feat: add mtls support for request

Sakilmostak · Sakilmostak · commit 658c95c07302 · 2024-08-22T01:59:09.000+05:30
diff --git a/crates/common_utils/src/request.rs b/crates/common_utils/src/request.rs
@@ -24,6 +24,12 @@ pub enum ContentType {
     Xml,
 }
 
+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
+pub enum VerificationType {
+    Tls,
+    Mtls,
+}
+
 fn default_request_headers() -> [(String, Maskable<String>); 1] {
     use http::header;
 
@@ -38,6 +44,7 @@ pub struct Request {
     pub certificate: Option<Secret<String>>,
     pub certificate_key: Option<Secret<String>>,
     pub body: Option<RequestContent>,
+    pub verificaton_type: Option<VerificationType>,
 }
 
 impl std::fmt::Debug for RequestContent {
@@ -81,6 +88,7 @@ impl Request {
             certificate: None,
             certificate_key: None,
             body: None,
+            verificaton_type: None,
         }
     }
 
@@ -113,6 +121,7 @@ pub struct RequestBuilder {
     pub certificate: Option<Secret<String>>,
     pub certificate_key: Option<Secret<String>>,
     pub body: Option<RequestContent>,
+    pub verificaton_type: Option<VerificationType>,
 }
 
 impl RequestBuilder {
@@ -124,6 +133,7 @@ impl RequestBuilder {
             certificate: None,
             certificate_key: None,
             body: None,
+            verificaton_type: None,
         }
     }
 
@@ -157,8 +167,13 @@ impl RequestBuilder {
         self
     }
 
-    pub fn add_certificate(mut self, certificate: Option<Secret<String>>) -> Self {
+    pub fn add_certificate(
+        mut self,
+        certificate: Option<Secret<String>>,
+        verification_type: VerificationType,
+    ) -> Self {
         self.certificate = certificate;
+        self.verificaton_type = Some(verification_type);
         self
     }
 
