extern/gatus
1
0
Fork 0
mirror of https://github.com/TwiN/gatus.git synced 2024-11-21 15:33:17 +01:00
Code Issues Packages Projects Releases Wiki Activity

refactor: Modify implementation of TLS (#457)

Browse Source 
* refactor: Don't generate certificates programmatically

* build: Add testdata folder to .dockerignore
This commit is contained in:
TwiN 2023-04-22 15:22:09 -04:00 committed by GitHub
parent 636688b43e
commit 83edca6e80
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 109 additions and 143 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.dockerignore
View File

@ -5,3 +5,4 @@ Dockerfile
.git .git
web/app web/app
*.db *.db
testdata

45
config/web/web.go
View File

@ -2,6 +2,7 @@ package web
import ( import (
"crypto/tls" "crypto/tls"
"errors"
"fmt" "fmt"
"math" "math"
) )
@ -23,20 +24,18 @@ type Config struct {
// Port to listen on (default to 8080 specified by DefaultPort) // Port to listen on (default to 8080 specified by DefaultPort)
Port int `yaml:"port"` Port int `yaml:"port"`
// TLS configuration // TLS configuration (optional)
Tls TLSConfig `yaml:"tls"` TLS *TLSConfig `yaml:"tls,omitempty"`
tlsConfig *tls.Config
tlsConfigError error
} }
type TLSConfig struct { type TLSConfig struct {
// CertificateFile is the public certificate for TLS in PEM format.
// Optional public certificate for TLS in PEM format.
CertificateFile string `yaml:"certificate-file,omitempty"` CertificateFile string `yaml:"certificate-file,omitempty"`
// Optional private key file for TLS in PEM format. // PrivateKeyFile is the private key file for TLS in PEM format.
PrivateKeyFile string `yaml:"private-key-file,omitempty"` PrivateKeyFile string `yaml:"private-key-file,omitempty"`
tlsConfig *tls.Config
} }
// GetDefaultConfig returns a Config struct with the default values // GetDefaultConfig returns a Config struct with the default values
@ -57,9 +56,10 @@ func (web *Config) ValidateAndSetDefaults() error {
return fmt.Errorf("invalid port: value should be between %d and %d", 0, math.MaxUint16) return fmt.Errorf("invalid port: value should be between %d and %d", 0, math.MaxUint16)
} }
// Try to load the TLS certificates // Try to load the TLS certificates
_, err := web.TLSConfig() if web.TLS != nil {
if err != nil { if err := web.TLS.loadConfig(); err != nil {
return fmt.Errorf("invalid tls config: %w", err) return fmt.Errorf("invalid tls config: %w", err)
}
} }
return nil return nil
} }
@ -69,18 +69,21 @@ func (web *Config) SocketAddress() string {
return fmt.Sprintf("%s:%d", web.Address, web.Port) return fmt.Sprintf("%s:%d", web.Address, web.Port)
} }
// TLSConfig returns a tls.Config object for serving over an encrypted channel func (t *TLSConfig) loadConfig() error {
func (web *Config) TLSConfig() (*tls.Config, error) { if len(t.CertificateFile) > 0 && len(t.PrivateKeyFile) > 0 {
if web.tlsConfig == nil && len(web.Tls.CertificateFile) > 0 && len(web.Tls.PrivateKeyFile) > 0 { certificate, err := tls.LoadX509KeyPair(t.CertificateFile, t.PrivateKeyFile)
web.loadTLSConfig() if err != nil {
return err
}
t.tlsConfig = &tls.Config{Certificates: []tls.Certificate{certificate}}
return nil
} }
return web.tlsConfig, web.tlsConfigError return errors.New("certificate-file and private-key-file must be specified")
} }
func (web *Config) loadTLSConfig() { func (web *Config) TLSConfig() *tls.Config {
cer, err := tls.LoadX509KeyPair(web.Tls.CertificateFile, web.Tls.PrivateKeyFile) if web.TLS != nil {
if err != nil { return web.TLS.tlsConfig
web.tlsConfigError = err
} }
web.tlsConfig = &tls.Config{Certificates: []tls.Certificate{cer}} return nil
} }

