From 5296e09a2e694763e793f36e5004b0a443eaeae0 Mon Sep 17 00:00:00 2001
From: Joachim Bauch
Date: Fri, 8 Jul 2022 09:34:17 +0200
Subject: [PATCH] grpc: Always use reloadable credentials.

Settings the callaback functions on tls.Config seems to causes issues on slow CPUs (e.g. GitHub actions) where old certificates might be reused.
---
 grpc_common.go | 44 ++++++++++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 18 deletions(-)

diff --git a/grpc_common.go b/grpc_common.go
index 62bd437..4846179 100644
--- a/grpc_common.go
+++ b/grpc_common.go
@@ -36,13 +36,19 @@ import (
 type reloadableCredentials struct {
 config *tls.Config
- pool *CertPoolReloader
+ loader *CertificateReloader
+ pool *CertPoolReloader
 }
 func (c *reloadableCredentials) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
 // use local cfg to avoid clobbering ServerName if using multiple endpoints
 cfg := c.config.Clone()
- cfg.RootCAs = c.pool.GetCertPool()
+ if c.loader != nil {
+ cfg.GetClientCertificate = c.loader.GetClientCertificate
+ }
+ if c.pool != nil {
+ cfg.RootCAs = c.pool.GetCertPool()
+ }
 if cfg.ServerName == "" {
 serverName, _, err := net.SplitHostPort(authority)
 if err != nil {
@@ -78,7 +84,12 @@ func (c *reloadableCredentials) ClientHandshake(ctx context.Context, authority s
 func (c *reloadableCredentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
 cfg := c.config.Clone()
- cfg.ClientCAs = c.pool.GetCertPool()
+ if c.loader != nil {
+ cfg.GetCertificate = c.loader.GetCertificate
+ }
+ if c.pool != nil {
+ cfg.ClientCAs = c.pool.GetCertPool()
+ }
 conn := tls.Server(rawConn, cfg)
 if err := conn.Handshake(); err != nil {
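Review bot: The new `loader` and `pool` fields and the `if c.loader != nil` / `if c.pool != nil` guards in ClientHandshake are undocumented, so a reader cannot tell that nil is the "not configured" state for each field, nor why the reload callbacks are assigned on the per-handshake clone instead of once on `c.config`. Suggest field comments on the struct such as `// loader supplies the certificate/key callbacks; nil when none is configured.` and `// pool supplies the CA set; nil leaves RootCAs/ClientCAs unset (for RootCAs, crypto/tls documents that nil means the host's root CA set).`, plus a line above the guards like `// Assign the reload callbacks on the clone for every handshake so a freshly reloaded certificate is always picked up.` The same comment applies to the mirrored guards in ServerHandshake in the following hunk. ClientHandshake continues past the end of this hunk.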
@@ -130,21 +141,18 @@ func NewReloadableCredentials(config *goconf.ConfigFile, server bool) (credentia
 cfg := &tls.Config{
 NextProtos: []string{"h2"},
 }
+ var loader *CertificateReloader
+ var err error
 if certificateFile != "" && keyFile != "" {
- loader, err := NewCertificateReloader(certificateFile, keyFile)
+ loader, err = NewCertificateReloader(certificateFile, keyFile)
 if err != nil {
 return nil, fmt.Errorf("invalid GRPC %s certificate / key in %s / %s: %w", prefix, certificateFile, keyFile, err)
 }
-
- if server {
- cfg.GetCertificate = loader.GetCertificate
- } else {
- cfg.GetClientCertificate = loader.GetClientCertificate
- }
 }
+ var pool *CertPoolReloader
 if caFile != "" {
- pool, err := NewCertPoolReloader(caFile)
+ pool, err = NewCertPoolReloader(caFile)
 if err != nil {
 return nil, err
 }
@@ -152,14 +160,9 @@ func NewReloadableCredentials(config *goconf.ConfigFile, server bool) (credentia
 if server {
 cfg.ClientAuth = tls.RequireAndVerifyClientCert
 }
- creds := &reloadableCredentials{
- config: cfg,
- pool: pool,
- }
- return creds, nil
 }
- if cfg.GetCertificate == nil {
+ if loader == nil && pool == nil {
 if server {
 log.Printf("WARNING: No GRPC server certificate and/or key configured, running unencrypted")
 } else {
@@ -168,5 +171,10 @@ func NewReloadableCredentials(config *goconf.ConfigFile, server bool) (credentia
 return insecure.NewCredentials(), nil
 }
- return credentials.NewTLS(cfg), nil
+ creds := &reloadableCredentials{
+ config: cfg,
+ loader: loader,
+ pool: pool,
+ }
+ return creds, nil
 }
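Review bot: The three new declarations `var loader *CertificateReloader`, `var err error` and `var pool *CertPoolReloader` are scattered between the two `if` blocks, which makes the shared `err` (the reason the `:=` became `=`) easy to miss; declaring them together in one `var ( ... )` block right after `cfg` reads more clearly and makes the intent explicit. While touching this block, the CA-pool failure is still returned bare as `return nil, err`, unlike the certificate error two lines above that carries the prefix and path; `return nil, fmt.Errorf("invalid GRPC %s CA in %s: %w", prefix, caFile, err)` would make startup errors equally diagnosable. NewReloadableCredentials starts before this hunk.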
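Review bot: `if loader == nil && pool == nil` only handles the "nothing configured" case; a server configured with a CA file but no certificate/key (`pool != nil`, `loader == nil`) still reaches the reloadableCredentials path with neither `Certificates` nor `GetCertificate` on the config, so as far as I can tell every ServerHandshake (second hunk) will fail inside crypto/tls rather than the misconfiguration being reported once at startup. That configuration is worth rejecting explicitly just before this check, e.g. `if server && loader == nil && pool != nil { return nil, fmt.Errorf("GRPC %s CA configured in %s but no server certificate / key", prefix, caFile) }`. The enclosing NewReloadableCredentials starts and ends outside this hunk.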