feat: support grpc sds server

Author: LDLDL

.gitignore

@@ -34,4 +34,5 @@ release/certdx_*
 *.service.toml
 *_config.service.toml
 /private
-/cert
+/sds
+cache.json

.vscode/launch.json

@@ -0,0 +1,17 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "server debug",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/exec/server/main.go",
+            "args": ["-c", "${workspaceFolder}/server-test.toml"],
+            "cwd": "${workspaceFolder}"
+        }
+    ]
+}

exec/server/main.go

@@ -5,6 +5,8 @@ import (
 	"io"
 	"log"
 	"os"
+	"os/signal"
+	"syscall"
 	"time"
 
 	"github.com/BurntSushi/toml"
@@ -96,6 +98,25 @@ func init() {
 
 func main() {
 	if config.HttpServer.Enabled {
-		server.HttpSrv()
+		go server.HttpSrv()
+	}
+
+	stopSDS := make(chan struct{}, 1)
+	if config.GRPCSDSServer.Enabled {
+		go server.SDSSrv(stopSDS)
+	}
+
+	stop := make(chan os.Signal, 1)
+	signal.Notify(stop, syscall.SIGINT, syscall.SIGTERM)
+
+	<-stop
+
+	go func() {
+		<-stop
+		log.Fatalln("[ERR] Fast dying...")
+	}()
+
+	if config.GRPCSDSServer.Enabled {
+		stopSDS <- struct{}{}
 	}
 }

exec/tools/make-server.go

@@ -14,7 +14,7 @@ func makeServer() {
 
 		srvDomains      = srvCMD.StringSliceP("dns-names", "d", []string{}, "CertDX grpc server certificate dns names, combine multiple names with \",\"")
 		srvOrganization = srvCMD.StringP("organization", "o", "CertDX Private", "Subject Organization")
-		srvCommonName   = srvCMD.StringP("common-name", "c", "CertDX Service", "Subject Common Name")
+		srvCommonName   = srvCMD.StringP("common-name", "c", "CertDX Secret Discovery Service", "Subject Common Name")
 		srvHelp         = srvCMD.BoolP("help", "h", false, "Print help")
 	)
 	srvCMD.Parse(os.Args[2:])

go.mod

@@ -7,19 +7,16 @@ require (
 	github.com/go-acme/lego/v4 v4.16.1
 	github.com/spf13/pflag v1.0.5
 	google.golang.org/appengine v1.6.8
-)
-
-require (
-	github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
+	google.golang.org/grpc v1.64.0
+	google.golang.org/protobuf v1.34.1
 )
 
 require (
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cloudflare/cloudflare-go v0.96.0 // indirect
+	github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50 // indirect
 	github.com/envoyproxy/go-control-plane v0.12.0
+	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
@@ -37,6 +34,6 @@ require (
 	golang.org/x/text v0.15.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.21.0 // indirect
-	google.golang.org/grpc v1.64.0
-	google.golang.org/protobuf v1.34.1 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
 )

pkg/client/client.go

@@ -5,8 +5,10 @@ import (
 	"log"
 	"os"
 	"os/exec"
+	"os/signal"
 	"path/filepath"
 	"strings"
+	"syscall"
 	"time"
 
 	"pkg.para.party/certdx/pkg/config"
@@ -150,6 +152,9 @@ func (r *CertDXClientDaemon) HttpMain() {
 			<-t
 		}
 	}
-	blockingChan := make(chan struct{})
+	blockingChan := make(chan os.Signal, 1)
+	signal.Notify(blockingChan, syscall.SIGINT, syscall.SIGTERM)
+
 	<-blockingChan
+	log.Println("[INF] Stopping client")
 }

pkg/config/config.go

@@ -2,9 +2,10 @@ package config
 
 import (
 	"fmt"
-	"google.golang.org/appengine"
 	"path"
 	"time"
+
+	"google.golang.org/appengine"
 )
 
 const (
@@ -25,15 +26,15 @@ type DnsProvider struct {
 	SecretKey string `toml:"secretKey" json:"secret_key,omitempty"`
 }
 
