Setup cargo-deny

Also try to remove a bunch of duplicate crates

.github/workflows/ci.yaml

@@ -109,6 +109,21 @@ jobs:
       - name: Check style
         run: cargo fmt --all -- --check
 
+
+  cargo-deny:
+    name: Run `cargo deny` checks
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@v3.5.3
+
+      - name: Run `cargo-deny`
+        uses: EmbarkStudios/cargo-deny-action@v1.5.4
+
   
   check-schema:
     name: Check schema
@@ -376,6 +391,7 @@ jobs:
       - frontend-lint
       - frontend-test
       - rustfmt
+      - cargo-deny
       - clippy
       - check-schema
       - test

Cargo.toml

@@ -2,6 +2,13 @@
 default-members = ["crates/cli"]
 members = ["crates/*"]
 
+[workspace.dependencies]
+
+[workspace.dependencies.chrono]
+version = "0.4.26"
+default-features = false
+features = ["serde", "clock"]
+
 [profile.dev.package.num-bigint-dig]
 opt-level = 3
 

crates/axum-utils/Cargo.toml

@@ -9,7 +9,7 @@ license = "Apache-2.0"
 async-trait = "0.1.72"
 axum = { version = "0.6.20", features = ["headers"] }
 axum-extra = { version = "0.7.7", features = ["cookie-private"] }
-chrono = "0.4.26"
+chrono.workspace = true
 data-encoding = "2.4.0"
 futures-util = "0.3.28"
 headers = "0.3.8"

crates/cli/Cargo.toml

@@ -11,7 +11,7 @@ anyhow = "1.0.72"
 axum = "0.6.20"
 camino = "1.1.6"
 clap = { version = "4.3.21", features = ["derive"] }
-dotenv = "0.15.0"
+dotenvy = "0.15.7"
 httpdate = "1.0.2"
 hyper = { version = "0.14.27", features = ["full"] }
 itertools = "0.11.0"
@@ -26,7 +26,6 @@ tokio = { version = "1.30.0", features = ["full"] }
 tower = { version = "0.4.13", features = ["full"] }
 tower-http = { version = "0.4.3", features = ["fs"] }
 url = "2.4.0"
-watchman_client = "0.8.0"
 zeroize = "1.6.0"
 
 tracing = "0.1.37"

crates/cli/src/commands/server.rs

@@ -32,7 +32,7 @@ use tracing::{info, info_span, warn, Instrument};
 
 use crate::util::{
     database_from_config, mailer_from_config, password_manager_from_config,
-    policy_factory_from_config, templates_from_config, watch_templates,
+    policy_factory_from_config, register_sighup, templates_from_config,
 };
 
 #[derive(Parser, Debug, Default)]
@@ -44,10 +44,6 @@ pub(super) struct Options {
     /// Do not start the task worker
     #[arg(long)]
     no_worker: bool,
-
-    /// Watch for changes for templates on the filesystem
-    #[arg(short, long)]
-    watch: bool,
 }
 
 impl Options {
@@ -134,10 +130,8 @@ impl Options {
         // Explicitly the config to properly zeroize secret keys
         drop(config);
 
-        // Watch for changes in templates if the --watch flag is present
-        if self.watch {
-            watch_templates(&templates).await?;
-        }
+        // Listen for SIGHUP
+        register_sighup(&templates)?;
 
         let graphql_schema = mas_handlers::graphql_schema(&pool, conn);
 

crates/cli/src/main.rs

@@ -48,7 +48,7 @@ async fn main() -> anyhow::Result<()> {
 async fn try_main() -> anyhow::Result<()> {
     // Load environment variables from .env files
     // We keep the path to log it afterwards
-    let dotenv_path: Result<Option<_>, _> = dotenv::dotenv()
+    let dotenv_path: Result<Option<_>, _> = dotenvy::dotenv()
         .map(Some)
         // Display the error if it is something other than the .env file not existing
         .or_else(|e| if e.not_found() { Ok(None) } else { Err(e) });

crates/cli/src/util.rs

@@ -179,60 +179,27 @@ pub async fn database_from_config(config: &DatabaseConfig) -> Result<PgPool, any
         .context("could not connect to the database")
 }
 
