diff --git a/src/main.rs b/src/main.rs index 20f0dba..b335016 100644 --- a/src/main.rs +++ b/src/main.rs @@ -223,7 +223,11 @@ async fn main() -> numa::Result<()> { ) { Ok(tls_config) => Some(ArcSwap::from(tls_config)), Err(e) => { - log::warn!("TLS setup failed, HTTPS proxy disabled: {}", e); + if let Some(advisory) = numa::tls::try_data_dir_advisory(&e, &resolved_data_dir) { + eprint!("{}", advisory); + } else { + log::warn!("TLS setup failed, HTTPS proxy disabled: {}", e); + } None } } @@ -233,17 +237,15 @@ async fn main() -> numa::Result<()> { let socket = match UdpSocket::bind(&config.server.bind_addr).await { Ok(s) => s, - Err(e) - if e.kind() == std::io::ErrorKind::AddrInUse - && numa::system_dns::is_port_53(&config.server.bind_addr) => - { - eprint!( - "{}", - numa::system_dns::port53_conflict_advisory(&config.server.bind_addr) - ); - std::process::exit(1); + Err(e) => { + if let Some(advisory) = + numa::system_dns::try_port53_advisory(&config.server.bind_addr, &e) + { + eprint!("{}", advisory); + std::process::exit(1); + } + return Err(e.into()); } - Err(e) => return Err(e.into()), }; let ctx = Arc::new(ServerCtx { diff --git a/src/system_dns.rs b/src/system_dns.rs index fcb17fa..f77d820 100644 --- a/src/system_dns.rs +++ b/src/system_dns.rs @@ -46,28 +46,32 @@ pub fn discover_system_dns() -> SystemDnsInfo { } } -/// True if `bind_addr` targets DNS port 53. Used to scope the port-53 -/// conflict advisory — we only want to print the systemd-resolved / -/// Dnscache hint when the user is actually trying to bind the DNS port. -pub fn is_port_53(bind_addr: &str) -> bool { - bind_addr - .parse::() - .map(|s| s.port() == 53) - .unwrap_or(false) -} - -/// Human-readable diagnostic for port-53 bind conflicts. Offers two -/// concrete fixes: install Numa as the system resolver, or bind to a -/// non-privileged port. -pub fn port53_conflict_advisory(bind_addr: &str) -> String { +/// Advisory for port-53 bind failures (EADDRINUSE or EACCES); `None` +/// if not applicable so the caller can fall back to the raw error. +pub fn try_port53_advisory(bind_addr: &str, err: &std::io::Error) -> Option { + if !is_port_53(bind_addr) { + return None; + } + let (title, cause) = match err.kind() { + std::io::ErrorKind::AddrInUse => ( + "port 53 is already in use", + "Another process is already bound to port 53. On Linux this is\n \ + typically systemd-resolved; on Windows, the DNS Client service.", + ), + std::io::ErrorKind::PermissionDenied => ( + "permission denied", + "Port 53 is privileged — binding it requires root on Linux/macOS\n \ + or Administrator on Windows.", + ), + _ => return None, + }; let o = "\x1b[1;38;2;192;98;58m"; // bold orange let r = "\x1b[0m"; - format!( + Some(format!( " -{o}Numa{r} — cannot bind to {bind_addr}: port 53 is already in use. +{o}Numa{r} — cannot bind to {bind_addr}: {title}. - Another process is already bound to port 53. On Linux this is - typically systemd-resolved; on Windows, the DNS Client service. + {cause} Fix — pick one: @@ -86,7 +90,14 @@ pub fn port53_conflict_advisory(bind_addr: &str) -> String { Test with: dig @127.0.0.1 -p 5354 example.com " - ) + )) +} + +fn is_port_53(bind_addr: &str) -> bool { + bind_addr + .parse::() + .map(|s| s.port() == 53) + .unwrap_or(false) } #[cfg(target_os = "macos")] @@ -1796,4 +1807,43 @@ Wireless LAN adapter Wi-Fi: assert_eq!(result.len(), 1); assert!(result.contains_key("Wi-Fi")); } + + #[test] + fn try_port53_advisory_addr_in_use() { + let err = std::io::Error::from(std::io::ErrorKind::AddrInUse); + let msg = try_port53_advisory("0.0.0.0:53", &err).expect("should advise on port 53"); + assert!