Add RunTLS (#120)

redecs · web-flow · commit 79d2c63ec95b · 2024-04-19T11:37:59.000-04:00
* added run tls * setup run tls bool flag * options update for tls config and files; server adjustments for tls * serve updated after rebase * removed RunTLS to simplify API and updated tests * chore: typo fix for WithoutStartupMessages * functional test for tls servers * graceful shutdown for http server too * moved TestServer_Run at the end of file above TestServer_RunTLS * removed options add RunTLS back in; updated log messages with proto * acme-tls example with certmagic (#1) * certmagic poc * add missing flag parse * add with tls config from acme client * listen on http too * manage sync + https redir * updated acme tls example * acme tls update with comments * remove debug log from acme-tls example * acme-tls RunTLS * chore: acme-tls comment update * tls test without logger * removed acme-tls example
diff --git a/openapi.go b/openapi.go
@@ -120,8 +120,12 @@ func (s *Server) registerOpenAPIRoutes(jsonSpec []byte) {
 		Path:   s.OpenAPIConfig.SwaggerUrl + "/",
 	}, s.OpenAPIConfig.UIHandler(s.OpenAPIConfig.JsonUrl))
 
-	s.printOpenAPIMessage(fmt.Sprintf("JSON spec: http://%s%s", s.Server.Addr, s.OpenAPIConfig.JsonUrl))
-	s.printOpenAPIMessage(fmt.Sprintf("OpenAPI UI: http://%s%s/index.html", s.Server.Addr, s.OpenAPIConfig.SwaggerUrl))
+	proto := "http"
+	if s.isTLS {
+		proto = "https"
+	}
+	s.printOpenAPIMessage(fmt.Sprintf("JSON spec: %s://%s%s", proto, s.Server.Addr, s.OpenAPIConfig.JsonUrl))
+	s.printOpenAPIMessage(fmt.Sprintf("OpenAPI UI: %s://%s%s/index.html", proto, s.Server.Addr, s.OpenAPIConfig.SwaggerUrl))
 }
 
 func (s *Server) printOpenAPIMessage(msg string) {
diff --git a/options.go b/options.go
@@ -42,7 +42,7 @@ type Server struct {
 	// [http.ServeMux.Handle] can also be used to register routes.
 	Mux *http.ServeMux
 
-	// Not stored with the oter middlewares because it is a special case :
+	// Not stored with the other middlewares because it is a special case :
 	// it applies on routes that are not registered.
 	// For example, it allows OPTIONS /foo even if it is not declared (only GET /foo is declared).
 	corsMiddleware func(http.Handler) http.Handler
@@ -68,14 +68,16 @@ type Server struct {
 	template *template.Template // TODO: use preparsed templates
 
 	DisallowUnknownFields bool // If true, the server will return an error if the request body contains unknown fields. Useful for quick debugging in development.
-	DisableOpenapi        bool // If true, the the routes within the server will not generate an openapi spec.
+	DisableOpenapi        bool // If true, the routes within the server will not generate an openapi spec.
 	maxBodySize           int64
 	Serialize             func(w http.ResponseWriter, ans any)   // Used to serialize the response. Defaults to [SendJSON].
 	SerializeError        func(w http.ResponseWriter, err error) // Used to serialize the error response. Defaults to [SendJSONError].
 	ErrorHandler          func(err error) error                  // Used to transform any error into a unified error type structure with status code. Defaults to [ErrorHandler]
 	startTime             time.Time
 
 	OpenAPIConfig OpenAPIConfig
+
+	isTLS bool
 }
 
 // NewServer creates a new server with the given options.
@@ -284,7 +286,7 @@ func WithErrorHandler(errorHandler func(err error) error) func(*Server) {
 	return func(c *Server) { c.ErrorHandler = errorHandler }
 }
 
-// WithoutStartupMessage disables the startup message
+// WithoutStartupMessages disables the startup message
 func WithoutStartupMessages() func(*Server) {
 	return func(c *Server) { c.disableStartupMessages = true }
 }
diff --git a/serve.go b/serve.go
@@ -26,11 +26,33 @@ func (s *Server) Run() error {
 	return s.Server.ListenAndServe()
 }
 
+// RunTLS starts the server with a TLS listener
+// It is blocking.
+// It returns an error if the server could not start (it could not bind to the port for example).
+// It also generates the OpenAPI spec and outputs it to a file, the UI, and a handler (if enabled).
+func (s *Server) RunTLS(certFile, keyFile string) error {
+	s.isTLS = true
+	go s.OutputOpenAPISpec()
+
+	s.printStartupMessage()
+
+	s.Server.Handler = s.Mux
+	if s.corsMiddleware != nil {
+		s.Server.Handler = s.corsMiddleware(s.Server.Handler)
+	}
+
+	return s.Server.ListenAndServeTLS(certFile, keyFile)
+}
+
 func (s *Server) printStartupMessage() {
 	if !s.disableStartupMessages {
 		elapsed := time.Since(s.startTime)
 		slog.Debug("Server started in "+elapsed.String(), "info", "time between since server creation (fuego.NewServer) and server startup (fuego.Run). Depending on your implementation, there might be things that do not depend on fuego slowing start time")
-		slog.Info("Server running ✅ on http://"+s.Server.Addr, "started in", elapsed.String())
+		proto := "http"
+		if s.isTLS {
+			proto = "https"
+		}
+		slog.Info("Server running ✅ on "+proto+"://"+s.Server.Addr, "started in", elapsed.String())
 	}
 }
 
diff --git a/serve_test.go b/serve_test.go
@@ -2,10 +2,20 @@ package fuego
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
 	"errors"
+	"fmt"
 	"io"
+	"math/big"
+	"net"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"testing"
 	"time"
 