37
config/web/web_test.go
View File

@ -2,8 +2,6 @@ package web
import ( import (
"testing" "testing"
"github.com/TwiN/gatus/v5/test"
) )
func TestGetDefaultConfig(t *testing.T) { func TestGetDefaultConfig(t *testing.T) {
@ -14,7 +12,7 @@ func TestGetDefaultConfig(t *testing.T) {
if defaultConfig.Address != DefaultAddress { if defaultConfig.Address != DefaultAddress {
t.Error("expected default config to have the default address") t.Error("expected default config to have the default address")
} }
if defaultConfig.Tls != (TLSConfig{}) { if defaultConfig.TLS != nil {
t.Error("expected default config to have TLS disabled") t.Error("expected default config to have TLS disabled")
} }
} }
@ -70,38 +68,51 @@ func TestConfig_SocketAddress(t *testing.T) {
} }
func TestConfig_TLSConfig(t *testing.T) { func TestConfig_TLSConfig(t *testing.T) {
privateKeyPath, publicKeyPath := test.UnsafeSelfSignedCertificates(t.TempDir())
scenarios := []struct { scenarios := []struct {
name string name string
cfg *Config cfg *Config
expectedErr bool expectedErr bool
}{ }{
{ {
name: "including TLS", name: "good-tls-config",
cfg: &Config{Tls: (TLSConfig{CertificateFile: publicKeyPath, PrivateKeyFile: privateKeyPath})}, cfg: &Config{TLS: &TLSConfig{CertificateFile: "../../testdata/cert.pem", PrivateKeyFile: "../../testdata/cert.key"}},
expectedErr: false, expectedErr: false,
}, },
{ {
name: "TLS with missing crt file", name: "missing-crt-file",
cfg: &Config{Tls: (TLSConfig{CertificateFile: "doesnotexist", PrivateKeyFile: privateKeyPath})}, cfg: &Config{TLS: &TLSConfig{CertificateFile: "doesnotexist", PrivateKeyFile: "../../testdata/cert.key"}},
expectedErr: true, expectedErr: true,
}, },
{ {
name: "TLS with missing key file", name: "bad-crt-file",
cfg: &Config{Tls: (TLSConfig{CertificateFile: publicKeyPath, PrivateKeyFile: "doesnotexist"})}, cfg: &Config{TLS: &TLSConfig{CertificateFile: "../../testdata/badcert.pem", PrivateKeyFile: "../../testdata/cert.key"}},
expectedErr: true,
},
{
name: "missing-private-key-file",
cfg: &Config{TLS: &TLSConfig{CertificateFile: "../../testdata/cert.pem", PrivateKeyFile: "doesnotexist"}},
expectedErr: true,
},
{
name: "bad-private-key-file",
cfg: &Config{TLS: &TLSConfig{CertificateFile: "../../testdata/cert.pem", PrivateKeyFile: "../../testdata/badcert.key"}},
expectedErr: true,
},
{
name: "bad-cert-and-private-key-file",
cfg: &Config{TLS: &TLSConfig{CertificateFile: "../../testdata/badcert.pem", PrivateKeyFile: "../../testdata/badcert.key"}},
expectedErr: true, expectedErr: true,
}, },
} }
for _, scenario := range scenarios { for _, scenario := range scenarios {
t.Run(scenario.name, func(t *testing.T) { t.Run(scenario.name, func(t *testing.T) {
cfg, err := scenario.cfg.TLSConfig() err := scenario.cfg.ValidateAndSetDefaults()
if (err != nil) != scenario.expectedErr { if (err != nil) != scenario.expectedErr {
t.Errorf("expected the existence of an error to be %v, got %v", scenario.expectedErr, err) t.Errorf("expected the existence of an error to be %v, got %v", scenario.expectedErr, err)
return return
} }
if !scenario.expectedErr { if !scenario.expectedErr {
if cfg == nil { if scenario.cfg.TLS.tlsConfig == nil {
t.Error("TLS configuration was not correctly loaded although no error was returned") t.Error("TLS configuration was not correctly loaded although no error was returned")
} }
} }

