github: Use async reqwest client (#7478)

Turbo87 · web-flow · commit 4e1c640ffd93 · 2023-11-09T22:24:42.000+01:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -76,7 +76,7 @@ p256 = "=0.13.2"
 parking_lot = "=0.12.1"
 prometheus = { version = "=0.13.3", default-features = false }
 rand = "=0.8.5"
-reqwest = { version = "=0.11.22", features = ["blocking", "gzip", "json"] }
+reqwest = { version = "=0.11.22", features = ["gzip", "json"] }
 retry = "=2.0.0"
 scheduled-thread-pool = "=0.2.7"
 secrecy = "=0.8.0"
diff --git a/src/app.rs b/src/app.rs
@@ -16,7 +16,7 @@ use axum::extract::{FromRef, FromRequestParts, State};
 use diesel::r2d2;
 use moka::future::{Cache, CacheBuilder};
 use oauth2::basic::BasicClient;
-use reqwest::blocking::Client;
+use reqwest::Client;
 use scheduled_thread_pool::ScheduledThreadPool;
 
 /// The `App` struct holds the main components of the application like
diff --git a/src/bin/server.rs b/src/bin/server.rs
@@ -10,7 +10,7 @@ use std::{sync::Arc, time::Duration};
 use axum::ServiceExt;
 use futures_util::future::FutureExt;
 use prometheus::Encoder;
-use reqwest::blocking::Client;
+use reqwest::Client;
 use std::io::{self, Write};
 use std::net::SocketAddr;
 use tokio::signal::unix::{signal, SignalKind};
diff --git a/src/controllers/crate_owner_invitation.rs b/src/controllers/crate_owner_invitation.rs
@@ -14,6 +14,7 @@ use chrono::{Duration, Utc};
 use diesel::{pg::Pg, sql_types::Bool};
 use indexmap::IndexMap;
 use std::collections::{HashMap, HashSet};
+use tokio::runtime::Handle;
 
 /// Handles the `GET /api/v1/me/crate_owner_invitations` route.
 pub async fn list(app: AppState, req: Parts) -> AppResult<Json<Value>> {
@@ -106,7 +107,7 @@ fn prepare_list(
                 // Only allow crate owners to query pending invitations for their crate.
                 let krate: Crate = Crate::by_name(&crate_name).first(conn)?;
                 let owners = krate.owners(conn)?;
-                if user.rights(state, &owners)? != Rights::Full {
+                if Handle::current().block_on(user.rights(state, &owners))? != Rights::Full {
                     return Err(forbidden());
                 }
 
diff --git a/src/controllers/github/secret_scanning.rs b/src/controllers/github/secret_scanning.rs
@@ -11,9 +11,9 @@ use once_cell::sync::Lazy;
 use p256::ecdsa::signature::Verifier;
 use p256::ecdsa::VerifyingKey;
 use p256::PublicKey;
-use parking_lot::Mutex;
 use serde_json as json;
 use std::str::FromStr;
+use tokio::sync::Mutex;
 
 // Minimum number of seconds to wait before refreshing cache of GitHub's public keys
 static PUBLIC_KEY_CACHE_LIFETIME_SECONDS: i64 = 60 * 60 * 24; // 24 hours
@@ -55,18 +55,17 @@ fn is_cache_valid(timestamp: Option<chrono::DateTime<chrono::Utc>>) -> bool {
 }
 
 // Fetches list of public keys from GitHub API
-fn get_public_keys(state: &AppState) -> Result<Vec<GitHubPublicKey>, BoxedAppError> {
+async fn get_public_keys(state: &AppState) -> Result<Vec<GitHubPublicKey>, BoxedAppError> {
     // Return list from cache if populated and still valid
-    let mut cache = PUBLIC_KEY_CACHE.lock();
+    let mut cache = PUBLIC_KEY_CACHE.lock().await;
     if is_cache_valid(cache.timestamp) {
         return Ok(cache.keys.clone());
     }
 