@@ -175,6 +190,7 @@ impl RequestBuilder {
             certificate: self.certificate,
             certificate_key: self.certificate_key,
             body: self.body,
+            verificaton_type: self.verificaton_type,
         }
     }
 }
diff --git a/crates/router/src/connector/gpayments.rs b/crates/router/src/connector/gpayments.rs
@@ -287,7 +287,10 @@ impl
                         self, req, connectors,
                     )?,
                 )
-                .add_certificate(Some(gpayments_auth_type.certificate))
+                .add_certificate(
+                    Some(gpayments_auth_type.certificate),
+                    services::VerificationType::Tls,
+                )
                 .add_certificate_key(Some(gpayments_auth_type.private_key))
                 .build(),
         ))
@@ -374,7 +377,10 @@ impl
                         self, req, connectors,
                     )?,
                 )
-                .add_certificate(Some(gpayments_auth_type.certificate))
+                .add_certificate(
+                    Some(gpayments_auth_type.certificate),
+                    services::VerificationType::Tls,
+                )
                 .add_certificate_key(Some(gpayments_auth_type.private_key))
                 .build(),
         ))
@@ -482,7 +488,10 @@ impl
                         self, req, connectors,
                     )?,
                 )
-                .add_certificate(Some(gpayments_auth_type.certificate))
+                .add_certificate(
+                    Some(gpayments_auth_type.certificate),
+                    services::VerificationType::Tls,
+                )
                 .add_certificate_key(Some(gpayments_auth_type.private_key))
                 .build(),
         ))
@@ -579,7 +588,7 @@ impl
                         self, req, connectors,
                     )?,
                 )
-                .add_certificate(Some(gpayments_auth_type.certificate))
+                .add_certificate(Some(gpayments_auth_type.certificate), services::VerificationType::Tls)
                 .add_certificate_key(Some(gpayments_auth_type.private_key))
                 .build(),
         ))
diff --git a/crates/router/src/connector/itaubank.rs b/crates/router/src/connector/itaubank.rs
@@ -204,7 +204,7 @@ impl ConnectorIntegration<api::AccessTokenAuth, types::AccessTokenRequestData, t
                 .attach_default_headers()
                 .headers(types::RefreshTokenType::get_headers(self, req, connectors)?)
                 .url(&types::RefreshTokenType::get_url(self, req, connectors)?)
-                .add_certificate(auth_details.certificate)
+                .add_certificate(auth_details.certificate, services::VerificationType::Mtls)
                 .add_certificate_key(auth_details.certificate_key)
                 .set_body(types::RefreshTokenType::get_request_body(
                     self, req, connectors,
@@ -340,7 +340,7 @@ impl ConnectorIntegration<api::Authorize, types::PaymentsAuthorizeData, types::P
                 .headers(types::PaymentsAuthorizeType::get_headers(
                     self, req, connectors,
                 )?)
-                .add_certificate(auth_details.certificate)
+                .add_certificate(auth_details.certificate, services::VerificationType::Mtls)
                 .add_certificate_key(auth_details.certificate_key)
                 .set_body(types::PaymentsAuthorizeType::get_request_body(
                     self, req, connectors,
@@ -419,7 +419,7 @@ impl ConnectorIntegration<api::PSync, types::PaymentsSyncData, types::PaymentsRe
                 .url(&types::PaymentsSyncType::get_url(self, req, connectors)?)
                 .attach_default_headers()
                 .headers(types::PaymentsSyncType::get_headers(self, req, connectors)?)
-                .add_certificate(auth_details.certificate)
+                .add_certificate(auth_details.certificate, services::VerificationType::Mtls)
                 .add_certificate_key(auth_details.certificate_key)
                 .build(),
         ))
@@ -498,7 +498,7 @@ impl ConnectorIntegration<api::Capture, types::PaymentsCaptureData, types::Payme
                 .headers(types::PaymentsCaptureType::get_headers(
                     self, req, connectors,
                 )?)
