feat: https server

Author: Gabriel-Ladzaretti

.gitignore

@@ -5,4 +5,5 @@ coverage
 *.local.toml
 *.local.yaml
 *.local.json
-TODO.md
+TODO.md
+cert

api.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	"bytes"
-	"cmp"
 	"context"
 	"crypto/subtle"
 	"encoding/json"
@@ -485,10 +484,10 @@ func toEnvKey(s string) (key string) {
 }
 
 func paramsToEnv(r *http.Request, pathParams []string) []string {
-	params := r.URL.Query()
-	env := make([]string, 0, len(params)+len(pathParams))
+	queryParams := r.URL.Query()
+	env := make([]string, 0, len(queryParams)+len(pathParams))
 
-	for k, v := range params {
+	for k, v := range queryParams {
 		env = append(env, toEnvKey(k)+"="+strings.Join(v, " "))
 	}
 
@@ -516,7 +515,7 @@ func newAPIRoutes(ctx context.Context, cancelableJobs *safeMap[string, func()])
 	mux := http.NewServeMux()
 
 	for _, e := range config.Endpoints {
-		h, token := newExecHandler(ctx, e, cancelableJobs), cmp.Or(e.Token, config.Token)
+		h, token := newExecHandler(ctx, e, cancelableJobs), config.Server.Token
 		pattern := fmt.Sprintf(
 			"%s %s",
 			strings.ToUpper(e.method),

config.go

@@ -13,12 +13,18 @@ import (
 	"github.com/pelletier/go-toml/v2"
 )
 
+type Server struct {
+	LogLevel   string `json:"log_level,omitempty"     toml:"log_level,commented"`
+	DBPath     string `json:"database_path,omitempty" toml:"database_path,commented"`
+	Token      string `json:"token,omitempty"         toml:"token,commented"`
+	ListenAddr string `json:"listen_addr,omitempty"   toml:"listen_addr,commented"`
+	CertFile   string `json:"cert_file,omitempty"     toml:"cert_file,commented"`
+	KeyFile    string `json:"key_file,omitempty"      toml:"key_file,commented"`
+}
+
 type Config struct {
-	LogLevel   string     `json:"log_level,omitempty"     toml:"log_level,commented"`
-	DBPath     string     `json:"database_path,omitempty" toml:"database_path,commented"`
-	Token      string     `json:"token,omitempty"         toml:"token,commented"`
-	ListenAddr string     `json:"listen_addr,omitempty"   toml:"listen_addr,commented"`
-	Endpoints  []Endpoint `json:"endpoints,omitempty"     toml:"endpoints,commented"`
+	Server    Server     `json:"server,omitempty"    toml:"server,commented"`
+	Endpoints []Endpoint `json:"endpoints,omitempty" toml:"endpoints,commented"`
 
 	configPath string
 	sha        string
@@ -27,15 +33,19 @@ type Config struct {
 func (c *Config) validate() error {
 	uid := os.Getuid()
 
-	if c.ListenAddr == "" {
+	if c.Server.ListenAddr == "" {
 		return errors.New("listen_addr must not be empty")
 	}
 
-	if _, _, err := net.SplitHostPort(c.ListenAddr); err != nil {
+	if c.Server.Token == "" {
+		return errors.New("server token must not be empty")
+	}
+
+	if _, _, err := net.SplitHostPort(c.Server.ListenAddr); err != nil {
 		return fmt.Errorf("listen_addr must be host:port or :port: %v", err)
 	}
 
-	_, err := parseLogLevel(c.LogLevel)
+	_, err := parseLogLevel(c.Server.LogLevel)
 	if err != nil {
 		return fmt.Errorf("invalid log level: %v", err)
 	}
@@ -55,8 +65,6 @@ func (c *Config) validate() error {
 				"path", e.Path,
 				"index", i,
 			)
-		} else if c.Token == "" && e.Token == "" {
-			return fmt.Errorf("token missing for path: %q: set global token or endpoint[%d].token", e.Path, i)
 		}
 
 		if _, dup := seen[e.Path]; dup {
@@ -74,7 +82,7 @@ func (c *Config) setDefaults() error {
 		return errors.New("cannot set defaults on nil config")
 	}
 
