futu_server/

ws_listener.rs

// WebSocket 监听器：接受 WebSocket 连接，复用 TCP 的请求路由和连接池
//
// 每个 WebSocket 二进制消息 = 一个完整的 FutuAPI 帧（44 字节帧头 + body）。
// 与 TCP 共享同一个 connections DashMap、RequestRouter、SubscriptionManager。
//
// ## v1.0 鉴权
//
// 握手阶段（accept_hdr_async）校验 HTTP `Authorization: Bearer <token>` 或
// `?token=<plaintext>` query —— 通过 `KeyStore::verify` 得到 `KeyRecord`，
// 把 scope 集合和 key_id 存到 `ClientConn`。每条消息进 `ws_process_requests`
// 时按 `futu_auth::scope_for_proto_id(proto_id)` 查所需 scope，不匹配 → 不 dispatch、
// 记 audit reject。`trade:real` 额外跑 `check_and_commit` 过一道 rate + hours
// 全局闸门。未注入 KeyStore（TCP listener 或 legacy 模式）→ scopes 空集被
// 解释为"全放行"，保持向后兼容。

use std::collections::{HashMap, HashSet};
use std::sync::Arc;
use std::time::Instant;

use bytes::BytesMut;
use chrono::Utc;
use dashmap::DashMap;
use futures::{SinkExt, StreamExt};
use tokio::net::TcpListener;
use tokio::sync::mpsc;
use tokio_tungstenite::tungstenite::handshake::server::{ErrorResponse, Request, Response};
use tokio_tungstenite::tungstenite::http::StatusCode;
use tokio_tungstenite::tungstenite::protocol::Message;

use futu_auth::{CheckCtx, KeyRecord, KeyStore, LimitOutcome, RuntimeCounters, Scope};
use futu_codec::frame::FutuFrame;
use futu_codec::header::{FutuHeader, ProtoFmtType, HEADER_SIZE};
use futu_core::proto_id;

use crate::conn::{ClientConn, ConnState, DisconnectNotify, IncomingRequest};
use crate::listener::{ServerConfig, MAX_CONNECTIONS};
use crate::router::RequestRouter;

/// WebSocket 服务端
pub struct WsServer {
    listen_addr: String,
    config: ServerConfig,
    connections: Arc<DashMap<u64, ClientConn>>,
    router: Arc<RequestRouter>,
    subscriptions: Option<Arc<crate::subscription::SubscriptionManager>>,
    /// v1.0：握手时做 Bearer token 鉴权。None 或 `!is_configured()` → legacy 模式放行
    key_store: Option<Arc<KeyStore>>,
    /// v1.0：跨 REST / gRPC / WS 共享的限额 counters
    counters: Option<Arc<RuntimeCounters>>,
}

impl WsServer {
    /// 创建 WsServer，共享 TCP 的连接池、路由器、订阅管理器（无鉴权，向后兼容）
    pub fn new(
        listen_addr: String,
        config: ServerConfig,
        connections: Arc<DashMap<u64, ClientConn>>,
        router: Arc<RequestRouter>,
        subscriptions: Option<Arc<crate::subscription::SubscriptionManager>>,
    ) -> Self {
        Self::with_auth(
            listen_addr,
            config,
            connections,
            router,
            subscriptions,
            None,
            None,
        )
    }

    /// v1.0 入口：同时接入 KeyStore + 共享 RuntimeCounters 做握手鉴权和 per-message
    /// scope / 限额检查。`key_store = None` 或未配置时保持 legacy（全放行）。
    #[allow(clippy::too_many_arguments)]
    pub fn with_auth(
        listen_addr: String,
        config: ServerConfig,
        connections: Arc<DashMap<u64, ClientConn>>,
        router: Arc<RequestRouter>,
        subscriptions: Option<Arc<crate::subscription::SubscriptionManager>>,
        key_store: Option<Arc<KeyStore>>,
        counters: Option<Arc<RuntimeCounters>>,
    ) -> Self {
        Self {
            listen_addr,
            config,
            connections,
            router,
            subscriptions,
            key_store,
            counters,
        }
    }

