Add cert store option based on sqlite3, mysql & postgres (#173)

Deprecate **pogreb**! close #169 Reviewed-on: https://codeberg.org/Codeberg/pages-server/pulls/173
2025-04-19 03:26:57 +00:00 · 2023-02-10 03:00:14 +00:00 · 2023-02-10 03:00:14 +00:00 · 7b35a192bf
commit 7b35a192bf
parent 7fce7cf68b
22 changed files with 1000 additions and 255 deletions
--- a/cmd/certs.go
+++ b/cmd/certs.go
@ -2,8 +2,10 @@ package cmd

 import (
 	"fmt"
+	"time"

-	"github.com/akrylysov/pogreb"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
 	"github.com/urfave/cli/v2"

 	"codeberg.org/codeberg/pages/server/database"
@ -23,25 +25,85 @@ var Certs = &cli.Command{
 			Usage:  "remove a certificate from the database",
 			Action: removeCert,
 		},
+		{
+			Name:   "migrate",
+			Usage:  "migrate from \"pogreb\" driver to dbms driver",
+			Action: migrateCerts,
+		},
 	},
+	Flags: append(CertStorageFlags, []cli.Flag{
+		&cli.BoolFlag{
+			Name:    "verbose",
+			Usage:   "print trace info",
+			EnvVars: []string{"VERBOSE"},
+			Value:   false,
+		},
+	}...),
+}
+
+func migrateCerts(ctx *cli.Context) error {
+	dbType := ctx.String("db-type")
+	if dbType == "" {
+		dbType = "sqlite3"
+	}
+	dbConn := ctx.String("db-conn")
+	dbPogrebConn := ctx.String("db-pogreb")
+	verbose := ctx.Bool("verbose")
+
+	log.Level(zerolog.InfoLevel)
+	if verbose {
+		log.Level(zerolog.TraceLevel)
+	}
+
+	xormDB, err := database.NewXormDB(dbType, dbConn)
+	if err != nil {
+		return fmt.Errorf("could not connect to database: %w", err)
+	}
+	defer xormDB.Close()
+
+	pogrebDB, err := database.NewPogreb(dbPogrebConn)
+	if err != nil {
+		return fmt.Errorf("could not open database: %w", err)
+	}
+	defer pogrebDB.Close()
+
+	fmt.Printf("Start migration from \"%s\" to \"%s:%s\" ...\n", dbPogrebConn, dbType, dbConn)
+
+	certs, err := pogrebDB.Items(0, 0)
+	if err != nil {
+		return err
+	}
+
+	for _, cert := range certs {
+		if err := xormDB.Put(cert.Domain, cert.Raw()); err != nil {
+			return err
+		}
+	}
+
+	fmt.Println("... done")
+	return nil
 }

 func listCerts(ctx *cli.Context) error {
-	// TODO: make "key-database.pogreb" set via flag
-	keyDatabase, err := database.New("key-database.pogreb")
+	certDB, closeFn, err := openCertDB(ctx)
 	if err != nil {
-		return fmt.Errorf("could not create database: %v", err)
+		return err
+	}
+	defer closeFn()
+
+	items, err := certDB.Items(0, 0)
+	if err != nil {
+		return err
 	}

-	items := keyDatabase.Items()
-	for domain, _, err := items.Next(); err != pogreb.ErrIterationDone; domain, _, err = items.Next() {
-		if err != nil {
-			return err
+	fmt.Printf("Domain\tValidTill\n\n")
+	for _, cert := range items {
+		if cert.Domain[0] == '.' {
+			cert.Domain = "*" + cert.Domain
 		}
-		if domain[0] == '.' {
-			fmt.Printf("*")
-		}
-		fmt.Printf("%s\n", domain)
+		fmt.Printf("%s\t%s\n",
+			cert.Domain,
+			time.Unix(cert.ValidTill, 0).Format(time.RFC3339))
 	}
 	return nil
 }
@ -53,20 +115,17 @@ func removeCert(ctx *cli.Context) error {

 	domains := ctx.Args().Slice()

-	// TODO: make "key-database.pogreb" set via flag
-	keyDatabase, err := database.New("key-database.pogreb")
+	certDB, closeFn, err := openCertDB(ctx)
 	if err != nil {
-		return fmt.Errorf("could not create database: %v", err)
+		return err
 	}
+	defer closeFn()

 	for _, domain := range domains {
 		fmt.Printf("Removing domain %s from the database...\n", domain)
-		if err := keyDatabase.Delete(domain); err != nil {
+		if err := certDB.Delete(domain); err != nil {
 			return err
 		}
 	}
-	if err := keyDatabase.Close(); err != nil {
-		return err
-	}
 	return nil
 }
--- a/cmd/flags.go
+++ b/cmd/flags.go
@ -4,120 +4,149 @@ import (
 	"github.com/urfave/cli/v2"
 )

