Reload certificates automatically (#38)

* Add auto reloader for tls conf

Signed-off-by: Jan Steffen <[email protected]>

* Add getclient cert

Signed-off-by: Jan Steffen <[email protected]>

* Start watch

Signed-off-by: Jan Steffen <[email protected]>

* Add root

Signed-off-by: Jan Steffen <[email protected]>

* Fix tls conf

Signed-off-by: Jan Steffen <[email protected]>

* Fix logging

Signed-off-by: Jan Steffen <[email protected]>

* fix level

Signed-off-by: Jan Steffen <[email protected]>

* Add test

Signed-off-by: Jan Steffen <[email protected]>

* Rename file

Signed-off-by: Jan Steffen <[email protected]>

Author: jastBytes

go.mod

@@ -54,7 +54,9 @@ require (
 	github.com/elimity-com/scim v0.0.0-20211119105057-007f1a2691f0
 	github.com/envoyproxy/protoc-gen-validate v0.6.2
 	github.com/heptiolabs/healthcheck v0.0.0-20180807145615-6ff867650f40
+	github.com/pkg/errors v0.9.1
 	github.com/scim2/filter-parser/v2 v2.2.0
+	gopkg.in/fsnotify.v1 v1.4.7
 )
 
 require (
@@ -99,7 +101,6 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/opencontainers/runc v1.0.3 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect

go.sum

@@ -1182,6 +1182,7 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8X
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE=
 gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=

pkg/eventsourcing/messaging/bus_rabbitmq_config.go

@@ -15,9 +15,7 @@
 package messaging
 
 import (
-	"crypto/tls"
-	"crypto/x509"
-	"io/ioutil"
+	m8tls "github.com/finleap-connect/monoskope/pkg/tls"
 
 	"github.com/finleap-connect/monoskope/pkg/eventsourcing/errors"
 	amqp "github.com/rabbitmq/amqp091-go"
@@ -68,33 +66,22 @@ func NewRabbitEventBusConfig(name, url, routingKeyPrefix string) (*RabbitEventBu
 
 // ConfigureTLS adds the configuration for TLS secured connection/auth
 func (conf *RabbitEventBusConfig) configureTLS() error {
-	var err error
-	caCertPool := x509.NewCertPool()
-	ca, err := ioutil.ReadFile(CACertPath)
+	loader, err := m8tls.NewTLSConfigLoader(CACertPath, TLSCertPath, TLSKeyPath)
 	if err != nil {
 		return err
 	}
-	caCertPool.AppendCertsFromPEM(ca)
 
-	conf.amqpConfig.TLSClientConfig = &tls.Config{
-		RootCAs:              caCertPool,
-		GetClientCertificate: getClientCertificate,
+	err = loader.Watch()
+	if err != nil {
+		return err
 	}
+
+	conf.amqpConfig.TLSClientConfig = loader.GetTLSConfig()
 	conf.amqpConfig.SASL = []amqp.Authentication{&CertAuth{}}
 
 	return nil
 }
 
-// getClientCertificate returns the loaded certificate for use by
-// the TLSConfig fields getClientCertificate.
-func getClientCertificate(hello *tls.CertificateRequestInfo) (*tls.Certificate, error) {
-	cert, err := tls.LoadX509KeyPair(TLSCertPath, TLSKeyPath)
-	if err != nil {
-		return nil, err
-	}
-	return &cert, nil
-}
-
 // Validate validates the configuration
 func (conf *RabbitEventBusConfig) Validate() error {
 	if conf.name == "" {

…sourcing/storage/store_posgres_config.go …ourcing/storage/store_postgres_config.gopkg/eventsourcing/storage/store_posgres_config.go renamed to pkg/eventsourcing/storage/store_postgres_config.go pkg/eventsourcing/storage/store_posgres_config.go renamed to pkg/eventsourcing/storage/store_postgres_config.go

@@ -15,13 +15,12 @@
 package storage
 
 import (
-	"crypto/tls"
-	"crypto/x509"
 	"errors"
-	"io/ioutil"
 	"strings"
 	"time"
 
+	m8tls "github.com/finleap-connect/monoskope/pkg/tls"
+
 	"github.com/go-pg/pg/v10"
 )
 