6
controller/controller.go
View File

@ -24,11 +24,7 @@ func Handle(cfg *config.Config) {
if os.Getenv("ENVIRONMENT") == "dev" { if os.Getenv("ENVIRONMENT") == "dev" {
router = handler.DevelopmentCORS(router) router = handler.DevelopmentCORS(router)
} }
tlsConfig, err := cfg.Web.TLSConfig() tlsConfig := cfg.Web.TLSConfig()
if err != nil {
panic(err) // Should be unreachable, because the config is validated before
}
server = &http.Server{ server = &http.Server{
Addr: fmt.Sprintf("%s:%d", cfg.Web.Address, cfg.Web.Port), Addr: fmt.Sprintf("%s:%d", cfg.Web.Address, cfg.Web.Port),
TLSConfig: tlsConfig, TLSConfig: tlsConfig,

68
controller/controller_test.go
View File

@ -10,7 +10,6 @@ import (
"github.com/TwiN/gatus/v5/config" "github.com/TwiN/gatus/v5/config"
"github.com/TwiN/gatus/v5/config/web" "github.com/TwiN/gatus/v5/config/web"
"github.com/TwiN/gatus/v5/core" "github.com/TwiN/gatus/v5/core"
"github.com/TwiN/gatus/v5/test"
) )
func TestHandle(t *testing.T) { func TestHandle(t *testing.T) {
@ -46,38 +45,45 @@ func TestHandle(t *testing.T) {
} }
} }
func TestHandleTls(t *testing.T) { func TestHandleTLS(t *testing.T) {
privateKeyPath, publicKeyPath := test.UnsafeSelfSignedCertificates(t.TempDir()) scenarios := []struct {
cfg := &config.Config{ name string
Web: &web.Config{ tls *web.TLSConfig
Address: "0.0.0.0", expectedStatusCode int
Port: rand.Intn(65534), }{
Tls: (web.TLSConfig{CertificateFile: publicKeyPath, PrivateKeyFile: privateKeyPath}), {
}, name: "good-tls-config",
Endpoints: []*core.Endpoint{ tls: &web.TLSConfig{CertificateFile: "../testdata/cert.pem", PrivateKeyFile: "../testdata/cert.key"},
{ expectedStatusCode: 200,
Name: "frontend",
Group: "core",
},
{
Name: "backend",
Group: "core",
},
}, },
} }
_ = os.Setenv("ROUTER_TEST", "true") for _, scenario := range scenarios {
_ = os.Setenv("ENVIRONMENT", "dev") t.Run(scenario.name, func(t *testing.T) {
defer os.Clearenv() cfg := &config.Config{
Handle(cfg) Web: &web.Config{Address: "0.0.0.0", Port: rand.Intn(65534), TLS: scenario.tls},
defer Shutdown() Endpoints: []*core.Endpoint{
request, _ := http.NewRequest("GET", "/health", http.NoBody) {Name: "frontend", Group: "core"},
responseRecorder := httptest.NewRecorder() {Name: "backend", Group: "core"},
server.Handler.ServeHTTP(responseRecorder, request) },
if responseRecorder.Code != http.StatusOK { }
t.Error("expected GET /health to return status code 200") if err := cfg.Web.ValidateAndSetDefaults(); err != nil {
} t.Error("expected no error from web (TLS) validation, got", err)
if server == nil { }
t.Fatal("server should've been set (but because we set ROUTER_TEST, it shouldn't have been started)") _ = os.Setenv("ROUTER_TEST", "true")
_ = os.Setenv("ENVIRONMENT", "dev")
defer os.Clearenv()
Handle(cfg)
defer Shutdown()
request, _ := http.NewRequest("GET", "/health", http.NoBody)
responseRecorder := httptest.NewRecorder()
server.Handler.ServeHTTP(responseRecorder, request)
if responseRecorder.Code != scenario.expectedStatusCode {
t.Errorf("expected GET /health to return status code %d, got %d", scenario.expectedStatusCode, responseRecorder.Code)
}
if server == nil {
t.Fatal("server should've been set (but because we set ROUTER_TEST, it shouldn't have been started)")
}
})
} }
} }

