Merge pull request #43 from dfinity/igornovg/default-cert
Add --cert-default option
blind-oracle authored Sep 24, 2024
2 parents 7df0c6b + d73e75d commit 6cb2b75
Showing 5 changed files with 59 additions and 40 deletions.
54 changes: 27 additions & 27 deletions Cargo.lock


6 changes: 6 additions & 0 deletions src/cli.rs
Expand Up @@ -234,6 +234,12 @@ pub struct Cert {
#[clap(env, long, default_value = "5s", value_parser = parse_duration)]
pub cert_provider_poll_interval: Duration,

/// Default certificate to serve when there's no SNI in the request.
/// Tries to find a certificate that covers given FQDN.
/// If not found or not specified - picks the first one available.
#[clap(env, long)]
pub cert_default: Option<FQDN>,

/// Disable OCSP stapling
#[clap(env, long)]
pub cert_ocsp_stapling_disable: bool,
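Review bot: The doc comment on the new `cert_default` field (lines 25–27) says the default is used "when there's no SNI in the request", but the code that consults it in this same commit is `Storage::any()` in src/tls/cert/storage.rs, which applies whenever `any()` is called; whether that is only the no-SNI case is not visible on this page. Either keep the help text to what the option itself does — `/// Default certificate to pick when no SNI-based match is possible.` — or state the SNI condition at `any()`, where it would be enforced. It would also help an operator to know that a non-matching value is not an error: `/// If not found or not specified - silently picks the first one available.`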
7 changes: 4 additions & 3 deletions src/tls/cert/mod.rs
Expand Up @@ -341,9 +341,10 @@ pub mod test {
AtomicUsize::new(0),
);

let storage = Arc::new(storage::StorageKey::new(storage::Metrics::new(
&Registry::new(),
)));
let storage = Arc::new(storage::StorageKey::new(
None,
storage::Metrics::new(&Registry::new()),
));
let aggregator = Aggregator::new(
vec![Arc::new(prov1), Arc::new(prov2)],
storage,
27 changes: 18 additions & 9 deletions src/tls/cert/storage.rs
Expand Up @@ -45,6 +45,7 @@ struct StorageInner<T: Clone + Send + Sync> {
pub struct Storage<T: Clone + Send + Sync> {
#[new(default)]
inner: ArcSwapOption<StorageInner<T>>,
cert_default: Option<FQDN>,
metrics: Metrics,
}

Expand Down Expand Up @@ -75,12 +76,19 @@ impl<T: Clone + Send + Sync> Storage<T> {
let inner = self.inner.load_full()?;

// Try to find some certificate
inner
.certs
.first_key_value()
.or_else(|| inner.certs_wildcard.first_key_value())
.map(|x| x.1)
.cloned()
self.cert_default
.as_ref()
// Try to find the default one if specified first
.and_then(|x| self.lookup_cert(x))
// Then just pick first available
.or_else(|| {
inner
.certs
.first_key_value()
.or_else(|| inner.certs_wildcard.first_key_value())
.map(|x| x.1)
.cloned()
})
}
}

Expand Down Expand Up @@ -160,7 +168,8 @@ pub mod test {
use super::*;

pub fn create_test_storage() -> Storage<String> {
let storage: Storage<String> = Storage::new(Metrics::new(&Registry::new()));
let storage: Storage<String> =
Storage::new(Some(fqdn!("foo.baz")), Metrics::new(&Registry::new()));

let certs = vec![
Cert {
Expand Down Expand Up @@ -244,8 +253,8 @@ pub mod test {
"foo.bar.cert"
);

// Check any
assert_eq!(storage.any().unwrap().cert, "foo.bar.cert");
// Check any, make sure it returns the cert_default
assert_eq!(storage.any().unwrap().cert, "foo.baz.cert");

Ok(())
}
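Review bot: In the new `any()` body (lines 72–84), a configured `cert_default` that no loaded certificate covers falls through silently to the first available certificate, so an operator who mistyped the FQDN gets an unintended certificate served with no signal; since `Storage` already carries `metrics`, consider counting or logging the case where `cert_default` is `Some` but `lookup_cert` returns `None`. Also, `inner` is already loaded on line 63, yet `lookup_cert(x)` presumably loads `self.inner` again, so the default lookup and the fallback may observe different snapshots if a swap lands in between — if `lookup_cert` can work on the already-loaded `inner`, pass it instead. The test change on lines 104–105 only covers the found case; a test with a `cert_default` that matches nothing (expecting the previous `"foo.bar.cert"` result) and one with `None` would pin the fallback. `any()`'s signature is above this hunk.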
5 changes: 4 additions & 1 deletion src/tls/mod.rs
Expand Up @@ -142,7 +142,10 @@ pub async fn setup(
registry: &Registry,
) -> Result<(ServerConfig, Vec<Arc<dyn ProvidesCustomDomains>>), Error> {
// Prepare certificate storage
let cert_storage = Arc::new(storage::Storage::new(storage::Metrics::new(registry)));
let cert_storage = Arc::new(storage::Storage::new(
cli.cert.cert_default.clone(),
storage::Metrics::new(registry),
));

let mut cert_providers: Vec<Arc<dyn ProvidesCertificates>> = vec![];
let mut custom_domain_providers: Vec<Arc<dyn ProvidesCustomDomains>> = vec![];
