violet/certs/certs.go

package certs

import (
	"crypto/tls"
	"crypto/x509/pkix"
	"fmt"
	"github.com/1f349/violet/logger"
	"github.com/1f349/violet/utils"
	"github.com/mrmelon54/certgen"
	"github.com/mrmelon54/rescheduler"
	"io/fs"
	"math/big"
	"os"
	"strings"
	"sync"
	"sync/atomic"
	"time"
)

var Logger = logger.Logger.WithPrefix("Violet Certs")

// Certs is the certificate loader and management system.
type Certs struct {
	cDir fs.FS
	kDir fs.FS
	ss   bool
	s    *sync.RWMutex
	m    map[string]*tls.Certificate
	ca   *certgen.CertGen
	sn   atomic.Int64
	r    *rescheduler.Rescheduler
	t    *time.Ticker
	ts   chan struct{}
}

// New creates a new cert list
func New(certDir fs.FS, keyDir fs.FS, selfCert bool) *Certs {
	c := &Certs{
		cDir: certDir,
		kDir: keyDir,
		ss:   selfCert,
		s:    &sync.RWMutex{},
		m:    make(map[string]*tls.Certificate),
		ts:   make(chan struct{}, 1),
	}

	if !selfCert {
		// the rescheduler isn't even used in self cert mode so why initialise it
		c.r = rescheduler.NewRescheduler(c.threadCompile)

		c.t = time.NewTicker(2 * time.Hour)
		go func() {
			for {
				select {
				case <-c.t.C:
					c.Compile()
				case <-c.ts:
					return
				}
			}
		}()
	} else {
		// in self-signed mode generate a CA certificate to sign other certificates
		ca, err := certgen.MakeCaTls(4096, pkix.Name{
			Country:            []string{"GB"},
			Organization:       []string{"Violet"},
			OrganizationalUnit: []string{"Development"},
			SerialNumber:       "0",
			CommonName:         fmt.Sprintf("%d.violet.test", time.Now().Unix()),
		}, big.NewInt(0), func(now time.Time) time.Time {
			return now.AddDate(10, 0, 0)
		})
		if err != nil {
			logger.Logger.Fatal("Failed to generate CA cert for self-signed mode", "err", err)
		}
		c.ca = ca
	}
	return c
}

func (c *Certs) GetCertForDomain(domain string) *tls.Certificate {
	// safety read lock
	c.s.RLock()
	defer c.s.RUnlock()

	// lookup and return cert
	if cert, ok := c.m[domain]; ok {
		return cert
	}

	// if self-signed certificate is enabled then generate a certificate
	if c.ss {
		sn := c.sn.Add(1)
		serverTls, err := certgen.MakeServerTls(c.ca, 4096, pkix.Name{
			Country:            []string{"GB"},
			Organization:       []string{domain},
			OrganizationalUnit: []string{domain},
			SerialNumber:       fmt.Sprintf("%d", sn),
			CommonName:         domain,
		}, big.NewInt(sn), func(now time.Time) time.Time {
			return now.AddDate(10, 0, 0)
		}, []string{domain}, nil)
		if err != nil {
			return nil
		}

		// save the generated leaf for loading if the domain is requested again
		leaf := serverTls.GetTlsLeaf()
		c.m[domain] = &leaf
		return &leaf
	}

	// lookup and return wildcard cert
	if wildcardDomain, ok := utils.ReplaceSubdomainWithWildcard(domain); ok {
		if cert, ok := c.m[wildcardDomain]; ok {
			return cert
		}
	}

	// no cert found
	return nil
}

// Compile loads the certificates and keys from the directories.
//
// This method makes use of the rescheduler instead of just ignoring multiple
// calls.
func (c *Certs) Compile() {
	// don't bother compiling in self-signed mode
	if c.ss {
		return
	}
	c.r.Run()
}

func (c *Certs) Stop() {
	if c.t != nil {
		c.t.Stop()
	}
	close(c.ts)
}

func (c *Certs) threadCompile() {
	// new map
	certMap := make(map[string]*tls.Certificate)

	// compile map and check errors
	err := c.internalCompile(certMap)
	if err != nil {
		Logger.Infof("Compile failed: %s\n", err)
		return
	}

