Add acceptor support for receiving pre-loaded certificates #284
Changes from 3 commits
@@ -38,8 +38,7 @@ type TCPAcceptor struct { | |
connChan chan PlayerConn | ||
listener net.Listener | ||
running bool | ||
certFile string | ||
keyFile string | ||
certs []tls.Certificate | ||
proxyProtocol bool | ||
} | ||
|
||
|
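Review bot: the new `certs []tls.Certificate` field on `TCPAcceptor` carries no comment saying what populates it (the constructors, or `ListenAndServeTLS` appending to it further down in this diff) and that a non-empty slice is what flips `ListenAndServe` into TLS mode. A one-line comment on the field would document that contract, since it replaces two fields (`certFile`, `keyFile`) whose names made the file-based origin obvious.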
@@ -78,21 +77,26 @@ func (t *tcpPlayerConn) GetNextMessage() (b []byte, err error) { | |
|
||
// NewTCPAcceptor creates a new instance of tcp acceptor | ||
func NewTCPAcceptor(addr string, certs ...string) *TCPAcceptor { | ||
keyFile := "" | ||
certFile := "" | ||
certificates := []tls.Certificate{} | ||
if len(certs) != 2 && len(certs) != 0 { | ||
panic(constants.ErrInvalidCertificates) | ||
} else if len(certs) == 2 { | ||
certFile = certs[0] | ||
keyFile = certs[1] | ||
cert, err := tls.LoadX509KeyPair(certs[0], certs[1]) | ||
if err != nil { | ||
panic(constants.ErrInvalidCertificates) | ||
} | ||
certificates = append(certificates, cert) | ||
} | ||
|
||
return NewTCP(addr, certificates...) | ||
} | ||
|
||
func NewTCP(addr string, certs ...tls.Certificate) *TCPAcceptor { | ||
reinaldooli marked this conversation as resolved.

Comment: This name seems fairly ambiguous, could we name it something like NewTLSAcceptor or something like that?

Comment: That's a good question, I always struggle with naming in Golang. I defined it as Another option could be What do you think?

Comment: Given the current naming standards, I agree with Rafa on changing to NewTLSAcceptor
||
return &TCPAcceptor{ | ||
addr: addr, | ||
connChan: make(chan PlayerConn), | ||
running: false, | ||
certFile: certFile, | ||
keyFile: keyFile, | ||
certs: certs, | ||
proxyProtocol: false, | ||
} | ||
} | ||
|
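Review bot: in `NewTCPAcceptor`, the error returned by `tls.LoadX509KeyPair(certs[0], certs[1])` is dropped and replaced by `panic(constants.ErrInvalidCertificates)`, the same value already used for the wrong-argument-count case, so an operator cannot tell a missing file from an unreadable key or a key/certificate mismatch. Suggest logging or wrapping `err` before panicking, for example `panic(fmt.Errorf("%w: %v", constants.ErrInvalidCertificates, err))` (assuming `constants.ErrInvalidCertificates` is an `error` value). The new `NewTCP(addr string, certs ...tls.Certificate)` constructor also has no doc comment; it should state that passing certificates makes the acceptor listen with TLS, and the `NewTLSAcceptor` name suggested in the thread above describes that behaviour better than `NewTCP`.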
@@ -117,13 +121,13 @@ func (a *TCPAcceptor) Stop() { | |
} | ||
|
||
func (a *TCPAcceptor) hasTLSCertificates() bool { | ||
return a.certFile != "" && a.keyFile != "" | ||
return len(a.certs) > 0 | ||
Comment: Shouldn't this be == 2? Otherwise it will return true if it only has 1 cert or if it has 10

Comment: If I recall correctly, I think that the TLS API supports multiple certificates. So in order to make the "new" tcp acceptor API fully functional, I left it as a more generic check. The constraint for 2 files is only related to the "legacy" API that loads the files itself. I think we can remove this altogether in the future, making the code much more generic. What do you think?
||
} | ||
|
||
// ListenAndServe using tcp acceptor | ||
func (a *TCPAcceptor) ListenAndServe() { | ||
if a.hasTLSCertificates() { | ||
a.ListenAndServeTLS(a.certFile, a.keyFile) | ||
a.listenAndServeTLS() | ||
return | ||
} | ||
|
||
|
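Review bot: `hasTLSCertificates` returning `len(a.certs) > 0` is consistent with `tls.Config.Certificates` accepting several certificates (the Go server picks one per connection by SNI), so `== 2` would be wrong here; the two-argument constraint belongs to the file-based constructor only. What this hunk does not cover is the silent fallback: when the slice is empty, `ListenAndServe` continues with a plaintext listener and nothing records that TLS was skipped, so an acceptor built with an accidentally empty slice serves cleartext without complaint. Suggest logging the chosen mode at startup, e.g. `logger.Log.Infof("tcp acceptor on %s: tls=%t", a.addr, a.hasTLSCertificates())` (assuming `logger.Log` offers an `Infof` alongside the `Fatalf` used below), so a deployment can be checked from its logs.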
@@ -143,7 +147,14 @@ func (a *TCPAcceptor) ListenAndServeTLS(cert, key string) { | |
logger.Log.Fatalf("Failed to listen: %s", err.Error()) | ||
} | ||
|
||
tlsCfg := &tls.Config{Certificates: []tls.Certificate{crt}} | ||
a.certs = append(a.certs, crt) | ||
|
||
a.listenAndServeTLS() | ||
} | ||
|
||
// ListenAndServeTLS listens using tls | ||
func (a *TCPAcceptor) listenAndServeTLS() { | ||
tlsCfg := &tls.Config{Certificates: a.certs} | ||
|
||
listener, err := tls.Listen("tcp", a.addr, tlsCfg) | ||
if err != nil { | ||
|
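Review bot: `ListenAndServeTLS` now does `a.certs = append(a.certs, crt)` before calling `listenAndServeTLS()`, so it mutates the acceptor's configuration: on an acceptor constructed with pre-loaded certificates it serves the union of both sets, and calling it twice appends the same certificate twice. Consider building the config from a local slice, e.g. `append(append([]tls.Certificate{}, a.certs...), crt)`, instead of writing back to the struct. Also, the doc comment `// ListenAndServeTLS listens using tls` was moved onto the unexported `listenAndServeTLS`, so it no longer names the function it documents. Finally, `&tls.Config{Certificates: a.certs}` sets no `MinVersion`; since this config is now the single place every TLS listener is built, it is the natural spot for `MinVersion: tls.VersionTLS12`.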
Comment: It might be good to add a test validating this behavior.

Comment: There are some already: https://github.com/topfreegames/pitaya/pull/284/files#diff-91d8960c4bbf5e4ec59f1cc6232c15ea612244fef31e5a2e8c49edbd4c348997L52

Comment: These current tests only seem to assert the case when it panics when len(certs) is 0 or different from 2. I believe we need to add a new entry to the test table with two invalid entries in certs so it tries to load the certificate and then panics.
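As an added example (not code from the pitaya PR or project), the following Go program demonstrates the point argued in the `hasTLSCertificates` thread: a `tls.Config` may hold several certificates, the Go server picks one per connection by SNI, and any non-empty slice is therefore enough to run the acceptor in TLS mode. It constructs two self-signed certificates in memory for the made-up hostnames `game.example.test` and `chat.example.test`, performs a handshake over `net.Pipe` (no sockets needed) and reports which certificate the server presented; `hasTLSCertificates`, `selfSignedCert`, `exampleCerts` and `servedHostname` are names chosen here, not the project's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// hasTLSCertificates mirrors the check from the PR: any non-empty slice enables TLS.
func hasTLSCertificates(certs []tls.Certificate) bool {
	return len(certs) > 0
}

// selfSignedCert builds an in-memory self-signed certificate for one hostname
// (constructed for this example; the real acceptor receives pre-loaded certificates).
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // uniqueness is irrelevant for a handshake demo
		DNSNames:     []string{host},                     // the SAN the server matches against SNI
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	// Go (1.14+) parses the leaf lazily when selecting a certificate by SNI.
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// exampleCerts returns the two example certificates, game first, chat second.
func exampleCerts() ([]tls.Certificate, error) {
	game, err := selfSignedCert("game.example.test")
	if err != nil {
		return nil, err
	}
	chat, err := selfSignedCert("chat.example.test")
	if err != nil {
		return nil, err
	}
	return []tls.Certificate{game, chat}, nil
}

// servedHostname handshakes over an in-memory pipe against a server holding certs and
// returns the hostname of the certificate the server chose for the requested SNI name.
// It fails where the acceptor's hasTLSCertificates check would fall back to plaintext.
func servedHostname(certs []tls.Certificate, sni string) (string, error) {
	if !hasTLSCertificates(certs) {
		return "", fmt.Errorf("no certificates: acceptor would serve plaintext")
	}
	serverCfg := &tls.Config{
		Certificates:           certs,
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // one flight per side, so the synchronous pipe cannot stall on ticket writes
	}
	clientCfg := &tls.Config{
		ServerName:         sni,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true, // the example certificates are self-signed; real clients verify the chain
	}
	clientSide, serverSide := net.Pipe()
	defer clientSide.Close()
	defer serverSide.Close()
	deadline := time.Now().Add(5 * time.Second) // bounds any stall if a handshake step fails
	clientSide.SetDeadline(deadline)
	serverSide.SetDeadline(deadline)
	server := tls.Server(serverSide, serverCfg)
	client := tls.Client(clientSide, clientCfg)
	serverErr := make(chan error, 1)
	go func() { serverErr <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		return "", fmt.Errorf("client handshake: %w", err)
	}
	if err := <-serverErr; err != nil {
		return "", fmt.Errorf("server handshake: %w", err)
	}
	peer := client.ConnectionState().PeerCertificates
	if len(peer) == 0 {
		return "", fmt.Errorf("server presented no certificate")
	}
	return peer[0].DNSNames[0], nil
}

func main() {
	certs, err := exampleCerts()
	if err != nil {
		panic(err)
	}
	for _, sni := range []string{"chat.example.test", "unknown.example.test"} {
		host, err := servedHostname(certs, sni)
		fmt.Printf("SNI %s -> served %s (err=%v)\n", sni, host, err)
	}
}
```

Two things the handshake shows that the discussion only states: asking for `chat.example.test` yields the second certificate, so a single `tls.Config` really does serve several identities, and asking for a name no certificate covers yields the first entry, so the order of the slice handed to the acceptor decides the default certificate.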