From 53940d51ab25d48242c910acfc0359c564c012a9 Mon Sep 17 00:00:00 2001
From: Cam Otts
Date: Wed, 17 Jan 2024 15:37:46 -0600
Subject: [PATCH] Tls supprt (#540)

* added tls support to controller and access proxies
* few pr comments
---
 CHANGELOG.md | 4 ++++
 controller/config/config.go | 6 ++++++
 controller/controller.go | 13 +++++++++++--
 endpoints/config.go | 6 ++++++
 endpoints/proxy/frontend.go | 4 ++++
 endpoints/publicProxy/config.go | 2 ++
 endpoints/publicProxy/http.go | 5 ++++-
 etc/ctrl.yml | 6 ++++++
 etc/frontend.yml | 8 +++++++-
 9 files changed, 50 insertions(+), 4 deletions(-)
 create mode 100644 endpoints/config.go

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d23e1308..ee11b0c3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,10 @@ FEATURE: Python SDK now has a decorator for integrating with various server side
 FEATURE: Python SDK share and access handling now supports context management.
 
+FEATURE: TLS for `zrok` controller and acces endpoints. Add the specified stanza to your controller file (see `etc/ctrl.yml`). Your controller will now listen over TLS. (Note: you will need to update your client environments/configs to use the new https:// url). Likewise with `access` add the stanza to your frontend configuration (see `etc/frontend.yml`). Additionally you will have to update the frontend url template to emit a https:// scheme.
+
+FEATURE: TLS for `zrok` controller and frontends. Add the `tls:` stanza to your controller configuration (see `etc/ctrl.yml`) to enable TLS support for the controller API. Add the `tls:` stanza to your frontend configuration (see `etc/frontend.yml`) to enable TLS support for frontends (be sure to check your `public` frontend template) (#24)(https://github.com/openziti/zrok/issues/24)
+
 ## v0.4.22
 
 FIX: The goreleaser action is not updated to work with the latest golang build. Modifed `go.mod` to comply with what goreleaser expects
 
diff --git a/controller/config/config.go b/controller/config/config.go
index 396bd3d1..8e67f8c0 100644
--- a/controller/config/config.go
+++ b/controller/config/config.go
@@ -31,6 +31,7 @@ type Config struct {
 ResetPassword *ResetPasswordConfig
 Store *store.Config
 Ziti *zrokEdgeSdk.Config
+ Tls *TlsConfig
 }
 
 type AdminConfig struct {
@@ -83,6 +84,11 @@ type ResetPasswordMaintenanceConfig struct {
 BatchLimit int
 }
 
+type TlsConfig struct {
+ CertPath string
+ KeyPath string
+}
+
 func DefaultConfig() *Config {
 return &Config{
 Limits: limits.DefaultConfig(),
diff --git a/controller/controller.go b/controller/controller.go
index 5c41ab4e..0663f995 100644
--- a/controller/controller.go
+++ b/controller/controller.go
@@ -2,6 +2,7 @@ package controller
 
 import (
 "context"
+ "github.com/jessevdk/go-flags"
 "github.com/openziti/zrok/controller/config"
 "github.com/openziti/zrok/controller/limits"
 "github.com/openziti/zrok/controller/metrics"
@@ -128,8 +129,16 @@ func Run(inCfg *config.Config) error {
 server := rest_server_zrok.NewServer(api)
 defer func() { _ = server.Shutdown() }()
 
- server.Host = cfg.Endpoint.Host
- server.Port = cfg.Endpoint.Port
+ if cfg.Tls != nil {
+ server.TLSHost = cfg.Endpoint.Host
+ server.TLSPort = cfg.Endpoint.Port
+ server.TLSCertificate = flags.Filename(cfg.Tls.CertPath)
+ server.TLSCertificateKey = flags.Filename(cfg.Tls.KeyPath)
+ server.EnabledListeners = []string{"https"}
+ } else {
+ server.Host = cfg.Endpoint.Host
+ server.Port = cfg.Endpoint.Port
+ }
 rest_server_zrok.HealthCheck = HealthCheckHTTP
 server.ConfigureAPI()
 if err := server.Serve(); err != nil {
diff --git a/endpoints/config.go b/endpoints/config.go
new file mode 100644
index 00000000..aa9c7b44
--- /dev/null
+++ b/endpoints/config.go
@@ -0,0 +1,6 @@
+package endpoints
+
+type TlsConfig struct {
+ CertPath string
+ KeyPath string
+}
diff --git a/endpoints/proxy/frontend.go b/endpoints/proxy/frontend.go
index 09ea200a..bd31b36b 100644
--- a/endpoints/proxy/frontend.go
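Review bot: `TlsConfig` in the second hunk of controller/config/config.go is duplicated field-for-field by the new `endpoints/config.go`, and neither exported type carries a doc comment; one shared type (for example the controller reusing `endpoints.TlsConfig`) would keep the two `tls:` stanzas from drifting apart. Go's initialism convention would also spell these `TLSConfig` and `TLS`, matching the generated server's `TLSHost`/`TLSCertificate` fields the controller now sets — unless the config loader derives the `tls` key from the field name, in which case a short comment explaining the spelling is worth adding. Suggested doc comment for the type: `// TlsConfig names the PEM certificate and private key files used to serve over HTTPS; when the stanza is present the listener is TLS-only.`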
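Review bot: The TLS branch in the second controller.go hunk accepts an empty `cert_path` or `key_path` and only surfaces the problem when `server.Serve()` later fails with whatever the generated server reports; a fail-fast check at the top of the branch gives operators a clear message: `if cfg.Tls.CertPath == "" || cfg.Tls.KeyPath == "" { return errors.New("tls configuration requires both cert_path and key_path") }` (use whichever error helper this file already imports). Since `EnabledListeners = []string{"https"}` replaces the plain `Host`/`Port` listener entirely, that fail-closed intent deserves a one-line comment, e.g. `// TLS configured: serve the API only over HTTPS on the endpoint address; no cleartext listener`. `Run` continues outside the hunk, and whether the generated server pins a minimum TLS version is not visible here — worth confirming before relying on the defaults.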
+++ b/endpoints/proxy/frontend.go
@@ -22,6 +22,7 @@ type FrontendConfig struct {
 IdentityName string
 ShrToken string
 Address string
+ Tls *endpoints.TlsConfig
 RequestsChan chan *endpoints.Request
 }
 
@@ -76,6 +77,9 @@ func NewFrontend(cfg *FrontendConfig) (*Frontend, error) {
 }
 
 func (h *Frontend) Run() error {
+ if h.cfg.Tls != nil {
+ return http.ListenAndServeTLS(h.cfg.Address, h.cfg.Tls.CertPath, h.cfg.Tls.KeyPath, h.handler)
+ }
 return http.ListenAndServe(h.cfg.Address, h.handler)
 }
 
diff --git a/endpoints/publicProxy/config.go b/endpoints/publicProxy/config.go
index 67206db6..54710c0b 100644
--- a/endpoints/publicProxy/config.go
+++ b/endpoints/publicProxy/config.go
@@ -3,6 +3,7 @@ package publicProxy
 import (
 "context"
 "github.com/michaelquigley/cf"
+ "github.com/openziti/zrok/endpoints"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
 zhttp "github.com/zitadel/oidc/v2/pkg/http"
@@ -16,6 +17,7 @@ type Config struct {
 Address string
 HostMatch string
 Oauth *OauthConfig
+ Tls *endpoints.TlsConfig
 }
 
 type OauthConfig struct {
diff --git a/endpoints/publicProxy/http.go b/endpoints/publicProxy/http.go
index 1753e34b..c372d380 100644
--- a/endpoints/publicProxy/http.go
+++ b/endpoints/publicProxy/http.go
@@ -69,7 +69,7 @@ func NewHTTP(cfg *Config) (*HttpFrontend, error) {
 return nil, err
 }
 proxy.Transport = zTransport
- if err := configureOauthHandlers(context.Background(), cfg, false); err != nil {
+ if err := configureOauthHandlers(context.Background(), cfg, cfg.Tls != nil); err != nil {
 return nil, err
 }
 handler := authHandler(util.NewProxyHandler(proxy), cfg, key, zCtx)
@@ -81,6 +81,9 @@ func NewHTTP(cfg *Config) (*HttpFrontend, error) {
 }
 
 func (f *HttpFrontend) Run() error {
+ if f.cfg.Tls != nil {
+ return http.ListenAndServeTLS(f.cfg.Address, f.cfg.Tls.CertPath, f.cfg.Tls.KeyPath, f.handler)
+ }
 return http.ListenAndServe(f.cfg.Address, f.handler)
 }
 
diff --git a/etc/ctrl.yml b/etc/ctrl.yml
index b3207ad8..e2c06c5d 100644
--- a/etc/ctrl.yml
+++ b/etc/ctrl.yml
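Review bot: `http.ListenAndServeTLS` in the second frontend.go hunk runs a default `http.Server` with a default `tls.Config`, so the minimum protocol version and cipher selection are whatever the Go toolchain defaults to and the listener has no `ReadHeaderTimeout`; a network-facing TLS endpoint is the place to pin these explicitly. The identical pattern is added to `HttpFrontend.Run` in endpoints/publicProxy/http.go and the same change applies there. Constructing the server keeps behaviour otherwise identical (needs `crypto/tls` and `time` imported); the timeout value below is a constructed example to be tuned per deployment.
```go
func (h *Frontend) Run() error {
	if h.cfg.Tls != nil {
		srv := &http.Server{
			Addr:              h.cfg.Address,
			Handler:           h.handler,
			ReadHeaderTimeout: 10 * time.Second, // constructed example value
			TLSConfig:         &tls.Config{MinVersion: tls.VersionTLS12},
		}
		return srv.ListenAndServeTLS(h.cfg.Tls.CertPath, h.cfg.Tls.KeyPath)
	}
	// … unchanged: plain-HTTP ListenAndServe …
}
```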
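Review bot: `cfg.Tls != nil` is passed to `configureOauthHandlers` as a bare positional boolean in the first http.go hunk, so the call site does not say what the flag controls; if it selects the https scheme for the OAuth redirect URL or the cookie Secure attribute (not visible in this hunk), a frontend deployed behind a TLS-terminating proxy with `tls:` unset would be configured as cleartext while its clients actually use https. Naming the value makes the intent readable: `tlsEnabled := cfg.Tls != nil` followed by `if err := configureOauthHandlers(context.Background(), cfg, tlsEnabled); err != nil {`, and a dedicated configuration switch may be preferable to deriving it from the presence of the `tls:` stanza. `NewHTTP` begins before this hunk.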
@@ -181,6 +181,12 @@ store:
 path: zrok.db
 type: sqlite3
+# The `tls` section sets the cert and key to use and enables serving over HTTPS
+#
+#tls:
+# cert_path: "/Path/To/Cert/zrok.crt"
+# key_path: "/Path/To/Cert/zrok.key"
+
 # Ziti configuration.
 # ziti:
diff --git a/etc/frontend.yml b/etc/frontend.yml
index 13c78bad..ad90a9ff 100644
--- a/etc/frontend.yml
+++ b/etc/frontend.yml
@@ -41,4 +41,10 @@ v: 3
 # client_secret:
 # - name: github
 # client_id:
-# client_secret:
\ No newline at end of file
+# client_secret:
+#
+# The `tls` section sets the cert and key to use and enables serving over HTTPS
+#
+#tls:
+# cert_path: "/Path/To/Cert/zrok.crt"
+# key_path: "/Path/To/Cert/zrok.key"
\ No newline at end of file
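Review bot: The commented `tls` stanza in etc/ctrl.yml (and its copy in etc/frontend.yml) names the two keys but says nothing about how the files are handled; a line such as `# cert_path and key_path must be readable by the zrok process (keep the key unreadable to other users); they are loaded when the service starts` would save operators a restart-and-check cycle. For frontends the load-at-startup behaviour follows from the `http.ListenAndServeTLS` call in this commit; for the controller it presumably holds via the generated server but should be confirmed before being stated. In frontend.yml the new stanza is appended directly beneath the commented `oauth` provider entries, so a reader may read `tls` as part of `oauth`; a separating blank line, or placing it above the `oauth` block, would make the top-level position clear.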