-var ServeFlags = []cli.Flag{
-	// MainDomainSuffix specifies the main domain (starting with a dot) for which subdomains shall be served as static
-	// pages, or used for comparison in CNAME lookups. Static pages can be accessed through
-	// https://{owner}.{MainDomain}[/{repo}], with repo defaulting to "pages".
-	&cli.StringFlag{
-		Name:    "pages-domain",
-		Usage:   "specifies the main domain (starting with a dot) for which subdomains shall be served as static pages",
-		EnvVars: []string{"PAGES_DOMAIN"},
-		Value:   "codeberg.page",
-	},
-	// GiteaRoot specifies the root URL of the Gitea instance, without a trailing slash.
-	&cli.StringFlag{
-		Name:    "gitea-root",
-		Usage:   "specifies the root URL of the Gitea instance, without a trailing slash.",
-		EnvVars: []string{"GITEA_ROOT"},
-		Value:   "https://codeberg.org",
-	},
-	// GiteaApiToken specifies an api token for the Gitea instance
-	&cli.StringFlag{
-		Name:    "gitea-api-token",
-		Usage:   "specifies an api token for the Gitea instance",
-		EnvVars: []string{"GITEA_API_TOKEN"},
-		Value:   "",
-	},
-	// RawDomain specifies the domain from which raw repository content shall be served in the following format:
-	// https://{RawDomain}/{owner}/{repo}[/{branch|tag|commit}/{version}]/{filepath...}
-	// (set to []byte(nil) to disable raw content hosting)
-	&cli.StringFlag{
-		Name:    "raw-domain",
-		Usage:   "specifies the domain from which raw repository content shall be served, not set disable raw content hosting",
-		EnvVars: []string{"RAW_DOMAIN"},
-		Value:   "raw.codeberg.page",
-	},
-	// RawInfoPage will be shown (with a redirect) when trying to access RawDomain directly (or without owner/repo/path).
-	&cli.StringFlag{
-		Name:    "raw-info-page",
-		Usage:   "will be shown (with a redirect) when trying to access $RAW_DOMAIN directly (or without owner/repo/path)",
-		EnvVars: []string{"RAW_INFO_PAGE"},
-		Value:   "https://docs.codeberg.org/codeberg-pages/raw-content/",
-	},
+var (
+	CertStorageFlags = []cli.Flag{
+		&cli.StringFlag{
+			// TODO: remove in next version
+			// DEPRICATED
+			Name:    "db-pogreb",
+			Value:   "key-database.pogreb",
+			EnvVars: []string{"DB_POGREB"},
+		},
+		&cli.StringFlag{
+			Name:    "db-type",
+			Value:   "", // TODO: "sqlite3" in next version
+			EnvVars: []string{"DB_TYPE"},
+		},
+		&cli.StringFlag{
+			Name:    "db-conn",
+			Value:   "certs.sqlite",
+			EnvVars: []string{"DB_CONN"},
+		},
+	}

-	// Server
-	&cli.StringFlag{
-		Name:    "host",
-		Usage:   "specifies host of listening address",
-		EnvVars: []string{"HOST"},
-		Value:   "[::]",
-	},
-	&cli.StringFlag{
-		Name:    "port",
-		Usage:   "specifies port of listening address",
-		EnvVars: []string{"PORT"},
-		Value:   "443",
-	},
-	&cli.BoolFlag{
-		Name: "enable-http-server",
-		// TODO: desc
-		EnvVars: []string{"ENABLE_HTTP_SERVER"},
-	},
-	// Server Options
-	&cli.BoolFlag{
-		Name:    "enable-lfs-support",
-		Usage:   "enable lfs support, require gitea v1.17.0 as backend",
-		EnvVars: []string{"ENABLE_LFS_SUPPORT"},
-		Value:   true,
-	},
-	&cli.BoolFlag{
-		Name:    "enable-symlink-support",
-		Usage:   "follow symlinks if enabled, require gitea v1.18.0 as backend",
-		EnvVars: []string{"ENABLE_SYMLINK_SUPPORT"},
-		Value:   true,
-	},
-	&cli.StringFlag{
-		Name:    "log-level",
-		Value:   "warn",
-		Usage:   "specify at which log level should be logged. Possible options: info, warn, error, fatal",
-		EnvVars: []string{"LOG_LEVEL"},
-	},
+	ServerFlags = append(CertStorageFlags, []cli.Flag{
+		// #############
+		// ### Gitea ###
+		// #############
+		// GiteaRoot specifies the root URL of the Gitea instance, without a trailing slash.
+		&cli.StringFlag{
+			Name:    "gitea-root",
+			Usage:   "specifies the root URL of the Gitea instance, without a trailing slash.",
+			EnvVars: []string{"GITEA_ROOT"},
+			Value:   "https://codeberg.org",
+		},
+		// GiteaApiToken specifies an api token for the Gitea instance
+		&cli.StringFlag{
+			Name:    "gitea-api-token",
+			Usage:   "specifies an api token for the Gitea instance",
+			EnvVars: []string{"GITEA_API_TOKEN"},
+			Value:   "",
+		},

