From efc9a00e9781c9a813e4b5b0adf5d82e63e6b329 Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@debian.org>
Date: Fri, 9 Feb 2024 17:22:11 -0500
Subject: [PATCH] WIP: Add Rust scaffolding

This adds all the various configuration and tooling to have a
proxy written in Rust.
---
 .cargo/audit.toml               | 13 +++++++++++++
 .github/workflows/cargo-vet.yml | 26 ++++++++++++++++++++++++++
 .github/workflows/ci.yml        | 15 +++++++++++++++
 .github/workflows/security.yml  | 16 ++++++++++++++++
 Cargo.lock                      |  7 +++++++
 Cargo.toml                      |  5 +++++
 Makefile                        |  8 ++++++++
 proxy/Cargo.toml                |  8 ++++++++
 proxy/src/main.rs               |  5 +++++
 rust-toolchain.toml             |  2 ++
 rustfmt.toml                    |  1 +
 supply-chain/audits.toml        |  4 ++++
 supply-chain/config.toml        | 26 ++++++++++++++++++++++++++
 supply-chain/imports.lock       | 14 ++++++++++++++
 14 files changed, 150 insertions(+)
 create mode 100644 .cargo/audit.toml
 create mode 100644 .github/workflows/cargo-vet.yml
 create mode 100644 .github/workflows/security.yml
 create mode 100644 Cargo.lock
 create mode 100644 Cargo.toml
 create mode 100644 proxy/Cargo.toml
 create mode 100644 proxy/src/main.rs
 create mode 100644 rust-toolchain.toml
 create mode 100644 rustfmt.toml
 create mode 100644 supply-chain/audits.toml
 create mode 100644 supply-chain/config.toml
 create mode 100644 supply-chain/imports.lock

diff --git a/.cargo/audit.toml b/.cargo/audit.toml
new file mode 100644
index 0000000000..8d3a93f2bc
--- /dev/null
+++ b/.cargo/audit.toml
@@ -0,0 +1,13 @@
+[advisories]
+# advisory IDs to ignore e.g. ["RUSTSEC-2019-0001", ...]
+ignore = []
+
+# Output Configuration
+[output]
+deny = ["warnings"]
+quiet = false
+
+# Target Configuration
+[target]
+arch = "x86_64" # Ignore advisories for CPU architectures other than this one
+os = "linux" # Ignore advisories for operating systems other than this one
diff --git a/.github/workflows/cargo-vet.yml b/.github/workflows/cargo-vet.yml
new file mode 100644
index 0000000000..49626a3a13
--- /dev/null
+++ b/.github/workflows/cargo-vet.yml
@@ -0,0 +1,26 @@
+# Roughly based off of https://mozilla.github.io/cargo-vet/configuring-ci.html
+
+name: cargo vet
+
+on: [push, pull_request]
+
+jobs:
+  cargo-vet:
+    name: Vet Dependencies
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.74.1
+    env:
+      CARGO_VET_VERSION: 0.9.0
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/cache@v2
+      id: cache-vet
+      with:
+        path: /usr/local/cargo/bin/cargo-vet
+        key: cargo-vet-${{ env.CARGO_VET_VERSION }}
+    - name: Install the cargo-vet binary, if needed
+      if: ${{ steps.cache-vet.outputs.cache-hit != 'true' }}
+      run: cargo install --version ${{ env.CARGO_VET_VERSION }} cargo-vet
+    - name: Invoke cargo-vet
+      run: cargo vet --locked
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5a976dec23..b8a2bb5a93 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,3 +21,18 @@ jobs:
       - name: Lint .desktop files
         run: |
           make lint-desktop
+
+  rust:
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.74.1
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: |
+          rustup component add rustfmt
+          rustup component add clippy
+      - name: Lint and test Rust code
+        run: |
+          make rust-lint
+          make rust-test
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000000..d805ebc6a8
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,16 @@
+name: Security (cron)
+on:
+  schedule:
+    - cron: '0 3 * * *'
+
+jobs:
+  rust-audit:
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.74.1
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check Rust dependencies
+        run: |
+          cargo install cargo-audit
+          cargo audit
diff --git a/Cargo.lock b/Cargo.lock
new file mode 100644
index 0000000000..af3bb1ddc8
--- /dev/null
+++ b/Cargo.lock
@@ -0,0 +1,7 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 3
+
+[[package]]
+name = "securedrop-proxy"
+version = "0.1.0"
diff --git a/Cargo.toml b/Cargo.toml
new file mode 100644
index 0000000000..a45ea05dcd
--- /dev/null
+++ b/Cargo.toml
@@ -0,0 +1,5 @@
+[workspace]
+members = [
+    "proxy"
+]
+resolver = "2"
diff --git a/Makefile b/Makefile
index 246675e18a..208607049a 100644
--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,14 @@ lint-desktop: ## Lint .desktop files
 	# See: https://www.freedesktop.org/wiki/Software/desktop-file-utils/
 	find . -name *.desktop -type f -not -path '*/\.git/*' | xargs desktop-file-validate
 