-/// Watch for changes in the templates folders
-pub async fn watch_templates(templates: &Templates) -> anyhow::Result<()> {
-    use watchman_client::{prelude::*, SubscriptionData};
-
-    let client = Connector::new()
-        .connect()
-        .await
-        .context("could not connect to watchman")?;
-
-    let templates = templates.clone();
-
-    // Find which root we're supposed to watch
-    let root = templates.watch_root();
-
-    // Create a subscription on the root
-    let resolved = client
-        .resolve_root(CanonicalPath::canonicalize(root)?)
-        .await?;
-
-    // Only look for *.txt, *.html and *.subject files
-    let request = SubscribeRequest {
-        expression: Some(Expr::Suffix(vec![
-            "txt".into(),
-            "html".into(),
-            "subject".into(),
-        ])),
-        ..SubscribeRequest::default()
-    };
-
-    let (mut subscription, _) = client.subscribe::<NameOnly>(&resolved, request).await?;
-
-    tokio::spawn(async move {
-        loop {
-            let event = match subscription.next().await {
-                Ok(event) => event,
-                Err(error) => {
-                    error!(%error, "Stopped watching templates because of an error in the watchman subscription");
+/// Reload templates on SIGHUP
+pub fn register_sighup(templates: &Templates) -> anyhow::Result<()> {
+    #[cfg(unix)]
+    {
+        let mut signal = tokio::signal::unix::signal(tokio::signal::unix::SignalKind::hangup())?;
+        let templates = templates.clone();
+        tokio::spawn(async move {
+            loop {
+                if signal.recv().await.is_none() {
+                    // No more signals will be received, breaking
                     break;
-                }
-            };
+                };
 
-            if let SubscriptionData::FilesChanged(QueryResult {
-                files: Some(files), ..
-            }) = event
-            {
-                let files: Vec<_> = files.into_iter().map(|f| f.name.into_inner()).collect();
-                info!(?files, "Files changed, reloading templates");
+                info!("SIGHUP received, reloading templates");
 
                 templates.clone().reload().await.unwrap_or_else(|err| {
                     error!(?err, "Error while reloading templates");
                 });
             }
-        }
-    });
+        });
+    }
 
     Ok(())
 }

crates/config/Cargo.toml

@@ -14,7 +14,7 @@ thiserror = "1.0.44"
 anyhow = "1.0.72"
 
 camino = { version = "1.1.6", features = ["serde1"] }
-chrono = { version = "0.4.26", features = ["serde"] }
+chrono.workspace = true
 figment = { version = "0.10.10", features = ["env", "yaml", "test"] }
 schemars = { version = "0.8.12", features = ["url", "chrono"] }
 ulid = { version = "1.0.0", features = ["serde"] }

crates/data-model/Cargo.toml

@@ -6,7 +6,7 @@ edition = "2021"
 license = "Apache-2.0"
 
 [dependencies]
-chrono = "0.4.26"
+chrono.workspace = true
 thiserror = "1.0.44"
 serde = "1.0.183"
 url = { version = "2.4.0", features = ["serde"] }

crates/graphql/Cargo.toml

@@ -9,7 +9,7 @@ license = "Apache-2.0"
 anyhow = "1.0.72"
 async-graphql = { version = "6.0.1", features = ["chrono", "url"] }
 async-trait = "0.1.72"
-chrono = "0.4.26"
+chrono.workspace = true
 lettre = { version = "0.10.4", default-features = false  }
 serde = { version = "1.0.183", features = ["derive"] }
 thiserror = "1.0.44"

crates/handlers/Cargo.toml

@@ -50,7 +50,7 @@ zeroize = "1.6.0"
 
