feat: Switch default features so a user must select SSL backend

Author: dsteeley

.github/workflows/samples-rust-server.yaml

@@ -64,11 +64,13 @@ jobs:
             if cargo read-manifest | grep -q '"validate"'; then
               cargo build --features validate --all-targets
             fi
-            # Client without TLS (HTTP-only)
+            # Test TLS features if they exist
             if cargo read-manifest | grep -q '"client-tls"'; then
+              # Client without TLS (HTTP-only)
               cargo build --no-default-features --features=client --lib
-              # Client with selective TLS backend
+              # Client with TLS (using native-tls)
               cargo build --no-default-features --features=client,client-tls --lib
+              # Server without TLS
               cargo build --no-default-features --features=server --lib
             fi
             cargo fmt

modules/openapi-generator/src/main/resources/rust-server/Cargo.mustache

@@ -32,7 +32,7 @@ homepage = "{{.}}"
 {{/homePageUrl}}
 
 [features]
-default = ["client", "server", "client-tls", "client-openssl"]
+default = ["client", "server"]
 client = [
 {{#apiUsesMultipartFormData}}
     "multipart", "multipart/client", "swagger/multipart_form",
@@ -49,16 +49,16 @@ client = [
 {{! Anything added to the list below, should probably be added to the callbacks list below }}
     "hyper", "percent-encoding", "hyper-util/http1", "hyper-util/http2", "url"
 ]
-# TLS support using native-tls (macOS/Windows/iOS) or hyper-tls
+# TLS support - automatically selects backend based on target OS:
+# - macOS/Windows/iOS: native-tls via hyper-tls
+# - Other platforms: OpenSSL via hyper-openssl
+# Dependencies are in target-specific sections below
 client-tls = [
     "client",
-    "hyper-tls", "native-tls",
-    "swagger/tls"
-]
-# TLS support using OpenSSL (Linux and other platforms)
-client-openssl = [
-    "client",
-    "hyper-openssl", "openssl",
+    "dep:native-tls",
+    "dep:hyper-tls",
+    "dep:openssl",
+    "dep:hyper-openssl",
     "swagger/tls"
 ]
 server = [
@@ -69,7 +69,6 @@ server = [
     "mime_multipart", "swagger/multipart_related",
 {{/apiUsesMultipartRelated}}
 {{#hasCallbacks}}
-    "client-tls",
 {{/hasCallbacks}}
 {{! Anything added to the list below, should probably be added to the callbacks list above }}
    "serde_ignored", "hyper", "percent-encoding", "url",
@@ -86,14 +85,6 @@ conversion = ["frunk", "frunk_derives", "frunk_core", "frunk-enum-core", "frunk-
 mock = ["mockall"]
 validate = [{{^apiUsesByteArray}}"regex",{{/apiUsesByteArray}} "serde_valid", "swagger/serdevalid"]
 
-[target.'cfg(any(target_os = "macos", target_os = "windows", target_os = "ios"))'.dependencies]
-native-tls = { version = "0.2", optional = true }
-hyper-tls = { version = "0.6", optional = true }
-
-[target.'cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))'.dependencies]
-hyper-openssl = { version = "0.10", optional = true }
-openssl = { version = "0.10", optional = true }
-
 [dependencies]
 # Common
 async-trait = "0.1.88"
@@ -145,6 +136,12 @@ serde_urlencoded = { version = "0.7.1", optional = true }
 {{/usesUrlEncodedForm}}
 tower-service = "0.3.3"
 
+# TLS support - all listed here, actual usage determined by cfg attributes in code
+native-tls = { version = "0.2", optional = true }
+hyper-tls = { version = "0.6", optional = true }
+openssl = { version = "0.10", optional = true }
+hyper-openssl = { version = "0.10", optional = true }
+
 # Server, and client callback-specific
 {{^apiUsesByteArray}}
 lazy_static = { version = "1.5", optional = true }
@@ -175,15 +172,13 @@ clap = "4.5"
 env_logger = "0.11"
 tokio = { version = "1.49", features = ["full"] }
 native-tls = "0.2"
+openssl = "0.10"
+tokio-openssl = "0.6"
 pin-project = "1.1.10"
 