-func (p DnsProvider) Validate() error {
+func (p *DnsProvider) Validate() error {
 	switch p.Type {
 	case DnsProviderTypeCloudflare:
 		if p.Email == "" || p.APIKey == "" {
-			return fmt.Errorf("DnsProvider Cloudflare: empty email or key")
+			return fmt.Errorf("DnsProvider Cloudflare: empty Email or APIKey")
 		}
 	case DnsProviderTypeTencentCloud:
 		if p.SecretID == "" || p.SecretKey == "" {
-			return fmt.Errorf("DnsProvider TencentCloud: empty email or key")
+			return fmt.Errorf("DnsProvider TencentCloud: empty SecretID or SecretKey")
 		}
 	}
 	return nil
@@ -44,7 +45,8 @@ type ServerConfigT struct {
 
 	DnsProvider DnsProvider `toml:"DnsProvider" json:"dns_provider,omitempty"`
 
-	HttpServer HttpServerConfig `toml:"HttpServer" json:"http_server,omitempty"`
+	HttpServer    HttpServerConfig `toml:"HttpServer" json:"http_server,omitempty"`
+	GRPCSDSServer GRPCServerConfig `toml:"gRPCSDSServer" json:"grpc_sds_server,omitempty"`
 }
 
 type ACMEConfig struct {
@@ -59,7 +61,7 @@ type ACMEConfig struct {
 	RenewTimeLeftDuration time.Duration `toml:"-" json:"-"`
 }
 
-func (c ACMEConfig) Validate() error {
+func (c *ACMEConfig) Validate() error {
 	if len(c.AllowedDomains) == 0 {
 		return fmt.Errorf("AllowedDomains is empty")
 	}
@@ -75,19 +77,33 @@ type HttpServerConfig struct {
 	Token   string   `toml:"token" json:"token,omitempty"`
 }
 
-func (c HttpServerConfig) Validate() error {
+func (c *HttpServerConfig) Validate() error {
+	if !c.Enabled {
+		return nil
+	}
+
 	if c.Secure && len(c.Names) == 0 {
 		return fmt.Errorf("secure http server with no name")
 	}
 	return nil
 }
 
-// type GRPCServerConfig struct {
-// 	Listen string `toml:"listen"`
-// 	Secure bool   `toml:"secure"`
-// 	Name   string `toml:"name"`
-// 	Token  string `toml:"token"`
-// }
+type GRPCServerConfig struct {
+	Enabled bool     `toml:"enabled" json:"enabled,omitempty"`
+	Listen  string   `toml:"listen" json:"listen,omitempty"`
+	Names   []string `toml:"names" json:"names,omitempty"`
+}
+
+func (c *GRPCServerConfig) Validate() error {
+	if !c.Enabled {
+		return nil
+	}
+
+	if len(c.Names) == 0 {
+		return fmt.Errorf("no grpc server name")
+	}
+	return nil
+}
 
 func (c *ServerConfigT) SetDefault() {
 	c.ACME = ACMEConfig{
@@ -101,6 +117,10 @@ func (c *ServerConfigT) SetDefault() {
 		APIPath: "/",
 		Secure:  false,
 	}
+
+	c.GRPCSDSServer = GRPCServerConfig{
+		Listen: ":10002",
+	}
 }
 
 func (c *ServerConfigT) Validate() error {
@@ -118,6 +138,10 @@ func (c *ServerConfigT) Validate() error {
 		ret = append(ret, err)
 	}
 
+	if err := c.GRPCSDSServer.Validate(); err != nil {
+		ret = append(ret, err)
+	}
+
 	if len(ret) > 0 {
 		return ret
 	}
@@ -132,11 +156,6 @@ type ClientConfigT struct {
 		StandbyServer ClientHttpServer `toml:"StandbyServer" json:"standby_server,omitempty"`
 	} `toml:"Http" json:"http,omitempty"`
 
-	// GRPC struct {
-	// 	MainServer    ClientGRPCServer `toml:"MainServer"`
-	// 	StandbyServer ClientGRPCServer `toml:"StandbyServer"`
-	// } `toml:"GRPC"`
-
 	Certifications []ClientCertification `toml:"Certifications" json:"certifications,omitempty"`
 }
 