-                .add_certificate(auth_details.certificate)
+                .add_certificate(auth_details.certificate, services::VerificationType::Mtls)
                 .add_certificate_key(auth_details.certificate_key)
                 .set_body(types::PaymentsCaptureType::get_request_body(
                     self, req, connectors,
@@ -617,7 +617,7 @@ impl ConnectorIntegration<api::Execute, types::RefundsData, types::RefundsRespon
             .headers(types::RefundExecuteType::get_headers(
                 self, req, connectors,
             )?)
-            .add_certificate(auth_details.certificate)
+            .add_certificate(auth_details.certificate, services::VerificationType::Mtls)
             .add_certificate_key(auth_details.certificate_key)
             .set_body(types::RefundExecuteType::get_request_body(
                 self, req, connectors,
@@ -701,7 +701,7 @@ impl ConnectorIntegration<api::RSync, types::RefundsData, types::RefundsResponse
                 .url(&types::RefundSyncType::get_url(self, req, connectors)?)
                 .attach_default_headers()
                 .headers(types::RefundSyncType::get_headers(self, req, connectors)?)
-                .add_certificate(auth_details.certificate)
+                .add_certificate(auth_details.certificate, services::VerificationType::Mtls)
                 .add_certificate_key(auth_details.certificate_key)
                 .set_body(types::RefundSyncType::get_request_body(
                     self, req, connectors,
diff --git a/crates/router/src/connector/netcetera.rs b/crates/router/src/connector/netcetera.rs
@@ -298,7 +298,10 @@ impl
                         self, req, connectors,
                     )?,
                 )
-                .add_certificate(Some(netcetera_auth_type.certificate))
+                .add_certificate(
+                    Some(netcetera_auth_type.certificate),
+                    services::VerificationType::Tls,
+                )
                 .add_certificate_key(Some(netcetera_auth_type.private_key))
                 .build(),
         ))
@@ -408,7 +411,10 @@ impl
                         self, req, connectors,
                     )?,
                 )
-                .add_certificate(Some(netcetera_auth_type.certificate))
+                .add_certificate(
+                    Some(netcetera_auth_type.certificate),
+                    services::VerificationType::Tls,
+                )
                 .add_certificate_key(Some(netcetera_auth_type.private_key))
                 .build(),
         ))
diff --git a/crates/router/src/core/admin.rs b/crates/router/src/core/admin.rs
@@ -1617,6 +1617,7 @@ impl<'a> ConnectorAuthTypeValidation<'a> {
                 helpers::create_identity_from_certificate_and_key(
                     certificate.to_owned(),
                     private_key.to_owned(),
+                    false,
                 )
                 .change_context(errors::ApiErrorResponse::InvalidDataFormat {
                     field_name:
diff --git a/crates/router/src/core/payments/flows/session_flow.rs b/crates/router/src/core/payments/flows/session_flow.rs
@@ -159,7 +159,10 @@ fn build_apple_pay_session_request(
             "application/json".to_string().into(),
         )])
         .set_body(RequestContent::Json(Box::new(request)))
-        .add_certificate(Some(apple_pay_merchant_cert))
+        .add_certificate(
+            Some(apple_pay_merchant_cert),
+            services::VerificationType::Tls,
+        )
         .add_certificate_key(Some(apple_pay_merchant_cert_key))
         .build();
     Ok(session_request)
diff --git a/crates/router/src/core/payments/helpers.rs b/crates/router/src/core/payments/helpers.rs
@@ -90,6 +90,7 @@ use crate::{
 pub fn create_identity_from_certificate_and_key(
     encoded_certificate: masking::Secret<String>,
     encoded_certificate_key: masking::Secret<String>,
+    should_concate_cert_and_key: bool,
 ) -> Result<reqwest::Identity, error_stack::Report<errors::ApiClientError>> {
     let decoded_certificate = BASE64_ENGINE
         .decode(encoded_certificate.expose())
@@ -105,8 +106,14 @@ pub fn create_identity_from_certificate_and_key(
     let certificate_key = String::from_utf8(decoded_certificate_key)
         .change_context(errors::ApiClientError::CertificateDecodeFailed)?;
 
