Result<gotrue::api::Clien
     .map_err(|e| anyhow::anyhow!("Failed to connect to GoTrue: {}", e));
   Ok(gotrue_client)
 }
-
-fn make_ssl_acceptor_builder(certificate: Secret<String>) -> SslAcceptorBuilder {
-  let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap();
-  let x509_cert = X509::from_pem(certificate.expose_secret().as_bytes()).unwrap();
-  builder.set_certificate(&x509_cert).unwrap();
-  builder
-    .set_private_key_file("./cert/key.pem", SslFiletype::PEM)
-    .unwrap();
-  builder
-    .set_certificate_chain_file("./cert/cert.pem")
-    .unwrap();
-  builder
-    .set_min_proto_version(Some(openssl::ssl::SslVersion::TLS1_2))
-    .unwrap();
-  builder
-    .set_max_proto_version(Some(openssl::ssl::SslVersion::TLS1_3))
-    .unwrap();
-  builder
-}

src/config/config.rs

@@ -97,8 +97,6 @@ impl AppFlowyAISetting {
 pub struct ApplicationSetting {
   pub port: u16,
   pub host: String,
-  pub server_key: Secret<String>,
-  pub use_tls: bool,
 }
 
 #[derive(Clone, Debug)]
@@ -209,10 +207,6 @@ pub fn get_configuration() -> Result<Config, anyhow::Error> {
     application: ApplicationSetting {
       port: get_env_var("APPFLOWY_APPLICATION_PORT", "8000").parse()?,
       host: get_env_var("APPFLOWY_APPLICATION_HOST", "0.0.0.0"),
-      use_tls: get_env_var("APPFLOWY_APPLICATION_USE_TLS", "false")
-        .parse()
-        .context("fail to get APPFLOWY_APPLICATION_USE_TLS")?,
-      server_key: get_env_var("APPFLOWY_APPLICATION_SERVER_KEY", "server_key").into(),
     },
     websocket: WebsocketSetting {
       heartbeat_interval: get_env_var("APPFLOWY_WEBSOCKET_HEARTBEAT_INTERVAL", "6").parse()?,

src/lib.rs

@@ -5,6 +5,5 @@ pub mod config;
 pub mod domain;
 pub mod mailer;
 pub mod middleware;
-mod self_signed;
 pub mod state;
 pub mod telemetry;

src/middleware/encrypt_mw.rs

@@ -1,61 +0,0 @@
-use actix_http::Payload;
-use actix_service::{forward_ready, Service, Transform};
-use actix_web::{dev::ServiceRequest, dev::ServiceResponse, Error};
-use bytes::Bytes;
-use bytes::BytesMut;
-use futures::future::Ready;
-use futures_util::future::{ready, LocalBoxFuture};
-use futures_util::{stream, StreamExt};
-
-pub struct DecryptPayloadMiddleware;
-
-impl<S, B> Transform<S, ServiceRequest> for DecryptPayloadMiddleware
-where
-  S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
-  S::Future: 'static,
-  B: 'static,
-{
-  type Response = ServiceResponse<B>;
-  type Error = Error;
-  type Transform = DecryptPayloadMiddlewareService<S>;
-  type InitError = ();
-  type Future = Ready<Result<Self::Transform, Self::InitError>>;
-
-  fn new_transform(&self, service: S) -> Self::Future {
-    ready(Ok(DecryptPayloadMiddlewareService { service }))
-  }
-}
-
-pub struct DecryptPayloadMiddlewareService<S> {
-  service: S,
-}
-
-impl<S, B> Service<ServiceRequest> for DecryptPayloadMiddlewareService<S>
-where
-  S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
-  S::Future: 'static,
-  B: 'static,
-{
-  type Response = ServiceResponse<B>;
-  type Error = Error;
-  type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;
-
-  forward_ready!(service);
-
-  fn call(&self, req: ServiceRequest) -> Self::Future {
-    let (http_req, mut payload) = req.into_parts();
-    let payload_stream = stream::once(async move {
-      let mut body = BytesMut::new();
-      while let Some(chunk) = payload.next().await {
-        body.extend_from_slice(&chunk?);
-      }
-
-      Ok(Bytes::from(body))
-    });
-
-    let payload = Box::pin(payload_stream);
-    let new_req = ServiceRequest::from_parts(http_req, Payload::Stream { payload });
-    let fut = self.service.call(new_req);
-    Box::pin(fut)
-  }
-}

src/middleware/mod.rs

@@ -1,3 +1,2 @@
-pub mod encrypt_mw;
 pub mod metrics_mw;
 pub mod request_id;

src/self_signed.rs

@@ -1,30 +0,0 @@
-use rcgen::{Certificate, CertificateParams, KeyPair, RcgenError, SanType};
-use secrecy::Secret;
-
-pub const CA_CRT: &str = include_str!("../cert/cert.pem");
-pub const CA_KEY: &str = include_str!("../cert/key.pem");
-
-pub fn create_self_signed_certificate() -> Result<(Secret<String>, Secret<String>), RcgenError> {
-  let key = KeyPair::from_pem(CA_KEY)?;
-  let params = CertificateParams::from_ca_cert_pem(CA_CRT, key)?;
-  let ca_cert = Certificate::from_params(params)?;
-
-  let mut params = CertificateParams::default();
-  params
-    .subject_alt_names
-    .push(SanType::IpAddress("127.0.0.1".parse().unwrap()));
-  params
-    .subject_alt_names
-    .push(SanType::IpAddress("0.0.0.0".parse().unwrap()));
-  params
-    .subject_alt_names
-    .push(SanType::DnsName("localhost".to_string()));
-
-  // Generate a certificate that's valid for:
-  // 1. localhost
-  // 2. 127.0.0.1
-  let gen_cert = Certificate::from_params(params)?;
-  let server_crt = Secret::new(gen_cert.serialize_pem_with_signer(&ca_cert)?);
-  let server_key = Secret::new(gen_cert.serialize_private_key_pem());
-  Ok((server_crt, server_key))
-}