Add cert store option based on sqlite3, mysql & postgres (#173)

Deprecate **pogreb**! close #169 Reviewed-on: https://codeberg.org/Codeberg/pages-server/pulls/173
2025-04-19 11:36:57 +00:00 · 2023-02-10 03:00:14 +00:00 · 2023-02-10 03:00:14 +00:00 · 7b35a192bf
commit 7b35a192bf
parent 7fce7cf68b
22 changed files with 1000 additions and 255 deletions
--- a/server/database/interface.go
+++ b/server/database/interface.go
@ -1,8 +1,11 @@
 package database

 import (
-	"github.com/akrylysov/pogreb"
+	"fmt"
+
+	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/certificate"
+	"github.com/rs/zerolog/log"
 )

 type CertDB interface {
@ -10,6 +13,61 @@ type CertDB interface {
 	Put(name string, cert *certificate.Resource) error
 	Get(name string) (*certificate.Resource, error)
 	Delete(key string) error
+	Items(page, pageSize int) ([]*Cert, error)
+	// Compact deprecated // TODO: remove in next version
 	Compact() (string, error)
-	Items() *pogreb.ItemIterator
+}
+
+type Cert struct {
+	Domain    string `xorm:"pk      NOT NULL UNIQUE    'domain'"`
+	Created   int64  `xorm:"created NOT NULL DEFAULT 0 'created'"`
+	Updated   int64  `xorm:"updated NOT NULL DEFAULT 0 'updated'"`
+	ValidTill int64  `xorm:"        NOT NULL DEFAULT 0 'valid_till'"`
+	// certificate.Resource
+	CertURL           string `xorm:"'cert_url'"`
+	CertStableURL     string `xorm:"'cert_stable_url'"`
+	PrivateKey        []byte `xorm:"'private_key'"`
+	Certificate       []byte `xorm:"'certificate'"`
+	IssuerCertificate []byte `xorm:"'issuer_certificate'"`
+}
+
+func (c Cert) Raw() *certificate.Resource {
+	return &certificate.Resource{
+		Domain:            c.Domain,
+		CertURL:           c.CertURL,
+		CertStableURL:     c.CertStableURL,
+		PrivateKey:        c.PrivateKey,
+		Certificate:       c.Certificate,
+		IssuerCertificate: c.IssuerCertificate,
+	}
+}
+
+func toCert(name string, c *certificate.Resource) (*Cert, error) {
+	tlsCertificates, err := certcrypto.ParsePEMBundle(c.Certificate)
+	if err != nil {
+		return nil, err
+	}
+	if len(tlsCertificates) == 0 || tlsCertificates[0] == nil {
+		err := fmt.Errorf("parsed cert resource has no cert")
+		log.Error().Err(err).Str("domain", c.Domain).Msgf("cert: %v", c)
+		return nil, err
+	}
+	validTill := tlsCertificates[0].NotAfter.Unix()
+
+	// TODO: do we need this or can we just go with domain name for wildcard cert
+	// default *.mock cert is prefixed with '.'
+	if name != c.Domain && name[1:] != c.Domain && name[0] != '.' {
+		return nil, fmt.Errorf("domain key and cert domain not equal")
+	}
+
+	return &Cert{
+		Domain:    c.Domain,
+		ValidTill: validTill,
+
+		CertURL:           c.CertURL,
+		CertStableURL:     c.CertStableURL,
+		PrivateKey:        c.PrivateKey,
+		Certificate:       c.Certificate,
+		IssuerCertificate: c.IssuerCertificate,
+	}, nil
 }
--- a/server/database/mock.go
+++ b/server/database/mock.go
@ -5,7 +5,6 @@ import (
 	"time"

 	"github.com/OrlovEvgeny/go-mcache"
-	"github.com/akrylysov/pogreb"
 	"github.com/go-acme/lego/v4/certificate"
 )

@ -43,8 +42,8 @@ func (p tmpDB) Compact() (string, error) {
 	return "Truncate done", nil
 }

-func (p tmpDB) Items() *pogreb.ItemIterator {
-	panic("ItemIterator not implemented for tmpDB")
+func (p tmpDB) Items(page, pageSize int) ([]*Cert, error) {
+	return nil, fmt.Errorf("items not implemented for tmpDB")
 }

 func NewTmpDB() (CertDB, error) {
--- a/server/database/pogreb.go
+++ b/server/database/pogreb.go
@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/gob"
+	"errors"
 	"fmt"
 	"time"

@ -62,8 +63,32 @@ func (p aDB) Compact() (string, error) {
 	return fmt.Sprintf("%+v", result), nil
 }

