server: generate TLS certificates if not provided

If TLS is enabled, but not TLS key or certificate files are created, make them on the fly. If existing files exist, re-use them. Issue: #255
jasonish · Jun 23, 2023 · 855bf36 · 855bf36
1 parent 0d5306e
commit 855bf36
Show file tree

Hide file tree

Showing 6 changed files with 98 additions and 2 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -64,6 +64,8 @@ futures = "0.3.21"
 regex = "1.5.5"
 libc = { version = "0.2.140", default_features = false }
 
+rcgen = { git = "https://github.com/jasonish/rcgen", branch = "0.11.0-disable-botan" }
+
 [patch.crates-io]
 # Patch Rusqlite for now. 0.28.0 uses SQLite 3.39, but 3.40 is much
 # faster for some group by queries used by EveBox.

diff --git a/src/cert.rs b/src/cert.rs
@@ -0,0 +1,56 @@
+// SPDX-FileCopyrightText: (C) 2023 Jason Ish <jason@codemonkey.net>
+//
+// SPDX-License-Identifier: MIT
+
+use crate::prelude::*;
+use anyhow::Result;
+use rcgen::{Certificate, CertificateParams, DistinguishedName, DnType};
+use std::fs;
+use std::path::{Path, PathBuf};
+
+static ORG_NAME: &str = "EveBox Server";
+static CN_NAME: &str = "EveBox Server";
+static CERT_FILENAME: &str = "cert.pem";
+static KEY_FILENAME: &str = "key.pem";
+
+pub(crate) fn create_and_write_cert<P: AsRef<Path>>(dir: P) -> Result<(PathBuf, PathBuf)> {
+    let mut params: CertificateParams = Default::default();
+    params.not_before = rcgen::date_time_ymd(2023, 1, 1);
+    params.not_after = rcgen::date_time_ymd(3023, 1, 1);
+    params.distinguished_name = DistinguishedName::new();
+    params
+        .distinguished_name
+        .push(DnType::OrganizationName, ORG_NAME);
+    params.distinguished_name.push(DnType::CommonName, CN_NAME);
+    params.subject_alt_names = vec![rcgen::SanType::DnsName("localhost".to_string())];
+    let cert = Certificate::from_params(params)?;
+    let dir = dir.as_ref();
+    let cert_path = dir.join(CERT_FILENAME);
+    let key_path = dir.join(KEY_FILENAME);
+    fs::write(&cert_path, cert.serialize_pem()?.as_bytes())?;
+    fs::write(&key_path, cert.serialize_private_key_pem().as_bytes())?;
+    Ok((cert_path, key_path))
+}
+
+pub(crate) fn get_or_create_cert<P: AsRef<Path>>(dir: P) -> Result<(PathBuf, PathBuf)> {
+    let dir = dir.as_ref();
+    let cert_path = dir.join(CERT_FILENAME);
+    let key_path = dir.join(KEY_FILENAME);
+
+    if cert_path.exists() && key_path.exists() {
+        info!(
+            "Found existing TLS certificate and key: {}, {}",
+            cert_path.display(),
+            key_path.display()
+        );
+        Ok((cert_path, key_path))
+    } else {
+        let (cert_path, key_path) = create_and_write_cert(dir)?;
+        info!(
+            "Created new TLS certificate and key: {}, {}",
+            cert_path.display(),
+            key_path.display()
+        );
+        Ok((cert_path, key_path))
+    }
+}
diff --git a/src/lib.rs b/src/lib.rs
@@ -7,6 +7,7 @@ pub mod logger;
 
 pub mod agent;
 pub mod bookmark;
+pub(crate) mod cert;
 pub mod commands;
 pub mod config;
 mod elastic;

diff --git a/src/server/main.rs b/src/server/main.rs
@@ -224,6 +224,11 @@ pub async fn main(args: &clap::ArgMatches) -> Result<()> {
         server_config.host, server_config.port, server_config.tls_enabled
     );
     if server_config.tls_enabled {
+        if server_config.tls_key_filename.is_none() && server_config.tls_cert_filename.is_none() {
+            let (cert_path, key_path) = crate::cert::get_or_create_cert("./certs")?;
+            server_config.tls_cert_filename = Some(cert_path);
+            server_config.tls_key_filename = Some(key_path);
+        }
         debug!("TLS key filename: {:?}", server_config.tls_key_filename);
         debug!("TLS cert filename: {:?}", server_config.tls_cert_filename);
         if let Err(err) = run_axum_server_with_tls(&server_config, context).await {

diff --git a/src/server/mod.rs b/src/server/mod.rs
@@ -9,6 +9,7 @@ pub use main::build_context;
 pub use main::main;
 use serde::Serialize;
 use session::SessionStore;
+use std::path::PathBuf;
 use std::sync::Arc;
 
 pub mod api;
@@ -85,8 +86,8 @@ pub struct ServerConfig {
     pub datastore: String,
     pub sqlite_filename: Option<String>,
     pub tls_enabled: bool,
-    pub tls_cert_filename: Option<String>,
-    pub tls_key_filename: Option<String>,
+    pub tls_cert_filename: Option<PathBuf>,
+    pub tls_key_filename: Option<PathBuf>,
     pub elastic_url: String,
     pub elastic_index: String,
     pub elastic_no_index_suffix: bool,