feat(package): make it so

Author: terinjokes

.gitignore

@@ -0,0 +1 @@
+vendor/

.travis.yml

@@ -0,0 +1,12 @@
+language: go
+
+go:
+  - 1.7.x
+  - 1.8.x
+
+install:
+  - go get github.com/Masterminds/glide
+  - glide install
+
+script:
+  - go test -v $(glide nv)

LICENSE.md

@@ -0,0 +1,25 @@
+> Copyright (c) 2017, Cloudflare. All rights reserved.
+>
+> Redistribution and use in source and binary forms, with or without
+> modification, are permitted provided that the following conditions are mept:
+>
+> 1. Redistributions of source code must retain the above copyright notice,
+>    this list of conditions and the following disclaimer.
+> 2. Redistributions in binary form must reproduce the above copyright notice,
+>    this list of conditions and the following disclaimer in the documentation
+>    and/or other materials provided with the distribution.
+> 3. Neither the name of the copyright holder nor the names of its contributors
+>    may be used to endorse or promote products derived from this software
+>    without specific prior written permission.
+>
+> THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+> AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+> IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+> ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+> LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+> CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+> SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+> INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+> CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+> ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+> POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1,52 @@
+# certinel
+
+Certinel is a Go library that makes it even easier to implement zero-hit
+TLS certificate changes by watching for certificate changes for you. The
+methods required by `tls.TLSConfig` are already implemented for you.
+
+Right now there's support for listening to file system events on Linux,
+BSDs, and Windows using the [fsnotify][fsnotify] library.
+
+[fsnotify]: https://github.com/fsnotify/fsnotify
+
+## Usage
+
+Create the certinel instance, start it with `Watch`, then pass the
+`GetCertificate` method to your `tls.TLSConfig` instance.
+
+```go
+package main
+
+import (
+	"crypto/tls"
+	"log"
+	"net/http"
+
+	"github.com/cloudflare/certinel"
+	"github.com/cloudflare/certinel/fswatcher"
+)
+
+func main() {
+	watcher, err := fswatcher.New("/etc/ssl/app.pem", "/etc/ssl/app.key")
+	if err != nil {
+		log.Fatalf("fatal: unable to read server certificate. err='%s'", err)
+	}
+	sentinel := certinel.New(watcher, func(err error) {
+		log.Printf("error: certinel was unable to reload the certificate. err='%s'", err)
+	})
+
+	sentinel.Watch()
+
+	server := http.Server{
+		Addr: ":8000",
+		TLSConfig: &tls.Config{
+			GetCertificate: sentinel.GetCertificate,
+		},
+	}
+	
+	server.ListenAndServeTLS("", "")
+}
+```
+
+On Go 1.8+, `GetClientCertificate` is also implemented to support
+rotating the client certificate.

certinel.go

@@ -0,0 +1,79 @@
+package certinel
+
+import (
+	"crypto/tls"
+	"sync"
+)
+
+// Certinel is a container for zero-hit tls.Certificate changes, by
+// receiving new certificates from sentries and presenting the functions
+// expected by Go's tls.Config{}.
+// Reading certificates from a Certinel instance is safe across multiple
+// goroutines.
+type Certinel struct {
+	mu          sync.RWMutex
+	certificate *tls.Certificate
+	watcher     Watcher
+	errBack     func(error)
+}
+
+// Watchers provide a way to construct (and close!) channels that
+// bind a Certinel to a changing certificate.
+type Watcher interface {
+	Watch() (<-chan tls.Certificate, <-chan error)
+	Close() error
+}
+
+// New creates a Certinel that watches for changes with the provided
+// Watcher.
+func New(w Watcher, errBack func(error)) *Certinel {
+	if errBack == nil {
+		errBack = func(error) {}
+	}
+
+	return &Certinel{
+		watcher: w,
+		errBack: errBack,
+	}
+}
+
+// Watch setups the Certinel's channel handles and calls Watch on the
+// held Watcher instance.
+func (c *Certinel) Watch() {
+	go func() {
+		tlsChan, errChan := c.watcher.Watch()
+		for {
+			select {
+			case certificate := <-tlsChan:
+				c.loadCertificate(certificate)
+			case err := <-errChan:
+				c.errBack(err)
+			}
+		}
+	}()
+
+	return
+}
+
+// Close calls Close on the held Watcher instance. After closing it
+// is no longer safe to use this Certinel instance.
+func (c *Certinel) Close() error {
+	return c.watcher.Close()
+}
+
+// GetCertificate returns the current tls.Certificate instance. The function
+// can be passed as the GetCertificate member in a tls.Config object. It is
+// safe to call across multiple goroutines.
+func (c *Certinel) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	return c.certificate, nil
+}
+
+func (c *Certinel) loadCertificate(certificate tls.Certificate) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	c.certificate = &certificate
+}

certinel_go1.8.go

@@ -0,0 +1,17 @@
+// +build go1.8
+
+package certinel
+
+import (
+	"crypto/tls"
+)
+
+// GetClientCertificate returns the current tls.Certificate instance. The function
+// can be passed as the GetClientCertificate member in a tls.Config object. It is
+// safe to call across multiple goroutines.
+func (c *Certinel) GetClientCertificate(certificateRequest *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	return c.certificate, nil
+}

