feat(web): Support TLS encryption (#322)

* Basic setup to serve HTTPS * Correctly handle the case of missing TLS configs * Documenting TLS * Refactor TLS configuration setup * Add TLS Encryption section again to README * Extending TOC in README * Moving TLS settings to subsection of web settings * Adding tests for config/web * Add test for handling TLS * Rename some variables as suggested * Corrected error formatting * Update test module import * Polishing the readme file * Error handling for TLSConfig() --------- Co-authored-by: TwiN <twin@linux.com>
2023-04-22 18:12:56 +02:00
parent 0bd0c1fd15
commit a05daeda2e
6 changed files with 241 additions and 27 deletions
--- a/config/web/web.go
+++ b/config/web/web.go
@ -1,6 +1,7 @@
 package web

 import (
+	"crypto/tls"
 	"fmt"
 	"math"
 )
@ -21,6 +22,21 @@ type Config struct {

 	// Port to listen on (default to 8080 specified by DefaultPort)
 	Port int `yaml:"port"`
+
+	// TLS configuration
+	Tls TLSConfig `yaml:"tls"`
+
+	tlsConfig      *tls.Config
+	tlsConfigError error
+}
+
+type TLSConfig struct {
+
+	// Optional public certificate for TLS in PEM format.
+	CertificateFile string `yaml:"certificate-file,omitempty"`
+
+	// Optional private key file for TLS in PEM format.
+	PrivateKeyFile string `yaml:"private-key-file,omitempty"`
 }

 // GetDefaultConfig returns a Config struct with the default values
@ -40,6 +56,11 @@ func (web *Config) ValidateAndSetDefaults() error {
 	} else if web.Port < 0 || web.Port > math.MaxUint16 {
 		return fmt.Errorf("invalid port: value should be between %d and %d", 0, math.MaxUint16)
 	}
+	// Try to load the TLS certificates
+	_, err := web.TLSConfig()
+	if err != nil {
+		return fmt.Errorf("invalid tls config: %w", err)
+	}
 	return nil
 }

@ -47,3 +68,19 @@ func (web *Config) ValidateAndSetDefaults() error {
 func (web *Config) SocketAddress() string {
 	return fmt.Sprintf("%s:%d", web.Address, web.Port)
 }
+
+// TLSConfig returns a tls.Config object for serving over an encrypted channel
+func (web *Config) TLSConfig() (*tls.Config, error) {
+	if web.tlsConfig == nil && len(web.Tls.CertificateFile) > 0 && len(web.Tls.PrivateKeyFile) > 0 {
+		web.loadTLSConfig()
+	}
+	return web.tlsConfig, web.tlsConfigError
+}
+
+func (web *Config) loadTLSConfig() {
+	cer, err := tls.LoadX509KeyPair(web.Tls.CertificateFile, web.Tls.PrivateKeyFile)
+	if err != nil {
+		web.tlsConfigError = err
+	}
+	web.tlsConfig = &tls.Config{Certificates: []tls.Certificate{cer}}
+}
--- a/config/web/web_test.go
+++ b/config/web/web_test.go
@ -2,6 +2,8 @@ package web

 import (
 	"testing"
+
+	"github.com/TwiN/gatus/v5/test"
 )

 func TestGetDefaultConfig(t *testing.T) {
@ -12,6 +14,9 @@ func TestGetDefaultConfig(t *testing.T) {
 	if defaultConfig.Address != DefaultAddress {
 		t.Error("expected default config to have the default address")
 	}
+	if defaultConfig.Tls != (TLSConfig{}) {
+		t.Error("expected default config to have TLS disabled")
+	}
 }

 func TestConfig_ValidateAndSetDefaults(t *testing.T) {
@ -63,3 +68,43 @@ func TestConfig_SocketAddress(t *testing.T) {
 		t.Errorf("expected %s, got %s", "0.0.0.0:8081", web.SocketAddress())
 	}
 }
+
+func TestConfig_TLSConfig(t *testing.T) {
+	privateKeyPath, publicKeyPath := test.UnsafeSelfSignedCertificates(t.TempDir())
+
+	scenarios := []struct {
+		name        string
+		cfg         *Config
+		expectedErr bool
+	}{
+		{
+			name:        "including TLS",
+			cfg:         &Config{Tls: (TLSConfig{CertificateFile: publicKeyPath, PrivateKeyFile: privateKeyPath})},
+			expectedErr: false,
+		},
+		{
+			name:        "TLS with missing crt file",
+			cfg:         &Config{Tls: (TLSConfig{CertificateFile: "doesnotexist", PrivateKeyFile: privateKeyPath})},
+			expectedErr: true,
+		},
+		{
+			name:        "TLS with missing key file",
+			cfg:         &Config{Tls: (TLSConfig{CertificateFile: publicKeyPath, PrivateKeyFile: "doesnotexist"})},
+			expectedErr: true,
+		},
+	}
+	for _, scenario := range scenarios {
+		t.Run(scenario.name, func(t *testing.T) {
+			cfg, err := scenario.cfg.TLSConfig()
+			if (err != nil) != scenario.expectedErr {
+				t.Errorf("expected the existence of an error to be %v, got %v", scenario.expectedErr, err)
+				return
+			}
+			if !scenario.expectedErr {
+				if cfg == nil {
+					t.Error("TLS configuration was not correctly loaded although no error was returned")
+				}
+			}
+		})
+	}
+}