mirror of
https://github.com/TwiN/gatus.git
synced 2024-12-14 11:58:04 +00:00
refactor: Modify implementation of TLS (#457)
* refactor: Don't generate certificates programmatically * build: Add testdata folder to .dockerignore
This commit is contained in:
parent
636688b43e
commit
83edca6e80
10 changed files with 109 additions and 143 deletions
|
@ -5,3 +5,4 @@ Dockerfile
|
||||||
.git
|
.git
|
||||||
web/app
|
web/app
|
||||||
*.db
|
*.db
|
||||||
|
testdata
|
|
@ -2,6 +2,7 @@ package web
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"math"
|
"math"
|
||||||
)
|
)
|
||||||
|
@ -23,20 +24,18 @@ type Config struct {
|
||||||
// Port to listen on (default to 8080 specified by DefaultPort)
|
// Port to listen on (default to 8080 specified by DefaultPort)
|
||||||
Port int `yaml:"port"`
|
Port int `yaml:"port"`
|
||||||
|
|
||||||
// TLS configuration
|
// TLS configuration (optional)
|
||||||
Tls TLSConfig `yaml:"tls"`
|
TLS *TLSConfig `yaml:"tls,omitempty"`
|
||||||
|
|
||||||
tlsConfig *tls.Config
|
|
||||||
tlsConfigError error
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type TLSConfig struct {
|
type TLSConfig struct {
|
||||||
|
// CertificateFile is the public certificate for TLS in PEM format.
|
||||||
// Optional public certificate for TLS in PEM format.
|
|
||||||
CertificateFile string `yaml:"certificate-file,omitempty"`
|
CertificateFile string `yaml:"certificate-file,omitempty"`
|
||||||
|
|
||||||
// Optional private key file for TLS in PEM format.
|
// PrivateKeyFile is the private key file for TLS in PEM format.
|
||||||
PrivateKeyFile string `yaml:"private-key-file,omitempty"`
|
PrivateKeyFile string `yaml:"private-key-file,omitempty"`
|
||||||
|
|
||||||
|
tlsConfig *tls.Config
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetDefaultConfig returns a Config struct with the default values
|
// GetDefaultConfig returns a Config struct with the default values
|
||||||
|
@ -57,10 +56,11 @@ func (web *Config) ValidateAndSetDefaults() error {
|
||||||
return fmt.Errorf("invalid port: value should be between %d and %d", 0, math.MaxUint16)
|
return fmt.Errorf("invalid port: value should be between %d and %d", 0, math.MaxUint16)
|
||||||
}
|
}
|
||||||
// Try to load the TLS certificates
|
// Try to load the TLS certificates
|
||||||
_, err := web.TLSConfig()
|
if web.TLS != nil {
|
||||||
if err != nil {
|
if err := web.TLS.loadConfig(); err != nil {
|
||||||
return fmt.Errorf("invalid tls config: %w", err)
|
return fmt.Errorf("invalid tls config: %w", err)
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -69,18 +69,21 @@ func (web *Config) SocketAddress() string {
|
||||||
return fmt.Sprintf("%s:%d", web.Address, web.Port)
|
return fmt.Sprintf("%s:%d", web.Address, web.Port)
|
||||||
}
|
}
|
||||||
|
|
||||||
// TLSConfig returns a tls.Config object for serving over an encrypted channel
|
func (t *TLSConfig) loadConfig() error {
|
||||||
func (web *Config) TLSConfig() (*tls.Config, error) {
|
if len(t.CertificateFile) > 0 && len(t.PrivateKeyFile) > 0 {
|
||||||
if web.tlsConfig == nil && len(web.Tls.CertificateFile) > 0 && len(web.Tls.PrivateKeyFile) > 0 {
|
certificate, err := tls.LoadX509KeyPair(t.CertificateFile, t.PrivateKeyFile)
|
||||||
web.loadTLSConfig()
|
if err != nil {
|
||||||
|
return err
|
||||||
}
|
}
|
||||||
return web.tlsConfig, web.tlsConfigError
|
t.tlsConfig = &tls.Config{Certificates: []tls.Certificate{certificate}}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return errors.New("certificate-file and private-key-file must be specified")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (web *Config) loadTLSConfig() {
|
func (web *Config) TLSConfig() *tls.Config {
|
||||||
cer, err := tls.LoadX509KeyPair(web.Tls.CertificateFile, web.Tls.PrivateKeyFile)
|
if web.TLS != nil {
|
||||||
if err != nil {
|
return web.TLS.tlsConfig
|
||||||
web.tlsConfigError = err
|
|
||||||
}
|
}
|
||||||
web.tlsConfig = &tls.Config{Certificates: []tls.Certificate{cer}}
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,8 +2,6 @@ package web