	// lock while replacing the map
	c.s.Lock()
	c.m = certMap
	c.s.Unlock()
}

// internalCompile is a hidden internal method for loading the certificate and
// key files
func (c *Certs) internalCompile(m map[string]*tls.Certificate) error {
	if c.cDir == nil {
		return nil
	}

	// try to read dir
	files, err := fs.ReadDir(c.cDir, ".")
	if err != nil {
		return fmt.Errorf("failed to read cert dir: %w", err)
	}

	Logger.Infof("Compiling lookup table for %d certificates\n", len(files))

	// find and parse certs
	for _, i := range files {
		// skip dirs
		if i.IsDir() {
			continue
		}

		// get file name and extension
		name := i.Name()
		if !strings.HasSuffix(name, ".cert.pem") {
			continue
		}
		keyName := name[:len(name)-len("cert.pem")] + "key.pem"

		// try to read cert file
		certData, err := fs.ReadFile(c.cDir, name)
		if err != nil {
			return fmt.Errorf("failed to read cert file '%s': %w", name, err)
		}

		// try to read key file
		keyData, err := fs.ReadFile(c.kDir, keyName)
		if err != nil {
			// ignore the file if the certificate doesn't exist
			if os.IsNotExist(err) {
				continue
			}
			return fmt.Errorf("failed to read key file '%s': %w", keyName, err)
		}

		// load key pair
		pair, err := tls.X509KeyPair(certData, keyData)
		if err != nil {
			return fmt.Errorf("failed to load x509 key pair '%s + %s': %w", name, keyName, err)
		}

		// load tls leaf
		cert := &pair
		leaf := certgen.TlsLeaf(cert)

		// save in map under each dns name
		for _, j := range leaf.DNSNames {
			m[j] = cert
		}
	}

	// well no errors happened
	return nil
}
Server config and comments 2023-04-22 18:11:21 +01:00			`package certs`

			`import (`
			`"crypto/tls"`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`"crypto/x509/pkix"`
Server config and comments 2023-04-22 18:11:21 +01:00			`"fmt"`
Transition to new logger 2024-05-13 19:33:33 +01:00			`"github.com/1f349/violet/logger"`
Rename module 2023-07-22 01:11:47 +01:00			`"github.com/1f349/violet/utils"`
Update dependencies 2024-04-20 16:17:32 +01:00			`"github.com/mrmelon54/certgen"`
			`"github.com/mrmelon54/rescheduler"`
Server config and comments 2023-04-22 18:11:21 +01:00			`"io/fs"`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`"math/big"`
Fix certificates not loading when key file exists 2023-07-16 21:17:15 +01:00			`"os"`
Read certificate and key for domain correctly 2023-07-11 15:12:59 +01:00			`"strings"`
Server config and comments 2023-04-22 18:11:21 +01:00			`"sync"`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`"sync/atomic"`
			`"time"`
Server config and comments 2023-04-22 18:11:21 +01:00			`)`

Transition to new logger 2024-05-13 19:33:33 +01:00			`var Logger = logger.Logger.WithPrefix("Violet Certs")`

Comments! 2023-04-24 01:35:23 +01:00			`// Certs is the certificate loader and management system.`
Server config and comments 2023-04-22 18:11:21 +01:00			`type Certs struct {`
			`cDir fs.FS`
			`kDir fs.FS`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`ss bool`
Server config and comments 2023-04-22 18:11:21 +01:00			`s *sync.RWMutex`
			`m map[string]*tls.Certificate`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`ca *certgen.CertGen`
			`sn atomic.Int64`
Rework compilable system with the rescheduler library 2023-06-20 16:48:04 +01:00			`r *rescheduler.Rescheduler`
Try to reload certificates every 2 hours 2024-01-14 14:00:54 +00:00			`t *time.Ticker`
			`ts chan struct{}`
Server config and comments 2023-04-22 18:11:21 +01:00			`}`

