wdevs/ResolveSpec
3
0
Fork 0
mirror of https://github.com/bitechdev/ResolveSpec.git synced 2026-01-20 17:44:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #6 from bitechdev/copilot/sub-pr-5

Browse Source 
Implement persistent certificate storage with reuse for self-signed SSL
This commit is contained in:
Hein Puth (Warkanum)
2025-12-30 13:27:50 +02:00
committed by GitHub
parent bc2fdc143b 4f8edd6469
commit 16d416030e
4 changed files with 193 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
go.mod
View File

@@ -12,6 +12,7 @@ require (
github.com/google/uuid v1.6.0 github.com/google/uuid v1.6.0
github.com/gorilla/mux v1.8.1 github.com/gorilla/mux v1.8.1
github.com/jackc/pgx/v5 v5.6.0 github.com/jackc/pgx/v5 v5.6.0
github.com/klauspost/compress v1.18.0
github.com/prometheus/client_golang v1.23.2 github.com/prometheus/client_golang v1.23.2
github.com/redis/go-redis/v9 v9.17.1 github.com/redis/go-redis/v9 v9.17.1
github.com/spf13/viper v1.21.0 github.com/spf13/viper v1.21.0
@@ -29,6 +30,7 @@ require (
go.opentelemetry.io/otel/sdk v1.38.0 go.opentelemetry.io/otel/sdk v1.38.0
go.opentelemetry.io/otel/trace v1.38.0 go.opentelemetry.io/otel/trace v1.38.0
go.uber.org/zap v1.27.0 go.uber.org/zap v1.27.0
golang.org/x/crypto v0.43.0
golang.org/x/time v0.14.0 golang.org/x/time v0.14.0
gorm.io/driver/postgres v1.6.0 gorm.io/driver/postgres v1.6.0
gorm.io/gorm v1.25.12 gorm.io/gorm v1.25.12
@@ -68,7 +70,6 @@ require (
github.com/jackc/puddle/v2 v2.2.2 // indirect github.com/jackc/puddle/v2 v2.2.2 // indirect
github.com/jinzhu/inflection v1.0.0 // indirect github.com/jinzhu/inflection v1.0.0 // indirect
github.com/jinzhu/now v1.1.5 // indirect github.com/jinzhu/now v1.1.5 // indirect
github.com/klauspost/compress v1.18.0 // indirect
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
github.com/magiconair/properties v1.8.10 // indirect github.com/magiconair/properties v1.8.10 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-isatty v0.0.20 // indirect
@@ -117,7 +118,6 @@ require (
go.uber.org/multierr v1.10.0 // indirect go.uber.org/multierr v1.10.0 // indirect
go.yaml.in/yaml/v2 v2.4.2 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.43.0 // indirect
golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 // indirect golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 // indirect
golang.org/x/net v0.45.0 // indirect golang.org/x/net v0.45.0 // indirect
golang.org/x/sync v0.18.0 // indirect golang.org/x/sync v0.18.0 // indirect

4
pkg/server/manager.go
View File

@@ -397,8 +397,8 @@ func (sm *serverManager) ServeWithGracefulShutdown() error {
type serverInstance struct { type serverInstance struct {
cfg Config cfg Config
gracefulServer *gracefulServer gracefulServer *gracefulServer
certFile string // Path to certificate file (may be temporary for self-signed) certFile string // Path to certificate file (may be persistent for self-signed)
keyFile string // Path to key file (may be temporary for self-signed) keyFile string // Path to key file (may be persistent for self-signed)
mu sync.RWMutex mu sync.RWMutex
running bool running bool
serverErr chan error serverErr chan error