 # Various data types and utilities
 camino = "1.1.6"
-chrono = { version = "0.4.26", features = ["serde"] }
+chrono.workspace = true
 time = "0.3.25"
 url = { version = "2.4.0", features = ["serde"] }
 mime = "0.3.17"

crates/jose/Cargo.toml

@@ -7,7 +7,7 @@ license = "Apache-2.0"
 
 [dependencies]
 base64ct = { version = "1.6.0", features = ["std"] }
-chrono = { version = "0.4.26", features = ["serde"] }
+chrono.workspace = true
 digest = "0.10.7"
 ecdsa = { version = "0.16.8", features = ["signing", "verifying"] }
 elliptic-curve = "0.13.5"

crates/oauth2-types/Cargo.toml

@@ -14,7 +14,7 @@ url = { version = "2.4.0", features = ["serde"] }
 parse-display = "0.8.2"
 indoc = "2.0.3"
 serde_with = { version = "3.2.0", features = ["chrono"] }
-chrono = "0.4.26"
+chrono.workspace = true
 sha2 = "0.10.7"
 data-encoding = "2.4.0"
 thiserror = "1.0.44"

crates/oidc-client/Cargo.toml

@@ -20,7 +20,7 @@ keystore = ["dep:mas-keystore"]
 [dependencies]
 base64ct = { version = "1.6.0", features = ["std"] }
 bytes = "1.4.0"
-chrono = "0.4.26"
+chrono.workspace = true
 form_urlencoded = "1.2.0"
 futures = "0.3.28"
 futures-util = "0.3.28"

crates/storage-pg/Cargo.toml

@@ -10,7 +10,7 @@ async-trait = "0.1.72"
 sqlx = { version = "0.7.1", features = ["runtime-tokio-rustls", "postgres", "migrate", "chrono", "json", "uuid"] }
 sea-query = { version = "0.30.0", features = ["derive", "attr", "with-uuid", "with-chrono"] }
 sea-query-binder = { version = "0.5.0", features = ["sqlx-postgres", "with-uuid", "with-chrono"] }
-chrono = { version = "0.4.26", features = ["serde"] }
+chrono.workspace = true
 serde = { version = "1.0.183", features = ["derive"] }
 serde_json = "1.0.104"
 thiserror = "1.0.44"

crates/storage/Cargo.toml

@@ -7,7 +7,7 @@ license = "Apache-2.0"
 
 [dependencies]
 async-trait = "0.1.72"
-chrono = "0.4.26"
+chrono.workspace = true
 thiserror = "1.0.44"
 futures-util = "0.3.28"
 

crates/tasks/Cargo.toml

@@ -1,9 +1,9 @@
 [package]
 name = "mas-tasks"
 version = "0.1.0"
-authors = ["quentin gliech <quenting@element.io>"]
+authors = ["Quentin Gliech <quenting@element.io>"]
 edition = "2021"
-license = "apache-2.0"
+license = "Apache-2.0"
 
 [dependencies]
 anyhow = "1.0.72"
@@ -11,7 +11,7 @@ apalis-core = { version = "0.4.4", features = ["extensions", "tokio-comp", "stor
 apalis-cron = "0.4.4"
 async-stream = "0.3.5"
 async-trait = "0.1.72"
-chrono = "0.4.26"
+chrono.workspace = true
 event-listener = "2.5.3"
 futures-lite = "1.13.0"
 rand = "0.8.5"

crates/templates/Cargo.toml

@@ -12,13 +12,13 @@ tokio = { version = "1.30.0", features = ["macros", "rt", "fs"] }
 anyhow = "1.0.72"
 thiserror = "1.0.44"
 