@@ -30,6 +29,9 @@ const (
 	DefaultReInitDelay    = 5 * time.Second  // When setting up db schema
 	DefaultResendDelay    = 3 * time.Second  // When retrying to read/write
 	DefaultMaxRetries     = 10               // How many times retrying read/write
+	CACertPath            = "/etc/eventstore/certs/db/ca.crt"
+	TLSCertPath           = "/etc/eventstore/certs/db/tls.crt"
+	TLSKeyPath            = "/etc/eventstore/certs/db/tls.key"
 )
 
 type postgresStoreConfig struct {
@@ -64,23 +66,19 @@ func NewPostgresStoreConfig(url string) (*postgresStoreConfig, error) {
 
 // ConfigureTLS adds the configuration for TLS secured connection/auth
 func (conf *postgresStoreConfig) ConfigureTLS() error {
-	cfg := &tls.Config{
-		RootCAs:    x509.NewCertPool(),
-		ServerName: strings.Split(conf.pgOptions.Addr, ":")[0],
-	}
-	if ca, err := ioutil.ReadFile("/etc/eventstore/certs/db/ca.crt"); err != nil {
+	loader, err := m8tls.NewTLSConfigLoader(CACertPath, TLSCertPath, TLSKeyPath)
+	if err != nil {
 		return err
-	} else {
-		cfg.RootCAs.AppendCertsFromPEM(ca)
 	}
 
-	if cert, err := tls.LoadX509KeyPair("/etc/eventstore/certs/db/tls.crt", "/etc/eventstore/certs/db/tls.key"); err != nil {
+	err = loader.Watch()
+	if err != nil {
 		return err
-	} else {
-		cfg.Certificates = append(cfg.Certificates, cert)
 	}
 
-	conf.pgOptions.TLSConfig = cfg
+	conf.pgOptions.TLSConfig = loader.GetTLSConfig()
+	conf.pgOptions.TLSConfig.ServerName = strings.Split(conf.pgOptions.Addr, ":")[0]
+
 	return nil
 }
 

pkg/grpc/connection.go

@@ -16,12 +16,10 @@ package grpc
 
 import (
 	"context"
-	"crypto/tls"
-	"crypto/x509"
-	"fmt"
-	"io/ioutil"
 	"time"
 
+	m8tls "github.com/finleap-connect/monoskope/pkg/tls"
+
 	grpc_retry "github.com/grpc-ecosystem/go-grpc-middleware/retry"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
@@ -140,28 +138,15 @@ func (factory grpcConnectionFactory) ConnectWithTimeout(ctx context.Context, tim
 
 // loadTLSCredentials actually loads the configured certs
 func (factory *grpcConnectionFactory) loadTLSCredentials() (credentials.TransportCredentials, error) {
-	// Load certificate of the CA who signed server's certificate
-	pemServerCA, err := ioutil.ReadFile(factory.tlsConf.pemServerCAFile)
+	loader, err := m8tls.NewTLSConfigLoader(factory.tlsConf.pemServerCAFile, factory.tlsConf.certFile, factory.tlsConf.keyFile)
 	if err != nil {
 		return nil, err
 	}
 
-	certPool := x509.NewCertPool()
-	if !certPool.AppendCertsFromPEM(pemServerCA) {
-		return nil, fmt.Errorf("failed to add server CA's certificate")
-	}
-
-	// Load client's certificate and private key
-	clientCert, err := tls.LoadX509KeyPair(factory.tlsConf.certFile, factory.tlsConf.keyFile)
+	err = loader.Watch()
 	if err != nil {
 		return nil, err
 	}
 
-	// Create the credentials and return it
-	config := &tls.Config{
-		Certificates: []tls.Certificate{clientCert},
-		RootCAs:      certPool,
-	}
-
-	return credentials.NewTLS(config), nil
+	return credentials.NewTLS(loader.GetTLSConfig()), nil
 }

pkg/tls/suite_test.go

@@ -0,0 +1,51 @@
+// Copyright 2022 Monoskope Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tls
+
+import (
+	"testing"
+
+	"github.com/finleap-connect/monoskope/internal/test"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var testEnv *TestEnv
+
+func TestTLS(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "tls")
+}
+
+var _ = BeforeSuite(func() {
+	done := make(chan interface{})
+
+	go func() {
+		By("bootstrapping test env")
+
+		var err error
+		baseTestEnv := test.NewTestEnv("TestTLS")
+		testEnv, err = NewTestEnv(baseTestEnv)
+		Expect(err).To(Not(HaveOccurred()))
+		close(done)
+	}()
+
+	Eventually(done, 60).Should(BeClosed())
+})
+
+var _ = AfterSuite(func() {
+	By("tearing down the test environment")
+})