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/TwiN/gatus/v5/test"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestGetDefaultConfig(t *testing.T) {
|
func TestGetDefaultConfig(t *testing.T) {
|
||||||
|
@ -14,7 +12,7 @@ func TestGetDefaultConfig(t *testing.T) {
|
||||||
if defaultConfig.Address != DefaultAddress {
|
if defaultConfig.Address != DefaultAddress {
|
||||||
t.Error("expected default config to have the default address")
|
t.Error("expected default config to have the default address")
|
||||||
}
|
}
|
||||||
if defaultConfig.Tls != (TLSConfig{}) {
|
if defaultConfig.TLS != nil {
|
||||||
t.Error("expected default config to have TLS disabled")
|
t.Error("expected default config to have TLS disabled")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -70,38 +68,51 @@ func TestConfig_SocketAddress(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestConfig_TLSConfig(t *testing.T) {
|
func TestConfig_TLSConfig(t *testing.T) {
|
||||||
privateKeyPath, publicKeyPath := test.UnsafeSelfSignedCertificates(t.TempDir())
|
|
||||||
|
|
||||||
scenarios := []struct {
|
scenarios := []struct {
|
||||||
name string
|
name string
|
||||||
cfg *Config
|
cfg *Config
|
||||||
expectedErr bool
|
expectedErr bool
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "including TLS",
|
name: "good-tls-config",
|
||||||
cfg: &Config{Tls: (TLSConfig{CertificateFile: publicKeyPath, PrivateKeyFile: privateKeyPath})},
|
cfg: &Config{TLS: &TLSConfig{CertificateFile: "../../testdata/cert.pem", PrivateKeyFile: "../../testdata/cert.key"}},
|
||||||
expectedErr: false,
|
expectedErr: false,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "TLS with missing crt file",
|
name: "missing-crt-file",
|
||||||
cfg: &Config{Tls: (TLSConfig{CertificateFile: "doesnotexist", PrivateKeyFile: privateKeyPath})},
|
cfg: &Config{TLS: &TLSConfig{CertificateFile: "doesnotexist", PrivateKeyFile: "../../testdata/cert.key"}},
|
||||||
expectedErr: true,
|
expectedErr: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "TLS with missing key file",
|
name: "bad-crt-file",
|
||||||
cfg: &Config{Tls: (TLSConfig{CertificateFile: publicKeyPath, PrivateKeyFile: "doesnotexist"})},
|
cfg: &Config{TLS: &TLSConfig{CertificateFile: "../../testdata/badcert.pem", PrivateKeyFile: "../../testdata/cert.key"}},
|
||||||
|
expectedErr: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "missing-private-key-file",
|
||||||
|
cfg: &Config{TLS: &TLSConfig{CertificateFile: "../../testdata/cert.pem", PrivateKeyFile: "doesnotexist"}},
|
||||||
|
expectedErr: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "bad-private-key-file",
|
||||||
|
cfg: &Config{TLS: &TLSConfig{CertificateFile: "../../testdata/cert.pem", PrivateKeyFile: "../../testdata/badcert.key"}},
|
||||||
|
expectedErr: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "bad-cert-and-private-key-file",
|
||||||
|
cfg: &Config{TLS: &TLSConfig{CertificateFile: "../../testdata/badcert.pem", PrivateKeyFile: "../../testdata/badcert.key"}},
|
||||||
expectedErr: true,
|
expectedErr: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
for _, scenario := range scenarios {
|
for _, scenario := range scenarios {
|
||||||
t.Run(scenario.name, func(t *testing.T) {
|
t.Run(scenario.name, func(t *testing.T) {
|
||||||
cfg, err := scenario.cfg.TLSConfig()
|
err := scenario.cfg.ValidateAndSetDefaults()
|
||||||
if (err != nil) != scenario.expectedErr {
|
if (err != nil) != scenario.expectedErr {
|
||||||
t.Errorf("expected the existence of an error to be %v, got %v", scenario.expectedErr, err)
|
t.Errorf("expected the existence of an error to be %v, got %v", scenario.expectedErr, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if !scenario.expectedErr {
|
if !scenario.expectedErr {
|
||||||
if cfg == nil {
|
if scenario.cfg.TLS.tlsConfig == nil {
|
||||||
t.Error("TLS configuration was not correctly loaded although no error was returned")
|
t.Error("TLS configuration was not correctly loaded although no error was returned")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -24,11 +24,7 @@ func Handle(cfg *config.Config) {
|
||||||
if os.Getenv("ENVIRONMENT") == "dev" {