     // Fetch from GitHub API
-    let keys = state.github.public_keys(
-        &state.config.gh_client_id,
-        state.config.gh_client_secret.secret(),
-    )?;
+    let client_id = &state.config.gh_client_id;
+    let client_secret = state.config.gh_client_secret.secret();
+    let keys = state.github.public_keys(client_id, client_secret).await?;
 
     // Populate cache
     cache.keys = keys.clone();
@@ -76,7 +75,7 @@ fn get_public_keys(state: &AppState) -> Result<Vec<GitHubPublicKey>, BoxedAppErr
 }
 
 /// Verifies that the GitHub signature in request headers is valid
-fn verify_github_signature(
+async fn verify_github_signature(
     headers: &HeaderMap,
     state: &AppState,
     json: &[u8],
@@ -98,6 +97,7 @@ fn verify_github_signature(
         .map_err(|e| bad_request(&format!("failed to parse signature from ASN.1 DER: {e:?}")))?;
 
     let public_keys = get_public_keys(state)
+        .await
         .map_err(|e| bad_request(&format!("failed to fetch GitHub public keys: {e:?}")))?;
 
     let key = public_keys
@@ -222,13 +222,14 @@ pub async fn verify(
     headers: HeaderMap,
     body: Bytes,
 ) -> AppResult<Json<Vec<GitHubSecretAlertFeedback>>> {
-    conduit_compat(move || {
-        verify_github_signature(&headers, &state, &body)
-            .map_err(|e| bad_request(&format!("failed to verify request signature: {e:?}")))?;
+    verify_github_signature(&headers, &state, &body)
+        .await
+        .map_err(|e| bad_request(&format!("failed to verify request signature: {e:?}")))?;
 
-        let alerts: Vec<GitHubSecretAlert> = json::from_slice(&body)
-            .map_err(|e| bad_request(&format!("invalid secret alert request: {e:?}")))?;
+    let alerts: Vec<GitHubSecretAlert> = json::from_slice(&body)
+        .map_err(|e| bad_request(&format!("invalid secret alert request: {e:?}")))?;
 
+    conduit_compat(move || {
         let feedback = alerts
             .into_iter()
             .map(|alert| {
diff --git a/src/controllers/krate/owners.rs b/src/controllers/krate/owners.rs
@@ -6,6 +6,7 @@ use crate::models::token::EndpointScope;
 use crate::models::{Crate, Owner, Rights, Team, User};
 use crate::views::EncodableOwner;
 use axum::body::Bytes;
+use tokio::runtime::Handle;
 
 /// Handles the `GET /crates/:crate_id/owners` route.
 pub async fn owners(state: AppState, Path(crate_name): Path<String>) -> AppResult<Json<Value>> {
@@ -113,7 +114,7 @@ fn modify_owners(
         let krate: Crate = Crate::by_name(crate_name).first(conn)?;
         let owners = krate.owners(conn)?;
 
-        match user.rights(app, &owners)? {
+        match Handle::current().block_on(user.rights(app, &owners))? {
             Rights::Full => {}
             // Yes!
             Rights::Publish => {
diff --git a/src/controllers/krate/publish.rs b/src/controllers/krate/publish.rs
@@ -295,7 +295,7 @@ pub async fn publish(app: AppState, req: BytesRequest) -> AppResult<Json<GoodCra
             };
 
             let owners = krate.owners(conn)?;
-            if user.rights(&app, &owners)? < Rights::Publish {
+            if Handle::current().block_on(user.rights(&app, &owners))? < Rights::Publish {
                 return Err(cargo_err(MISSING_RIGHTS_ERROR_MESSAGE));
             }
 
diff --git a/src/controllers/user/session.rs b/src/controllers/user/session.rs
@@ -2,6 +2,7 @@ use crate::controllers::frontend_prelude::*;
 
 use oauth2::reqwest::http_client;
 use oauth2::{AuthorizationCode, Scope, TokenResponse};
+use tokio::runtime::Handle;
 
 use crate::email::Emails;
 use crate::github::GithubUser;
@@ -100,7 +101,7 @@ pub async fn authorize(
         let token = token.access_token();
 