Comments! 2023-04-24 01:35:23 +01:00			`// New creates a new cert list`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`func New(certDir fs.FS, keyDir fs.FS, selfCert bool) *Certs {`
			`c := &Certs{`
Server config and comments 2023-04-22 18:11:21 +01:00			`cDir: certDir,`
			`kDir: keyDir,`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`ss: selfCert,`
Server config and comments 2023-04-22 18:11:21 +01:00			`s: &sync.RWMutex{},`
			`m: make(map[string]*tls.Certificate),`
Try to reload certificates every 2 hours 2024-01-14 14:00:54 +00:00			`ts: make(chan struct{}, 1),`
Server config and comments 2023-04-22 18:11:21 +01:00			`}`
Read start up config from a config file 2023-06-21 11:20:20 +01:00
			`if !selfCert {`
Try to reload certificates every 2 hours 2024-01-14 14:00:54 +00:00			`// the rescheduler isn't even used in self cert mode so why initialise it`
Read start up config from a config file 2023-06-21 11:20:20 +01:00			`c.r = rescheduler.NewRescheduler(c.threadCompile)`
Rework compilable system with the rescheduler library 2023-06-20 16:48:04 +01:00
Try to reload certificates every 2 hours 2024-01-14 14:00:54 +00:00			`c.t = time.NewTicker(2 * time.Hour)`
			`go func() {`
			`for {`
			`select {`
			`case <-c.t.C:`
			`c.Compile()`
			`case <-c.ts:`
			`return`
			`}`
			`}`
			`}()`
			`} else {`
			`// in self-signed mode generate a CA certificate to sign other certificates`
Add wildcard route test and update certgen library 2023-06-19 16:27:36 +01:00			`ca, err := certgen.MakeCaTls(4096, pkix.Name{`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`Country: []string{"GB"},`
			`Organization: []string{"Violet"},`
			`OrganizationalUnit: []string{"Development"},`
			`SerialNumber: "0",`
			`CommonName: fmt.Sprintf("%d.violet.test", time.Now().Unix()),`
Add wildcard route test and update certgen library 2023-06-19 16:27:36 +01:00			`}, big.NewInt(0), func(now time.Time) time.Time {`
			`return now.AddDate(10, 0, 0)`
			`})`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`if err != nil {`
Transition to new logger 2024-05-13 19:33:33 +01:00			`logger.Logger.Fatal("Failed to generate CA cert for self-signed mode", "err", err)`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`}`
			`c.ca = ca`
			`}`
			`return c`
Server config and comments 2023-04-22 18:11:21 +01:00			`}`

			`func (c Certs) GetCertForDomain(domain string) tls.Certificate {`
			`// safety read lock`
			`c.s.RLock()`
			`defer c.s.RUnlock()`

			`// lookup and return cert`
			`if cert, ok := c.m[domain]; ok {`
			`return cert`
			`}`

Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`// if self-signed certificate is enabled then generate a certificate`
			`if c.ss {`
			`sn := c.sn.Add(1)`
Add wildcard route test and update certgen library 2023-06-19 16:27:36 +01:00			`serverTls, err := certgen.MakeServerTls(c.ca, 4096, pkix.Name{`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`Country: []string{"GB"},`
			`Organization: []string{domain},`
			`OrganizationalUnit: []string{domain},`
			`SerialNumber: fmt.Sprintf("%d", sn),`
			`CommonName: domain,`
Add wildcard route test and update certgen library 2023-06-19 16:27:36 +01:00			`}, big.NewInt(sn), func(now time.Time) time.Time {`
			`return now.AddDate(10, 0, 0)`
			`}, []string{domain}, nil)`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`if err != nil {`
			`return nil`
			`}`
Rework compilable system with the rescheduler library 2023-06-20 16:48:04 +01:00
			`// save the generated leaf for loading if the domain is requested again`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`leaf := serverTls.GetTlsLeaf()`
			`c.m[domain] = &leaf`
			`return &leaf`
			`}`

Server config and comments 2023-04-22 18:11:21 +01:00			`// lookup and return wildcard cert`
			`if wildcardDomain, ok := utils.ReplaceSubdomainWithWildcard(domain); ok {`
			`if cert, ok := c.m[wildcardDomain]; ok {`
			`return cert`
			`}`
			`}`

