dig into http2 support

ocis-pkg/config/helpers.go

@@ -1,11 +1,15 @@
 package config
 
 import (
+	"crypto/tls"
+	"fmt"
 	"path"
 
 	gofig "github.com/gookit/config/v2"
 	gooyaml "github.com/gookit/config/v2/yaml"
 	"github.com/owncloud/ocis/v2/ocis-pkg/config/defaults"
+	ociscrypto "github.com/owncloud/ocis/v2/ocis-pkg/crypto"
+	"github.com/owncloud/ocis/v2/ocis-pkg/log"
 )
 
 var (
@@ -34,3 +38,35 @@ func BindSourcesToStructs(service string, dst interface{}) (*gofig.Config, error
 
 	return cnf, nil
 }
+
+// BuildTLSConfig returns a tls.Config struct for the given configuration.
+// When tls is enabled it will try to load the given certificate or generate a self signed certificate
+func BuildTLSConfig(l log.Logger, enabled bool, certPath, keyPath, address string) (*tls.Config, error) {
+	if enabled {
+		var cert tls.Certificate
+		var err error
+		if certPath != "" {
+			// Generate a self-signing cert if no certificate is present
+			if err := ociscrypto.GenCert(certPath, keyPath, l); err != nil {
+				return nil, err
+			}
+			cert, err = tls.LoadX509KeyPair(certPath, keyPath)
+			if err != nil {
+				return nil, fmt.Errorf("error loading server certificate and key: %w", err)
+			}
+		} else {
+			cert, err = ociscrypto.GenTempCertForAddr(address)
+			if err != nil {
+				return nil, err
+			}
+		}
+		return &tls.Config{
+			NextProtos: []string{"h2", "http/1.1"},
+			//MinVersion:   tls.VersionTLS12,
+			InsecureSkipVerify: true,
+			Certificates:       []tls.Certificate{cert},
+		}, nil
+	}
+	return nil, nil
+
+}

ocis-pkg/service/grpc/client.go

@@ -64,6 +64,7 @@ func Configure(opts ...ClientOption) error {
 			}
 			cOpts = append(cOpts, mgrpcc.AuthTLS(tlsConfig))
 		case "on":
+			// TODO use function to add cert to cert pool?
 			tlsConfig = &tls.Config{}
 			// Note: If caCert is empty we use the system's default set of trusted CAs
 			if options.caCert != "" {

ocis-pkg/service/grpc/service.go

@@ -26,6 +26,7 @@ func NewService(opts ...Option) (Service, error) {
 	sopts := newOptions(opts...)
 	tlsConfig := &tls.Config{}
 	if sopts.TLSEnabled {
+		// TODO reuse ocis-pkg/config and pass a real tls.Config
 		var cert tls.Certificate
 		var err error
 		if sopts.TLSCert != "" {

ocis-pkg/service/http/option.go

@@ -2,10 +2,10 @@ package http
 
 import (
 	"context"
+	"crypto/tls"
 	"net/http"
 
 	"github.com/owncloud/ocis/v2/ocis-pkg/log"
-	"github.com/owncloud/ocis/v2/ocis-pkg/shared"
 	"github.com/urfave/cli/v2"
 )
 
@@ -15,7 +15,7 @@ type Option func(o *Options)
 // Options defines the available options for this package.
 type Options struct {
 	Logger    log.Logger
-	TLSConfig shared.HTTPServiceTLS
+	TLSConfig *tls.Config
 	Namespace string
 	Name      string
 	Version   string
@@ -88,7 +88,7 @@ func Flags(flags ...cli.Flag) Option {
 }
 
 // TLSConfig provides a function to set the TLSConfig option.
-func TLSConfig(config shared.HTTPServiceTLS) Option {
+func TLSConfig(config *tls.Config) Option {
 	return func(o *Options) {
 		o.TLSConfig = config
 	}

ocis-pkg/service/http/service.go

@@ -1,18 +1,16 @@
 package http
 
 import (
-	"crypto/tls"
-	"fmt"
 	"strings"
 	"time"
 
 	"github.com/owncloud/ocis/v2/ocis-pkg/broker"
 	"github.com/owncloud/ocis/v2/ocis-pkg/registry"
 
 	mhttps "github.com/go-micro/plugins/v4/server/http"
-	ociscrypto "github.com/owncloud/ocis/v2/ocis-pkg/crypto"
 	"go-micro.dev/v4"
 	"go-micro.dev/v4/server"
+	"go-micro.dev/v4/transport"
 )
 