71
pkg/server/manager_test.go
View File

@@ -6,6 +6,8 @@ import (
"io" "io"
"net" "net"
"net/http" "net/http"
"os"
"path/filepath"
"sync" "sync"
"testing" "testing"
"time" "time"
@@ -326,3 +328,72 @@ func TestShutdownCallbacks(t *testing.T) {
assert.True(t, executed, "Shutdown callback should have been executed") assert.True(t, executed, "Shutdown callback should have been executed")
} }
func TestSelfSignedSSLCertificateReuse(t *testing.T) {
logger.Init(true)
// Get expected cert directory location
cacheDir, err := os.UserCacheDir()
require.NoError(t, err)
certDir := filepath.Join(cacheDir, "resolvespec", "certs")
host := "localhost"
certFile := filepath.Join(certDir, fmt.Sprintf("%s-cert.pem", host))
keyFile := filepath.Join(certDir, fmt.Sprintf("%s-key.pem", host))
// Clean up any existing cert files from previous tests
os.Remove(certFile)
os.Remove(keyFile)
// First server creation - should generate new certificates
sm1 := NewManager()
testPort1 := getFreePort(t)
_, err = sm1.Add(Config{
Name: "SSLTestServer1",
Host: host,
Port: testPort1,
Handler: http.NewServeMux(),
SelfSignedSSL: true,
ShutdownTimeout: 5 * time.Second,
})
require.NoError(t, err)
// Verify certificates were created
_, err = os.Stat(certFile)
require.NoError(t, err, "certificate file should exist after first creation")
_, err = os.Stat(keyFile)
require.NoError(t, err, "key file should exist after first creation")
// Get modification time of cert file
info1, err := os.Stat(certFile)
require.NoError(t, err)
modTime1 := info1.ModTime()
// Wait a bit to ensure different modification times
time.Sleep(100 * time.Millisecond)
// Second server creation - should reuse existing certificates
sm2 := NewManager()
testPort2 := getFreePort(t)
_, err = sm2.Add(Config{
Name: "SSLTestServer2",
Host: host,
Port: testPort2,
Handler: http.NewServeMux(),
SelfSignedSSL: true,
ShutdownTimeout: 5 * time.Second,
})
require.NoError(t, err)
// Get modification time of cert file after second creation
info2, err := os.Stat(certFile)
require.NoError(t, err)
modTime2 := info2.ModTime()
// Verify the certificate was reused (same modification time)
assert.Equal(t, modTime1, modTime2, "certificate should be reused, not regenerated")
// Clean up
sm1.StopAll()
sm2.StopAll()
}

