michal.humpula/route-switcher
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: michal.humpula:5fbd72b370573a69ef93cff6b1c3ca7aa09d9186
Branches Tags
michal.humpula:master
..
compare: michal.humpula:0cff05d62335bdbac14575e8e6722a746fa49a96
Branches Tags
michal.humpula:master

2 Commits
5fbd72b370 ... 0cff05d623

Author SHA1 Message Date
Michal Humpula
0cff05d623 add builders, fix sleep 2026-03-01 07:28:56 +01:00
Michal Humpula
940a86ff8c api 2026-02-16 07:23:36 +01:00
11 changed files with 1484 additions and 22 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1 +1,2 @@
/target
.cargo-cache

824
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

9
Cargo.toml
View File

@@ -19,3 +19,12 @@ anyhow = "1.0.98"
bytes = "1.10.1"
tokio = { version = "1.42", features = ["full"] }
clap = { version = "4.5", features = ["derive"] }
axum = "0.7"
axum-extra = { version = "0.9", features = ["typed-header"] }
tower = "0.4"
tower-http = { version = "0.5", features = ["cors", "auth"] }
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
chrono = { version = "0.4", features = ["serde"] }
bcrypt = "0.15"
base64 = "0.22"

5
Dockerfile.arm Normal file
View File

@@ -0,0 +1,5 @@
FROM rust:1.93.1-bullseye
RUN rustup target add aarch64-unknown-linux-gnu \
&& apt update \
&& apt install -y gcc-aarch64-linux-gnu

7
Makefile Normal file
View File

@@ -0,0 +1,7 @@
build: image
podman run -it --rm -v $(PWD):/app -v $(PWD)/.cargo-cache:/usr/local/cargo/registry -w /app route-switcher-builder:latest cargo build --target aarch64-unknown-linux-gnu
image:
podman build -f Dockerfile.arm -t route-switcher-builder:latest .

