🍹 api, tlscerts: support reloading TLS certificates via API

Author: database64128

api/api.go

@@ -12,6 +12,7 @@ import (
 	"strings"
 
 	"github.com/database64128/shadowsocks-go"
+	"github.com/database64128/shadowsocks-go/api/certmgr"
 	"github.com/database64128/shadowsocks-go/api/internal/restapi"
 	"github.com/database64128/shadowsocks-go/api/ssm"
 	"github.com/database64128/shadowsocks-go/conn"
@@ -189,12 +190,11 @@ func (c *Config) NewServer(
 			var tlsConfig tls.Config
 
 			if lnc.CertList != "" {
-				certs, getCert, ok := tlsCertStore.GetCertList(lnc.CertList)
+				certList, ok := tlsCertStore.GetCertList(lnc.CertList)
 				if !ok {
 					return nil, fmt.Errorf("certificate list %q not found", lnc.CertList)
 				}
-				tlsConfig.Certificates = certs
-				tlsConfig.GetCertificate = getCert
+				tlsConfig.Certificates, tlsConfig.GetCertificate = certList.GetCertificateFunc()
 			}
 
 			if lnc.ClientCAs != "" {
@@ -259,6 +259,14 @@ func (c *Config) NewServer(
 		mux.Handle(pattern, realIP(logAPIRequests(logger, handler)))
 	})
 
+	// /api/tlscerts/v1
+	apiTLSCertsV1Path := joinPatternPath(basePath, "/api/tlscerts/v1")
+	cm := certmgr.NewCertificateManager(tlsCertStore)
+	cm.RegisterHandlers(func(method, path string, handler restapi.HandlerFunc) {
+		pattern := method + " " + joinPatternPath(apiTLSCertsV1Path, path)
+		mux.Handle(pattern, realIP(logAPIRequests(logger, handler)))
+	})
+
 	if c.StaticPath != "" {
 		mux.Handle("GET /", realIP(logFileServerRequests(logger, http.FileServer(http.Dir(c.StaticPath)))))
 	}

api/certmgr/certmgr.go

@@ -0,0 +1,82 @@
+// Package certmgr provides a REST API for managing TLS certificates.
+package certmgr
+
+import (
+	"net/http"
+
+	"github.com/database64128/shadowsocks-go/api/internal/restapi"
+	"github.com/database64128/shadowsocks-go/tlscerts"
+)
+
+// StandardError is the standard error response.
+type StandardError struct {
+	Message string `json:"error"`
+}
+
+// CertificateManager handles TLS certificate management API requests.
+type CertificateManager struct {
+	store *tlscerts.Store
+}
+
+// NewCertificateManager returns a new certificate manager.
+func NewCertificateManager(store *tlscerts.Store) *CertificateManager {
+	return &CertificateManager{
+		store: store,
+	}
+}
+
+// RegisterHandlers sets up handlers for the /certlists and /x509certpools endpoints.
+func (cm *CertificateManager) RegisterHandlers(register func(method string, path string, handler restapi.HandlerFunc)) {
+	register(http.MethodGet, "/certlists", cm.newListCertListsHandler())
+	register(http.MethodGet, "/certlists/{name}", newGetCertListHandler(cm.store))
+	register(http.MethodPost, "/certlists/{name}/reload", newReloadCertListHandler(cm.store))
+
+	register(http.MethodGet, "/x509certpools", cm.newListX509CertPoolsHandler())
+}
+
+func (cm *CertificateManager) newListCertListsHandler() restapi.HandlerFunc {
+	certLists := &cm.store.Config().CertLists
+	return func(w http.ResponseWriter, _ *http.Request) (int, error) {
+		return restapi.EncodeResponse(w, http.StatusOK, certLists)
+	}
+}
+
+func (cm *CertificateManager) newListX509CertPoolsHandler() restapi.HandlerFunc {
+	certPools := &cm.store.Config().X509CertPools
+	return func(w http.ResponseWriter, _ *http.Request) (int, error) {
+		return restapi.EncodeResponse(w, http.StatusOK, certPools)
+	}
+}
+
+var (
+	certListNotFoundJSON      = []byte(`{"error":"certificate list not found"}`)
+	certListNotReloadableJSON = []byte(`{"error":"certificate list is not reloadable"}`)
+)
+
+func newGetCertListHandler(store *tlscerts.Store) restapi.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) (int, error) {
+		name := r.PathValue("name")
+		certList, ok := store.GetCertList(name)
+		if !ok {
+			return restapi.EncodeResponse(w, http.StatusNotFound, &certListNotFoundJSON)
+		}
+		return restapi.EncodeResponse(w, http.StatusOK, certList.Config())
+	}
+}
+
+func newReloadCertListHandler(store *tlscerts.Store) restapi.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) (int, error) {
+		name := r.PathValue("name")
+		certList, ok := store.GetCertList(name)
+		if !ok {
+			return restapi.EncodeResponse(w, http.StatusNotFound, &certListNotFoundJSON)
+		}
+		if err := certList.Reload(); err != nil {
+			if err == (tlscerts.ReloadDisabledError{}) {
+				return restapi.EncodeResponse(w, http.StatusNotFound, &certListNotReloadableJSON)
+			}
+			return restapi.EncodeResponse(w, http.StatusInternalServerError, StandardError{Message: err.Error()})
+		}
+		return restapi.EncodeResponse(w, http.StatusNoContent, nil)
+	}
+}

docs/config.json

@@ -726,7 +726,8 @@
                         "certPath": "/etc/letsencrypt/live/example.com/fullchain.pem",
                         "keyPath": "/etc/letsencrypt/live/example.com/privkey.pem"
                     }
-                ]
+                ],
+                "reloadable": true
             },
             {
                 "name": "my-client-cert",

service/client.go

@@ -295,12 +295,11 @@ func (cc *ClientConfig) TCPClient() (netio.StreamClient, error) {
 		}
 
 		if cc.HTTP.CertList != "" {
-			certs, getClientCert, ok := cc.tlsCertStore.GetClientCertList(cc.HTTP.CertList)
+			certList, ok := cc.tlsCertStore.GetCertList(cc.HTTP.CertList)
 			if !ok {
 				return nil, fmt.Errorf("certificate list not found: %q", cc.HTTP.CertList)
 			}
-			hpcc.Certificates = certs
-			hpcc.GetClientCertificate = getClientCert
+			hpcc.Certificates, hpcc.GetClientCertificate = certList.GetClientCertificateFunc()
 		}
 
 		if cc.HTTP.RootCAs != "" {

service/server.go

@@ -449,12 +449,11 @@ func (sc *ServerConfig) TCPRelay() (*TCPRelay, error) {
 		}
 
 		if sc.HTTP.CertList != "" {
-			certs, getCert, ok := sc.tlsCertStore.GetCertList(sc.HTTP.CertList)
+			certList, ok := sc.tlsCertStore.GetCertList(sc.HTTP.CertList)
 			if !ok {
 				return nil, fmt.Errorf("certificate list %q not found", sc.HTTP.CertList)
 			}
-			hpsc.Certificates = certs
-			hpsc.GetCertificate = getCert
+			hpsc.Certificates, hpsc.GetCertificate = certList.GetCertificateFunc()
 		}
 
 		if sc.HTTP.ClientCAs != "" {