 # Bearer authentication, used in examples
 jsonwebtoken = {version = "10.0.0", features = ["rust_crypto"]}
 
-[target.'cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))'.dev-dependencies]
-tokio-openssl = "0.6"
-openssl = "0.10"
-
 [[example]]
 name = "client"
 required-features = ["client"]

modules/openapi-generator/src/main/resources/rust-server/README.mustache

@@ -127,11 +127,10 @@ The generated library has a few optional features that can be activated through
     * This defaults to enabled and creates the basic skeleton of a client implementation based on hyper
     * The constructed client implements the API trait by making remote API call.
 * `client-tls`
-    * This defaults to enabled and provides HTTPS support using native-tls (macOS/Windows/iOS).
-    * Enable this feature for TLS support on Apple and Windows platforms.
-* `client-openssl`
-    * This defaults to enabled and provides HTTPS support using OpenSSL (Linux and other platforms).
-    * Enable this feature for TLS support on Linux and other Unix-like platforms.
+    * Optional feature that provides HTTPS support with automatic TLS backend selection:
+        - macOS/Windows/iOS: native-tls + hyper-tls
+        - Linux/Unix/others: OpenSSL + hyper-openssl
+    * Not enabled by default to minimize dependencies.
 * `conversions`
     * This defaults to disabled and creates extra derives on models to allow "transmogrification" between objects of structurally similar types.
 * `cli`
@@ -140,22 +139,27 @@ The generated library has a few optional features that can be activated through
     * This defaults to disabled and allows JSON Schema validation of received data using `MakeService::set_validation` or `Service::set_validation`.
     * Note, enabling validation will have a performance penalty, especially if the API heavily uses regex based checks.
 
-### Minimal dependencies (no TLS)
+### Enabling HTTPS/TLS Support
 
-If you only need HTTP support and want to minimize dependencies (e.g., to avoid OpenSSL build requirements), you can disable the default TLS features:
+By default, only HTTP support is included. To enable HTTPS, add the `client-tls` feature:
 
 ```toml
 [dependencies]
-{{{packageName}}} = { version = "{{{packageVersion}}}", default-features = false, features = ["server"] }
+{{{packageName}}} = { version = "{{{packageVersion}}}", features = ["client-tls"] }
 ```
 
-Or for client-only without TLS:
-
+**For server with callbacks that need HTTPS:**
 ```toml
 [dependencies]
-{{{packageName}}} = { version = "{{{packageVersion}}}", default-features = false, features = ["client"] }
+{{{packageName}}} = { version = "{{{packageVersion}}}", features = ["server", "client-tls"] }
 ```
 
+The TLS backend is automatically selected based on your target platform:
+- **macOS, Windows, iOS**: Uses `native-tls` (system TLS libraries)
+- **Linux, Unix, other platforms**: Uses `openssl`
+
+This ensures the best compatibility and native integration on each platform.
+
 See https://doc.rust-lang.org/cargo/reference/manifest.html#the-features-section for how to use features in your `Cargo.toml`.
 
 ## Documentation for API Endpoints

modules/openapi-generator/src/main/resources/rust-server/bin-cli.mustache

@@ -44,21 +44,6 @@ struct Cli {
     #[clap(short = 'a', long, default_value = "http://localhost")]
     server_address: String,
 
-    /// Path to the client private key if using client-side TLS authentication
-    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
-    #[clap(long, requires_all(&["client_certificate", "server_certificate"]))]
-    client_key: Option<String>,
-
-    /// Path to the client's public certificate associated with the private key
-    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
-    #[clap(long, requires_all(&["client_key", "server_certificate"]))]
-    client_certificate: Option<String>,
-
-    /// Path to CA certificate used to authenticate the server
-    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
-    #[clap(long)]
-    server_certificate: Option<String>,
-
     /// If set, write output to file instead of stdout
     #[clap(short, long)]
     output_file: Option<String>,
@@ -130,34 +115,11 @@ enum Operation {
 {{/apiInfo}}
 }
 
-#[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
-fn create_client(args: &Cli, context: ClientContext) -> Result<Box<dyn ApiNoContext<ClientContext>>> {
-    if args.client_certificate.is_some() {
-        debug!("Using mutual TLS");
-        let client = Client::try_new_https_mutual(
-            &args.server_address,
-            args.server_certificate.clone().unwrap(),
-            args.client_key.clone().unwrap(),
-            args.client_certificate.clone().unwrap(),
-        )
-        .context("Failed to create HTTPS client")?;
-        Ok(Box::new(client.with_context(context)))
-    } else if args.server_certificate.is_some() {
-        debug!("Using TLS with pinned server certificate");
-        let client =
-            Client::try_new_https_pinned(&args.server_address, args.server_certificate.clone().unwrap())
-                .context("Failed to create HTTPS client")?;
-        Ok(Box::new(client.with_context(context)))
-    } else {
-        debug!("Using client without certificates");
-        let client =
-            Client::try_new(&args.server_address).context("Failed to create HTTP(S) client")?;
-        Ok(Box::new(client.with_context(context)))
-    }
-}
-
-#[cfg(any(target_os = "macos", target_os = "windows", target_os = "ios"))]
 fn create_client(args: &Cli, context: ClientContext) -> Result<Box<dyn ApiNoContext<ClientContext>>> {
+    // Client::try_new() automatically detects the URL scheme (http:// or https://)
+    // and creates the appropriate client.
+    // - With client-tls feature: Supports both http:// and https:// URLs
+    // - Without TLS features: Only supports http://, returns error for https://
     let client =
         Client::try_new(&args.server_address).context("Failed to create HTTP(S) client")?;
     Ok(Box::new(client.with_context(context)))