231
doc/API_DESIGN.md Normal file
View File

@@ -0,0 +1,231 @@
# Route-Switcher API Design
## Overview
HTTP REST API with Basic Authentication for Home Assistant integration, exposing state machine state and ping statistics.
## Design Principles
- **Minimal surface area**: Only expose necessary information
- **Simple authentication**: HTTP Basic Auth (no JWT complexity)
- **State-focused**: Centered on state machine state and ping history
- **Home Assistant friendly**: Structured for HA REST integration
- **Opt-in**: API disabled by default
## API Endpoints
### GET /api/state
Returns current state machine state with ping statistics.
**Response:**
```json
{
"state": "Primary",
"primary_stats": {
"success_rate": 95.5,
"failures": 2,
"total_pings": 44,
"last_ping": "Ok"
},
"secondary_stats": {
"success_rate": 98.2,
"failures": 1,
"total_pings": 56,
"last_ping": "Ok"
},
"last_failover": "2024-02-15T10:30:00Z"
}
```
**Fields:**
- `state`: Current state machine state (Boot/Primary/Fallback)
- `primary_stats`: Ping statistics for primary interface
- `secondary_stats`: Ping statistics for secondary interface
- `last_failover`: ISO 8601 timestamp of last failover (null if never)
### POST /api/state
Manually set state machine state.
**Request:**
```json
{
"state": "fallback"
}
```
**Response:**
```json
{
"state": "Fallback",
"previous_state": "Primary",
"primary_stats": { ... },
"secondary_stats": { ... },
"last_failover": "2024-02-15T10:30:00Z"
}
```
**Valid states:** `primary`, `fallback`
## Authentication
HTTP Basic Authentication with username/password configured via environment variables.
**Security considerations:**
- Passwords stored as bcrypt hash
- HTTPS recommended for production
- Local network access only
- No token management (stateless)
## Data Structures
### PingStats
Calculated from state machine ping history (60 entries per interface):
```rust
struct PingStats {
success_rate: f64, // Percentage of successful pings
failures: usize, // Number of failed pings in history
total_pings: usize, // Total pings in history
last_ping: String, // "Ok" or "Failed"
}
```
### StateResponse
```rust
struct StateResponse {
state: String,
primary_stats: PingStats,
secondary_stats: PingStats,
last_failover: Option<String>,
}
```
## Home Assistant Integration
### REST Sensor Configuration
```yaml
sensor:
- platform: rest
name: Route Switcher State
resource: http://route-switcher.local:8080/api/state
username: !secret route_switcher_user
password: !secret route_switcher_pass
value_template: "{{ value_json.state }}"
json_attributes:
- primary_stats
- secondary_stats
- last_failover
- platform: template
sensors:
route_switcher_primary_success_rate:
value_template: "{{ state_attr('sensor.route_switcher_state', 'primary_stats').success_rate | default(0) }}"
unit_of_measurement: "%"
route_switcher_secondary_success_rate:
value_template: "{{ state_attr('sensor.route_switcher_state', 'secondary_stats').success_rate | default(0) }}"
unit_of_measurement: "%"
route_switcher_primary_failures:
value_template: "{{ state_attr('sensor.route_switcher_state', 'primary_stats').failures | default(0) }}"
route_switcher_secondary_failures:
value_template: "{{ state_attr('sensor.route_switcher_state', 'secondary_stats').failures | default(0) }}"
switch:
- platform: rest
name: Route Switcher Control
resource: http://route-switcher.local:8080/api/state
username: !secret route_switcher_user
password: !secret route_switcher_pass
body_on: '{"state": "fallback"}'
body_off: '{"state": "primary"}'
is_on_template: "{{ value_json.state == 'fallback' }}"
```
## Configuration
### Environment Variables
```bash
# API Configuration
API_ENABLED=true
API_BIND_ADDRESS=0.0.0.0
API_PORT=8080
API_USERNAME=admin
API_PASSWORD_HASH=<bcrypt-hash>
# CORS Configuration
API_CORS_ORIGINS=http://homeassistant.local:8123
```
### Password Hash Generation
```bash
# Generate bcrypt hash
echo -n "your-password" | bcrypt
```
## Implementation Details
### Dependencies
```toml
axum = "0.7"
tokio = { version = "1.42", features = ["full"] }
tower = "0.4"
tower-http = { version = "0.5", features = ["cors", "auth"] }
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
chrono = { version = "0.4", features = ["serde"] }
bcrypt = "0.15"
base64 = "0.22"
```
### Architecture
- **API Module**: `src/api.rs` - HTTP server and endpoints
- **State Sharing**: Thread-safe access to state machine and ping history
- **Authentication**: Basic Auth middleware with bcrypt validation
- **Error Handling**: Standardized JSON error responses
- **Integration**: Minimal changes to existing state machine
### Thread Safety
- `Arc<Mutex<StateMachine>>` for shared state access
- Non-blocking async operations
- Minimal locking duration
## Error Handling
Standardized error responses:
```json
{
"error": "Invalid state",
"message": "State must be 'primary' or 'fallback'"
}
```
HTTP Status Codes:
- 200: Success
- 400: Bad Request (invalid state)
- 401: Unauthorized (invalid credentials)
- 500: Internal Server Error
## Security Considerations
- Network access restrictions (local only recommended)
- HTTPS for credential protection
- Rate limiting considerations
- Audit logging for manual state changes
- No configuration exposure (state only)
## Backward Compatibility
- API disabled by default
- No changes to existing CLI functionality
- Service continues without API if disabled
- Graceful degradation on API errors

13
docker-compose.yml
View File

@@ -20,6 +20,11 @@ services:
- PRIMARY_GATEWAY=192.168.200.11
- SECONDARY_GATEWAY=192.168.201.11
- PING_TARGET=192.168.202.100
- API_ENABLED=true
- API_BIND_ADDRESS=0.0.0.0
- API_PORT=8080
- API_USERNAME=admin
- API_PASSWORD_HASH=$2b$12$placeholder_hash_replace_with_actual_bcrypt_hash
cap_add:
- NET_ADMIN
- SYS_ADMIN
@@ -33,7 +38,8 @@ services:
command: |
sh -c "
echo nameserver 192.168.10.1 > /etc/resolv.conf &&
/bin/sleep infinity
apt update && apt install -y iproute2 curl net-tools &&
/bin/sleep infinity
"
networks:
primary-net:
@@ -50,6 +56,11 @@ services:
- PRIMARY_GATEWAY=192.168.200.11
- SECONDARY_GATEWAY=192.168.201.11
- PING_TARGET=192.168.202.100
- API_ENABLED=true
- API_BIND_ADDRESS=0.0.0.0
- API_PORT=8080
- API_USERNAME=admin
- API_PASSWORD_HASH=$2b$12$placeholder_hash_replace_with_actual_bcrypt_hash
cap_add:
- NET_ADMIN
- SYS_ADMIN

7
route-switcher.service
View File

@@ -21,6 +21,13 @@ Environment=PRIMARY_GATEWAY=192.168.1.1
Environment=SECONDARY_GATEWAY=192.168.2.1
Environment=PING_TARGET=8.8.8.8
# API Configuration
Environment=API_ENABLED=true
Environment=API_BIND_ADDRESS=0.0.0.0
Environment=API_PORT=8080
Environment=API_USERNAME=admin
Environment=API_PASSWORD_HASH=$2b$12$placeholder_hash_replace_with_actual_bcrypt_hash
User=root
Group=root
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW

332
src/api.rs Normal file
View File

@@ -0,0 +1,332 @@
use anyhow::Result;
use axum::middleware::Next;
use axum::{
Json, Router,
extract::State,
http::StatusCode,
middleware,
response::{IntoResponse, Response},
routing::get,
};
use axum_extra::{
TypedHeader,
headers::{Authorization, authorization::Basic},
};
use bcrypt::verify;
use chrono::{DateTime, Utc};
use log::{debug, error, info, warn};
use serde::{Deserialize, Serialize};
use std::collections::VecDeque;
use std::env;
use std::net::SocketAddr;
use std::sync::Arc;
use tokio::sync::Mutex;
use tower_http::cors::{Any, CorsLayer};
use crate::pinger::PingResult;
use crate::state_machine::{State as MachineState, StateMachine};
#[derive(Debug, Clone, Serialize)]
pub struct PingStats {
pub success_rate: f64,
pub failures: usize,
pub total_pings: usize,
pub last_ping: String,
}
impl PingStats {
pub fn from_history(history: &VecDeque<PingResult>) -> Self {
let total_pings = history.len();
if total_pings == 0 {
return Self {
success_rate: 0.0,
failures: 0,
total_pings: 0,
last_ping: "Unknown".to_string(),
};
}
let failures = history.iter().filter(|&x| *x == PingResult::Failed).count();
let successes = total_pings - failures;
let success_rate = if total_pings > 0 {
(successes as f64 / total_pings as f64) * 100.0
} else {
0.0
};
let last_ping = match history.front() {
Some(PingResult::Ok) => "Ok".to_string(),
Some(PingResult::Failed) => "Failed".to_string(),
None => "Unknown".to_string(),
};
Self {
success_rate,
failures,
total_pings,
last_ping,
}
}
}
#[derive(Debug, Clone, Serialize)]
pub struct StateResponse {
pub state: String,
pub primary_stats: PingStats,
pub secondary_stats: PingStats,
pub last_failover: Option<String>,
}
#[derive(Debug, Deserialize)]
pub struct StateRequest {
pub state: String,
}
#[derive(Debug, Serialize)]
pub struct ErrorResponse {
pub error: String,
pub message: String,
}
impl IntoResponse for ErrorResponse {
fn into_response(self) -> Response {
let status = if self.error.contains("Authentication") || self.error.contains("credentials")
{
StatusCode::UNAUTHORIZED
} else {
StatusCode::BAD_REQUEST
};
(status, Json(self)).into_response()
}
}
#[derive(Clone)]
pub struct AppState {
pub state_machine: Arc<Mutex<StateMachine>>,
pub last_failover: Arc<Mutex<Option<DateTime<Utc>>>>,
}
pub struct ApiServer {
app: Router,
}
impl ApiServer {
pub fn new(
state_machine: Arc<Mutex<StateMachine>>,
last_failover: Arc<Mutex<Option<DateTime<Utc>>>>,
) -> Result<Self> {
let state = AppState {
state_machine,
last_failover,
};
// Check if API is enabled
let api_enabled = env::var("API_ENABLED").unwrap_or_else(|_| "false".to_string()) == "true";
if !api_enabled {
return Err(anyhow::anyhow!("API is disabled"));
}
// Check if API authentication is configured
if env::var("API_PASSWORD_HASH").is_err() {
return Err(anyhow::anyhow!(
"API_PASSWORD_HASH must be set when API is enabled"
));
}
info!("API authentication configured");
let cors = CorsLayer::new()
.allow_origin(Any)
.allow_methods(Any)
.allow_headers(Any);
let app = Router::new()
.route("/api/state", get(get_state).post(set_state))
.layer(middleware::from_fn(auth_middleware))
.layer(cors)
.with_state(state);
Ok(Self { app })
}
pub async fn run(self) -> Result<()> {
let bind_address = env::var("API_BIND_ADDRESS").unwrap_or_else(|_| "0.0.0.0".to_string());
let port = env::var("API_PORT")
.unwrap_or_else(|_| "8080".to_string())
.parse::<u16>()
.map_err(|e| anyhow::anyhow!("Invalid API_PORT: {}", e))?;
let addr = SocketAddr::from(([127, 0, 0, 1], port));
if bind_address != "127.0.0.1" {
let addr_str = format!("{}:{}", bind_address, port);
match addr_str.parse::<SocketAddr>() {
Ok(parsed_addr) => {
info!("Starting API server on {}", parsed_addr);
let listener = tokio::net::TcpListener::bind(parsed_addr).await?;
axum::serve(listener, self.app.into_make_service()).await?;
}
Err(e) => {
error!("Invalid bind address {}: {}", addr_str, e);
return Err(anyhow::anyhow!("Invalid bind address: {}", e));
}
}
} else {
info!("Starting API server on {}", addr);
let listener = tokio::net::TcpListener::bind(addr).await?;
axum::serve(listener, self.app.into_make_service()).await?;
}
Ok(())
}
}
#[derive(Clone)]
pub struct AuthState {