-func (p aDB) Items() *pogreb.ItemIterator {
-	return p.intern.Items()
+func (p aDB) Items(_, _ int) ([]*Cert, error) {
+	items := make([]*Cert, 0, p.intern.Count())
+	iterator := p.intern.Items()
+	for {
+		key, resBytes, err := iterator.Next()
+		if err != nil {
+			if errors.Is(err, pogreb.ErrIterationDone) {
+				break
+			}
+			return nil, err
+		}
+
+		res := &certificate.Resource{}
+		if err := gob.NewDecoder(bytes.NewBuffer(resBytes)).Decode(res); err != nil {
+			return nil, err
+		}
+
+		cert, err := toCert(string(key), res)
+		if err != nil {
+			return nil, err
+		}
+
+		items = append(items, cert)
+	}
+
+	return items, nil
 }

 var _ CertDB = &aDB{}
@ -82,7 +107,7 @@ func (p aDB) sync() {
 	}
 }

-func New(path string) (CertDB, error) {
+func NewPogreb(path string) (CertDB, error) {
 	if path == "" {
 		return nil, fmt.Errorf("path not set")
 	}
--- a/server/database/xorm.go
+++ b/server/database/xorm.go
@ -0,0 +1,121 @@
+package database
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/rs/zerolog/log"
+
+	"github.com/go-acme/lego/v4/certificate"
+	"xorm.io/xorm"
+
+	// register sql driver
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/lib/pq"
+	_ "github.com/mattn/go-sqlite3"
+)
+
+var _ CertDB = xDB{}
+
+var ErrNotFound = errors.New("entry not found")
+
+type xDB struct {
+	engine *xorm.Engine
+}
+
+func NewXormDB(dbType, dbConn string) (CertDB, error) {
+	if !supportedDriver(dbType) {
+		return nil, fmt.Errorf("not supported db type '%s'", dbType)
+	}
+	if dbConn == "" {
+		return nil, fmt.Errorf("no db connection provided")
+	}
+
+	e, err := xorm.NewEngine(dbType, dbConn)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := e.Sync2(new(Cert)); err != nil {
+		return nil, fmt.Errorf("cound not sync db model :%w", err)
+	}
+
+	return &xDB{
+		engine: e,
+	}, nil
+}
+
+func (x xDB) Close() error {
+	return x.engine.Close()
+}
+
+func (x xDB) Put(domain string, cert *certificate.Resource) error {
+	log.Trace().Str("domain", cert.Domain).Msg("inserting cert to db")
+	c, err := toCert(domain, cert)
+	if err != nil {
+		return err
+	}
+
+	_, err = x.engine.Insert(c)
+	return err
+}
+
+func (x xDB) Get(domain string) (*certificate.Resource, error) {
+	// TODO: do we need this or can we just go with domain name for wildcard cert
+	domain = strings.TrimPrefix(domain, ".")
+
+	cert := new(Cert)
+	log.Trace().Str("domain", domain).Msg("get cert from db")
+	if found, err := x.engine.ID(domain).Get(cert); err != nil {
+		return nil, err
+	} else if !found {
+		return nil, fmt.Errorf("%w: name='%s'", ErrNotFound, domain)
+	}
+	return cert.Raw(), nil
+}
+
+func (x xDB) Delete(domain string) error {
+	log.Trace().Str("domain", domain).Msg("delete cert from db")
+	_, err := x.engine.ID(domain).Delete(new(Cert))
+	return err
+}
+
+func (x xDB) Compact() (string, error) {
+	// not needed
+	return "", nil
+}
+
+// Items return al certs from db, if pageSize is 0 it does not use limit
+func (x xDB) Items(page, pageSize int) ([]*Cert, error) {
+	// paginated return
+	if pageSize > 0 {
+		certs := make([]*Cert, 0, pageSize)
+		if page >= 0 {
+			page = 1
+		}
+		err := x.engine.Limit(pageSize, (page-1)*pageSize).Find(&certs)
+		return certs, err
+	}
+
+	// return all
+	certs := make([]*Cert, 0, 64)
+	err := x.engine.Find(&certs)
+	return certs, err
+}
+
+// Supported database drivers
+const (
+	DriverSqlite   = "sqlite3"
+	DriverMysql    = "mysql"
+	DriverPostgres = "postgres"
+)
+
+func supportedDriver(driver string) bool {
+	switch driver {
+	case DriverMysql, DriverPostgres, DriverSqlite:
+		return true
+	default:
+		return false
+	}
+}