fix: pass certificate as env variable (#10)

breez · Dec 19, 2024 · 73fea1f · 73fea1f
1 parent 420a90b
commit 73fea1f
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 21 deletions.
diff --git a/config/config.go b/config/config.go
@@ -4,26 +4,16 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"log"
-	"os"
 
 	"github.com/Netflix/go-env"
 )
 
-type Config struct {
-	GrpcListenAddress string  `env:"GRPC_LISTEN_ADDRESS,default=0.0.0.0:8080"`
-	SQLiteDirPath     string  `env:"SQLITE_DIR_PATH,default=db"`
-	PgDatabaseUrl     string  `env:"DATABASE_URL"`
-	CACertPath        *string `env:"CA_CERT_PATH"`
-	CACert            *x509.Certificate
+type Certificate struct {
+	Raw *x509.Certificate
 }
 
-func initializeCACert(certPath string) *x509.Certificate {
-	certData, err := os.ReadFile(certPath)
-	if err != nil {
-		log.Fatal("CA certificate not found")
-	}
-
-	CACertBlock, _ := pem.Decode(certData)
+func (c *Certificate) UnmarshalEnvironmentValue(data string) error {
+	CACertBlock, _ := pem.Decode([]byte(data))
 	if CACertBlock == nil {
 		log.Fatal("CA certificate is invalid")
 	}
@@ -33,17 +23,23 @@ func initializeCACert(certPath string) *x509.Certificate {
 		log.Fatal("Could not parse CA cert:", err)
 	}
 
-	return CACert
+	c.Raw = CACert
+
+	return nil
+}
+
+type Config struct {
+	GrpcListenAddress string       `env:"GRPC_LISTEN_ADDRESS,default=0.0.0.0:8080"`
+	SQLiteDirPath     string       `env:"SQLITE_DIR_PATH,default=db"`
+	PgDatabaseUrl     string       `env:"DATABASE_URL"`
+	CACert            *Certificate `env:"CA_CERT"`
 }
 
 func NewConfig() (*Config, error) {
 	var config Config
 	if _, err := env.UnmarshalFromEnviron(&config); err != nil {
 		return nil, err
 	}
-	if config.CACertPath != nil {
-		config.CACert = initializeCACert(*config.CACertPath)
-	}
 
 	return &config, nil
 }
diff --git a/middleware/auth.go b/middleware/auth.go
@@ -27,7 +27,7 @@ var ErrInvalidSignature = fmt.Errorf("invalid signature")
 var SignedMsgPrefix = []byte("realtimesync:")
 
 func checkApiKey(config *config.Config, ctx context.Context, req interface{}) error {
-	if config.CACert == nil {
+	if config.CACert.Raw == nil {
 		return nil
 	}
 
@@ -53,15 +53,15 @@ func checkApiKey(config *config.Config, ctx context.Context, req interface{}) er
 	}
 
 	rootPool := x509.NewCertPool()
-	rootPool.AddCert(config.CACert)
+	rootPool.AddCert(config.CACert.Raw)
 
 	chains, err := cert.Verify(x509.VerifyOptions{
 		Roots: rootPool,
 	})
 	if err != nil {
 		return fmt.Errorf("Certificate verification error: %v", err)
 	}
-	if len(chains) != 1 || len(chains[0]) != 2 || !chains[0][0].Equal(cert) || !chains[0][1].Equal(config.CACert) {
+	if len(chains) != 1 || len(chains[0]) != 2 || !chains[0][0].Equal(cert) || !chains[0][1].Equal(config.CACert.Raw) {
 		return fmt.Errorf("Certificate verification error: invalid chain of trust")
 	}