From d16a060073872a7dffa106168521c2c73b6a8c83 Mon Sep 17 00:00:00 2001
From: Vitor Lima
Date: Wed, 25 Sep 2024 14:56:57 -0300
Subject: [PATCH 1/2] feat: add unsafe mode flag to disable SSL verification in the relay service

---
 src/main.rs  |  7 ++++++-
 src/relay.rs | 30 +++++++++++++++++-------------
 2 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index c4fe7d1..7c05d6a 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -66,6 +66,10 @@ enum Commands {
         /// Path to the configuration file
         #[arg(short, long)]
         config_path: Option,
+
+        /// Unsafe mode: disable SSL verification
+        #[arg(long)]
+        unsafe_mode: bool,
     },
 }
 
@@ -97,6 +101,7 @@ async fn main() {
         Commands::Start {
             verbose: _,
             config_path,
+            unsafe_mode,
         } => {
             let config = utils::fetch_config_file(config_path.clone());
             if let Some(config) = config {
@@ -106,7 +111,7 @@ async fn main() {
                 std::process::exit(1);
             }
 
-            if let Err(e) = relay::start_relay().await {
+            if let Err(e) = relay::start_relay(*unsafe_mode).await {
                 log::error!("Error starting relay: {}", e);
             }
         }
diff --git a/src/relay.rs b/src/relay.rs
index 27a3dff..9fffd66 100644
--- a/src/relay.rs
+++ b/src/relay.rs
@@ -40,7 +40,7 @@ const HOST_ADDRESS: &str = "127.0.0.1";
 #[cfg(not(debug_assertions))]
 const HOST_ADDRESS: &str = "::"; // ? External IPv4/IPv6 support
 
-fn create_ssl_acceptor() -> Result, openssl::error::ErrorStack> {
+fn create_ssl_acceptor(unsafe_mode: bool) -> Result, openssl::error::ErrorStack> {
     // Certificates contents are stored in the environment variables
     let cert = dotenv!("CARGO_SERVER_SSL_CERT").as_bytes();
     let key = dotenv!("CARGO_SERVER_SSL_KEY").as_bytes();
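Review bot: The doc comment on the new `unsafe_mode` field in the `Commands` hunk, `/// Unsafe mode: disable SSL verification`, becomes the `--help` text and understates what the flag does: in the relay.rs part of this same commit `create_ssl_acceptor` answers it with `set_verify(SslVerifyMode::NONE)` on the server-side acceptor, so what is switched off is client-certificate (mTLS) authentication of whoever connects to the relay's listener, not TLS itself. Suggest `/// Unsafe mode: disable client certificate (mTLS) verification on the relay listener; any client can connect. Local testing only.` There is also no guard on the flag, and the release-build `HOST_ADDRESS` of `::` visible as context in the relay.rs hunk means the unauthenticated listener would be reachable on every interface, so consider rejecting `--unsafe-mode` under `#[cfg(not(debug_assertions))]` or requiring an explicit second confirmation alongside it. `create_ssl_acceptor`'s body continues beyond this hunk.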
@@ -53,28 +53,32 @@ fn create_ssl_acceptor() -> Result, openssl::error::ErrorStack>
     let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls())?;
     acceptor.set_private_key(&key)?;
     acceptor.set_certificate(&cert)?;
-    // acceptor.add_client_ca(&ca)?;
     acceptor.check_private_key()?;
-    // Create a new X509Store and add the CA certificate to it
-    let mut store_builder = X509StoreBuilder::new()?;
-    store_builder.add_cert(ca.clone())?;
-    let store = store_builder.build();
+    if !unsafe_mode {
+        // Create a new X509Store and add the CA certificate to it
+        let mut store_builder = X509StoreBuilder::new()?;
+        store_builder.add_cert(ca.clone())?;
+        let store = store_builder.build();
 
-    // Set the CA store for the acceptor
-    acceptor.set_cert_store(store);
+        // Set the CA store for the acceptor
+        acceptor.set_cert_store(store);
 
-    // Add the CA certificate as a client CA
-    acceptor.add_client_ca(&ca)?;
+        // Add the CA certificate as a client CA
+        acceptor.add_client_ca(&ca)?;
 
-    acceptor.set_verify(SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT);
+        acceptor.set_verify(SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT);
+    } else {
+        log::warn!(target: "security", "Running in unsafe mode: SSL Certificates verification disabled");
+        acceptor.set_verify(SslVerifyMode::NONE);
+    }
 
     Ok(Arc::new(acceptor.build()))
 }
 
 /**
  * Start the MQTT Relay service
  */
-pub async fn start_relay() -> Result<()> {
+pub async fn start_relay(unsafe_mode: bool) -> Result<()> {
     // Simulate fetching relay configurations
     let relay_list = get_relay_list().await?;
     let relay_list = Arc::new(RwLock::new(relay_list));
@@ -99,7 +103,7 @@ pub async fn start_relay() -> Result<()> {
         config_file.as_ref().unwrap().downlink_port.unwrap_or(3000)
     };
 
-    let test = create_ssl_acceptor().unwrap();
+    let test = create_ssl_acceptor(unsafe_mode).unwrap();
     let acceptor = OpenSSLConfig::from_acceptor(test);
 
     // let listener = match tokio::net::TcpListener::bind(format!("{}:{}", HOST_ADDRESS, api_port)).await {
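Review bot: `acceptor.set_verify(SslVerifyMode::NONE)` in the new `else` branch does more than skip checking a presented certificate — it also drops `FAIL_IF_NO_PEER_CERT`, so the listener accepts any client that presents no certificate at all, and because the CA store and `add_client_ca` are only installed in the `if !unsafe_mode` branch, a client that does present one is not checked against the CA either. The warning fires once, at acceptor construction, and its text should name what is actually lost; suggest `log::warn!(target: "security", "Running in unsafe mode: client certificate (mTLS) verification disabled, any client can connect to the relay listener");`, and if the aim is only to tolerate missing or self-signed client certificates during local testing, keeping the CA store and using `SslVerifyMode::PEER` without `FAIL_IF_NO_PEER_CERT` would be the narrower setting. Separately, `let test = create_ssl_acceptor(unsafe_mode).unwrap();` in the second hunk still panics on a certificate or key error instead of returning it through `start_relay`'s `Result`; `let test = create_ssl_acceptor(unsafe_mode)?;` would propagate it, provided `start_relay`'s error type (not visible here) converts from `openssl::error::ErrorStack`. The signature of `create_ssl_acceptor` sits in the previous hunk and `start_relay`'s body continues past this one.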
From ac3563175a17feb8c1b2b3445e47189d871958c4 Mon Sep 17 00:00:00 2001
From: Vitor Lima
Date: Wed, 25 Sep 2024 15:01:39 -0300
Subject: [PATCH 2/2] docs: update README for local testing to include `--unsafe-mode` flag usage with relay service

---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6abf6ec..2658763 100644
--- a/README.md
+++ b/README.md
@@ -204,7 +204,11 @@ The Relay comes with pre-set TLS certificates configured during build time, so y
    The default port for the Middleware Endpoint is 3001, but you can change this by setting the downlink_port in your (configuration file)[#configuration-file-and-environment-variables]. Repl
 
 3. **Local Testing**:
-   For local testing, you can use tools like ngrok or tailscale to expose your local server to the internet securely.
+   For local testing, you can use tools like ngrok or tailscale to expose your local server to the internet securely. Ensure to run the relay with the `--unsafe-mode` flag.
+
+   ```sh
+   tagoio-relay start --unsafe-mode
+   ```
 
    **Using Ngrok:**
    ```bash