-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enhance: add functions for daemon servers for mTLS #87
Merged
Merged
Changes from all commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,102 @@ | ||
| package daemon | ||
|
|
||
| import ( | ||
| "crypto/tls" | ||
| "crypto/x509" | ||
| "encoding/base64" | ||
| "errors" | ||
| "fmt" | ||
| "net/http" | ||
| "os" | ||
| ) | ||
|
|
||
| type Server struct { | ||
| mux *http.ServeMux | ||
| tlsConfig *tls.Config | ||
| } | ||
|
|
||
| // CreateServer creates a new HTTP server with TLS configured for GPTScript. | ||
| // This function should be used when creating a new server for a daemon tool. | ||
| // The server should then be started with the StartServer function. | ||
| func CreateServer() (*Server, error) { | ||
| return CreateServerWithMux(http.DefaultServeMux) | ||
| } | ||
|
|
||
| // CreateServerWithMux creates a new HTTP server with TLS configured for GPTScript. | ||
| // This function should be used when creating a new server for a daemon tool with a custom ServeMux. | ||
| // The server should then be started with the StartServer function. | ||
| func CreateServerWithMux(mux *http.ServeMux) (*Server, error) { | ||
| tlsConfig, err := getTLSConfig() | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to get TLS config: %v", err) | ||
| } | ||
|
|
||
| return &Server{ | ||
| mux: mux, | ||
| tlsConfig: tlsConfig, | ||
| }, nil | ||
| } | ||
|
|
||
| // Start starts an HTTP server created by the CreateServer function. | ||
| // This is for use with daemon tools. | ||
| func (s *Server) Start() error { | ||
| server := &http.Server{ | ||
| Addr: fmt.Sprintf("127.0.0.1:%s", os.Getenv("PORT")), | ||
| TLSConfig: s.tlsConfig, | ||
| Handler: s.mux, | ||
| } | ||
|
|
||
| if err := server.ListenAndServeTLS("", ""); err != nil && !errors.Is(err, http.ErrServerClosed) { | ||
| return fmt.Errorf("stopped serving: %v", err) | ||
| } | ||
| return nil | ||
| } | ||
|
|
||
| func (s *Server) HandleFunc(pattern string, handler http.HandlerFunc) { | ||
| s.mux.HandleFunc(pattern, handler) | ||
| } | ||
|
|
||
| func getTLSConfig() (*tls.Config, error) { | ||
| certB64 := os.Getenv("CERT") | ||
| privateKeyB64 := os.Getenv("PRIVATE_KEY") | ||
| gptscriptCertB64 := os.Getenv("GPTSCRIPT_CERT") | ||
|
|
||
| if certB64 == "" { | ||
| return nil, fmt.Errorf("CERT not set") | ||
| } else if privateKeyB64 == "" { | ||
| return nil, fmt.Errorf("PRIVATE_KEY not set") | ||
| } else if gptscriptCertB64 == "" { | ||
| return nil, fmt.Errorf("GPTSCRIPT_CERT not set") | ||
| } | ||
|
|
||
| certBytes, err := base64.StdEncoding.DecodeString(certB64) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to decode cert base64: %v", err) | ||
| } | ||
|
|
||
| privateKeyBytes, err := base64.StdEncoding.DecodeString(privateKeyB64) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to decode private key base64: %v", err) | ||
| } | ||
|
|
||
| gptscriptCertBytes, err := base64.StdEncoding.DecodeString(gptscriptCertB64) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to decode gptscript cert base64: %v", err) | ||
| } | ||
|
|
||
| cert, err := tls.X509KeyPair(certBytes, privateKeyBytes) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to create X509 key pair: %v", err) | ||
| } | ||
|
|
||
| pool := x509.NewCertPool() | ||
| if !pool.AppendCertsFromPEM(gptscriptCertBytes) { | ||
| return nil, fmt.Errorf("failed to append gptscript cert to pool") | ||
| } | ||
|
|
||
| return &tls.Config{ | ||
| Certificates: []tls.Certificate{cert}, | ||
| ClientCAs: pool, | ||
| ClientAuth: tls.RequireAndVerifyClientCert, | ||
| }, nil | ||
| } | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We probably want to make the
porta parameter. Otherwise, you could only ever run one daemon at a time.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But we do only want to run one daemon at a time, at least one per process, and it is required to use the port that GPTScript chose for it. So I don't think there is a point in making this a parameter. This is just a library function to be called in each daemon tool, not something that will get used anywhere else.