    /// 启动 WebSocket 服务端监听
    pub async fn run(&self) -> anyhow::Result<()> {
        let listener = TcpListener::bind(&self.listen_addr).await?;
        tracing::info!(addr = %self.listen_addr, "WebSocket server listening");

        let (req_tx, req_rx) = mpsc::unbounded_channel::<IncomingRequest>();
        let (disconnect_tx, mut disconnect_rx) = mpsc::unbounded_channel::<DisconnectNotify>();

        // 启动请求处理任务（与 TCP 共享同一逻辑）
        let connections = Arc::clone(&self.connections);
        let router = Arc::clone(&self.router);
        let config = self.config.clone();
        let counters_for_process = self.counters.clone();
        let key_store_for_process = self.key_store.clone();
        let scope_mode = self.key_store.as_ref().is_some_and(|ks| ks.is_configured());
        tokio::spawn(async move {
            ws_process_requests(
                req_rx,
                connections,
                router,
                config,
                counters_for_process,
                key_store_for_process,
                scope_mode,
            )
            .await;
        });

        // 启动连接清理任务
        let cleanup_connections = Arc::clone(&self.connections);
        let cleanup_subs = self.subscriptions.clone();
        tokio::spawn(async move {
            while let Some(notify) = disconnect_rx.recv().await {
                let removed = cleanup_connections.remove(&notify.conn_id);
                if removed.is_some() {
                    if let Some(ref subs) = cleanup_subs {
                        subs.on_disconnect(notify.conn_id);
                    }
                    tracing::info!(
                        conn_id = notify.conn_id,
                        remaining = cleanup_connections.len(),
                        "ws connection removed from pool"
                    );
                }
            }
        });

        // 接受连接循环
        let connections = Arc::clone(&self.connections);
        let key_store_accept = self.key_store.clone();
        if !scope_mode {
            tracing::warn!(
                "WS server running WITHOUT API key auth (legacy mode); \
                 all WS clients are open. Pass KeyStore via with_auth() to enable."
            );
        }
        loop {
            let (stream, peer_addr) = listener.accept().await?;

            if connections.len() >= MAX_CONNECTIONS {
                tracing::warn!(
                    peer = %peer_addr,
                    "max connections reached ({}), rejecting ws client",
                    MAX_CONNECTIONS,
                );
                drop(stream);
                continue;
            }

            let conn_id = ClientConn::generate_conn_id();
            let aes_key = ClientConn::generate_aes_key();
            stream.set_nodelay(true).ok();

            tracing::info!(
                conn_id = conn_id,
                peer = %peer_addr,
                total = connections.len() + 1,
                "ws client connected"
            );

            let (tx, authed) = run_ws_connection(
                stream,
                conn_id,
                aes_key,
                req_tx.clone(),
                disconnect_tx.clone(),
                key_store_accept.clone(),
            )
            .await;

            // 握手鉴权失败 → run_ws_connection 已经 drop 连接；这里什么都不做
            let Some(authed) = authed else {
                continue;
            };

            let (key_id, scopes) = match authed {
                AuthResult::Authenticated(rec) => (Some(rec.id.clone()), rec.scopes.clone()),
                AuthResult::Legacy => (None, HashSet::new()),
            };

            let conn = ClientConn {
                conn_id,
                state: ConnState::Connected,
                aes_key,
                aes_encrypt_enabled: false,
                proto_fmt_type: ProtoFmtType::Protobuf,
                last_keepalive: Instant::now(),
                keepalive_count: std::sync::atomic::AtomicU32::new(0),
                tx,
                key_id,
                scopes,
            };

            connections.insert(conn_id, conn);
        }
    }
}

/// 握手鉴权结果：scope 模式下的 KeyRecord 或 legacy 全放行
enum AuthResult {
    Authenticated(Arc<KeyRecord>),
    Legacy,
}