         // Fetch the user info from GitHub using the access token we just got and create a user record
-        let ghuser = app.github.current_user(token)?;
+        let ghuser = Handle::current().block_on(app.github.current_user(token))?;
         let user =
             save_user_to_database(&ghuser, token.secret(), &app.emails, &mut *app.db_write()?)?;
 
diff --git a/src/controllers/version/yank.rs b/src/controllers/version/yank.rs
@@ -9,6 +9,7 @@ use crate::models::{insert_version_owner_action, VersionAction};
 use crate::rate_limiter::LimitedAction;
 use crate::schema::versions;
 use crate::worker::jobs;
+use tokio::runtime::Handle;
 
 /// Handles the `DELETE /crates/:crate_id/:version/yank` route.
 /// This does not delete a crate version, it makes the crate
@@ -67,7 +68,7 @@ fn modify_yank(
     let user = auth.user();
     let owners = krate.owners(conn)?;
 
-    if user.rights(state, &owners)? < Rights::Publish {
+    if Handle::current().block_on(user.rights(state, &owners))? < Rights::Publish {
         return Err(cargo_err("must already be an owner to yank or unyank"));
     }
 
diff --git a/src/github.rs b/src/github.rs
@@ -9,31 +9,37 @@ use std::str;
 
 use crate::controllers::github::secret_scanning::{GitHubPublicKey, GitHubPublicKeyList};
 use crate::util::errors::{cargo_err, internal, not_found, AppResult, BoxedAppError};
-use reqwest::blocking::Client;
+use async_trait::async_trait;
+use reqwest::Client;
 
+#[async_trait]
 pub trait GitHubClient: Send + Sync {
-    fn current_user(&self, auth: &AccessToken) -> AppResult<GithubUser>;
-    fn org_by_name(&self, org_name: &str, auth: &AccessToken) -> AppResult<GitHubOrganization>;
-    fn team_by_name(
+    async fn current_user(&self, auth: &AccessToken) -> AppResult<GithubUser>;
+    async fn org_by_name(
+        &self,
+        org_name: &str,
+        auth: &AccessToken,
+    ) -> AppResult<GitHubOrganization>;
+    async fn team_by_name(
         &self,
         org_name: &str,
         team_name: &str,
         auth: &AccessToken,
     ) -> AppResult<GitHubTeam>;
-    fn team_membership(
+    async fn team_membership(
         &self,
         org_id: i32,
         team_id: i32,
         username: &str,
         auth: &AccessToken,
     ) -> AppResult<GitHubTeamMembership>;
-    fn org_membership(
+    async fn org_membership(
         &self,
         org_id: i32,
         username: &str,
         auth: &AccessToken,
     ) -> AppResult<GitHubOrgMembership>;
-    fn public_keys(&self, username: &str, password: &str) -> AppResult<Vec<GitHubPublicKey>>;
+    async fn public_keys(&self, username: &str, password: &str) -> AppResult<Vec<GitHubPublicKey>>;
 }
 
 #[derive(Debug)]
@@ -47,7 +53,7 @@ impl RealGitHubClient {
     }
 
     /// Does all the nonsense for sending a GET to Github.
-    fn _request<T>(&self, url: &str, auth: &str) -> AppResult<T>
+    async fn _request<T>(&self, url: &str, auth: &str) -> AppResult<T>
     where
         T: DeserializeOwned,
     {
@@ -59,27 +65,31 @@ impl RealGitHubClient {
             .header(header::ACCEPT, "application/vnd.github.v3+json")
             .header(header::AUTHORIZATION, auth)
             .header(header::USER_AGENT, "crates.io (https://crates.io)")
-            .send()?
+            .send()
+            .await?
             .error_for_status()
             .map_err(|e| handle_error_response(&e))?
             .json()
+            .await
             .map_err(Into::into)
     }
 
     /// Sends a GET to GitHub using OAuth access token authentication
-    pub fn request<T>(&self, url: &str, auth: &AccessToken) -> AppResult<T>
+    pub async fn request<T>(&self, url: &str, auth: &AccessToken) -> AppResult<T>
     where
         T: DeserializeOwned,
     {
         self._request(url, &format!("token {}", auth.secret()))
+            .await
     }
 