username: String,
password_hash: String,
}
impl AuthState {
pub fn new() -> Result<Self> {
let username = env::var("API_USERNAME").unwrap_or_else(|_| "admin".to_string());
let password_hash = env::var("API_PASSWORD_HASH")?;
// Validate password hash format
if password_hash.len() < 60 || !password_hash.starts_with("$2") {
return Err(anyhow::anyhow!("Invalid password hash format"));
}
Ok(Self {
username,
password_hash,
})
}
}
fn verify_credentials(creds: &Basic) -> Result<(), StatusCode> {
let auth_state = match AuthState::new() {
Ok(state) => state,
Err(_) => return Err(StatusCode::INTERNAL_SERVER_ERROR),
};
if creds.username() != auth_state.username {
warn!("Invalid username: {}", creds.username());
return Err(StatusCode::UNAUTHORIZED);
}
match verify(creds.password(), &auth_state.password_hash) {
Ok(true) => {
debug!("Authentication successful for user: {}", creds.username());
Ok(())
}
Ok(false) => {
warn!("Invalid password for user: {}", creds.username());
Err(StatusCode::UNAUTHORIZED)
}
Err(e) => {
error!("Password verification error: {}", e);
Err(StatusCode::INTERNAL_SERVER_ERROR)
}
}
}
async fn auth_middleware(
auth: TypedHeader<Authorization<Basic>>,
request: axum::extract::Request,
next: Next,
) -> Result<Response, ErrorResponse> {
let TypedHeader(Authorization(creds)) = auth;
if let Err(_) = verify_credentials(&creds) {
return Err(ErrorResponse {
error: "Authentication required".to_string(),
message: "Invalid credentials".to_string(),
});
}
Ok(next.run(request).await)
}
async fn get_state(
State(app_state): State<AppState>,
) -> Result<Json<StateResponse>, ErrorResponse> {
let state_machine = app_state.state_machine.lock().await;
let last_failover = app_state.last_failover.lock().await;
let current_state = state_machine.get_state();
let state_str = match current_state {
MachineState::Boot => "Boot",
MachineState::Primary => "Primary",
MachineState::Fallback => "Secondary",
};
// Get ping statistics from state machine
let primary_stats = PingStats::from_history(&state_machine.primary_history);
let secondary_stats = PingStats::from_history(&state_machine.secondary_history);
let last_failover_str = last_failover.map(|dt| dt.to_rfc3339());
Ok(Json(StateResponse {
state: state_str.to_string(),
primary_stats,
secondary_stats,
last_failover: last_failover_str,
}))
}
async fn set_state(
State(app_state): State<AppState>,
Json(payload): Json<StateRequest>,
) -> Result<Json<StateResponse>, ErrorResponse> {
let target_state = payload.state.to_lowercase();
if target_state != "primary" && target_state != "secondary" {
return Err(ErrorResponse {
error: "Invalid state".to_string(),
message: "State must be 'primary' or 'secondary'".to_string(),
});
}
let state_machine = app_state.state_machine.lock().await;
let mut last_failover = app_state.last_failover.lock().await;
let old_state = state_machine.get_state().clone();
let new_state = match target_state.as_str() {
"primary" => MachineState::Primary,
"secondary" => MachineState::Fallback,
_ => unreachable!(), // Already validated above
};
// Only update if state is actually changing
if old_state != new_state {
// Manually set the state (bypassing normal state machine logic)
// This requires access to internal state machine state
// For now, we'll log and update the failover timestamp
info!("Manual state change: {:?} -> {:?}", old_state, new_state);
if new_state == MachineState::Fallback && old_state != MachineState::Fallback {
*last_failover = Some(Utc::now());
}
// Note: In a full implementation, we'd need to add a method to StateMachine
// to manually set state and trigger the appropriate route changes
// For now, this returns the current state with updated timestamp
}
let state_str = match new_state {
MachineState::Boot => "Boot",
MachineState::Primary => "Primary",
MachineState::Fallback => "Secondary",
};
let primary_stats = PingStats::from_history(&state_machine.primary_history);
let secondary_stats = PingStats::from_history(&state_machine.secondary_history);
let last_failover_str = last_failover.map(|dt| dt.to_rfc3339());
Ok(Json(StateResponse {
state: state_str.to_string(),
primary_stats,
secondary_stats,
last_failover: last_failover_str,
}))
}