/// 运行单个 WebSocket 连接的收发循环
///
/// 接收端：WS Binary Message → 解析为 FutuFrame → 发到 req_tx
/// 发送端：frame_rx 收到 FutuFrame → 编码为字节 → 发送 WS Binary Message
///
/// 返回 `(frame_tx, Option<AuthResult>)` —— `None` 表示握手 / 鉴权失败，调用方
/// 不应把这个 conn_id 加入连接池。
async fn run_ws_connection(
    stream: tokio::net::TcpStream,
    conn_id: u64,
    _aes_key: [u8; 16],
    req_tx: mpsc::UnboundedSender<IncomingRequest>,
    disconnect_tx: mpsc::UnboundedSender<DisconnectNotify>,
    key_store: Option<Arc<KeyStore>>,
) -> (mpsc::Sender<FutuFrame>, Option<AuthResult>) {
    let (frame_tx, mut frame_rx) = mpsc::channel::<FutuFrame>(256);

    // 握手回调里验证 token + scope，结果存到 authed_slot；accept_hdr_async 内部
    // 只读 callback 的 Ok/Err 决定要不要升级，所以 KeyRecord 要借 Mutex 传出来
    let authed_slot: Arc<std::sync::Mutex<Option<AuthResult>>> =
        Arc::new(std::sync::Mutex::new(None));
    let slot_cb = Arc::clone(&authed_slot);
    let store_cb = key_store.clone();

    #[allow(clippy::result_large_err)] // ErrorResponse 是 tungstenite 的类型，我们无法改其大小
    let callback = move |req: &Request, resp: Response| -> Result<Response, ErrorResponse> {
        // legacy：未注入 KeyStore 或未配置 keys.json → 全放行
        let Some(store) = store_cb.as_ref() else {
            *slot_cb.lock().unwrap() = Some(AuthResult::Legacy);
            return Ok(resp);
        };
        if !store.is_configured() {
            *slot_cb.lock().unwrap() = Some(AuthResult::Legacy);
            return Ok(resp);
        }

        // 提取 token：?token=... 或 Authorization: Bearer ...
        let token = extract_ws_token(req);
        let Some(token) = token else {
            futu_auth::audit::reject("ws", "/ws", "<missing>", "missing token");
            return Err(make_err_response(
                StatusCode::UNAUTHORIZED,
                "missing api key (use ?token=... or Authorization: Bearer ...)",
            ));
        };

        let Some(rec) = store.verify(&token) else {
            futu_auth::audit::reject("ws", "/ws", "<invalid>", "invalid api key");
            return Err(make_err_response(
                StatusCode::UNAUTHORIZED,
                "invalid api key",
            ));
        };

        if rec.is_expired(Utc::now()) {
            futu_auth::audit::reject("ws", "/ws", &rec.id, "key expired");
            return Err(make_err_response(StatusCode::UNAUTHORIZED, "key expired"));
        }

        // 最低门槛：qot:read。真正按 proto_id 的细粒度检查留给 process_requests
        if !rec.scopes.contains(&Scope::QotRead) {
            futu_auth::audit::reject("ws", "/ws", &rec.id, "missing qot:read");
            return Err(make_err_response(
                StatusCode::FORBIDDEN,
                "missing qot:read scope",
            ));
        }

        futu_auth::audit::allow("ws", "/ws", &rec.id, Some("qot:read"));
        *slot_cb.lock().unwrap() = Some(AuthResult::Authenticated(rec));
        Ok(resp)
    };

    let ws_stream = match tokio_tungstenite::accept_hdr_async(stream, callback).await {
        Ok(ws) => ws,
        Err(e) => {
            tracing::warn!(conn_id = conn_id, error = %e, "ws handshake failed");
            let _ = disconnect_tx.send(DisconnectNotify { conn_id });
            return (frame_tx, None);
        }
    };