     /// Sends a GET to GitHub using basic authentication
-    pub fn request_basic<T>(&self, url: &str, username: &str, password: &str) -> AppResult<T>
+    pub async fn request_basic<T>(&self, url: &str, username: &str, password: &str) -> AppResult<T>
     where
         T: DeserializeOwned,
     {
         self._request(url, &format!("basic {username}:{password}"))
+            .await
     }
 
     /// Returns a client for making HTTP requests to upload crate files.
@@ -98,38 +108,43 @@ impl RealGitHubClient {
     }
 }
 
+#[async_trait]
 impl GitHubClient for RealGitHubClient {
-    fn current_user(&self, auth: &AccessToken) -> AppResult<GithubUser> {
-        self.request("/user", auth)
+    async fn current_user(&self, auth: &AccessToken) -> AppResult<GithubUser> {
+        self.request("/user", auth).await
     }
 
-    fn org_by_name(&self, org_name: &str, auth: &AccessToken) -> AppResult<GitHubOrganization> {
+    async fn org_by_name(
+        &self,
+        org_name: &str,
+        auth: &AccessToken,
+    ) -> AppResult<GitHubOrganization> {
         let url = format!("/orgs/{org_name}");
-        self.request(&url, auth)
+        self.request(&url, auth).await
     }
 
-    fn team_by_name(
+    async fn team_by_name(
         &self,
         org_name: &str,
         team_name: &str,
         auth: &AccessToken,
     ) -> AppResult<GitHubTeam> {
         let url = format!("/orgs/{org_name}/teams/{team_name}");
-        self.request(&url, auth)
+        self.request(&url, auth).await
     }
 
-    fn team_membership(
+    async fn team_membership(
         &self,
         org_id: i32,
         team_id: i32,
         username: &str,
         auth: &AccessToken,
     ) -> AppResult<GitHubTeamMembership> {
         let url = format!("/organizations/{org_id}/team/{team_id}/memberships/{username}");
-        self.request(&url, auth)
+        self.request(&url, auth).await
     }
 
-    fn org_membership(
+    async fn org_membership(
         &self,
         org_id: i32,
         username: &str,
@@ -139,12 +154,16 @@ impl GitHubClient for RealGitHubClient {
             &format!("/organizations/{org_id}/memberships/{username}"),
             auth,
         )
+        .await
     }
 
     /// Returns the list of public keys that can be used to verify GitHub secret alert signatures
-    fn public_keys(&self, username: &str, password: &str) -> AppResult<Vec<GitHubPublicKey>> {
+    async fn public_keys(&self, username: &str, password: &str) -> AppResult<Vec<GitHubPublicKey>> {
         let url = "/meta/public_keys/secret_scanning";
-        match self.request_basic::<GitHubPublicKeyList>(url, username, password) {
+        match self
+            .request_basic::<GitHubPublicKeyList>(url, username, password)
+            .await
+        {
             Ok(v) => Ok(v.public_keys),
             Err(e) => Err(e),
         }
diff --git a/src/models/team.rs b/src/models/team.rs
diff --git a/src/models/user.rs b/src/models/user.rs
diff --git a/src/tests/util/github.rs b/src/tests/util/github.rs
diff --git a/src/tests/util/test_app.rs b/src/tests/util/test_app.rs

Original file line number	Diff line number	Diff line change
`@@ -295,7 +295,7 @@ pub async fn publish(app: AppState, req: BytesRequest) -> AppResult<Json<GoodCra`
`295`	`295`	`};`
`296`	`296`
`297`	`297`	`let owners = krate.owners(conn)?;`
`298`		`- if user.rights(&app, &owners)? < Rights::Publish {`
	`298`	`+ if Handle::current().block_on(user.rights(&app, &owners))? < Rights::Publish {`
`299`	`299`	`return Err(cargo_err(MISSING_RIGHTS_ERROR_MESSAGE));`
`300`	`300`	`}`
`301`	`301`