			`// no cert found`
			`return nil`
			`}`

Rework compilable system with the rescheduler library 2023-06-20 16:48:04 +01:00			`// Compile loads the certificates and keys from the directories.`
			`//`
			`// This method makes use of the rescheduler instead of just ignoring multiple`
			`// calls.`
Server config and comments 2023-04-22 18:11:21 +01:00			`func (c *Certs) Compile() {`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00			`// don't bother compiling in self-signed mode`
			`if c.ss {`
			`return`
			`}`
Rework compilable system with the rescheduler library 2023-06-20 16:48:04 +01:00			`c.r.Run()`
			`}`
Add Ctrl+C handling, self-signed mode for devs and fix some bugs in routing 2023-04-24 15:36:21 +01:00
Try to reload certificates every 2 hours 2024-01-14 14:00:54 +00:00			`func (c *Certs) Stop() {`
			`if c.t != nil {`
			`c.t.Stop()`
			`}`
			`close(c.ts)`
			`}`

Rework compilable system with the rescheduler library 2023-06-20 16:48:04 +01:00			`func (c *Certs) threadCompile() {`
			`// new map`
			`certMap := make(map[string]*tls.Certificate)`
Create tables and load favicons 2023-04-22 22:18:39 +01:00
Rework compilable system with the rescheduler library 2023-06-20 16:48:04 +01:00			`// compile map and check errors`
			`err := c.internalCompile(certMap)`
			`if err != nil {`
Transition to new logger 2024-05-13 19:33:33 +01:00			`Logger.Infof("Compile failed: %s\n", err)`
Rework compilable system with the rescheduler library 2023-06-20 16:48:04 +01:00			`return`
			`}`
Comments! 2023-04-24 01:35:23 +01:00
Rework compilable system with the rescheduler library 2023-06-20 16:48:04 +01:00			`// lock while replacing the map`
			`c.s.Lock()`
			`c.m = certMap`
			`c.s.Unlock()`
Server config and comments 2023-04-22 18:11:21 +01:00			`}`

Comments! 2023-04-24 01:35:23 +01:00			`// internalCompile is a hidden internal method for loading the certificate and`
			`// key files`
Server config and comments 2023-04-22 18:11:21 +01:00			`func (c Certs) internalCompile(m map[string]tls.Certificate) error {`
Write lots of tests 2023-06-04 22:28:48 +01:00			`if c.cDir == nil {`
			`return nil`
			`}`

Server config and comments 2023-04-22 18:11:21 +01:00			`// try to read dir`
Add certificate tests 2023-06-05 22:23:28 +01:00			`files, err := fs.ReadDir(c.cDir, ".")`
Server config and comments 2023-04-22 18:11:21 +01:00			`if err != nil {`
			`return fmt.Errorf("failed to read cert dir: %w", err)`
			`}`

Transition to new logger 2024-05-13 19:33:33 +01:00			`Logger.Infof("Compiling lookup table for %d certificates\n", len(files))`
Server config and comments 2023-04-22 18:11:21 +01:00
			`// find and parse certs`
			`for _, i := range files {`
			`// skip dirs`
			`if i.IsDir() {`
			`continue`
			`}`

			`// get file name and extension`
			`name := i.Name()`
Read certificate and key for domain correctly 2023-07-11 15:12:59 +01:00			`if !strings.HasSuffix(name, ".cert.pem") {`
			`continue`
			`}`
			`keyName := name[:len(name)-len("cert.pem")] + "key.pem"`
Server config and comments 2023-04-22 18:11:21 +01:00
			`// try to read cert file`
			`certData, err := fs.ReadFile(c.cDir, name)`
			`if err != nil {`
			`return fmt.Errorf("failed to read cert file '%s': %w", name, err)`
			`}`

			`// try to read key file`
			`keyData, err := fs.ReadFile(c.kDir, keyName)`
			`if err != nil {`
Fix certificates not loading when key file exists 2023-07-16 21:17:15 +01:00			`// ignore the file if the certificate doesn't exist`
			`if os.IsNotExist(err) {`
			`continue`
			`}`
Server config and comments 2023-04-22 18:11:21 +01:00			`return fmt.Errorf("failed to read key file '%s': %w", keyName, err)`
			`}`

			`// load key pair`
			`pair, err := tls.X509KeyPair(certData, keyData)`
			`if err != nil {`
			`return fmt.Errorf("failed to load x509 key pair '%s + %s': %w", name, keyName, err)`
			`}`

			`// load tls leaf`
			`cert := &pair`
			`leaf := certgen.TlsLeaf(cert)`

			`// save in map under each dns name`
			`for _, j := range leaf.DNSNames {`
			`m[j] = cert`
			`}`
			`}`

			`// well no errors happened`
			`return nil`
			`}`