    // 握手成功 → slot_cb 已填，否则是严重 bug
    let authed = authed_slot
        .lock()
        .unwrap()
        .take()
        .expect("authed_slot must be filled after successful handshake");

    let (mut ws_sink, mut ws_stream_rx) = ws_stream.split();

    // 发送任务：FutuFrame → 编码为字节 → WS Binary
    tokio::spawn(async move {
        while let Some(frame) = frame_rx.recv().await {
            let mut buf = BytesMut::new();
            frame.header.encode(&mut buf);
            buf.extend_from_slice(&frame.body);
            let msg = Message::Binary(buf.freeze().into());
            if let Err(e) = ws_sink.send(msg).await {
                tracing::warn!(conn_id = conn_id, error = %e, "ws send failed");
                break;
            }
        }
    });

    // 接收任务：WS Binary → 解析 FutuFrame → req_tx
    tokio::spawn(async move {
        while let Some(result) = ws_stream_rx.next().await {
            match result {
                Ok(msg) => {
                    let data = match msg {
                        Message::Binary(data) => data,
                        Message::Close(_) => {
                            tracing::info!(conn_id = conn_id, "ws client sent close");
                            break;
                        }
                        Message::Ping(_) | Message::Pong(_) => {
                            // tokio-tungstenite 自动处理 ping/pong
                            continue;
                        }
                        _ => {
                            // 忽略 Text 等其他类型
                            continue;
                        }
                    };

                    // 解析 FutuAPI 帧（44 字节帧头 + body）
                    if data.len() < HEADER_SIZE {
                        tracing::warn!(
                            conn_id = conn_id,
                            len = data.len(),
                            "ws message too short for futu header"
                        );
                        continue;
                    }

                    let header_buf = BytesMut::from(&data[..]);
                    let header = match FutuHeader::peek(&header_buf) {
                        Ok(Some(h)) => h,
                        Ok(None) => {
                            tracing::warn!(conn_id = conn_id, "ws header peek returned None");
                            continue;
                        }
                        Err(e) => {
                            tracing::warn!(conn_id = conn_id, error = %e, "ws invalid futu header");
                            continue;
                        }
                    };

                    let expected_len = HEADER_SIZE + header.body_len as usize;
                    if data.len() < expected_len {
                        tracing::warn!(
                            conn_id = conn_id,
                            expected = expected_len,
                            actual = data.len(),
                            "ws message shorter than expected frame size"
                        );
                        continue;
                    }

                    let body = bytes::Bytes::copy_from_slice(&data[HEADER_SIZE..expected_len]);

                    let req = IncomingRequest {
                        conn_id,
                        proto_id: header.proto_id,
                        serial_no: header.serial_no,
                        proto_fmt_type: header.proto_fmt_type,
                        body,
                    };

                    if req_tx.send(req).is_err() {
                        break;
                    }
                }
                Err(e) => {
                    tracing::warn!(conn_id = conn_id, error = %e, "ws recv error");
                    break;
                }
            }
        }
        tracing::info!(conn_id = conn_id, "ws connection closed");
        let _ = disconnect_tx.send(DisconnectNotify { conn_id });
    });

    (frame_tx, Some(authed))
}

/// 从握手 Request 里提取 token：优先 ?token=...，再 Authorization: Bearer ...
///
/// 浏览器 WS API 不允许设置自定义 header，所以优先支持 query；原生客户端
/// （curl / Futu SDK 之类）两种都可以
fn extract_ws_token(req: &Request) -> Option<String> {
    if let Some(q) = req.uri().query() {
        // 手写 query 解析，避免引 url / percent-encoding 新依赖
        let params: HashMap<&str, &str> =
            q.split('&').filter_map(|kv| kv.split_once('=')).collect();
        if let Some(v) = params.get("token") {
            if !v.is_empty() {
                return Some((*v).to_string());
            }
        }
    }
    req.headers()
        .get("authorization")
        .and_then(|v| v.to_str().ok())
        .and_then(|v| v.strip_prefix("Bearer ").map(|s| s.trim().to_string()))
        .filter(|s| !s.is_empty())
}