modules/openapi-generator/src/main/resources/rust-server/client-mod.mustache

@@ -121,11 +121,8 @@ impl<Connector, C> Client<
 #[derive(Debug, Clone)]
 pub enum HyperClient {
     Http(hyper_util::client::legacy::Client<hyper_util::client::legacy::connect::HttpConnector, BoxBody<Bytes, Infallible>>),
-    #[cfg(any(
-        all(feature = "client-tls", any(target_os = "macos", target_os = "windows", target_os = "ios")),
-        all(feature = "client-openssl", not(any(target_os = "macos", target_os = "windows", target_os = "ios")))
-    ))]
-    Https(hyper_util::client::legacy::Client<HttpsConnector, BoxBody<Bytes, Infallible>>),
+    #[cfg(feature = "client-tls")]
+    Https(hyper_util::client::legacy::Client<hyper_tls::HttpsConnector<hyper_util::client::legacy::connect::HttpConnector>, BoxBody<Bytes, Infallible>>),
 }
 
 impl Service<Request<BoxBody<Bytes, Infallible>>> for HyperClient {
@@ -136,10 +133,7 @@ impl Service<Request<BoxBody<Bytes, Infallible>>> for HyperClient {
     fn call(&self, req: Request<BoxBody<Bytes, Infallible>>) -> Self::Future {
        match self {
           HyperClient::Http(client) => client.request(req),
-          #[cfg(any(
-              all(feature = "client-tls", any(target_os = "macos", target_os = "windows", target_os = "ios")),
-              all(feature = "client-openssl", not(any(target_os = "macos", target_os = "windows", target_os = "ios")))
-          ))]
+          #[cfg(feature = "client-tls")]
           HyperClient::Https(client) => client.request(req),
        }
     }
@@ -166,20 +160,15 @@ impl<C> Client<DropContextService<HyperClient, C>, C> where
             "http" => {
                 HyperClient::Http(hyper_util::client::legacy::Client::builder(hyper_util::rt::TokioExecutor::new()).build(connector.build()))
             },
-            #[cfg(any(
-                all(feature = "client-tls", any(target_os = "macos", target_os = "windows", target_os = "ios")),
-                all(feature = "client-openssl", not(any(target_os = "macos", target_os = "windows", target_os = "ios")))
-            ))]
+            #[cfg(feature = "client-tls")]
             "https" => {
-                let connector = connector.https()
-                   .build()
-                   .map_err(ClientInitError::SslError)?;
-                HyperClient::Https(hyper_util::client::legacy::Client::builder(hyper_util::rt::TokioExecutor::new()).build(connector))
+                // Build native-tls connector directly to avoid ambiguity with OpenSSL
+                let mut http_connector = hyper_util::client::legacy::connect::HttpConnector::new();
+                http_connector.enforce_http(false);
+                let https_connector = hyper_tls::HttpsConnector::new_with_connector(http_connector);
+                HyperClient::Https(hyper_util::client::legacy::Client::builder(hyper_util::rt::TokioExecutor::new()).build(https_connector))
             },
-            #[cfg(not(any(
-                all(feature = "client-tls", any(target_os = "macos", target_os = "windows", target_os = "ios")),
-                all(feature = "client-openssl", not(any(target_os = "macos", target_os = "windows", target_os = "ios")))
-            )))]
+            #[cfg(not(feature = "client-tls"))]
             "https" => {
                 return Err(ClientInitError::TlsNotEnabled);
             },
@@ -225,21 +214,12 @@ impl<C> Client<
     }
 }
 
