Extract common server encryption logic (#65)

* refactor: extract common message encryption logic * refactor: move letsencrypt logic to common * refactor: rename common package to encryption * test: add encryption tests
2026-04-16 15:26:40 +00:00 · 2021-07-22 15:23:24 +02:00
parent c98be683bf
commit 2172d6f1b9
16 changed files with 343 additions and 141 deletions
--- a/cmd/management.go
+++ b/cmd/management.go
@@ -1,21 +1,18 @@
 package cmd

 import (
-	"crypto/tls"
 	"flag"
 	"fmt"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"github.com/wiretrustee/wiretrustee/encryption"
 	mgmt "github.com/wiretrustee/wiretrustee/management"
 	mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
-	"golang.org/x/crypto/acme/autocert"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/keepalive"
 	"net"
-	"net/http"
 	"os"
-	"path/filepath"
 	"time"
 )

@@ -52,34 +49,8 @@ var (
 			var opts []grpc.ServerOption

 			if mgmtLetsencryptDomain != "" {
-
-				certDir := filepath.Join(mgmtDataDir, "letsencrypt")
-
-				if _, err := os.Stat(certDir); os.IsNotExist(err) {
-					err = os.MkdirAll(certDir, os.ModeDir)
-					if err != nil {
-						log.Fatalf("failed creating Let's encrypt certdir: %s: %v", certDir, err)
-					}
-				}
-
-				log.Infof("running with Let's encrypt with domain %s. Cert will be stored in %s", mgmtLetsencryptDomain, certDir)
-
-				certManager := autocert.Manager{
-					Prompt:     autocert.AcceptTOS,
-					Cache:      autocert.DirCache(certDir),
-					HostPolicy: autocert.HostWhitelist(mgmtLetsencryptDomain),
-				}
-				tls := &tls.Config{GetCertificate: certManager.GetCertificate}
-
-				credentials := credentials.NewTLS(tls)
-				opts = append(opts, grpc.Creds(credentials))
-
-				// listener to handle Let's encrypt certificate challenge
-				go func() {
-					if err := http.Serve(certManager.Listener(), certManager.HTTPHandler(nil)); err != nil {
-						log.Fatalf("failed to serve letsencrypt handler: %v", err)
-					}
-				}()
+				transportCredentials := credentials.NewTLS(encryption.EnableLetsEncrypt(mgmtDataDir, mgmtLetsencryptDomain))
+				opts = append(opts, grpc.Creds(transportCredentials))
 			}

 			opts = append(opts, grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -1,16 +1,11 @@
 package cmd

 import (
-	"crypto/tls"
 	"fmt"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"golang.org/x/crypto/acme/autocert"
-	"google.golang.org/grpc/credentials"
-	"net/http"
 	"os"
 	"os/signal"
-	"path/filepath"
 	"runtime"
 )

@@ -79,31 +74,3 @@ func InitLog(logLevel string) {
 	}
 	log.SetLevel(level)
 }
-
-func enableLetsEncrypt(datadir string, letsencryptDomain string) credentials.TransportCredentials {
-	certDir := filepath.Join(datadir, "letsencrypt")
-
-	if _, err := os.Stat(certDir); os.IsNotExist(err) {
-		err = os.MkdirAll(certDir, os.ModeDir)
-		if err != nil {
-			log.Fatalf("failed creating Let's encrypt certdir: %s: %v", certDir, err)
-		}
-	}
-
-	log.Infof("running with Let's encrypt with domain %s. Cert will be stored in %s", letsencryptDomain, certDir)
-
-	certManager := autocert.Manager{
-		Prompt:     autocert.AcceptTOS,
-		Cache:      autocert.DirCache(certDir),
-		HostPolicy: autocert.HostWhitelist(letsencryptDomain),
-	}
-
-	// listener to handle Let's encrypt certificate challenge
-	go func() {
-		if err := http.Serve(certManager.Listener(), certManager.HTTPHandler(nil)); err != nil {
-			log.Fatalf("failed to serve letsencrypt handler: %v", err)
-		}
-	}()
-
-	return credentials.NewTLS(&tls.Config{GetCertificate: certManager.GetCertificate})
-}
--- a/cmd/signal.go
+++ b/cmd/signal.go
@@ -5,9 +5,11 @@ import (
 	"fmt"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"github.com/wiretrustee/wiretrustee/encryption"
 	sig "github.com/wiretrustee/wiretrustee/signal"
 	sigProto "github.com/wiretrustee/wiretrustee/signal/proto"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/keepalive"
 	"net"
 	"os"
@@ -45,8 +47,8 @@ var (
 			}

 			var opts []grpc.ServerOption
-			if mgmtLetsencryptDomain != "" {
-				transportCredentials := enableLetsEncrypt(signalDataDir, signalLetsencryptDomain)
+			if signalLetsencryptDomain != "" {
+				transportCredentials := credentials.NewTLS(encryption.EnableLetsEncrypt(signalDataDir, signalLetsencryptDomain))
 				opts = append(opts, grpc.Creds(transportCredentials))
 			}