|
if os.Getenv("ENVIRONMENT") == "dev" {
|
||||||
router = handler.DevelopmentCORS(router)
|
router = handler.DevelopmentCORS(router)
|
||||||
}
|
}
|
||||||
tlsConfig, err := cfg.Web.TLSConfig()
|
tlsConfig := cfg.Web.TLSConfig()
|
||||||
if err != nil {
|
|
||||||
panic(err) // Should be unreachable, because the config is validated before
|
|
||||||
}
|
|
||||||
|
|
||||||
server = &http.Server{
|
server = &http.Server{
|
||||||
Addr: fmt.Sprintf("%s:%d", cfg.Web.Address, cfg.Web.Port),
|
Addr: fmt.Sprintf("%s:%d", cfg.Web.Address, cfg.Web.Port),
|
||||||
TLSConfig: tlsConfig,
|
TLSConfig: tlsConfig,
|
||||||
|
|
|
@ -10,7 +10,6 @@ import (
|
||||||
"github.com/TwiN/gatus/v5/config"
|
"github.com/TwiN/gatus/v5/config"
|
||||||
"github.com/TwiN/gatus/v5/config/web"
|
"github.com/TwiN/gatus/v5/config/web"
|
||||||
"github.com/TwiN/gatus/v5/core"
|
"github.com/TwiN/gatus/v5/core"
|
||||||
"github.com/TwiN/gatus/v5/test"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestHandle(t *testing.T) {
|
func TestHandle(t *testing.T) {
|
||||||
|
@ -46,25 +45,30 @@ func TestHandle(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestHandleTls(t *testing.T) {
|
func TestHandleTLS(t *testing.T) {
|
||||||
privateKeyPath, publicKeyPath := test.UnsafeSelfSignedCertificates(t.TempDir())
|
scenarios := []struct {
|
||||||
|
name string
|
||||||
|
tls *web.TLSConfig
|
||||||
|
expectedStatusCode int
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "good-tls-config",
|
||||||
|
tls: &web.TLSConfig{CertificateFile: "../testdata/cert.pem", PrivateKeyFile: "../testdata/cert.key"},
|
||||||
|
expectedStatusCode: 200,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
for _, scenario := range scenarios {
|
||||||
|
t.Run(scenario.name, func(t *testing.T) {
|
||||||
cfg := &config.Config{
|
cfg := &config.Config{
|
||||||
Web: &web.Config{
|
Web: &web.Config{Address: "0.0.0.0", Port: rand.Intn(65534), TLS: scenario.tls},
|
||||||
Address: "0.0.0.0",
|
|
||||||
Port: rand.Intn(65534),
|
|
||||||
Tls: (web.TLSConfig{CertificateFile: publicKeyPath, PrivateKeyFile: privateKeyPath}),
|
|
||||||
},
|
|
||||||
Endpoints: []*core.Endpoint{
|
Endpoints: []*core.Endpoint{
|
||||||
{
|
{Name: "frontend", Group: "core"},
|
||||||
Name: "frontend",
|
{Name: "backend", Group: "core"},
|
||||||
Group: "core",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
Name: "backend",
|
|
||||||
Group: "core",
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
if err := cfg.Web.ValidateAndSetDefaults(); err != nil {
|
||||||
|
t.Error("expected no error from web (TLS) validation, got", err)
|
||||||
|
}
|
||||||
_ = os.Setenv("ROUTER_TEST", "true")
|
_ = os.Setenv("ROUTER_TEST", "true")
|
||||||
_ = os.Setenv("ENVIRONMENT", "dev")
|
_ = os.Setenv("ENVIRONMENT", "dev")
|
||||||
defer os.Clearenv()
|
defer os.Clearenv()
|
||||||
|
@ -73,12 +77,14 @@ func TestHandleTls(t *testing.T) {
|
||||||
request, _ := http.NewRequest("GET", "/health", http.NoBody)
|
request, _ := http.NewRequest("GET", "/health", http.NoBody)
|
||||||
responseRecorder := httptest.NewRecorder()
|
responseRecorder := httptest.NewRecorder()
|
||||||
server.Handler.ServeHTTP(responseRecorder, request)
|
server.Handler.ServeHTTP(responseRecorder, request)
|
||||||
if responseRecorder.Code != http.StatusOK {
|
if responseRecorder.Code != scenario.expectedStatusCode {
|
||||||
t.Error("expected GET /health to return status code 200")
|
t.Errorf("expected GET /health to return status code %d, got %d", scenario.expectedStatusCode, responseRecorder.Code)
|
||||||
}
|
}
|
||||||
if server == nil {
|
if server == nil {
|
||||||
t.Fatal("server should've been set (but because we set ROUTER_TEST, it shouldn't have been started)")
|
t.Fatal("server should've been set (but because we set ROUTER_TEST, it shouldn't have been started)")
|
||||||
}
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestShutdown(t *testing.T) {
|
func TestShutdown(t *testing.T) {
|
||||||
|
|
72
test/tls.go
72
test/tls.go
|
@ -1,72 +0,0 @@
|
||||||
package test
|
|
||||||
|
|
||||||
import (
|
|
||||||
"crypto/ecdsa"
|
|
||||||