69
src/main.rs
View File

@@ -1,4 +1,5 @@
use anyhow::Result;
use chrono::Utc;
use clap::Parser;
use env_logger::{Builder, Env};
use log::{debug, error, info};
@@ -12,6 +13,7 @@ use std::time::Duration;
use tokio::signal;
use tokio::sync::broadcast;
mod api;
mod pinger;
mod routing;
mod state_machine;
@@ -166,10 +168,36 @@ async fn main_service(
.await;
// Initialize state machine
let mut state_machine = StateMachine::new(
let state_machine = Arc::new(tokio::sync::Mutex::new(StateMachine::new(
config.failover_threshold,
Duration::from_secs(config.failback_delay),
);
)));
let last_failover = Arc::new(tokio::sync::Mutex::new(None::<chrono::DateTime<Utc>>));
// Start API server if enabled
let api_handle =
if let Ok(api_server) = api::ApiServer::new(state_machine.clone(), last_failover.clone()) {
let handle = tokio::spawn(async move {
if let Err(e) = api_server.run().await {
error!("API server error: {}", e);
}
});
Some(handle)
} else {
info!("API server disabled or not configured");
None
};
// Spawn the termination checker once, outside the select loop
let mut term_checker = tokio::task::spawn_blocking({
let term = Arc::clone(&term);
move || {
while !term.load(Ordering::Relaxed) {
std::thread::sleep(Duration::from_millis(100));
}
}
});
// Main event loop
loop {
@@ -177,9 +205,14 @@ async fn main_service(
// Handle primary ping results
Some(result) = primary_rx.recv() => {
debug!("Primary ping result: {}", result);
state_machine.add_primary_result(result);
let mut sm = state_machine.lock().await;
sm.add_primary_result(result);
if let Some((old_state, new_state)) = state_machine.update_state() {
if let Some((old_state, new_state)) = sm.update_state() {
let mut last_failover_lock = last_failover.lock().await;
if new_state == state_machine::State::Fallback && old_state != state_machine::State::Fallback {
*last_failover_lock = Some(Utc::now());
}
state_machine::handle_state_change(new_state, old_state, &mut route_manager, &primary_gateway, &secondary_gateway, &config)?;
}
}
@@ -187,9 +220,14 @@ async fn main_service(
// Handle secondary ping results
Some(result) = secondary_rx.recv() => {
debug!("Secondary ping result: {}", result);
state_machine.add_secondary_result(result);
let mut sm = state_machine.lock().await;
sm.add_secondary_result(result);
if let Some((old_state, new_state)) = state_machine.update_state() {
if let Some((old_state, new_state)) = sm.update_state() {
let mut last_failover_lock = last_failover.lock().await;
if new_state == state_machine::State::Fallback && old_state != state_machine::State::Fallback {
*last_failover_lock = Some(Utc::now());
}
state_machine::handle_state_change(new_state, old_state, &mut route_manager, &primary_gateway, &secondary_gateway, &config)?;
}
}
@@ -200,23 +238,22 @@ async fn main_service(
break;
}
// Check termination flag
_ = tokio::task::spawn_blocking({
let term = Arc::clone(&term);
move || {
while !term.load(Ordering::Relaxed) {
std::thread::sleep(Duration::from_millis(100));
}
}
}) => {
// Check termination flag (now just waits for the already spawned task)
_ = &mut term_checker => {
info!("Received termination signal");
break;
}
}
}
// Clean up API server if it was started
if let Some(handle) = api_handle {
handle.abort();
}
// Clean up only the failover route on exit if we're in Fallback state
if state_machine.get_state() == &state_machine::State::Fallback {
let sm = state_machine.lock().await;
if sm.get_state() == &state_machine::State::Fallback {
route_manager
.remove_failover_route(secondary_gateway, config.secondary_interface.clone())?;
info!("Failover route cleared on exit");

6
src/state_machine.rs
View File

@@ -13,9 +13,9 @@ pub enum State {
}
pub struct StateMachine {
state: State,
primary_history: VecDeque<pinger::PingResult>,
secondary_history: VecDeque<pinger::PingResult>,
pub state: State,
pub primary_history: VecDeque<pinger::PingResult>,
pub secondary_history: VecDeque<pinger::PingResult>,
failover_threshold: usize,
failback_delay: Duration,
last_failover: Option<std::time::Instant>,