126
pkg/server/tls.go
View File

@@ -13,11 +13,15 @@ import (
"net" "net"
"os" "os"
"path/filepath" "path/filepath"
"sync"
"time" "time"
"golang.org/x/crypto/acme/autocert" "golang.org/x/crypto/acme/autocert"
) )
// certGenerationMutex protects concurrent certificate generation for the same host
var certGenerationMutex sync.Mutex
// generateSelfSignedCert generates a self-signed certificate for the given host. // generateSelfSignedCert generates a self-signed certificate for the given host.
// Returns the certificate and private key in PEM format. // Returns the certificate and private key in PEM format.
func generateSelfSignedCert(host string) (certPEM, keyPEM []byte, err error) { func generateSelfSignedCert(host string) (certPEM, keyPEM []byte, err error) {
@@ -75,27 +79,98 @@ func generateSelfSignedCert(host string) (certPEM, keyPEM []byte, err error) {
return certPEM, keyPEM, nil return certPEM, keyPEM, nil
} }
// saveCertToTempFiles saves certificate and key PEM data to temporary files. // sanitizeHostname converts a hostname to a safe filename by replacing invalid characters.
// Returns the file paths for the certificate and key. func sanitizeHostname(host string) string {
func saveCertToTempFiles(certPEM, keyPEM []byte) (certFile, keyFile string, err error) { // Replace any character that's not alphanumeric, dot, or dash with underscore
// Create temporary directory safe := ""
tmpDir, err := os.MkdirTemp("", "resolvespec-certs-*") for _, r := range host {
if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') || r == '.' || r == '-' {
safe += string(r)
} else {
safe += "_"
}
}
return safe
}
// getCertDirectory returns the directory path for storing self-signed certificates.
// Creates the directory if it doesn't exist.
func getCertDirectory() (string, error) {
// Use a consistent directory in the user's cache directory
cacheDir, err := os.UserCacheDir()
if err != nil { if err != nil {
return "", "", fmt.Errorf("failed to create temp directory: %w", err) // Fallback to current directory if cache dir is not available
cacheDir = "."
} }
certFile = filepath.Join(tmpDir, "cert.pem") certDir := filepath.Join(cacheDir, "resolvespec", "certs")
keyFile = filepath.Join(tmpDir, "key.pem")
// Create directory if it doesn't exist
if err := os.MkdirAll(certDir, 0700); err != nil {
return "", fmt.Errorf("failed to create certificate directory: %w", err)
}
return certDir, nil
}
// isCertificateValid checks if a certificate file exists and is not expired.
func isCertificateValid(certFile string) bool {
// Check if file exists
certData, err := os.ReadFile(certFile)
if err != nil {
return false
}
// Parse certificate
block, _ := pem.Decode(certData)
if block == nil {
return false
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return false
}
// Check if certificate is expired or will expire in the next 30 days
now := time.Now()
expiryThreshold := now.Add(30 * 24 * time.Hour)
if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
return false
}
// Renew if expiring soon
if expiryThreshold.After(cert.NotAfter) {
return false
}
return true
}
// saveCertToFiles saves certificate and key PEM data to persistent files.
// Returns the file paths for the certificate and key.
func saveCertToFiles(certPEM, keyPEM []byte, host string) (certFile, keyFile string, err error) {
// Get certificate directory
certDir, err := getCertDirectory()
if err != nil {
return "", "", err
}
// Sanitize hostname for safe file naming
safeHost := sanitizeHostname(host)
// Use consistent file names based on host
certFile = filepath.Join(certDir, fmt.Sprintf("%s-cert.pem", safeHost))
keyFile = filepath.Join(certDir, fmt.Sprintf("%s-key.pem", safeHost))
// Write certificate // Write certificate
if err := os.WriteFile(certFile, certPEM, 0600); err != nil { if err := os.WriteFile(certFile, certPEM, 0600); err != nil {
os.RemoveAll(tmpDir)
return "", "", fmt.Errorf("failed to write certificate: %w", err) return "", "", fmt.Errorf("failed to write certificate: %w", err)
} }
// Write key // Write key
if err := os.WriteFile(keyFile, keyPEM, 0600); err != nil { if err := os.WriteFile(keyFile, keyPEM, 0600); err != nil {
os.RemoveAll(tmpDir)
return "", "", fmt.Errorf("failed to write private key: %w", err) return "", "", fmt.Errorf("failed to write private key: %w", err)
} }
@@ -170,12 +245,41 @@ func configureTLS(cfg Config) (*tls.Config, string, string, error) {
host = "localhost" host = "localhost"
} }
// Sanitize hostname for safe file naming
safeHost := sanitizeHostname(host)
// Lock to prevent concurrent certificate generation for the same host
certGenerationMutex.Lock()
defer certGenerationMutex.Unlock()
// Get certificate directory
certDir, err := getCertDirectory()
if err != nil {
return nil, "", "", fmt.Errorf("failed to get certificate directory: %w", err)
}
// Check for existing valid certificates
certFile := filepath.Join(certDir, fmt.Sprintf("%s-cert.pem", safeHost))
keyFile := filepath.Join(certDir, fmt.Sprintf("%s-key.pem", safeHost))
// If valid certificates exist, reuse them
if isCertificateValid(certFile) {
// Verify key file also exists
if _, err := os.Stat(keyFile); err == nil {
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
}
return tlsConfig, certFile, keyFile, nil
}
}
// Generate new certificates
certPEM, keyPEM, err := generateSelfSignedCert(host) certPEM, keyPEM, err := generateSelfSignedCert(host)
if err != nil { if err != nil {
return nil, "", "", fmt.Errorf("failed to generate self-signed certificate: %w", err) return nil, "", "", fmt.Errorf("failed to generate self-signed certificate: %w", err)
} }
certFile, keyFile, err := saveCertToTempFiles(certPEM, keyPEM) certFile, keyFile, err = saveCertToFiles(certPEM, keyPEM, host)
if err != nil { if err != nil {
return nil, "", "", fmt.Errorf("failed to save self-signed certificate: %w", err) return nil, "", "", fmt.Errorf("failed to save self-signed certificate: %w", err)
} }