"crypto/elliptic"
|
|
||||||
"crypto/rand"
|
|
||||||
"crypto/x509"
|
|
||||||
"crypto/x509/pkix"
|
|
||||||
"encoding/pem"
|
|
||||||
"fmt"
|
|
||||||
"log"
|
|
||||||
"math/big"
|
|
||||||
"os"
|
|
||||||
"time"
|
|
||||||
)
|
|
||||||
|
|
||||||
// UnsafeSelfSignedCertificates creates a pair of test certificates in the given test folder
|
|
||||||
func UnsafeSelfSignedCertificates(testfolder string) (privateKeyPath string, publicKeyPath string) {
|
|
||||||
privateKeyPath = fmt.Sprintf("%s/cert.key", testfolder)
|
|
||||||
publicKeyPath = fmt.Sprintf("%s/cert.pem", testfolder)
|
|
||||||
|
|
||||||
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("Failed to generatekey: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
template := x509.Certificate{
|
|
||||||
SerialNumber: big.NewInt(1234),
|
|
||||||
Subject: pkix.Name{
|
|
||||||
Organization: []string{"Gatus test"},
|
|
||||||
},
|
|
||||||
NotBefore: time.Now(),
|
|
||||||
NotAfter: time.Now().Add(time.Hour * 24),
|
|
||||||
KeyUsage: x509.KeyUsageDigitalSignature,
|
|
||||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
|
||||||
BasicConstraintsValid: true,
|
|
||||||
DNSNames: []string{"localhost"},
|
|
||||||
}
|
|
||||||
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("Failed to create certificate: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
certOut, err := os.Create(publicKeyPath)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("Failed to open cert.pem for writing: %v", err)
|
|
||||||
}
|
|
||||||
if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
|
|
||||||
log.Fatalf("Failed to write data to cert.pem: %v", err)
|
|
||||||
}
|
|
||||||
if err := certOut.Close(); err != nil {
|
|
||||||
log.Fatalf("Error closing cert.pem: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
keyOut, err := os.OpenFile(privateKeyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("Failed to open %s for writing: %v", privateKeyPath, err)
|
|
||||||
}
|
|
||||||
privBytes, err := x509.MarshalPKCS8PrivateKey(key)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("Unable to marshal private key: %v", err)
|
|
||||||
}
|
|
||||||
if err := pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil {
|
|
||||||
log.Fatalf("Failed to write data to key.pem: %v", err)
|
|
||||||
}
|
|
||||||
if err := keyOut.Close(); err != nil {
|
|
||||||
log.Fatalf("Error closing key.pem: %v", err)
|
|
||||||
}
|
|
||||||
log.Print("wrote key.pem\n")
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
3
testdata/badcert.key
vendored
Normal file
3
testdata/badcert.key
vendored
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
-----BEGIN PRIVATE KEY-----
|
||||||
|
wat
|
||||||
|
-----END PRIVATE KEY-----
|
3
testdata/badcert.pem
vendored
Normal file
3
testdata/badcert.pem
vendored
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
wat
|
||||||
|
-----END CERTIFICATE-----
|
5
testdata/cert.key
vendored
Normal file
5
testdata/cert.key
vendored
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
-----BEGIN PRIVATE KEY-----
|
||||||
|
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgJh67FWpz8wrN1mM/
|
||||||
|
CebkZN0zF83691ZVD83XlbNLRUqhRANCAAScfyPxScqz+Z/yNtAID/FOORy9J6LM
|
||||||
|
DUAJevGDvAZCMp/nh+Ps3nLrMoRlykcux3mq+N8HPlJ8R3eetB4S1tHY
|
||||||
|
-----END PRIVATE KEY-----
|
10
testdata/cert.pem
vendored
Normal file
10
testdata/cert.pem
vendored
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBaDCCAQ2gAwIBAgICBNIwCgYIKoZIzj0EAwIwFTETMBEGA1UEChMKR2F0dXMg
|
||||||
|
dGVzdDAgFw0yMzA0MjIxODUwMDVaGA8yMjk3MDIwNDE4NTAwNVowFTETMBEGA1UE
|
||||||
|
ChMKR2F0dXMgdGVzdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJx/I/FJyrP5
|
||||||
|
n/I20AgP8U45HL0noswNQAl68YO8BkIyn+eH4+zecusyhGXKRy7Hear43wc+UnxH
|
||||||
|
d560HhLW0dijSzBJMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD
|
||||||
|
ATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAKBggqhkjOPQQD
|
||||||
|
AgNJADBGAiEA/SdthKOoNw3azSHuPid7XJsXYB8DisIC9LBwcb/QTMECIQCAB36Y
|
||||||
|
OI15ao+J/RUz2sXdPXCAN8hlohi6OnmZmJB32g==
|
||||||
|
-----END CERTIFICATE-----
|
Loading…
Reference in a new issue