1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122

//! LDAP connection options

#[cfg(feature = "tls-native-tls")]
pub use native_tls::{Certificate, Identity};

#[cfg(feature = "tls-rustls")]
pub use rustls::{Certificate, PrivateKey};

#[cfg(feature = "tls-rustls")]
#[derive(Clone)]
pub(crate) struct Identity {
    pub(crate) private_key: PrivateKey,
    pub(crate) certificates: Vec<Certificate>,
}

#[derive(Clone, PartialEq)]
pub(crate) enum TlsKind {
    Plain,
    #[cfg(tls)]
    Tls,
    #[cfg(tls)]
    StartTls,
}

/// TLS options
#[derive(Clone)]
pub struct TlsOptions {
    pub(crate) kind: TlsKind,
    #[cfg(tls)]
    pub(crate) ca_certs: Vec<Certificate>,
    #[cfg(feature = "tls-native-tls")]
    pub(crate) verify_hostname: bool,
    #[cfg(tls)]
    pub(crate) verify_certs: bool,
    #[cfg(tls)]
    pub(crate) identity: Option<Identity>,
    #[cfg(tls)]
    pub(crate) domain_name: Option<String>,
}

impl TlsOptions {
    fn new(kind: TlsKind) -> Self {
        Self {
            kind,
            #[cfg(tls)]
            ca_certs: Vec::new(),
            #[cfg(feature = "tls-native-tls")]
            verify_hostname: true,
            #[cfg(tls)]
            verify_certs: true,
            #[cfg(tls)]
            identity: None,
            #[cfg(tls)]
            domain_name: None,
        }
    }

    /// Use plain connection without transport security
    pub fn plain() -> Self {
        Self::new(TlsKind::Plain)
    }

    #[cfg(tls)]
    /// Connect using TLS transport
    pub fn tls() -> Self {
        Self::new(TlsKind::Tls)
    }

    #[cfg(tls)]
    /// Connect using STARTTLS negotiation
    pub fn start_tls() -> Self {
        Self::new(TlsKind::StartTls)
    }

    #[cfg(tls)]
    /// Add CA root certificate to use during TLS handshake
    pub fn ca_cert(mut self, cert: Certificate) -> Self {
        self.ca_certs.push(cert);
        self
    }

    #[cfg(feature = "tls-native-tls")]
    /// Set client identity for mutual TLS authentication
    pub fn identity(mut self, identity: Identity) -> Self {
        self.identity = Some(identity);
        self
    }

    #[cfg(feature = "tls-rustls")]
    /// Set client identity for mutual TLS authentication
    pub fn identity(mut self, private_key: PrivateKey, certificates: Vec<Certificate>) -> Self {
        self.identity = Some(Identity {
            private_key,
            certificates,
        });
        self
    }

    #[cfg(tls)]
    /// Specify custom domain name to use for SNI match. The default is the connection host name
    pub fn domain_name<S: AsRef<str>>(mut self, domain_name: S) -> Self {
        self.domain_name = Some(domain_name.as_ref().to_owned());
        self
    }

    #[cfg(feature = "tls-native-tls")]
    /// Enable or disable host name validation in the server certificate.
    /// By default host name validation is enabled.
    /// This option is only used when certificate verification is enabled.
    pub fn verify_hostname(mut self, flag: bool) -> Self {
        self.verify_hostname = flag;
        self
    }

    #[cfg(tls)]
    /// Enable or disable server certificate validation.
    /// By default server certificate validation is enabled.
    pub fn verify_certs(mut self, flag: bool) -> Self {
        self.verify_certs = flag;
        self
    }
}