72
test/tls.go
View File

@ -1,72 +0,0 @@
package test
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"log"
"math/big"
"os"
"time"
)
// UnsafeSelfSignedCertificates creates a pair of test certificates in the given test folder
func UnsafeSelfSignedCertificates(testfolder string) (privateKeyPath string, publicKeyPath string) {
privateKeyPath = fmt.Sprintf("%s/cert.key", testfolder)
publicKeyPath = fmt.Sprintf("%s/cert.pem", testfolder)
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
log.Fatalf("Failed to generatekey: %v", err)
}
template := x509.Certificate{
SerialNumber: big.NewInt(1234),
Subject: pkix.Name{
Organization: []string{"Gatus test"},
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(time.Hour * 24),
KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
DNSNames: []string{"localhost"},
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
if err != nil {
log.Fatalf("Failed to create certificate: %v", err)
}
certOut, err := os.Create(publicKeyPath)
if err != nil {
log.Fatalf("Failed to open cert.pem for writing: %v", err)
}
if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
log.Fatalf("Failed to write data to cert.pem: %v", err)
}
if err := certOut.Close(); err != nil {
log.Fatalf("Error closing cert.pem: %v", err)
}
keyOut, err := os.OpenFile(privateKeyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
log.Fatalf("Failed to open %s for writing: %v", privateKeyPath, err)
}
privBytes, err := x509.MarshalPKCS8PrivateKey(key)
if err != nil {
log.Fatalf("Unable to marshal private key: %v", err)
}
if err := pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil {
log.Fatalf("Failed to write data to key.pem: %v", err)
}
if err := keyOut.Close(); err != nil {
log.Fatalf("Error closing key.pem: %v", err)
}
log.Print("wrote key.pem\n")
return
}

3
testdata/badcert.key vendored Normal file
View File

@ -0,0 +1,3 @@
-----BEGIN PRIVATE KEY-----
wat
-----END PRIVATE KEY-----

3
testdata/badcert.pem vendored Normal file
View File

@ -0,0 +1,3 @@
-----BEGIN CERTIFICATE-----
wat
-----END CERTIFICATE-----

5
testdata/cert.key vendored Normal file
View File

@ -0,0 +1,5 @@
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgJh67FWpz8wrN1mM/
CebkZN0zF83691ZVD83XlbNLRUqhRANCAAScfyPxScqz+Z/yNtAID/FOORy9J6LM
DUAJevGDvAZCMp/nh+Ps3nLrMoRlykcux3mq+N8HPlJ8R3eetB4S1tHY
-----END PRIVATE KEY-----

10
testdata/cert.pem vendored Normal file
View File

@ -0,0 +1,10 @@
-----BEGIN CERTIFICATE-----
MIIBaDCCAQ2gAwIBAgICBNIwCgYIKoZIzj0EAwIwFTETMBEGA1UEChMKR2F0dXMg
dGVzdDAgFw0yMzA0MjIxODUwMDVaGA8yMjk3MDIwNDE4NTAwNVowFTETMBEGA1UE
ChMKR2F0dXMgdGVzdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJx/I/FJyrP5
n/I20AgP8U45HL0noswNQAl68YO8BkIyn+eH4+zecusyhGXKRy7Hear43wc+UnxH
d560HhLW0dijSzBJMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD
ATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAKBggqhkjOPQQD
AgNJADBGAiEA/SdthKOoNw3azSHuPid7XJsXYB8DisIC9LBwcb/QTMECIQCAB36Y
OI15ao+J/RUz2sXdPXCAN8hlohi6OnmZmJB32g==
-----END CERTIFICATE-----