write ReplaceCertificate in protobuf

sozu-proxy · Apr 4, 2023 · 5a77faf · 5a77faf
1 parent 9a37917
commit 5a77faf
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 36 deletions.
diff --git a/bin/src/acme.rs b/bin/src/acme.rs
@@ -11,9 +11,10 @@ use sozu_command_lib::{
     channel::Channel,
     config::Config,
     proto::command::{
-        AddCertificate, CertificateAndKey, PathRule, RequestHttpFrontend, RulePosition, TlsVersion,
+        AddCertificate, CertificateAndKey, PathRule, ReplaceCertificate, RequestHttpFrontend,
+        RulePosition, TlsVersion,
     },
-    request::{AddBackend, RemoveBackend, ReplaceCertificate, Request},
+    request::{AddBackend, RemoveBackend, Request},
     response::{Response, ResponseStatus},
 };
 
@@ -382,7 +383,7 @@ fn add_certificate(
                 key,
                 versions,
             },
-            old_fingerprint: Fingerprint(f),
+            old_fingerprint: Fingerprint(f).to_string(),
             new_names: vec![hostname.to_string()],
             new_expired_at: None,
         }),

diff --git a/bin/src/ctl/request_builder.rs b/bin/src/ctl/request_builder.rs
@@ -7,12 +7,12 @@ use sozu_command_lib::{
     config::{Config, ListenerBuilder, ProxyProtocolConfig},
     proto::command::{
         AddCertificate, CertificateAndKey, FrontendFilters, PathRule, RemoveCertificate,
-        RequestHttpFrontend, RulePosition, TlsVersion,
+        ReplaceCertificate, RequestHttpFrontend, RulePosition, TlsVersion,
     },
     request::{
         ActivateListener, AddBackend, Cluster, DeactivateListener, ListenerType,
-        LoadBalancingParams, MetricsConfiguration, RemoveBackend, RemoveListener,
-        ReplaceCertificate, Request, RequestTcpFrontend,
+        LoadBalancingParams, MetricsConfiguration, RemoveBackend, RemoveListener, Request,
+        RequestTcpFrontend,
     },
 };
 
@@ -484,7 +484,7 @@ impl CommandManager {
         self.order_request(Request::ReplaceCertificate(ReplaceCertificate {
             address,
             new_certificate,
-            old_fingerprint,
+            old_fingerprint: old_fingerprint.to_string(),
             new_names: vec![],
             new_expired_at: None,
         }))?;

diff --git a/command/src/command.proto b/command/src/command.proto
@@ -44,6 +44,7 @@ enum RulePosition {
     TREE = 2;
 }
 
+// Add a new TLS certificate to an HTTPs listener
 message AddCertificate {
     required string address = 1;
     required CertificateAndKey certificate = 2;
@@ -54,10 +55,20 @@ message AddCertificate {
 
 message RemoveCertificate {
     required string address = 1;
-    // a hex-encoded TLS fingerprint
+    // a hex-encoded TLS fingerprint to identify the certificate to remove
     required string fingerprint = 2;
 }
 
+message ReplaceCertificate {
+    required string address = 1;
+    required CertificateAndKey new_certificate = 2;
+    // a hex-encoded TLS fingerprint to identify the old certificate
+    required string old_fingerprint = 3;
+    repeated string new_names = 4;
+    // A unix timestamp. Overrides certificate expiration.
+    optional int64 new_expired_at = 5;
+}
+
 message CertificateAndKey {
     required string certificate = 1;
     repeated string certificate_chain = 2;

diff --git a/command/src/request.rs b/command/src/request.rs
@@ -12,7 +12,7 @@ use crate::{
     certificate::Fingerprint,
     config::ProxyProtocolConfig,
     proto::command::{
-        AddCertificate, CertificateAndKey, FrontendFilters, PathRuleKind, RemoveCertificate,
+        AddCertificate, FrontendFilters, PathRuleKind, RemoveCertificate, ReplaceCertificate,
         RequestHttpFrontend, RulePosition,
     },
     response::{
@@ -276,25 +276,6 @@ pub struct DeactivateListener {
     pub to_scm: bool,
 }
 