-#[cfg(all(feature = "client-tls", any(target_os = "macos", target_os = "windows", target_os = "ios")))]
-type HttpsConnector = hyper_tls::HttpsConnector<hyper_util::client::legacy::connect::HttpConnector>;
-
-#[cfg(all(feature = "client-openssl", not(any(target_os = "macos", target_os = "windows", target_os = "ios"))))]
-type HttpsConnector = hyper_openssl::client::legacy::HttpsConnector<hyper_util::client::legacy::connect::HttpConnector>;
-
-#[cfg(any(
-    all(feature = "client-tls", any(target_os = "macos", target_os = "windows", target_os = "ios")),
-    all(feature = "client-openssl", not(any(target_os = "macos", target_os = "windows", target_os = "ios")))
-))]
+#[cfg(feature = "client-tls")]
 impl<C> Client<
     DropContextService<
         hyper_util::service::TowerToHyperService<
             hyper_util::client::legacy::Client<
-                HttpsConnector,
+                hyper_tls::HttpsConnector<hyper_util::client::legacy::connect::HttpConnector>,
                 BoxBody<Bytes, Infallible>
             >
         >,
@@ -252,62 +232,13 @@ impl<C> Client<
     /// Create a client with a TLS connection to the server
     ///
     /// # Arguments
-    /// * `base_path` - base path of the client API, i.e. "<http://www.my-api-implementation.com>"
+    /// * `base_path` - base path of the client API, i.e. "<https://www.my-api-implementation.com>"
     pub fn try_new_https(base_path: &str) -> Result<Self, ClientInitError>
     {
-        let https_connector = Connector::builder()
-            .https()
-            .build()
-            .map_err(ClientInitError::SslError)?;
-        Self::try_new_with_connector(base_path, Some("https"), https_connector)
-    }
-
-    /// Create a client with a TLS connection to the server using a pinned certificate
-    ///
-    /// # Arguments
-    /// * `base_path` - base path of the client API, i.e. "<http://www.my-api-implementation.com>"
-    /// * `ca_certificate` - Path to CA certificate used to authenticate the server
-    #[cfg(all(feature = "client-openssl", not(any(target_os = "macos", target_os = "windows", target_os = "ios"))))]
-    pub fn try_new_https_pinned<CA>(
-        base_path: &str,
-        ca_certificate: CA,
-    ) -> Result<Self, ClientInitError>
-    where
-        CA: AsRef<Path>,
-    {
-        let https_connector = Connector::builder()
-            .https()
-            .pin_server_certificate(ca_certificate)
-            .build()
-            .map_err(ClientInitError::SslError)?;
-        Self::try_new_with_connector(base_path, Some("https"), https_connector)
-    }
-
-    /// Create a client with a mutually authenticated TLS connection to the server.
-    ///
-    /// # Arguments
-    /// * `base_path` - base path of the client API, i.e. "<http://www.my-api-implementation.com>"
-    /// * `ca_certificate` - Path to CA certificate used to authenticate the server
-    /// * `client_key` - Path to the client private key
-    /// * `client_certificate` - Path to the client's public certificate associated with the private key
-    #[cfg(all(feature = "client-openssl", not(any(target_os = "macos", target_os = "windows", target_os = "ios"))))]
-    pub fn try_new_https_mutual<CA, K, D>(
-        base_path: &str,
-        ca_certificate: CA,
-        client_key: K,
-        client_certificate: D,
-    ) -> Result<Self, ClientInitError>
-    where
-        CA: AsRef<Path>,
-        K: AsRef<Path>,
-        D: AsRef<Path>,
-    {
-        let https_connector = Connector::builder()
-            .https()
-            .pin_server_certificate(ca_certificate)
-            .client_authentication(client_key, client_certificate)
-            .build()
-            .map_err(ClientInitError::SslError)?;
+        // Build native-tls connector directly
+        let mut http_connector = hyper_util::client::legacy::connect::HttpConnector::new();
+        http_connector.enforce_http(false);
+        let https_connector = hyper_tls::HttpsConnector::new_with_connector(http_connector);
         Self::try_new_with_connector(base_path, Some("https"), https_connector)
     }
 }
@@ -352,12 +283,8 @@ pub enum ClientInitError {
     TlsNotEnabled,
 
     /// SSL Connection Error
-    #[cfg(all(feature = "client-tls", any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+    #[cfg(feature = "client-tls")]
     SslError(native_tls::Error),
-
-    /// SSL Connection Error
-    #[cfg(all(feature = "client-openssl", not(any(target_os = "macos", target_os = "windows", target_os = "ios"))))]
-    SslError(openssl::error::ErrorStack),
 }
 
 impl From<hyper::http::uri::InvalidUri> for ClientInitError {