(msg.contains("cannot bind to")); + assert!(msg.contains("already in use")); + assert!(msg.contains("numa install")); + assert!(msg.contains("bind_addr")); + } + + #[test] + fn try_port53_advisory_permission_denied() { + let err = std::io::Error::from(std::io::ErrorKind::PermissionDenied); + let msg = try_port53_advisory("0.0.0.0:53", &err).expect("should advise on port 53"); + assert!(msg.contains("cannot bind to")); + assert!(msg.contains("permission denied")); + assert!(msg.contains("numa install")); + assert!(msg.contains("bind_addr")); + } + + #[test] + fn try_port53_advisory_skips_non_53_ports() { + let err = std::io::Error::from(std::io::ErrorKind::AddrInUse); + assert!(try_port53_advisory("127.0.0.1:5354", &err).is_none()); + assert!(try_port53_advisory("[::]:853", &err).is_none()); + } + + #[test] + fn try_port53_advisory_skips_unrelated_error_kinds() { + let err = std::io::Error::from(std::io::ErrorKind::NotFound); + assert!(try_port53_advisory("0.0.0.0:53", &err).is_none()); + } + + #[test] + fn try_port53_advisory_skips_malformed_bind_addr() { + let err = std::io::Error::from(std::io::ErrorKind::AddrInUse); + assert!(try_port53_advisory("not-an-address", &err).is_none()); + } } diff --git a/src/tls.rs b/src/tls.rs index 7c7620a..7ba96b6 100644 --- a/src/tls.rs +++ b/src/tls.rs @@ -40,6 +40,40 @@ pub fn regenerate_tls(ctx: &ServerCtx) { } } +/// Advisory for TLS-setup failures caused by a non-writable data dir; +/// `None` if not applicable so the caller can fall back to the raw error. +pub fn try_data_dir_advisory(err: &crate::Error, data_dir: &Path) -> Option { + let io_err = err.downcast_ref::()?; + if io_err.kind() != std::io::ErrorKind::PermissionDenied { + return None; + } + let o = "\x1b[1;38;2;192;98;58m"; + let r = "\x1b[0m"; + Some(format!( + " +{o}Numa{r} — HTTPS proxy disabled: cannot write TLS CA to {}. + + The data directory is not writable by the current user. Numa needs + to persist a local Certificate Authority there to serve .numa over + HTTPS. DNS resolution and plain-HTTP proxy continue to work. + + Fix — pick one: + + 1. Install Numa as the system resolver (sets up a writable data dir): + + sudo numa install (on Windows, run as Administrator) + + 2. Point data_dir at a path you can write. + Create ~/.config/numa/numa.toml with: + + [server] + data_dir = \"/path/you/can/write\" + +", + data_dir.display() + )) +} + /// Build a TLS config with a cert covering all provided service names. /// Wildcards under single-label TLDs (*.numa) are rejected by browsers, /// so we list each service explicitly as a SAN. @@ -170,3 +204,33 @@ fn generate_service_cert( Ok((vec![cert_der, ca_der], key_der)) } + +#[cfg(test)] +mod tests { + use super::*; + use std::path::PathBuf; + + #[test] + fn try_data_dir_advisory_permission_denied() { + let err: crate::Error = + Box::new(std::io::Error::from(std::io::ErrorKind::PermissionDenied)); + let path = PathBuf::from("/usr/local/var/numa"); + let msg = try_data_dir_advisory(&err, &path).expect("should advise"); + assert!(msg.contains("HTTPS proxy disabled")); + assert!(msg.contains("/usr/local/var/numa")); + assert!(msg.contains("numa install")); + assert!(msg.contains("data_dir")); + } + + #[test] + fn try_data_dir_advisory_skips_other_io_kinds() { + let err: crate::Error = Box::new(std::io::Error::from(std::io::ErrorKind::NotFound)); + assert!(try_data_dir_advisory(&err, &PathBuf::from("/x")).is_none()); + } + + #[test] + fn try_data_dir_advisory_skips_non_io_errors() { + let err: crate::Error = "rcgen failure".into(); + assert!(try_data_dir_advisory(&err, &PathBuf::from("/x")).is_none()); + } +}