-	c.ListenAddr = cmp.Or(c.ListenAddr, defaultListenAddr)
+	c.Server.ListenAddr = cmp.Or(c.Server.ListenAddr, defaultListenAddr)
 
 	return nil
 }
@@ -85,14 +93,10 @@ func (c *Config) redact() *Config {
 	}
 
 	redacted := *c
-
-	if redacted.Token != "" {
-		redacted.Token = redact
-	}
-
 	redacted.Endpoints = append([]Endpoint(nil), redacted.Endpoints...)
-	for i, e := range redacted.Endpoints {
-		redacted.Endpoints[i] = e.redact()
+
+	if redacted.Server.Token != "" {
+		redacted.Server.Token = redact
 	}
 
 	return &redacted

endpoint.go

@@ -30,7 +30,6 @@ type resolvedEndpoint struct {
 type Endpoint struct {
 	Summary      string   `json:"summary,omitempty"       toml:"summary,commented"`
 	Path         string   `json:"path,omitempty"          toml:"path,commented"`
-	Token        string   `json:"token,omitempty"         toml:"token,commented"`
 	Method       string   `json:"method,omitempty"        toml:"method,commented"`
 	Cmd          []string `json:"cmd,omitempty"           toml:"cmd,commented"`
 	EnvAllowlist []string `json:"env_allowlist,omitempty" toml:"env_allowlist,commented"`
@@ -102,17 +101,6 @@ func (e *Endpoint) resolve() {
 	}
 }
 
-func (e *Endpoint) redact() Endpoint {
-	if e.Token == "" {
-		return *e
-	}
-
-	redacted := *e
-	redacted.Token = redact
-
-	return redacted
-}
-
 type ExecResult struct {
 	Stdout   string `json:"stdout,omitempty"`
 	Stderr   string `json:"stderr,omitempty"`

main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"crypto/sha256"
+	"crypto/tls"
 	"encoding/hex"
 	"errors"
 	"flag"
@@ -26,7 +27,7 @@ const (
 	defaultConfigName = ".execd.toml"
 	defaultCacheDir   = ".execd.d"
 	defaultDBFilename = "execd.sqlite"
-	defaultListenAddr = ":8081"
+	defaultListenAddr = ":8443"
 	redact            = "*****"
 )
 
@@ -87,14 +88,14 @@ func mustInitialize() {
 
 	logger.Info("config sha256", "sha", c.sha)
 
-	l, _ := parseLogLevel(c.LogLevel) // already validated during config parsing
+	l, _ := parseLogLevel(c.Server.LogLevel) // already validated during config parsing
 
 	logger = slog.New(slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{Level: l}))
 	logger.Info("resolved config", "path", configPath, "config", c.redact())
 
 	config = c
 
-	reqs, err := newExecDB(c.DBPath)
+	reqs, err := newExecDB(c.Server.DBPath)
 	if err != nil {
 		logger.Error("exec db:", "err", err)
 		os.Exit(1)
@@ -143,29 +144,32 @@ func main() {
 	root.Handle("/hx/", http.StripPrefix("/hx", newHXRoutes(rr)))
 	root.Handle("/ui/", http.StripPrefix("/ui", newUIRoutes(rr)))
 
-	root.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		http.Redirect(w, r, "/ui/", http.StatusFound)
-	}))
-
 	srv := &http.Server{
-		Addr:              config.ListenAddr,
+		Addr:              config.Server.ListenAddr,
 		Handler:           root,
 		ReadHeaderTimeout: 10 * time.Second,
+		TLSConfig: &tls.Config{
+			MinVersion: tls.VersionTLS13,
+		},
 	}
 
 	lc := net.ListenConfig{}
 
-	l, err := lc.Listen(ctx, "tcp", config.ListenAddr)
+	l, err := lc.Listen(ctx, "tcp", config.Server.ListenAddr)
 	if err != nil {
-		logger.Error("listen failed", "addr", config.ListenAddr, "err", err)
+		logger.Error("listen failed", "addr", config.Server.ListenAddr, "err", err)
 		os.Exit(1)
 	}
 
 	logger.Info("server listening", "addr", l.Addr().String())
 
 	errCh := make(chan error, 1)
 	go func(ch chan error) {
-		ch <- srv.Serve(l)
+		ch <- srv.ServeTLS(
+			l,
+			config.Server.CertFile,
+			config.Server.KeyFile,
+		)
 
 		close(ch)
 	}(errCh)