chore: upgrade goVirtualHost to support multi certificates

Author: marjune163

src/goVirtualHost/helper.go

@@ -1,11 +1,69 @@
 package goVirtualHost
 
-import "crypto/tls"
+import (
+	"crypto/tls"
+	"errors"
+)
 
-func LoadCertificate(certFile, keyFile string) (*tls.Certificate, error) {
-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		return nil, err
+var MissingCertFileAndKeyFile = errors.New("missing certificate file and key file")
+var MissingCertFile = errors.New("missing certificate file")
+var MissingKeyFile = errors.New("missing key file")
+var CertKeyFileCountNotMatch = errors.New("certificate file count and key file count not match")
+
+func LoadCertificate(certFile, keyFile string) (cert tls.Certificate, err error) {
+	if len(certFile) == 0 && len(keyFile) == 0 {
+		err = MissingCertFileAndKeyFile
+		return
+	} else if len(certFile) == 0 {
+		err = MissingCertFile
+		return
+	} else if len(keyFile) == 0 {
+		err = MissingKeyFile
+		return
+	}
+
+	cert, err = tls.LoadX509KeyPair(certFile, keyFile)
+	return
+}
+
+func LoadCertificates(certFiles, keyFiles []string) (certs []tls.Certificate, errs []error) {
+	certLen := len(certFiles)
+	if certLen != len(keyFiles) {
+		errs = append(errs, CertKeyFileCountNotMatch)
+		return
+	}
+
+	if certLen == 0 {
+		return
+	}
+
+	certs = make([]tls.Certificate, 0, certLen)
+	for i := 0; i < certLen; i++ {
+		cert, err := LoadCertificate(certFiles[i], keyFiles[i])
+		if err != nil {
+			errs = append(errs, err)
+		} else {
+			certs = append(certs, cert)
+		}
+	}
+
+	return
+}
+
+func LoadCertificatesFromEntries(certKeyFileEntries [][2]string) (certs []tls.Certificate, errs []error) {
+	certLen := len(certKeyFileEntries)
+	if certLen == 0 {
+		return
+	}
+
+	certs = make([]tls.Certificate, 0, certLen)
+	for i := 0; i < certLen; i++ {
+		cert, err := LoadCertificate(certKeyFileEntries[i][0], certKeyFileEntries[i][1])
+		if err != nil {
+			errs = append(errs, err)
+		} else {
+			certs = append(certs, cert)
+		}
 	}
-	return &cert, nil
+	return
 }

src/goVirtualHost/hostInfo.go

@@ -4,27 +4,28 @@ import "crypto/tls"
 
 func (info *HostInfo) toParam(listen string, useTLS bool) *param {
 	proto, ip, port := splitListen(listen, false)
-	var cert *tls.Certificate
+	var certs []tls.Certificate
 	if useTLS {
-		cert = info.Cert
+		certs = info.Certs
 	}
 
 	param := &param{
 		proto:  proto,
 		ip:     ip,
 		port:   port,
 		useTLS: useTLS,
-		cert:   cert,
+		certs:  certs,
 	}
 
 	return param
 }
 
-func (info *HostInfo) parse() (hostNames []string, params params) {
+func (info *HostInfo) parse() (hostNames []string, params params, certs certs) {
 	hostNames = normalizeHostNames(info.HostNames)
 
+	useTLSForListen := len(info.Certs) > 0
 	for _, listen := range info.Listens {
-		param := info.toParam(listen, info.Cert != nil)
+		param := info.toParam(listen, useTLSForListen)
 		param.hostNames = hostNames
 		params = append(params, param)
 	}
@@ -41,5 +42,9 @@ func (info *HostInfo) parse() (hostNames []string, params params) {
 		params = append(params, param)
 	}
 
+	if (useTLSForListen && len(info.Listens) > 0) || len(info.ListensTLS) > 0 {
+		certs = append(info.Certs)
+	}
+
 	return
 }

src/goVirtualHost/param.go

@@ -23,7 +23,7 @@ func (param *param) hasHostNames(checkHostNames []string) bool {
 }
 
 func (param *param) validate() (errs []error) {
-	if param.useTLS && param.cert == nil {
+	if param.useTLS && len(param.certs) == 0 {
 		err := wrapError(CertificateNotFound, fmt.Sprintf("certificate not found for TLS listens: %+v", param))
 		errs = append(errs, err)
 	}

src/goVirtualHost/param_test.go

@@ -17,20 +17,32 @@ func TestParamValidate(t *testing.T) {
 	}
 	errs = p.validate()
 	if len(errs) > 0 {
-		t.Error()
+		t.Error(errs)
 	}
 
 	p.useTLS = true
 	errs = p.validate()
 	if len(errs) == 0 {
 		t.Error()
 	} else if !errors.Is(errs[0], CertificateNotFound) {
-		t.Error()
+		t.Error(errs)
+	}
+
+	p.certs = nil
+	errs = p.validate()
+	if len(errs) == 0 {
+		t.Error(errs)
 	}
 