-    reqwest::Identity::from_pkcs8_pem(certificate.as_bytes(), certificate_key.as_bytes())
-        .change_context(errors::ApiClientError::CertificateDecodeFailed)
+    if should_concate_cert_and_key {
+        let client_cert = format!("{}{}", certificate_key, certificate);
+        reqwest::Identity::from_pem(client_cert.as_bytes())
+            .change_context(errors::ApiClientError::CertificateDecodeFailed)
+    } else {
+        reqwest::Identity::from_pkcs8_pem(certificate.as_bytes(), certificate_key.as_bytes())
+            .change_context(errors::ApiClientError::CertificateDecodeFailed)
+    }
 }
 
 pub fn create_certificate(
diff --git a/crates/router/src/core/verification.rs b/crates/router/src/core/verification.rs
@@ -1,6 +1,9 @@
 pub mod utils;
 use api_models::verifications::{self, ApplepayMerchantResponse};
-use common_utils::{errors::CustomResult, request::RequestContent};
+use common_utils::{
+    errors::CustomResult,
+    request::{RequestContent, VerificationType},
+};
 use error_stack::ResultExt;
 use masking::ExposeInterface;
 
@@ -41,7 +44,7 @@ pub async fn verify_merchant_creds_for_applepay(
             "application/json".to_string().into(),
         )])
         .set_body(RequestContent::Json(Box::new(request_body)))
-        .add_certificate(Some(cert_data))
+        .add_certificate(Some(cert_data), VerificationType::Tls)
         .add_certificate_key(Some(key_data))
         .build();
 
diff --git a/crates/router/src/services/api.rs b/crates/router/src/services/api.rs
@@ -19,7 +19,7 @@ use actix_web::{
 };
 pub use client::{proxy_bypass_urls, ApiClient, MockApiClient, ProxyClient};
 pub use common_enums::enums::PaymentAction;
-pub use common_utils::request::{ContentType, Method, Request, RequestBuilder};
+pub use common_utils::request::{ContentType, Method, Request, RequestBuilder, VerificationType};
 use common_utils::{
     consts::{DEFAULT_TENANT, TENANT_HEADER, X_HS_LATENCY},
     errors::{ErrorSwitch, ReportSwitchExt},
@@ -433,6 +433,7 @@ pub async fn send_request(
         should_bypass_proxy,
         request.certificate,
         request.certificate_key,
+        request.verificaton_type,
     )?;
 
     let headers = request.headers.construct_header_map()?;
diff --git a/crates/router/src/services/api/client.rs b/crates/router/src/services/api/client.rs
@@ -16,6 +16,7 @@ use crate::{
         payments,
     },
     routes::{app::settings::KeyManagerConfig, SessionState},
+    services::VerificationType,
 };
 
 static NON_PROXIED_CLIENT: OnceCell<reqwest::Client> = OnceCell::new();
@@ -85,14 +86,20 @@ pub fn create_client(
     should_bypass_proxy: bool,
     client_certificate: Option<masking::Secret<String>>,
     client_certificate_key: Option<masking::Secret<String>>,
+    verification_type: Option<VerificationType>,
 ) -> CustomResult<reqwest::Client, ApiClientError> {
-    match (client_certificate, client_certificate_key) {
-        (Some(encoded_certificate), Some(encoded_certificate_key)) => {
+    match (
+        verification_type,
+        client_certificate,
+        client_certificate_key,
+    ) {
+        (Some(VerificationType::Tls), Some(encoded_certificate), Some(encoded_certificate_key)) => {
             let client_builder = get_client_builder(proxy_config, should_bypass_proxy)?;
 
             let identity = payments::helpers::create_identity_from_certificate_and_key(
                 encoded_certificate.clone(),
                 encoded_certificate_key,
+                false,
             )?;
             let certificate_list = payments::helpers::create_certificate(encoded_certificate)?;
             let client_builder = certificate_list
@@ -106,6 +113,31 @@ pub fn create_client(
                 .change_context(ApiClientError::ClientConstructionFailed)
                 .attach_printable("Failed to construct client with certificate and certificate key")
         }
+        (
+            Some(VerificationType::Mtls),
+            Some(encoded_certificate),
+            Some(encoded_certificate_key),
+        ) => {
+            let client_builder = get_client_builder(proxy_config, should_bypass_proxy)?;
+
+            let identity = payments::helpers::create_identity_from_certificate_and_key(
+                encoded_certificate.clone(),
+                encoded_certificate_key,
+                true,
+            )?;
+            let certificate_list = payments::helpers::create_certificate(encoded_certificate)?;
+            let client_builder = certificate_list
+                .into_iter()
+                .fold(client_builder, |client_builder, certificate| {
+                    client_builder.add_root_certificate(certificate)
+                });
+            client_builder
+                .identity(identity)
+                .use_rustls_tls()
+                .build()
+                .change_context(ApiClientError::ClientConstructionFailed)
+                .attach_printable("Failed to construct client with certificate and certificate key")
+        }
         _ => get_base_client(proxy_config, should_bypass_proxy),
     }
 }
@@ -248,6 +280,7 @@ impl ProxyClient {
                 let identity = payments::helpers::create_identity_from_certificate_and_key(
                     certificate,
                     certificate_key,
+                    false,
                 )?;
                 Ok(client_builder
                     .identity(identity)
diff --git a/crates/router/src/services/openidconnect.rs b/crates/router/src/services/openidconnect.rs
@@ -155,7 +155,7 @@ async fn get_oidc_reqwest_client(
     state: &SessionState,
     request: oidc::HttpRequest,
 ) -> Result<oidc::HttpResponse, ApiClientError> {
-    let client = client::create_client(&state.conf.proxy, false, None, None)
+    let client = client::create_client(&state.conf.proxy, false, None, None, None)
         .map_err(|e| e.current_context().to_owned())?;
 