/// 构造 tungstenite 握手失败的 HTTP 响应
fn make_err_response(code: StatusCode, msg: &str) -> ErrorResponse {
    let body = Some(format!(r#"{{"error":"{msg}"}}"#));
    let mut resp = tokio_tungstenite::tungstenite::http::Response::new(body);
    *resp.status_mut() = code;
    resp.headers_mut().insert(
        "content-type",
        tokio_tungstenite::tungstenite::http::HeaderValue::from_static("application/json"),
    );
    resp
}

/// 处理 WebSocket 连接的请求（逻辑与 TCP 的 process_requests 相同，额外做 scope / 限额）
///
/// `scope_mode`：KeyStore 配置了时为 true，此时按 proto_id 查 scope 并与
/// 连接里存的 scopes 比对；未匹配直接丢弃请求 + 写 audit reject，不发响应。
/// `counters`：trade:real 请求通过 scope 后再跑一次 check_and_commit。
async fn ws_process_requests(
    mut req_rx: mpsc::UnboundedReceiver<IncomingRequest>,
    connections: Arc<DashMap<u64, ClientConn>>,
    router: Arc<RequestRouter>,
    config: ServerConfig,
    counters: Option<Arc<RuntimeCounters>>,
    key_store: Option<Arc<KeyStore>>,
    scope_mode: bool,
) {
    use crate::listener::ApiServer;

    while let Some(mut req) = req_rx.recv().await {
        let conn_id = req.conn_id;
        let proto_id_val = req.proto_id;
        let serial_no = req.serial_no;

        // 更新 last_keepalive（任何包都算活跃）
        if let Some(mut conn) = connections.get_mut(&conn_id) {
            conn.last_keepalive = Instant::now();
        }

        // v1.0 per-message scope gate —— 只在 scope_mode 启用
        if scope_mode {
            if let Some(needed) = futu_auth::scope_for_proto_id(proto_id_val) {
                // 取该连接的 scope 集合和 key_id 快照（拿完锁就释放）
                let (scopes, key_id_snap) = match connections.get(&conn_id) {
                    Some(conn) => (conn.scopes.clone(), conn.key_id.clone()),
                    None => {
                        tracing::warn!(conn_id, proto_id = proto_id_val, "ws req on unknown conn");
                        continue;
                    }
                };
                let key_id_str = key_id_snap.as_deref().unwrap_or("<none>");
                // 从 KeyStore 按 id 查最新 limits（SIGHUP reload 后能立刻生效，
                // 对齐 MCP 的 SIGHUP-aware 行为）
                let limits_snap = match (&key_store, &key_id_snap) {
                    (Some(ks), Some(id)) => {
                        ks.get_by_id(id).map(|r| r.limits()).unwrap_or_default()
                    }
                    _ => futu_auth::Limits::default(),
                };
                if !scopes.contains(&needed) {
                    futu_auth::audit::reject(
                        "ws",
                        &format!("proto_id={proto_id_val}"),
                        key_id_str,
                        &format!("missing scope {needed}"),
                    );
                    continue;
                }
                // trade:real 多跑一次 rate + hours 全局闸门
                if needed == Scope::TradeReal {
                    if let Some(c) = &counters {
                        let ctx = CheckCtx {
                            market: String::new(),
                            symbol: String::new(),
                            order_value: None,
                            trd_side: None,
                        };
                        if let LimitOutcome::Reject(reason) =
                            c.check_and_commit(key_id_str, &limits_snap, &ctx, Utc::now())
                        {
                            futu_auth::audit::reject(
                                "ws",
                                &format!("proto_id={proto_id_val}"),
                                key_id_str,
                                &format!("limit: {reason}"),
                            );
                            continue;
                        }
                    }
                }
                futu_auth::audit::allow(
                    "ws",
                    &format!("proto_id={proto_id_val}"),
                    key_id_str,
                    Some(needed.as_str()),
                );
            }
            // scope_for_proto_id 返回 None（1xxx 系统）→ 放行不 audit
        }