certinel_test.go

@@ -0,0 +1,110 @@
+package certinel
+
+import (
+	"crypto/tls"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+type MockWatcher struct {
+	mock.Mock
+}
+
+func (o *MockWatcher) Watch() (<-chan tls.Certificate, <-chan error) {
+	args := o.Called()
+
+	return args.Get(0).(chan tls.Certificate), args.Get(1).(chan error)
+}
+
+func (o *MockWatcher) Close() error {
+	args := o.Called()
+
+	return args.Error(0)
+}
+
+func TestGetCertificate(t *testing.T) {
+	tlsChan := make(chan tls.Certificate)
+	errChan := make(chan error)
+	cert := tls.Certificate{}
+	clientHello := &tls.ClientHelloInfo{}
+	watcher := &MockWatcher{}
+
+	subject := &Certinel{
+		watcher: watcher,
+		errBack: func(error) {},
+	}
+
+	watcher.On("Watch").Return(tlsChan, errChan)
+	watcher.On("Close").Return(nil)
+
+	gotCert, err := subject.GetCertificate(clientHello)
+	if assert.NoError(t, err) {
+		assert.Nil(t, gotCert)
+	}
+
+	subject.Watch()
+	tlsChan <- cert
+	<-time.After(time.Duration(1) * time.Millisecond)
+
+	gotCert, err = subject.GetCertificate(clientHello)
+	if assert.NoError(t, err) {
+		assert.Equal(t, cert, *gotCert)
+	}
+
+	subject.Close() // nolint: errcheck
+
+	watcher.AssertExpectations(t)
+}
+
+func TestGetCertificateAfterChange(t *testing.T) {
+	tlsChan := make(chan tls.Certificate)
+	errChan := make(chan error)
+	cert1 := tls.Certificate{
+		Certificate: [][]byte{
+			[]byte("Hello"),
+		},
+	}
+	cert2 := tls.Certificate{
+		Certificate: [][]byte{
+			[]byte("Goodbye"),
+		},
+	}
+	clientHello := &tls.ClientHelloInfo{}
+	watcher := &MockWatcher{}
+
+	subject := &Certinel{
+		watcher: watcher,
+		errBack: func(error) {},
+	}
+
+	watcher.On("Watch").Return(tlsChan, errChan)
+	watcher.On("Close").Return(nil)
+
+	gotCert, err := subject.GetCertificate(clientHello)
+	if assert.NoError(t, err) {
+		assert.Nil(t, gotCert)
+	}
+
+	subject.Watch()
+	tlsChan <- cert1
+	<-time.After(time.Duration(1) * time.Millisecond)
+
+	gotCert, err = subject.GetCertificate(clientHello)
+	if assert.NoError(t, err) {
+		assert.Equal(t, cert1, *gotCert)
+	}
+
+	tlsChan <- cert2
+	<-time.After(time.Duration(1) * time.Millisecond)
+	gotCert, err = subject.GetCertificate(clientHello)
+	if assert.NoError(t, err) {
+		assert.Equal(t, cert2, *gotCert)
+	}
+
+	subject.Close() // nolint: errcheck
+
+	watcher.AssertExpectations(t)
+}

fswatcher/fswatcher.go

@@ -0,0 +1,96 @@
+package fswatcher
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+
+	"github.com/fsnotify/fsnotify"
+	"github.com/pkg/errors"
+)
+
+type Sentry struct {
+	fsnotify *fsnotify.Watcher
+	certPath string
+	keyPath  string
+	tlsChan  chan tls.Certificate
+	errChan  chan error
+}
+
+const (
+	errAddWatcher      = "fswatcher: error adding path to watcher"
+	errCreateWatcher   = "fswatcher: error creating watcher"
+	errLoadCertificate = "fswatcher: error loading certificate"
+)
+
+// New creates a Sentry to watch for file system changes.
+func New(cert, key string) (*Sentry, error) {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return nil, errors.Wrap(err, errCreateWatcher)
+	}
+
+	if err != nil {
+		return nil, errors.Wrap(err, errAddWatcher)
+	}
+
+	fsw := &Sentry{
+		fsnotify: watcher,
+		certPath: cert,
+		keyPath:  key,
+		tlsChan:  make(chan tls.Certificate),
+		errChan:  make(chan error),
+	}
+
+	go func() {
+		for {
+			select {
+			case event := <-watcher.Events:
+				if event.Op&fsnotify.Write == fsnotify.Write {
+					fsw.loadCertificate()
+				}
+			case err := <-watcher.Errors:
+				fsw.errChan <- err
+			}
+		}
+	}()
+
+	return fsw, nil
+}
+
+func (w *Sentry) Watch() (<-chan tls.Certificate, <-chan error) {
+	go func() {
+		w.loadCertificate()
+		err := w.fsnotify.Add(w.certPath)
+
+		if err != nil {
+			w.errChan <- err
+		}
+	}()
+	return w.tlsChan, w.errChan
+}
+
+func (w *Sentry) Close() error {
+	err := w.fsnotify.Close()
+
+	close(w.tlsChan)
+	close(w.errChan)
+	return err
+}
+
+func (w *Sentry) loadCertificate() {
+	certificate, err := tls.LoadX509KeyPair(w.certPath, w.keyPath)
+	if err != nil {
+		w.errChan <- errors.Wrap(err, errLoadCertificate)
+		return
+	}
+
+	leaf, err := x509.ParseCertificate(certificate.Certificate[0])
+	if err != nil {
+		w.errChan <- errors.Wrap(err, errLoadCertificate)
+		return
+	}
+
+	certificate.Leaf = leaf
+
+	w.tlsChan <- certificate
+}