@@ -162,32 +172,6 @@ func TestHttpHandler(t *testing.T) {
 	})
 }
 
-func TestServer_Run(t *testing.T) {
-	// This is not a standard test, it is here to ensure that the server can run.
-	// Please do not run this kind of test for your controllers, it is NOT unit testing.
-	t.Run("can run server", func(t *testing.T) {
-		s := NewServer(
-			WithoutLogger(),
-		)
-
-		Get(s, "/test", func(ctx *ContextNoBody) (string, error) {
-			return "OK", nil
-		})
-
-		go func() {
-			s.Run()
-		}()
-
-		require.Eventually(t, func() bool {
-			req := httptest.NewRequest("GET", "/test", nil)
-			w := httptest.NewRecorder()
-			s.Mux.ServeHTTP(w, req)
-
-			return w.Body.String() == `OK`
-		}, 5*time.Millisecond, 500*time.Microsecond)
-	})
-}
-
 func TestSetStatusBeforeSend(t *testing.T) {
 	s := NewServer()
 
@@ -400,3 +384,182 @@ func TestIni(t *testing.T) {
 		})
 	})
 }
+
+func TestServer_Run(t *testing.T) {
+	// This is not a standard test, it is here to ensure that the server can run.
+	// Please do not run this kind of test for your controllers, it is NOT unit testing.
+	t.Run("can run server", func(t *testing.T) {
+		s := NewServer(
+			WithoutLogger(),
+		)
+
+		Get(s, "/test", func(ctx *ContextNoBody) (string, error) {
+			return "OK", nil
+		})
+
+		go func() {
+			s.Run()
+		}()
+		defer func() { // stop our test server when we are done
+			ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+			if err := s.Server.Shutdown(ctx); err != nil {
+				t.Log(err)
+			}
+			cancel()
+		}()
+
+		require.Eventually(t, func() bool {
+			req := httptest.NewRequest("GET", "/test", nil)
+			w := httptest.NewRecorder()
+			s.Mux.ServeHTTP(w, req)
+
+			return w.Body.String() == `OK`
+		}, 5*time.Millisecond, 500*time.Microsecond)
+	})
+}
+
+func TestServer_RunTLS(t *testing.T) {
+	// This is not a standard test, it is here to ensure that the server can run.
+	// Please do not run this kind of test for your controllers, it is NOT unit testing.
+	testHelper, err := newTLSTestHelper()
+	if err != nil {
+		t.Fatal(err)
+	}
+	testTLSConfig, err := testHelper.getTLSConfig()
+	if err != nil {
+		t.Fatal(err)
+	}
+	testCertFile, testKeyFile, err := testHelper.getTLSFiles()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.Remove(testCertFile)
+	defer os.Remove(testKeyFile)
+
+	tt := []struct {
+		name      string
+		tlsConfig *tls.Config
+		certFile  string
+		keyFile   string
+	}{
+		{
+			name:      "can run TLS server with TLS config and empty files",
+			tlsConfig: testTLSConfig,
+		},
+		{
+			name:     "can run TLS server with TLS files",
+			certFile: testCertFile,
+			keyFile:  testKeyFile,
+		},
+	}
+	for _, tc := range tt {
+		t.Run(tc.name, func(t *testing.T) {
+			s := NewServer(WithoutLogger())
+
+			if tc.tlsConfig != nil {
+				s.Server.TLSConfig = tc.tlsConfig
+			}
+
+			Get(s, "/test", func(ctx *ContextNoBody) (string, error) {
+				return "OK", nil
+			})
+
+			go func() { // start our test server async
+				_ = s.RunTLS(tc.certFile, tc.keyFile)
+			}()
+			defer func() { // stop our test server when we are done
+				ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+				if err := s.Server.Shutdown(ctx); err != nil {
+					t.Log(err)
+				}
+				cancel()
+			}()
+
+			// wait for the server to start
+			conn, err := net.DialTimeout("tcp", s.Server.Addr, 1*time.Second)
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer conn.Close()
+
+			client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
+			resp, err := client.Get(fmt.Sprintf("https://%s/test", s.Server.Addr))
+			if err != nil {
+				t.Fatal(err)
+			}
+			body, err := io.ReadAll(resp.Body)
+			if err != nil {
+				t.Fatal(err)
+			}
+			require.Equal(t, []byte("OK"), body)
+		})
+	}
+}
+
+type tlsTestHelper struct {
+	cert []byte
+	key  []byte
+}
+
+func (h *tlsTestHelper) getTLSConfig() (*tls.Config, error) {
+	cert, err := tls.X509KeyPair(h.cert, h.key)
+	if err != nil {
+		return nil, err
+	}
+	return &tls.Config{Certificates: []tls.Certificate{cert}}, nil
+}
+
+func (h *tlsTestHelper) getTLSFiles() (string, string, error) {
+	certFile, err := os.CreateTemp("", "fuego-test-cert-")
+	if err != nil {
+		return "", "", err
+	}
+	defer certFile.Close()
+
+	keyFile, err := os.CreateTemp("", "fuego-test-key-")
+	if err != nil {
+		return "", "", err
+	}
+	defer keyFile.Close()
+
+	if _, err := certFile.Write(h.cert); err != nil {
+		return "", "", err
+	}
+
+	if _, err := keyFile.Write(h.key); err != nil {
+		return "", "", err
+	}
+
+	return certFile.Name(), keyFile.Name(), nil
+}
+
+func newTLSTestHelper() (*tlsTestHelper, error) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"Example Org"},
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(1 * time.Minute),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		return nil, err
+	}
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+
+	privateKeyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	if err != nil {
+		return nil, err
+	}
+	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: privateKeyBytes})
+	return &tlsTestHelper{cert: certPEM, key: keyPEM}, nil
+}