-	// ACME
-	&cli.StringFlag{
-		Name:    "acme-api-endpoint",
-		EnvVars: []string{"ACME_API"},
-		Value:   "https://acme-v02.api.letsencrypt.org/directory",
-	},
-	&cli.StringFlag{
-		Name:    "acme-email",
-		EnvVars: []string{"ACME_EMAIL"},
-		Value:   "noreply@example.email",
-	},
-	&cli.BoolFlag{
-		Name: "acme-use-rate-limits",
-		// TODO: Usage
-		EnvVars: []string{"ACME_USE_RATE_LIMITS"},
-		Value:   true,
-	},
-	&cli.BoolFlag{
-		Name: "acme-accept-terms",
-		// TODO: Usage
-		EnvVars: []string{"ACME_ACCEPT_TERMS"},
-	},
-	&cli.StringFlag{
-		Name: "acme-eab-kid",
-		// TODO: Usage
-		EnvVars: []string{"ACME_EAB_KID"},
-	},
-	&cli.StringFlag{
-		Name: "acme-eab-hmac",
-		// TODO: Usage
-		EnvVars: []string{"ACME_EAB_HMAC"},
-	},
-	&cli.StringFlag{
-		Name: "dns-provider",
-		// TODO: Usage
-		EnvVars: []string{"DNS_PROVIDER"},
-	},
-}
+		// ###########################
+		// ### Page Server Domains ###
+		// ###########################
+		// MainDomainSuffix specifies the main domain (starting with a dot) for which subdomains shall be served as static
+		// pages, or used for comparison in CNAME lookups. Static pages can be accessed through
+		// https://{owner}.{MainDomain}[/{repo}], with repo defaulting to "pages".
+		&cli.StringFlag{
+			Name:    "pages-domain",
+			Usage:   "specifies the main domain (starting with a dot) for which subdomains shall be served as static pages",
+			EnvVars: []string{"PAGES_DOMAIN"},
+			Value:   "codeberg.page",
+		},
+		// RawDomain specifies the domain from which raw repository content shall be served in the following format:
+		// https://{RawDomain}/{owner}/{repo}[/{branch|tag|commit}/{version}]/{filepath...}
+		// (set to []byte(nil) to disable raw content hosting)
+		&cli.StringFlag{
+			Name:    "raw-domain",
+			Usage:   "specifies the domain from which raw repository content shall be served, not set disable raw content hosting",
+			EnvVars: []string{"RAW_DOMAIN"},
+			Value:   "raw.codeberg.page",
+		},
+		// RawInfoPage will be shown (with a redirect) when trying to access RawDomain directly (or without owner/repo/path).
+		&cli.StringFlag{
+			Name:    "raw-info-page",
+			Usage:   "will be shown (with a redirect) when trying to access $RAW_DOMAIN directly (or without owner/repo/path)",
+			EnvVars: []string{"RAW_INFO_PAGE"},
+			Value:   "https://docs.codeberg.org/codeberg-pages/raw-content/",
+		},
+
+		// Server
+		&cli.StringFlag{
+			Name:    "host",
+			Usage:   "specifies host of listening address",
+			EnvVars: []string{"HOST"},
+			Value:   "[::]",
+		},
+		&cli.StringFlag{
+			Name:    "port",
+			Usage:   "specifies port of listening address",
+			EnvVars: []string{"PORT"},
+			Value:   "443",
+		},
+		&cli.BoolFlag{
+			Name: "enable-http-server",
+			// TODO: desc
+			EnvVars: []string{"ENABLE_HTTP_SERVER"},
+		},
+		// Server Options
+		&cli.BoolFlag{
+			Name:    "enable-lfs-support",
+			Usage:   "enable lfs support, require gitea v1.17.0 as backend",
+			EnvVars: []string{"ENABLE_LFS_SUPPORT"},
+			Value:   true,
+		},
+		&cli.BoolFlag{
+			Name:    "enable-symlink-support",
+			Usage:   "follow symlinks if enabled, require gitea v1.18.0 as backend",
+			EnvVars: []string{"ENABLE_SYMLINK_SUPPORT"},
+			Value:   true,
+		},
+		&cli.StringFlag{
+			Name:    "log-level",
+			Value:   "warn",
+			Usage:   "specify at which log level should be logged. Possible options: info, warn, error, fatal",
+			EnvVars: []string{"LOG_LEVEL"},
+		},
+
+		// ACME
+		&cli.StringFlag{
+			Name:    "acme-api-endpoint",
+			EnvVars: []string{"ACME_API"},
+			Value:   "https://acme-v02.api.letsencrypt.org/directory",
+		},
+		&cli.StringFlag{
+			Name:    "acme-email",
+			EnvVars: []string{"ACME_EMAIL"},
+			Value:   "noreply@example.email",
+		},
+		&cli.BoolFlag{
+			Name: "acme-use-rate-limits",
+			// TODO: Usage
+			EnvVars: []string{"ACME_USE_RATE_LIMITS"},
+			Value:   true,
+		},
+		&cli.BoolFlag{
+			Name: "acme-accept-terms",
+			// TODO: Usage
+			EnvVars: []string{"ACME_ACCEPT_TERMS"},
+		},
+		&cli.StringFlag{
+			Name: "acme-eab-kid",
+			// TODO: Usage
+			EnvVars: []string{"ACME_EAB_KID"},
+		},
+		&cli.StringFlag{
+			Name: "acme-eab-hmac",
+			// TODO: Usage
+			EnvVars: []string{"ACME_EAB_HMAC"},
+		},
+		&cli.StringFlag{
+			Name: "dns-provider",
+			// TODO: Usage
+			EnvVars: []string{"DNS_PROVIDER"},
+		},
+	}...)
+)
--- a/cmd/main.go
+++ b/cmd/main.go
@ -18,7 +18,6 @@ import (
 	"codeberg.org/codeberg/pages/server"
 	"codeberg.org/codeberg/pages/server/cache"
 	"codeberg.org/codeberg/pages/server/certificates"
-	"codeberg.org/codeberg/pages/server/database"
 	"codeberg.org/codeberg/pages/server/gitea"
 	"codeberg.org/codeberg/pages/server/handler"
 )
@ -38,7 +37,7 @@ var BlacklistedPaths = []string{