-/*
-#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
-pub struct RemoveCertificate {
-    pub address: String,
-    pub fingerprint: Fingerprint,
-}
-*/
-
-#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
-pub struct ReplaceCertificate {
-    pub address: String,
-    pub new_certificate: CertificateAndKey,
-    pub old_fingerprint: Fingerprint,
-    #[serde(skip_serializing_if = "Vec::is_empty", default = "Vec::new")]
-    pub new_names: Vec<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub new_expired_at: Option<i64>,
-}
-
 /// Meant for outside users, contains a String instead of a SocketAddr
 #[derive(Debug, Clone, PartialOrd, Ord, PartialEq, Eq, Hash, Serialize, Deserialize)]
 pub struct RequestTcpFrontend {
@@ -452,7 +433,7 @@ mod tests {
     use super::*;
     use crate::certificate::split_certificate_chain;
     use crate::config::ProxyProtocolConfig;
-    use crate::proto::command::{PathRule, RulePosition, TlsVersion};
+    use crate::proto::command::{CertificateAndKey, PathRule, RulePosition, TlsVersion};
     use crate::response::HttpFrontend;
     use serde_json;
 

diff --git a/command/src/state.rs b/command/src/state.rs
@@ -14,11 +14,12 @@ use anyhow::{bail, Context};
 use crate::{
     certificate::{calculate_fingerprint, Fingerprint},
     proto::command::{
-        AddCertificate, CertificateAndKey, PathRule, RemoveCertificate, RequestHttpFrontend,
+        AddCertificate, CertificateAndKey, PathRule, RemoveCertificate, ReplaceCertificate,
+        RequestHttpFrontend,
     },
     request::{
         ActivateListener, AddBackend, Cluster, DeactivateListener, ListenerType, RemoveBackend,
-        RemoveListener, ReplaceCertificate, Request, RequestTcpFrontend,
+        RemoveListener, Request, RequestTcpFrontend,
     },
     response::{
         Backend, ClusterInformation, HttpFrontend, HttpListenerConfig, HttpsListenerConfig,
@@ -387,10 +388,15 @@ impl ConfigState {
             .parse()
             .with_context(|| "Could not parse socket address")?;
 
+        let old_fingerprint = Fingerprint(
+            hex::decode(&replace.old_fingerprint)
+                .with_context(|| "Failed at decoding the string (expected hexadecimal data)")?,
+        );
+
         self.certificates
             .get_mut(&address)
             .with_context(|| format!("No certificate to replace for address {}", replace.address))?
-            .remove(&replace.old_fingerprint);
+            .remove(&old_fingerprint);
 
         let new_fingerprint = Fingerprint(
             calculate_fingerprint(replace.new_certificate.certificate.as_bytes())

diff --git a/lib/src/https.rs b/lib/src/https.rs
@@ -33,10 +33,11 @@ use sozu_command::{
     config::DEFAULT_CIPHER_SUITES,
     logging,
     proto::command::{
-        AddCertificate, CertificateSummary, RemoveCertificate, RequestHttpFrontend, TlsVersion,
+        AddCertificate, CertificateSummary, RemoveCertificate, ReplaceCertificate,
+        RequestHttpFrontend, TlsVersion,
     },
     ready::Ready,
-    request::{Cluster, RemoveListener, ReplaceCertificate, Request, WorkerRequest},
+    request::{Cluster, RemoveListener, Request, WorkerRequest},
     response::{HttpFrontend, HttpsListenerConfig, ResponseContent, WorkerResponse},
     scm_socket::ScmSocket,
     state::ClusterId,

diff --git a/lib/src/tls.rs b/lib/src/tls.rs
@@ -24,8 +24,7 @@ use x509_parser::{
 use crate::router::trie::*;
 use sozu_command::{
     certificate::Fingerprint,
-    proto::command::{AddCertificate, CertificateAndKey, TlsVersion},
-    request::ReplaceCertificate,
+    proto::command::{AddCertificate, CertificateAndKey, ReplaceCertificate, TlsVersion},
 };
 
 // -----------------------------------------------------------------------------