        // 非 InitConnect 请求需要 AES 解密
        if proto_id_val != proto_id::INIT_CONNECT {
            if let Some(conn) = connections.get(&conn_id) {
                if conn.aes_encrypt_enabled {
                    match conn.decrypt_body(&req.body) {
                        Ok(decrypted) => {
                            req.body = bytes::Bytes::from(decrypted);
                        }
                        Err(e) => {
                            tracing::warn!(
                                conn_id = conn_id,
                                proto_id = proto_id_val,
                                error = %e,
                                "ws AES decrypt request failed, dropping"
                            );
                            continue;
                        }
                    }
                }
            }
        }

        let response_body = match proto_id_val {
            proto_id::INIT_CONNECT => {
                if let Some(mut conn) = connections.get_mut(&conn_id) {
                    conn.handle_init_connect(
                        &req.body,
                        config.server_ver,
                        config.login_user_id,
                        config.keepalive_interval,
                        config.rsa_private_key.as_deref(),
                    )
                    .ok()
                } else {
                    None
                }
            }
            proto_id::KEEP_ALIVE => {
                if let Some(conn) = connections.get(&conn_id) {
                    conn.handle_keepalive(&req.body).ok()
                } else {
                    None
                }
            }
            _ => router.dispatch(conn_id, &req).await,
        };

        if let Some(body) = response_body {
            ApiServer::send_response(&connections, conn_id, proto_id_val, serial_no, body).await;
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use tokio_tungstenite::tungstenite::http::Request as HttpRequest;

    fn mk_req(uri: &str, auth_header: Option<&str>) -> HttpRequest<()> {
        let mut b = HttpRequest::builder().uri(uri);
        if let Some(v) = auth_header {
            b = b.header("authorization", v);
        }
        b.body(()).unwrap()
    }

    #[test]
    fn extract_token_from_query() {
        let r = mk_req("/ws?token=abc123", None);
        assert_eq!(extract_ws_token(&r), Some("abc123".to_string()));
    }

    #[test]
    fn extract_token_from_bearer_header() {
        let r = mk_req("/ws", Some("Bearer xyz789"));
        assert_eq!(extract_ws_token(&r), Some("xyz789".to_string()));
    }

    #[test]
    fn extract_token_query_preferred_over_header() {
        let r = mk_req("/ws?token=from-query", Some("Bearer from-header"));
        assert_eq!(extract_ws_token(&r), Some("from-query".to_string()));
    }

    #[test]
    fn extract_token_empty_query_falls_back_to_header() {
        let r = mk_req("/ws?token=", Some("Bearer from-header"));
        assert_eq!(extract_ws_token(&r), Some("from-header".to_string()));
    }

    #[test]
    fn extract_token_missing_everywhere() {
        let r = mk_req("/ws", None);
        assert_eq!(extract_ws_token(&r), None);
        let r2 = mk_req("/ws?foo=bar", None);
        assert_eq!(extract_ws_token(&r2), None);
    }

    #[test]
    fn extract_token_non_bearer_auth_ignored() {
        let r = mk_req("/ws", Some("Basic asdf"));
        assert_eq!(extract_ws_token(&r), None);
    }

    #[test]
    fn extract_token_bearer_empty_after_prefix() {
        // "Bearer " 后无 token → None（.filter 把空串过滤）
        let r = mk_req("/ws", Some("Bearer "));
        assert_eq!(extract_ws_token(&r), None);
    }
}