Use new file watcher to detect changed files.
This commit is contained in:
parent
c325fbeae6
commit
cc7625c544
|
@ -27,26 +27,17 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"log"
|
"log"
|
||||||
"os"
|
"os"
|
||||||
"sync"
|
"sync/atomic"
|
||||||
"time"
|
|
||||||
)
|
|
||||||
|
|
||||||
var (
|
|
||||||
// CertificateCheckInterval defines the interval in which certificate files
|
|
||||||
// are checked for modifications.
|
|
||||||
CertificateCheckInterval = time.Minute
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type CertificateReloader struct {
|
type CertificateReloader struct {
|
||||||
mu sync.Mutex
|
certFile string
|
||||||
|
certWatcher *FileWatcher
|
||||||
|
|
||||||
certFile string
|
keyFile string
|
||||||
keyFile string
|
keyWatcher *FileWatcher
|
||||||
|
|
||||||
certificate *tls.Certificate
|
certificate atomic.Pointer[tls.Certificate]
|
||||||
lastModified time.Time
|
|
||||||
|
|
||||||
nextCheck time.Time
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewCertificateReloader(certFile string, keyFile string) (*CertificateReloader, error) {
|
func NewCertificateReloader(certFile string, keyFile string) (*CertificateReloader, error) {
|
||||||
|
@ -55,52 +46,37 @@ func NewCertificateReloader(certFile string, keyFile string) (*CertificateReload
|
||||||
return nil, fmt.Errorf("could not load certificate / key: %w", err)
|
return nil, fmt.Errorf("could not load certificate / key: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
stat, err := os.Stat(certFile)
|
reloader := &CertificateReloader{
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("could not stat %s: %w", certFile, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
return &CertificateReloader{
|
|
||||||
certFile: certFile,
|
certFile: certFile,
|
||||||
keyFile: keyFile,
|
keyFile: keyFile,
|
||||||
|
}
|
||||||
|
reloader.certificate.Store(&pair)
|
||||||
|
reloader.certWatcher, err = NewFileWatcher(certFile, reloader.reload)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
reloader.keyWatcher, err = NewFileWatcher(keyFile, reloader.reload)
|
||||||
|
if err != nil {
|
||||||
|
reloader.certWatcher.Close() // nolint
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
certificate: &pair,
|
return reloader, nil
|
||||||
lastModified: stat.ModTime(),
|
}
|
||||||
|
|
||||||
nextCheck: time.Now().Add(CertificateCheckInterval),
|
func (r *CertificateReloader) reload(filename string) {
|
||||||
}, nil
|
log.Printf("reloading certificate from %s with %s", r.certFile, r.keyFile)
|
||||||
|
pair, err := tls.LoadX509KeyPair(r.certFile, r.keyFile)
|
||||||
|
if err != nil {
|
||||||
|
log.Printf("could not load certificate / key: %s", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
r.certificate.Store(&pair)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *CertificateReloader) getCertificate() (*tls.Certificate, error) {
|
func (r *CertificateReloader) getCertificate() (*tls.Certificate, error) {
|
||||||
r.mu.Lock()
|
return r.certificate.Load(), nil
|
||||||
defer r.mu.Unlock()
|
|
||||||
|
|
||||||
now := time.Now()
|
|
||||||
if now.Before(r.nextCheck) {
|
|
||||||
return r.certificate, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
r.nextCheck = now.Add(CertificateCheckInterval)
|
|
||||||
|
|
||||||
stat, err := os.Stat(r.certFile)
|
|
||||||
if err != nil {
|
|
||||||
log.Printf("could not stat %s: %s", r.certFile, err)
|
|
||||||
return r.certificate, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
if !stat.ModTime().Equal(r.lastModified) {
|
|
||||||
log.Printf("reloading certificate from %s with %s", r.certFile, r.keyFile)
|
|
||||||
pair, err := tls.LoadX509KeyPair(r.certFile, r.keyFile)
|
|
||||||
if err != nil {
|
|
||||||
log.Printf("could not load certificate / key: %s", err)
|
|
||||||
return r.certificate, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
r.certificate = &pair
|
|
||||||
r.lastModified = stat.ModTime()
|
|
||||||
}
|
|
||||||
|
|
||||||
return r.certificate, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *CertificateReloader) GetCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
func (r *CertificateReloader) GetCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
|
@ -112,14 +88,10 @@ func (r *CertificateReloader) GetClientCertificate(i *tls.CertificateRequestInfo
|
||||||
}
|
}
|
||||||
|
|
||||||
type CertPoolReloader struct {
|
type CertPoolReloader struct {
|
||||||
mu sync.Mutex
|
certFile string
|
||||||
|
certWatcher *FileWatcher
|
||||||
|
|
||||||
certFile string
|
pool atomic.Pointer[x509.CertPool]
|
||||||
|
|
||||||
pool *x509.CertPool
|
|
||||||
lastModified time.Time
|
|
||||||
|
|
||||||
nextCheck time.Time
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func loadCertPool(filename string) (*x509.CertPool, error) {
|
func loadCertPool(filename string) (*x509.CertPool, error) {
|
||||||
|
@ -142,49 +114,29 @@ func NewCertPoolReloader(certFile string) (*CertPoolReloader, error) {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
stat, err := os.Stat(certFile)
|
reloader := &CertPoolReloader{
|
||||||
|
certFile: certFile,
|
||||||
|
}
|
||||||
|
reloader.pool.Store(pool)
|
||||||
|
reloader.certWatcher, err = NewFileWatcher(certFile, reloader.reload)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("could not stat %s: %w", certFile, err)
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
return &CertPoolReloader{
|
return reloader, nil
|
||||||
certFile: certFile,
|
}
|
||||||
|
|
||||||
pool: pool,
|
func (r *CertPoolReloader) reload(filename string) {
|
||||||
lastModified: stat.ModTime(),
|
log.Printf("reloading certificate pool from %s", r.certFile)
|
||||||
|
pool, err := loadCertPool(r.certFile)
|
||||||
|
if err != nil {
|
||||||
|
log.Printf("could not load certificate pool: %s", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
nextCheck: time.Now().Add(CertificateCheckInterval),
|
r.pool.Store(pool)
|
||||||
}, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *CertPoolReloader) GetCertPool() *x509.CertPool {
|
func (r *CertPoolReloader) GetCertPool() *x509.CertPool {
|
||||||
r.mu.Lock()
|
return r.pool.Load()
|
||||||
defer r.mu.Unlock()
|
|
||||||
|
|
||||||
now := time.Now()
|
|
||||||
if now.Before(r.nextCheck) {
|
|
||||||
return r.pool
|
|
||||||
}
|
|
||||||
|
|
||||||
r.nextCheck = now.Add(CertificateCheckInterval)
|
|
||||||
|
|
||||||
stat, err := os.Stat(r.certFile)
|
|
||||||
if err != nil {
|
|
||||||
log.Printf("could not stat %s: %s", r.certFile, err)
|
|
||||||
return r.pool
|
|
||||||
}
|
|
||||||
|
|
||||||
if !stat.ModTime().Equal(r.lastModified) {
|
|
||||||
log.Printf("reloading certificate pool from %s", r.certFile)
|
|
||||||
pool, err := loadCertPool(r.certFile)
|
|
||||||
if err != nil {
|
|
||||||
log.Printf("could not load certificate pool: %s", err)
|
|
||||||
return r.pool
|
|
||||||
}
|
|
||||||
|
|
||||||
r.pool = pool
|
|
||||||
r.lastModified = stat.ModTime()
|
|
||||||
}
|
|
||||||
|
|
||||||
return r.pool
|
|
||||||
}
|
}
|
||||||
|
|
|
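Review bot: A reload that fails inside CertificateReloader.reload (and likewise CertPoolReloader.reload) is now retried only on the next filesystem event, whereas the removed polling path re-checked the file every CertificateCheckInterval; if the watcher fires while the rotation tool is mid-write (truncated PEM) or after the certificate has been replaced but before the key has (key-mismatch error from tls.LoadX509KeyPair), the stale pair keeps being served with nothing but a log line to show for it. Since reload already ignores its filename argument and reloads both files, a cheap mitigation is a single delayed retry when LoadX509KeyPair fails, or at least an error-level log that monitoring surfaces; whether this matters depends on when FileWatcher (not in this diff) delivers its events. Separately, the two NewFileWatcher errors in NewCertificateReloader are returned bare while the load error just above them is wrapped — `return nil, fmt.Errorf("could not watch %s: %w", certFile, err)` keeps the messages consistent and tells the operator which file could not be watched. The new certWatcher/keyWatcher fields also have no matching Close on the reloader in the visible hunks, so a caller that discards a reloader cannot release them; worth confirming outside this diff.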
@ -27,10 +27,10 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
func UpdateCertificateCheckIntervalForTest(t *testing.T, interval time.Duration) {
|
func UpdateCertificateCheckIntervalForTest(t *testing.T, interval time.Duration) {
|
||||||
old := CertificateCheckInterval
|
old := deduplicateWatchEvents
|
||||||
t.Cleanup(func() {
|
t.Cleanup(func() {
|
||||||
CertificateCheckInterval = old
|
deduplicateWatchEvents = old
|
||||||
})
|
})
|
||||||
|
|
||||||
CertificateCheckInterval = interval
|
deduplicateWatchEvents = interval
|
||||||
}
|
}
|
||||||
|
|
|
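Review bot: UpdateCertificateCheckIntervalForTest no longer touches a certificate check interval; it now overrides the package-level deduplicateWatchEvents window, so the function name and its `interval` parameter are misleading for the next reader. Either rename it (e.g. `UpdateWatchDedupIntervalForTest`) or add a doc comment such as `// UpdateCertificateCheckIntervalForTest overrides the file watcher's event deduplication window (deduplicateWatchEvents) for the duration of the test.` — the callers pass 0, which presumably disables deduplication, but that should be checked against the FileWatcher implementation before documenting it. Because the helper mutates a package-level variable via t.Cleanup, tests that call it must not use t.Parallel() alongside other tests that depend on watcher timing.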
@ -99,7 +99,7 @@ func Test_GrpcServer_ReloadCerts(t *testing.T) {
|
||||||
config.AddOption("grpc", "servercertificate", certFile)
|
config.AddOption("grpc", "servercertificate", certFile)
|
||||||
config.AddOption("grpc", "serverkey", privkeyFile)
|
config.AddOption("grpc", "serverkey", privkeyFile)
|
||||||
|
|
||||||
UpdateCertificateCheckIntervalForTest(t, time.Millisecond)
|
UpdateCertificateCheckIntervalForTest(t, 0)
|
||||||
_, addr := NewGrpcServerForTestWithConfig(t, config)
|
_, addr := NewGrpcServerForTestWithConfig(t, config)
|
||||||
|
|
||||||
cp1 := x509.NewCertPool()
|
cp1 := x509.NewCertPool()
|
||||||
|
@ -180,7 +180,7 @@ func Test_GrpcServer_ReloadCA(t *testing.T) {
|
||||||
config.AddOption("grpc", "serverkey", privkeyFile)
|
config.AddOption("grpc", "serverkey", privkeyFile)
|
||||||
config.AddOption("grpc", "clientca", caFile)
|
config.AddOption("grpc", "clientca", caFile)
|
||||||
|
|
||||||
UpdateCertificateCheckIntervalForTest(t, time.Millisecond)
|
UpdateCertificateCheckIntervalForTest(t, 0)
|
||||||
_, addr := NewGrpcServerForTestWithConfig(t, config)
|
_, addr := NewGrpcServerForTestWithConfig(t, config)
|
||||||
|
|
||||||
pool := x509.NewCertPool()
|
pool := x509.NewCertPool()
|
||||||
|
|
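Review bot: Both tests now run with the watcher deduplication window set to 0, so the certificate and CA rotation scenarios exercise only the non-deduplicated path while production keeps the default deduplicateWatchEvents. If that window coalesces events as its name suggests, a rotation that writes the certificate and key within one window is exactly the case worth covering: keep one ReloadCerts variant with the default (or a small non-zero) window that replaces both files back-to-back and asserts the new pair is eventually served. The test bodies continue outside the visible hunks.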