feat: support tls certs reload

Author: mrhaoxx

tls/certificate.go

@@ -13,19 +13,21 @@ import (
 type Cert struct {
 	*tls.Certificate
 	dnsnames utils.GroupRegexp
+
 	certfile string
+	keyfile  string
 }
 
-type tlsMgr struct {
+type TlsMgr struct {
 	certs  map[string]Cert
 	lookup *utils.BufferedLookup
 
 	muCerts sync.RWMutex
 }
 
-func NewTlsMgr() *tlsMgr {
+func NewTlsMgr() *TlsMgr {
 
-	var mgr = tlsMgr{
+	var mgr = TlsMgr{
 		certs: make(map[string]Cert),
 	}
 
@@ -44,15 +46,15 @@ func NewTlsMgr() *tlsMgr {
 	return &mgr
 }
 
-func (m *tlsMgr) getCertificate(dnsname string) *tls.Certificate {
+func (m *TlsMgr) getCertificate(dnsname string) *tls.Certificate {
 	if cert := m.lookup.Lookup(dnsname); cert != nil {
 		return cert.(*tls.Certificate)
 	} else {
 		panic(errors.New("no certificate for " + dnsname))
 	}
 }
 
-func (m *tlsMgr) LoadCertificate(certfile, keyfile string) error {
+func (m *TlsMgr) LoadCertificate(certfile, keyfile string) error {
 	c, e := tls.LoadX509KeyPair(certfile, keyfile)
 	if e != nil {
 		return e
@@ -67,21 +69,22 @@ func (m *tlsMgr) LoadCertificate(certfile, keyfile string) error {
 			Certificate: &c,
 			dnsnames:    utils.MustCompileRegexp(dns.Dnsnames2Regexps(c.Leaf.DNSNames)),
 			certfile:    certfile,
+			keyfile:     keyfile,
 		}
 		m.muCerts.Unlock()
 
 		return nil
 	}
 }
 
-func (m *tlsMgr) ResetCertificates() {
+func (m *TlsMgr) ResetCertificates() {
 	m.muCerts.Lock()
 	m.lookup.Refresh()
 	m.certs = make(map[string]Cert)
 	m.muCerts.Unlock()
 }
 
-func (mgr *tlsMgr) GetActiveCertificates() []Cert {
+func (mgr *TlsMgr) GetActiveCertificates() []Cert {
 	mgr.muCerts.RLock()
 	defer mgr.muCerts.RUnlock()
 	var certs []Cert
@@ -90,3 +93,25 @@ func (mgr *tlsMgr) GetActiveCertificates() []Cert {
 	}
 	return certs
 }
+
+func (m *TlsMgr) Reload() error {
+	m.muCerts.Lock()
+	defer m.muCerts.Unlock()
+
+	for _, v := range m.certs {
+		cert, err := tls.LoadX509KeyPair(v.certfile, v.keyfile)
+		if err != nil {
+			return err
+		}
+		cert.Leaf, _ = x509.ParseCertificate(cert.Certificate[0])
+		v.Certificate = &cert
+
+		v.dnsnames = utils.MustCompileRegexp(dns.Dnsnames2Regexps(cert.Leaf.DNSNames))
+
+		m.certs[v.certfile] = v
+
+	}
+
+	m.lookup.Refresh()
+	return nil
+}

tls/tcp.go

@@ -6,7 +6,7 @@ import (
 	tcp "github.com/mrhaoxx/OpenNG/tcp"
 )
 
-func (mgr *tlsMgr) Handle(c *tcp.Conn) tcp.SerRet {
+func (mgr *TlsMgr) Handle(c *tcp.Conn) tcp.SerRet {
 	hellov, ok := c.Load(tcp.KeyTLS)
 	hello := hellov.(*tls.ClientHelloInfo)
 

ui/builtin.go

@@ -324,7 +324,7 @@ var _builtin_refs_assertions = map[string]Assert{
 			},
 		},
 	},
-	"builtin::tls::watch": {
+	"builtin::tls::reload": {
 		Type:     "ptr",
 		Required: true,
 	},
@@ -830,6 +830,10 @@ var _builtin_refs_assertions = map[string]Assert{
 				Type:     "ptr",
 				Required: true,
 			},
+			"tls": {
+				Type:     "ptr",
+				Required: false,
+			},
 		},
 	},
 	"builtin::wireguard::server": {
@@ -1110,8 +1114,13 @@ var _builtin_refs = map[string]Inst{
 
 		return controller, nil
 	},
-	"builtin::tls::watch": func(spec *ArgNode) (any, error) {
-		panic("not implemented")
+	"builtin::tls::reload": func(spec *ArgNode) (any, error) {
+		tls, err := spec.Value.(*tls.TlsMgr)
+		if !err {
+			return nil, errors.New("ptr is not a tls.TlsMgr")
+		}
+
+		return nil, tls.Reload()
 	},
 
 	"builtin::tcp::listen": func(spec *ArgNode) (any, error) {
@@ -1337,7 +1346,19 @@ var _builtin_refs = map[string]Inst{
 			return nil, errors.New("http midware ptr is not a Reporter")
 		}
 
-		return &UI{tcpcontroller, httpmidware}, nil
+		var webui = &UI{tcpcontroller, httpmidware, nil}
+
+		tlsptr, exists := spec.Get("tls")
+
+		if exists == nil {
+			tlsmgr, ok := tlsptr.Value.(*tls.TlsMgr)
+			if !ok {
+				return nil, errors.New("tls ptr is not a tls.TlsMgr")
+			}
+			webui.TlsMgr = tlsmgr
+		}
+
+		return webui, nil
 	},
 	"builtin::ssh::midware": func(spec *ArgNode) (any, error) {
 		services := spec.MustGet("services").ToList()

ui/ui.go

@@ -16,6 +16,7 @@ import (
 	"github.com/dlclark/regexp2"
 	"github.com/mrhaoxx/OpenNG/http"
 	"github.com/mrhaoxx/OpenNG/log"
+	"github.com/mrhaoxx/OpenNG/tls"
 	utils "github.com/mrhaoxx/OpenNG/utils"
 )
 
@@ -41,6 +42,8 @@ var ReloadCount int = 0
 type UI struct {
 	TcpController Reporter
 	HttpMidware   Reporter
+
+	TlsMgr *tls.TlsMgr
 }
 
 func (*UI) Hosts() utils.GroupRegexp {
@@ -63,6 +66,21 @@ func (u *UI) HandleHTTP(ctx *http.HttpCtx) http.Ret {
 	case "/restart":
 		ctx.Resp.ErrorPage(http.StatusNotImplemented, "Not Implemented")
 
+	case "/api/v1/tls/reload":
+		ctx.Resp.Header().Set("Cache-Control", "no-cache")
+		if u.TlsMgr != nil {
+			err := u.TlsMgr.Reload()
+			if err != nil {
+				ctx.Resp.WriteHeader(http.StatusBadRequest)
+				ctx.WriteString(err.Error())
+			} else {
+				ctx.Resp.WriteHeader(http.StatusAccepted)
+			}
+		} else {
+			ctx.Resp.WriteHeader(http.StatusFailedDependency)
+			ctx.WriteString("TlsMgr not set")
+		}
+
 	case "/api/v1/cfg/reload":
 		ctx.Resp.Header().Set("Cache-Control", "no-cache")
 		err := Reload()