-tera = "1.19.0"
+tera = { version = "1.19.0", default-features = false }
 serde = { version = "1.0.183", features = ["derive"] }
 serde_json = "1.0.104"
 serde_urlencoded = "0.7.1"
 
 camino = "1.1.6"
-chrono = "0.4.26"
+chrono.workspace = true
 url = "2.4.0"
 http = "0.2.9"
 ulid = { version = "1.0.0", features = ["serde"] }

crates/templates/src/lib.rs

@@ -100,12 +100,6 @@ pub enum TemplateLoadingError {
 }
 
 impl Templates {
-    /// Directories to watch
-    #[must_use]
-    pub fn watch_root(&self) -> &Utf8Path {
-        &self.path
-    }
-
     /// Load the templates from the given config
     #[tracing::instrument(
         name = "templates.load",

deny.toml

@@ -0,0 +1,99 @@
+targets = [
+    { triple = "x86_64-unknown-linux-gnu" },
+    { triple = "aarch64-unknown-linux-gnu" },
+    { triple = "x86_64-apple-darwin" },
+    { triple = "aarch64-apple-darwin" },
+]
+
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "warn"
+notice = "warn"
+ignore = [
+    # `wasmtime` depends on `mach`
+    # PR to migrate to `mach2`: https://github.com/bytecodealliance/wasmtime/pull/6164
+    "RUSTSEC-2020-0168",
+]
+
+[licenses]
+# Deny unlicensed crates and those with a copyleft license
+unlicensed = "deny"
+copyleft = "deny"
+default = "deny"
+
+# By default, allow all licenses that are OSI or FSF approved
+allow-osi-fsf-free = "both"
+allow = [
+    "MPL-2.0",
+    "0BSD", # Used by `quoted_printable`
+    "OpenSSL", # Used by `ring`
+    "Unicode-DFS-2016", # Used by `unicode-ident`
+]
+deny = []
+
+# Ring's license is a bit complicated, so we need to specify it manually
+[[licenses.clarify]]
+name = "ring"
+version = "*"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 }
+]
+
+[bans]
+# List of crates to deny
+deny = [
+    # We should never depend on openssl
+    { name = "openssl" },
+    { name = "openssl-sys" },
+    { name = "native-tls" },
+]
+
+# We try to avoid duplicating crates and track exceptions here
+multiple-versions = "warn"
+
+skip = [
+    { name = "webpki-roots" }, # We, lettre and sqlx have different versions :(
+    { name = "rustls-webpki" },
+    { name = "syn", version = "1.0.109" }, # There are a few crates still depdending on the 1.x
+    { name = "spin", version = "0.5.2" }, # lazy_static and ring depends on the old version
+    { name = "socket2", version = "0.4.9" }, # hyper depends on the old version
+    { name = "regex-syntax", version = "0.6.29" }, # tracing-subscriber[env-filter] -> matchers depends on the old version
+    { name = "regex-automata", version = "0.1.10" }, # ^
+    { name = "ordered-float", version = "2.10.0" }, # opentelemetry-jaeger -> thrift depends on the old version
+    { name = "rustix", version = "0.37.23" }, # wasmtime depends on the old version
+    { name = "object", version = "0.30.4" }, # wasmtime depends on the old version
+    { name = "memoffset", version = "0.8.0" }, # wasmtime depends on the old version
+    { name = "addr2line", version = "0.19.0" }, # wasmtime depends on the old version
+    { name = "itertools", version = "0.10.5" }, # wasmtime & others depends on the old version
+    { name = "idna", version = "0.3.0" }, # lettre depends on an old version
+    { name = "hashbrown" }, # Too many versions :(
+]
+
+skip-tree = [
+    # Let's ignore wiremock for now, we want to get rid of it
+    { name = "wiremock", depth = 3 },
+    { name = "rustix", version = "0.37.23", depth = 2 }, # wasmtime depends on the old version
+    { name = "darling", version = "0.14.4", depth = 2 }, # sea-query-attr depends on an old version
+]
+
+# We should never enable the (default) `oldtime` feature of `chrono`
+[[bans.features]]
+name = "chrono"
+deny = ["oldtime"]
+
+[sources]
+unknown-registry = "warn"
+unknown-git = "warn"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = [
+    # We depend on an unrelease version
+    "https://github.com/dylanhart/ulid-rs",
+]
+
+[sources.allow-org]
+# Allow our own crates
+github = ["matrix-org"]