@@ -151,12 +170,6 @@ type ClientHttpServer struct {
 	Token string `toml:"token" json:"token,omitempty"`
 }
 
-// type ClientGRPCServer struct {
-// 	Secure bool   `toml:"secure"`
-// 	Server string `toml:"server"`
-// 	Token  string `toml:"token"`
-// }
-
 type ClientCertification struct {
 	Name          string   `toml:"name" json:"name,omitempty"`
 	SavePath      string   `toml:"savePath" json:"save_path,omitempty"`

pkg/server/acme.go

@@ -124,15 +124,26 @@ func RegisterAccount(ACMEProvider, Email, Kid, Hmac string) error {
 		return fmt.Errorf("failed constructing acme client: %w", err)
 	}
 
-	var eabOptions = registration.RegisterEABOptions{
-		TermsOfServiceAgreed: true,
-		Kid:                  Kid,
-		HmacEncoded:          Hmac,
-	}
-	myUser.Registration, err = client.Registration.RegisterWithExternalAccountBinding(eabOptions)
-	if err != nil {
-		os.Remove(keyPath)
-		return fmt.Errorf("failed register: %s", err)
+	if Hmac != "" && Kid != "" {
+		var eabOptions = registration.RegisterEABOptions{
+			TermsOfServiceAgreed: true,
+			Kid:                  Kid,
+			HmacEncoded:          Hmac,
+		}
+		myUser.Registration, err = client.Registration.RegisterWithExternalAccountBinding(eabOptions)
+		if err != nil {
+			os.Remove(keyPath)
+			return fmt.Errorf("failed register: %s", err)
+		}
+	} else {
+		var regOptions = registration.RegisterOptions{
+			TermsOfServiceAgreed: true,
+		}
+		myUser.Registration, err = client.Registration.Register(regOptions)
+		if err != nil {
+			os.Remove(keyPath)
+			return fmt.Errorf("failed register: %s", err)
+		}
 	}
 
 	reg, err := json.Marshal(myUser.Registration)

pkg/server/http.go

@@ -1,10 +1,10 @@
 package server
 
 import (
-	"fmt"
-	"io"
 	"crypto/tls"
 	"encoding/json"
+	"fmt"
+	"io"
 	"log"
 	"net/http"
 	"strings"
@@ -66,7 +66,7 @@ func handleCertReq(w *http.ResponseWriter, r *http.Request) {
 	}
 
 	cachedCert = ServerCertCache.GetEntry(req.Domains)
-	if !cachedCert.Listening.Load() {
+	if !cachedCert.IsSubcribing() {
 		_, err = cachedCert.Renew(false)
 		if err != nil {
 			goto ERR
@@ -98,8 +98,7 @@ func serveHttps() {
 	cert_ := entry.Cert()
 	certValid := cert_.IsValid()
 
-	// when starting up, no cert is listening, just start a watch dog anyway
-	go entry.CertWatchDog()
+	entry.Subscrib()
 
 	if !certValid {
 		<-*entry.Updated.Load()
@@ -136,7 +135,8 @@ func HttpSrv() {
 
 	if !Config.HttpServer.Secure {
 		log.Printf("[INF] Http server started")
-		http.ListenAndServe(Config.HttpServer.Listen, nil)
+		err := http.ListenAndServe(Config.HttpServer.Listen, nil)
+		log.Printf("[INF] Http server stopped: %s", err)
 	} else {
 		serveHttps()
 	}

pkg/server/path.go

@@ -15,7 +15,7 @@ func getPrivateKeySavePath(email string, ACMEProvider string) (string, error) {
 	keyName := fmt.Sprintf("%s_%s.key", email, ACMEProvider)
 
 	if _, err := os.Stat(saveDir); os.IsNotExist(err) {
-		err := os.Mkdir(saveDir, 0o600)
+		err := os.Mkdir(saveDir, 0o755)
 		if err != nil {
 			return "", fmt.Errorf("cannot create path: %s to save account key: %w", saveDir, err)
 		}