 // Serve sets up and starts the web server.
 func Serve(ctx *cli.Context) error {
-	// Initalize the logger.
+	// Initialize the logger.
 	logLevel, err := zerolog.ParseLevel(ctx.String("log-level"))
 	if err != nil {
 		return err
@ -74,6 +73,13 @@ func Serve(ctx *cli.Context) error {
 		mainDomainSuffix = "." + mainDomainSuffix
 	}

+	// Init ssl cert database
+	certDB, closeFn, err := openCertDB(ctx)
+	if err != nil {
+		return err
+	}
+	defer closeFn()
+
 	keyCache := cache.NewKeyValueCache()
 	challengeCache := cache.NewKeyValueCache()
 	// canonicalDomainCache stores canonical domains
@ -104,13 +110,6 @@ func Serve(ctx *cli.Context) error {
 		return fmt.Errorf("couldn't create listener: %v", err)
 	}

-	// TODO: make "key-database.pogreb" set via flag
-	certDB, err := database.New("key-database.pogreb")
-	if err != nil {
-		return fmt.Errorf("could not create database: %v", err)
-	}
-	defer certDB.Close() //nolint:errcheck    // database has no close ... sync behave like it
-
 	listener = tls.NewListener(listener, certificates.TLSConfig(mainDomainSuffix,
 		giteaClient,
 		dnsProvider,
--- a/cmd/setup.go
+++ b/cmd/setup.go
@ -0,0 +1,45 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/rs/zerolog/log"
+	"github.com/urfave/cli/v2"
+
+	"codeberg.org/codeberg/pages/server/database"
+)
+
+func openCertDB(ctx *cli.Context) (certDB database.CertDB, closeFn func(), err error) {
+	if ctx.String("db-type") != "" {
+		log.Trace().Msg("use xorm mode")
+		certDB, err = database.NewXormDB(ctx.String("db-type"), ctx.String("db-conn"))
+		if err != nil {
+			return nil, nil, fmt.Errorf("could not connect to database: %w", err)
+		}
+	} else {
+		// TODO: remove in next version
+		fmt.Println(`
+######################
+## W A R N I N G !!! #
+######################
+
+You use "pogreb" witch is deprecated and will be removed in the next version.
+Please switch to sqlite, mysql or postgres !!!
+
+The simplest way is, to use './pages certs migrate' and set environment var DB_TYPE to 'sqlite' on next start.`)
+		log.Error().Msg("depricated \"pogreb\" used\n")
+
+		certDB, err = database.NewPogreb(ctx.String("db-pogreb"))
+		if err != nil {
+			return nil, nil, fmt.Errorf("could not create database: %w", err)
+		}
+	}
+
+	closeFn = func() {
+		if err := certDB.Close(); err != nil {
+			log.Error().Err(err)
+		}
+	}
+
+	return certDB, closeFn, nil
+}