/*
Copyright (c) 2021 - Present. Blend Labs, Inc. All rights reserved
Use of this source code is governed by a MIT license that can be found in the LICENSE file.
*/
package certutil
import (
"crypto/tls"
"os"
"time"
"github.com/blend/go-sdk/async"
"github.com/blend/go-sdk/ex"
)
// Error constants.
const (
	// ErrTLSPathsUnset is returned (wrapped by ex.New) from NewCertFileWatcher
	// when either the certificate path or the key path is the empty string.
	ErrTLSPathsUnset ex.Class = "tls cert or key path unset; cannot continue"
)
// NewCertFileWatcher builds a CertFileWatcher for the given certificate and
// key files, applies the options in order, and performs an initial Reload so
// that an unreadable or mismatched key pair is rejected at construction time
// instead of at the first TLS handshake.
//
// It returns ErrTLSPathsUnset (wrapped with ex.New) when either path is empty,
// the first non-nil error produced by an option, or the error from the initial
// Reload. That initial Reload also invokes any OnReload handler that was
// installed via OptCertFileWatcherOnReload.
func NewCertFileWatcher(certPath, keyPath string, opts ...CertFileWatcherOption) (*CertFileWatcher, error) {
	if len(certPath) == 0 || len(keyPath) == 0 {
		return nil, ex.New(ErrTLSPathsUnset)
	}
	watcher := &CertFileWatcher{
		Latch:    async.NewLatch(),
		CertPath: certPath,
		KeyPath:  keyPath,
	}
	for _, apply := range opts {
		if err := apply(watcher); err != nil {
			return nil, err
		}
	}
	// Fail fast: prove the pair on disk is loadable before handing out a watcher.
	if err := watcher.Reload(); err != nil {
		return nil, err
	}
	return watcher, nil
}
// CertFileWatcherOption is an option for a cert watcher.
//
// NewCertFileWatcher applies options in the order given, before its initial
// Reload; the first option that returns a non-nil error aborts construction.
type CertFileWatcherOption func(*CertFileWatcher) error
// OptCertFileWatcherOnReload installs handler as the watcher's OnReload hook.
// The hook runs after every Reload attempt and receives the outcome (nil on
// success). Because NewCertFileWatcher applies options before performing its
// initial Reload, this option is the only way to observe that first load too.
func OptCertFileWatcherOnReload(handler func(*CertFileWatcher, error)) CertFileWatcherOption {
	return func(watcher *CertFileWatcher) (err error) {
		watcher.OnReload = handler
		return
	}
}
// OptCertFileWatcherPollInterval sets how often Start stats the certificate
// and key files. The value is stored as given; a zero or negative interval is
// not used directly but replaced by the default from PollIntervalOrDefault.
func OptCertFileWatcherPollInterval(d time.Duration) CertFileWatcherOption {
	return func(watcher *CertFileWatcher) (err error) {
		watcher.PollInterval = d
		return
	}
}
// CertFileWatcher reloads a cert key pair when there is a change, e.g. cert renewal.
//
// Change detection is by file modification time only (see Start); on every
// detected change the pair is re-read with tls.LoadX509KeyPair (see Reload).
type CertFileWatcher struct {
	// Latch carries the start/stop lifecycle driven by Start and Stop.
	*async.Latch
	// Certificate is the most recently loaded key pair. Reload replaces it
	// only after a successful load, and GetCertificate hands it out.
	// NOTE(review): nothing in this file synchronizes the write in Reload
	// with the read in GetCertificate (no mutex or atomic around the pointer
	// swap); confirm that is acceptable or guard it.
	Certificate *tls.Certificate
	// CertPath and KeyPath are the files passed to tls.LoadX509KeyPair.
	CertPath string
	KeyPath  string
	// PollInterval is the stat period used by Start; a value <= 0 means the
	// default returned by PollIntervalOrDefault.
	PollInterval time.Duration
	// OnReload, when set, is invoked after every Reload attempt with the
	// outcome (nil on success), including the initial load in the constructor.
	OnReload func(*CertFileWatcher, error)
}
// PollIntervalOrDefault returns the configured PollInterval when it is
// strictly positive; otherwise it falls back to the package default of 500ms.
func (cw *CertFileWatcher) PollIntervalOrDefault() time.Duration {
	const defaultPollInterval = 500 * time.Millisecond
	if cw.PollInterval <= 0 {
		return defaultPollInterval
	}
	return cw.PollInterval
}
// Reload re-reads the certificate and key files with tls.LoadX509KeyPair and,
// on success, swaps the result into cw.Certificate. On failure the previously
// loaded certificate is left untouched and the load error, wrapped by ex.New,
// is returned.