     let mut request_builder = client

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,12 @@ pub enum ContentType {`
`24`	`24`	`Xml,`
`25`	`25`	`}`
`26`	`26`
	`27`	`+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]`
	`28`	`+pub enum VerificationType {`
	`29`	`+ Tls,`
	`30`	`+ Mtls,`
	`31`	`+}`
	`32`	`+`
`27`	`33`	`fn default_request_headers() -> [(String, Maskable<String>); 1] {`
`28`	`34`	`use http::header;`
`29`	`35`
`@@ -38,6 +44,7 @@ pub struct Request {`
`38`	`44`	`pub certificate: Option<Secret<String>>,`
`39`	`45`	`pub certificate_key: Option<Secret<String>>,`
`40`	`46`	`pub body: Option<RequestContent>,`
	`47`	`+ pub verificaton_type: Option<VerificationType>,`
`41`	`48`	`}`
`42`	`49`
`43`	`50`	`impl std::fmt::Debug for RequestContent {`
`@@ -81,6 +88,7 @@ impl Request {`
`81`	`88`	`certificate: None,`
`82`	`89`	`certificate_key: None,`
`83`	`90`	`body: None,`
	`91`	`+ verificaton_type: None,`
`84`	`92`	`}`
`85`	`93`	`}`
`86`	`94`
`@@ -113,6 +121,7 @@ pub struct RequestBuilder {`
`113`	`121`	`pub certificate: Option<Secret<String>>,`
`114`	`122`	`pub certificate_key: Option<Secret<String>>,`
`115`	`123`	`pub body: Option<RequestContent>,`
	`124`	`+ pub verificaton_type: Option<VerificationType>,`
`116`	`125`	`}`
`117`	`126`
`118`	`127`	`impl RequestBuilder {`
`@@ -124,6 +133,7 @@ impl RequestBuilder {`
`124`	`133`	`certificate: None,`
`125`	`134`	`certificate_key: None,`
`126`	`135`	`body: None,`
	`136`	`+ verificaton_type: None,`
`127`	`137`	`}`
`128`	`138`	`}`
`129`	`139`
`@@ -157,8 +167,13 @@ impl RequestBuilder {`
`157`	`167`	`self`
`158`	`168`	`}`
`159`	`169`
`160`		`- pub fn add_certificate(mut self, certificate: Option<Secret<String>>) -> Self {`
	`170`	`+ pub fn add_certificate(`
	`171`	`+ mut self,`
	`172`	`+ certificate: Option<Secret<String>>,`
	`173`	`+ verification_type: VerificationType,`
	`174`	`+ ) -> Self {`
`161`	`175`	`self.certificate = certificate;`
	`176`	`+ self.verificaton_type = Some(verification_type);`
`162`	`177`	`self`
`163`	`178`	`}`
`164`	`179`
`@@ -175,6 +190,7 @@ impl RequestBuilder {`
`175`	`190`	`certificate: self.certificate,`
`176`	`191`	`certificate_key: self.certificate_key,`
`177`	`192`	`body: self.body,`
	`193`	`+ verificaton_type: self.verificaton_type,`
`178`	`194`	`}`
`179`	`195`	`}`
`180`	`196`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1617,6 +1617,7 @@ impl<'a> ConnectorAuthTypeValidation<'a> {`
`1617`	`1617`	`helpers::create_identity_from_certificate_and_key(`
`1618`	`1618`	`certificate.to_owned(),`
`1619`	`1619`	`private_key.to_owned(),`
	`1620`	`+ false,`
`1620`	`1621`	`)`
`1621`	`1622`	`.change_context(errors::ApiErrorResponse::InvalidDataFormat {`
`1622`	`1623`	`field_name:`