+.PHONY: rust-lint
+rust-lint: ## Lint Rust code
+	cargo fmt --check
+	cargo clippy
+
+.PHONY: rust-test
+rust-test: ## Run Rust tests
+	cargo test
 
 # Explanation of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" and any make targets that might appear between : and ##
diff --git a/proxy/Cargo.toml b/proxy/Cargo.toml
new file mode 100644
index 0000000000..e53e6e48a8
--- /dev/null
+++ b/proxy/Cargo.toml
@@ -0,0 +1,8 @@
+[package]
+name = "securedrop-proxy"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
diff --git a/proxy/src/main.rs b/proxy/src/main.rs
new file mode 100644
index 0000000000..148d5204f7
--- /dev/null
+++ b/proxy/src/main.rs
@@ -0,0 +1,5 @@
+#![deny(clippy::all)]
+
+fn main() {
+    println!("Hello, world!");
+}
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
new file mode 100644
index 0000000000..27ae62c5bc
--- /dev/null
+++ b/rust-toolchain.toml
@@ -0,0 +1,2 @@
+[toolchain]
+channel = "1.74.1"
diff --git a/rustfmt.toml b/rustfmt.toml
new file mode 100644
index 0000000000..df99c69198
--- /dev/null
+++ b/rustfmt.toml
@@ -0,0 +1 @@
+max_width = 80
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
new file mode 100644
index 0000000000..2772ccb21f
--- /dev/null
+++ b/supply-chain/audits.toml
@@ -0,0 +1,4 @@
+
+# cargo-vet audits file
+
+[audits]
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
new file mode 100644
index 0000000000..ab67610e6e
--- /dev/null
+++ b/supply-chain/config.toml
@@ -0,0 +1,26 @@
+
+# cargo-vet config file
+
+[cargo-vet]
+version = "0.9"
+
+[imports.bytecode-alliance]
+url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
+
+[imports.google]
+url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
+
+[imports.isrg]
+url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
+
+[imports.mozilla]
+url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
+
+[imports.securedrop]
+url = "https://raw.githubusercontent.com/freedomofpress/securedrop-supply-chain/main/audits.toml"
+
+[imports.zcash]
+url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml"
+
+[policy.securedrop-proxy]
+criteria = "safe-to-run"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
new file mode 100644
index 0000000000..916aeb90e2
--- /dev/null
+++ b/supply-chain/imports.lock
@@ -0,0 +1,14 @@
+
+# cargo-vet imports lock
+
+[audits.bytecode-alliance.audits]
+
+[audits.google.audits]
+
+[audits.isrg.audits]
+
+[audits.mozilla.audits]
+
+[audits.securedrop.audits]
+
+[audits.zcash.audits]