//
// Whether or not the load succeeds, the OnReload handler (if any) is invoked
// with the outcome before Reload returns. tls.LoadX509KeyPair refuses a key
// that does not match the certificate, so a half-written rotation surfaces
// here as an error rather than as a mismatched pair being served.
func (cw *CertFileWatcher) Reload() (err error) {
	defer func() {
		if handler := cw.OnReload; handler != nil {
			handler(cw, err)
		}
	}()
	pair, loadErr := tls.LoadX509KeyPair(cw.CertPath, cw.KeyPath)
	if loadErr != nil {
		err = ex.New(loadErr)
		return err
	}
	// Only a verified pair replaces the one currently being served.
	cw.Certificate = &pair
	return nil
}
// GetCertificate returns the certificate most recently stored by Reload. Its
// signature matches tls.Config.GetCertificate; the ClientHelloInfo is ignored
// and the error is always nil (a nil certificate is returned as-is).
//
// NOTE(review): an earlier comment claimed this blocks while the certificate
// is being updated, but no lock or atomic guards cw.Certificate in this file;
// the pointer read is unsynchronized with respect to Reload.
func (cw *CertFileWatcher) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
	current := cw.Certificate
	return current, nil
}
// Start runs the polling loop on the calling goroutine until Stop is invoked.
//
// It marks the latch starting, takes an initial snapshot of both files'
// modification times (returning at once if either stat fails), then marks the
// latch started and, every PollIntervalOrDefault, stats the files again. When
// either modification time has moved forward it calls Reload and, only if that
// succeeds, advances the snapshot so the same change is not reloaded twice.
//
// Caveats visible from the code:
//   - Detection is by mtime only: a rewrite that keeps the old mtime is not
//     noticed, and one that produces an older mtime is ignored.
//   - Any stat or Reload error ends the loop and is returned to the caller.
//     Reload leaves the previously loaded certificate in place on failure, so
//     serving continues, but the watcher stops watching. A half-written
//     rotation (key replaced before cert, or vice versa) can trip this.
//   - On that error path Stopped is never called. NOTE(review): if the latch
//     needs Stopped for NotifyStopped to fire, a later Stop would block;
//     confirm against async.Latch.
func (cw *CertFileWatcher) Start() error {
	cw.Starting()
	lastCertMod, lastKeyMod, err := cw.keyPairLastModified()
	if err != nil {
		return err
	}
	tick := time.NewTicker(cw.PollIntervalOrDefault())
	defer tick.Stop()
	cw.Started()
	for {
		select {
		case <-cw.NotifyStopping():
			cw.Stopped()
			return nil
		case <-tick.C:
			certMod, keyMod, statErr := cw.keyPairLastModified()
			if statErr != nil {
				return statErr
			}
			if !certMod.After(lastCertMod) && !keyMod.After(lastKeyMod) {
				continue
			}
			if reloadErr := cw.Reload(); reloadErr != nil {
				return reloadErr
			}
			// Advance the snapshot only after a successful load so a failed
			// attempt is retried on the next tick.
			lastCertMod, lastKeyMod = certMod, keyMod
		}
	}
}
// Stop asks a running watcher to exit and then waits on NotifyStopped, which
// the Start loop satisfies by calling Stopped once it observes NotifyStopping.
// It returns async.ErrCannotStop when the latch reports the watcher is not in
// a stoppable state.
//
// NOTE(review): if Start has already returned with an error, nothing calls
// Stopped; whether this wait then blocks depends on async.Latch — confirm.
func (cw *CertFileWatcher) Stop() error {
	if cw.CanStop() {
		cw.Stopping()
		<-cw.NotifyStopped()
		return nil
	}
	return async.ErrCannotStop
}
// keyPairLastModified stats the key file and then the certificate file and
// returns their modification times as (cert, key). The first stat error aborts
// the call and is returned with both times left at their zero value.
func (cw *CertFileWatcher) keyPairLastModified() (cert time.Time, key time.Time, err error) {
	keyInfo, statErr := os.Stat(cw.KeyPath)
	if statErr != nil {
		return time.Time{}, time.Time{}, statErr
	}
	certInfo, statErr := os.Stat(cw.CertPath)
	if statErr != nil {
		return time.Time{}, time.Time{}, statErr
	}
	return certInfo.ModTime(), keyInfo.ModTime(), nil
}