forked from cloudflare/certinel
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcertinel.go
107 lines (94 loc) · 2.68 KB
/
certinel.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
package certinel
import (
"crypto/tls"
"sync"
"sync/atomic"
)
// Certinel is a container for zero-hit tls.Certificate changes, by
// receiving new certificates from sentries and presenting the functions
// expected by Go's tls.Config{}.
// Reading certificates from a Certinel instance is safe across multiple
// goroutines.
type Certinel struct {
certificate atomic.Value // *tls.Certificate
watcher Watcher
errBack func(error)
watchOnce sync.Once
closeOnce sync.Once
done chan struct{}
}
// Watchers provide a way to construct (and close!) channels that
// bind a Certinel to a changing certificate.
type Watcher interface {
Watch() (<-chan tls.Certificate, <-chan error)
Close() error
}
// New creates a Certinel that watches for changes with the provided
// Watcher.
func New(w Watcher, errBack func(error)) *Certinel {
if errBack == nil {
errBack = func(error) {}
}
return &Certinel{
watcher: w,
errBack: errBack,
}
}
// Watch setups the Certinel's channel handles and calls Watch on the
// held Watcher instance.
func (c *Certinel) Watch() {
c.watchOnce.Do(func() {
c.done = make(chan struct{})
go func() {
defer close(c.done)
tlsChan, errChan := c.watcher.Watch()
for tlsChan != nil && errChan != nil {
select {
case certificate, ok := <-tlsChan:
if ok {
c.certificate.Store(&certificate)
} else {
tlsChan = nil
}
case err, ok := <-errChan:
if ok {
c.errBack(err)
} else {
errChan = nil
}
}
}
}()
})
}
// Close calls Close on the held Watcher instance. After closing it
// is no longer safe to use this Certinel instance.
func (c *Certinel) Close() (err error) {
// Prevent Watch after Close, since it launches the watcher routine.
c.watchOnce.Do(func() {})
c.closeOnce.Do(func() {
err = c.watcher.Close()
})
if c.done != nil {
<-c.done
}
return err
}
// GetCertificate returns the current tls.Certificate instance. The function
// can be passed as the GetCertificate member in a tls.Config object. It is
// safe to call across multiple goroutines.
func (c *Certinel) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
cert, _ := c.certificate.Load().(*tls.Certificate)
return cert, nil
}
// GetClientCertificate returns the current tls.Certificate instance. The function
// can be passed as the GetClientCertificate member in a tls.Config object. It is
// safe to call across multiple goroutines.
func (c *Certinel) GetClientCertificate(certificateRequest *tls.CertificateRequestInfo) (*tls.Certificate, error) {
cert, _ := c.certificate.Load().(*tls.Certificate)
if cert == nil {
return &tls.Certificate{}, nil
} else {
return cert, nil
}
}