-	p.cert = &tls.Certificate{}
+	p.certs = []tls.Certificate{}
+	errs = p.validate()
+	if len(errs) == 0 {
+		t.Error(errs)
+	}
+
+	p.certs = append(p.certs, tls.Certificate{})
 	errs = p.validate()
 	if len(errs) > 0 {
-		t.Error()
+		t.Error(errs)
 	}
 }

src/goVirtualHost/params.go

@@ -33,9 +33,7 @@ func (params params) validateParam(param *param) (errs []error) {
 		}
 
 		if ownParam.proto == param.proto && ownParam.ip == param.ip && ownParam.port == param.port {
-			ownUseTLS := ownParam.cert != nil
-			useTLS := param.cert != nil
-			if ownUseTLS != useTLS {
+			if ownParam.useTLS != param.useTLS {
 				err := wrapError(ConflictTLSMode, fmt.Sprintf("cannot serve for both Plain and TLS mode: %+v, %+v", ownParam, param))
 				errs = append(errs, err)
 			}

src/goVirtualHost/params_test.go

@@ -82,7 +82,7 @@ func TestParamsValidateParam(t *testing.T) {
 		ip:     "",
 		port:   ":80",
 		useTLS: true,
-		cert:   &tls.Certificate{},
+		certs:  []tls.Certificate{},
 	}
 	errs = ps.validateParam(p)
 	if len(errs) == 0 {

src/goVirtualHost/server.go

@@ -54,7 +54,7 @@ func (server *server) updateHttpServerTLSConfig() {
 		certs := []tls.Certificate{}
 
 		for _, vhost := range server.vhosts {
-			certs = append(certs, *vhost.cert)
+			certs = append(certs, vhost.certs...)
 		}
 
 		tlsConfig = &tls.Config{

src/goVirtualHost/service.go

@@ -50,15 +50,15 @@ func (svc *Service) Add(info *HostInfo) (errs []error) {
 		return
 	}
 
-	hostNames, vhostParams := info.parse()
+	hostNames, vhostParams, certs := info.parse()
 
 	errs = svc.params.validate(vhostParams)
 	if len(errs) > 0 {
 		return
 	}
 	svc.params = append(svc.params, vhostParams...)
 
-	vhost := newVhost(info.Cert, hostNames, info.Handler)
+	vhost := newVhost(certs, hostNames, info.Handler)
 	svc.vhosts = append(svc.vhosts, vhost)
 
 	svc.addVhostToServers(vhost, vhostParams)
@@ -114,6 +114,8 @@ func (svc *Service) Open() (errs []error) {
 	svc.state = stateOpened
 	svc.mu.Unlock()
 
+	svc.params = nil // release unused data
+
 	for _, s := range svc.servers {
 		s.updateDefaultVhost()
 		s.updateHttpServerTLSConfig()

src/goVirtualHost/type.go

@@ -12,18 +12,20 @@ type HostInfo struct {
 	Listens      []string
 	ListensPlain []string
 	ListensTLS   []string
-	Cert         *tls.Certificate
+	Certs        []tls.Certificate
 	HostNames    []string
 	Handler      http.Handler
 }
 
+type certs []tls.Certificate
+
 // normalized HostInfo Param
 type param struct {
 	proto     string // "tcp", "tcp4", "tcp6"
 	ip        string
 	port      string
 	useTLS    bool
-	cert      *tls.Certificate
+	certs     certs
 	hostNames []string
 }
 
@@ -52,7 +54,7 @@ type servers []*server
 
 // virtual host
 type vhost struct {
-	cert      *tls.Certificate
+	certs     certs
 	hostNames []string
 	handler   http.Handler
 }

src/goVirtualHost/vhost.go

@@ -1,14 +1,13 @@
 package goVirtualHost
 
 import (
-	"crypto/tls"
 	"net/http"
 	"strings"
 )
 
-func newVhost(cert *tls.Certificate, hostNames []string, handler http.Handler) *vhost {
+func newVhost(certs certs, hostNames []string, handler http.Handler) *vhost {
 	vhost := &vhost{
-		cert:      cert,
+		certs:     certs,
 		hostNames: hostNames,
 		handler:   handler,
 	}