 // Service simply wraps the go-micro web service.
@@ -24,36 +22,7 @@ type Service struct {
 func NewService(opts ...Option) (Service, error) {
 	noopBroker := broker.NoOp{}
 	sopts := newOptions(opts...)
-	var mServer server.Server
-	if sopts.TLSConfig.Enabled {
-		var cert tls.Certificate
-		var err error
-		if sopts.TLSConfig.Cert != "" {
-			cert, err = tls.LoadX509KeyPair(sopts.TLSConfig.Cert, sopts.TLSConfig.Key)
-			if err != nil {
-				sopts.Logger.Error().Err(err).
-					Str("cert", sopts.TLSConfig.Cert).
-					Str("key", sopts.TLSConfig.Key).
-					Msg("error loading server certifcate and key")
-				return Service{}, fmt.Errorf("error loading server certificate and key: %w", err)
-			}
-		} else {
-			// Generate a self-signed server certificate on the fly. This requires the clients
-			// to connect with InsecureSkipVerify.
-			sopts.Logger.Warn().Str("address", sopts.Address).
-				Msg("No server certificate configured. Generating a temporary self-signed certificate")
-			cert, err = ociscrypto.GenTempCertForAddr(sopts.Address)
-			if err != nil {
-				return Service{}, fmt.Errorf("error creating temporary self-signed certificate: %w", err)
-			}
-		}
-		tlsConfig := &tls.Config{
-			Certificates: []tls.Certificate{cert},
-		}
-		mServer = mhttps.NewServer(server.TLSConfig(tlsConfig))
-	} else {
-		mServer = mhttps.NewServer()
-	}
+	mServer := mhttps.NewServer(server.TLSConfig(sopts.TLSConfig))
 
 	wopts := []micro.Option{
 		micro.Server(mServer),
@@ -66,8 +35,10 @@ func NewService(opts ...Option) (Service, error) {
 		micro.Registry(registry.GetRegistry()),
 		micro.RegisterTTL(time.Second * 30),
 		micro.RegisterInterval(time.Second * 10),
+		micro.Transport(transport.NewHTTPTransport(transport.TLSConfig(sopts.TLSConfig))),
 	}
-	if sopts.TLSConfig.Enabled {
+	if sopts.TLSConfig != nil {
+		// mark service in registry as using tls
 		wopts = append(wopts, micro.Metadata(map[string]string{"use_tls": "true"}))
 	}
 

services/frontend/pkg/config/config.go

@@ -76,11 +76,12 @@ type Debug struct {
 }
 
 type HTTPConfig struct {
-	Addr      string `yaml:"addr" env:"FRONTEND_HTTP_ADDR" desc:"The bind address of the HTTP service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"FRONTEND_HTTP_PROTOCOL" desc:"The transport protocol of the HTTP service."`
-	Prefix    string `yaml:"prefix" env:"FRONTEND_HTTP_PREFIX" desc:"The Path prefix where the frontend can be accessed (defaults to /)."`
-	CORS      CORS   `yaml:"cors"`
+	Addr      string                `yaml:"addr" env:"FRONTEND_HTTP_ADDR" desc:"The bind address of the HTTP service."`
+	Namespace string                `yaml:"-"`
+	Protocol  string                `yaml:"protocol" env:"FRONTEND_HTTP_PROTOCOL" desc:"The transport protocol of the HTTP service."`
+	TLS       shared.HTTPServiceTLS `yaml:"tls"`
+	Prefix    string                `yaml:"prefix" env:"FRONTEND_HTTP_PREFIX" desc:"The Path prefix where the frontend can be accessed (defaults to /)."`
+	CORS      CORS                  `yaml:"cors"`
 }
 
 // CORS defines the available cors configuration.

services/frontend/pkg/config/defaults/defaultconfig.go

@@ -27,7 +27,12 @@ func DefaultConfig() *config.Config {
 			Addr:      "127.0.0.1:9140",
 			Namespace: "com.owncloud.web",
 			Protocol:  "tcp",
-			Prefix:    "",
+			TLS: shared.HTTPServiceTLS{
+				Enabled: true,
+				Cert:    "/etc/ssl/certs/test.cert.pem",
+				Key:     "/etc/ssl/certs/test.key.pem",
+			},
+			Prefix: "",
 			CORS: config.CORS{
 				AllowedOrigins: []string{"*"},
 				AllowedMethods: []string{

services/frontend/pkg/revaconfig/config.go

@@ -284,6 +284,8 @@ func FrontendConfigFromStruct(cfg *config.Config) (map[string]interface{}, error
 					},
 				},
 			},
+			"certfile": cfg.HTTP.TLS.Cert,
+			"keyfile":  cfg.HTTP.TLS.Key,
 		},
 	}, nil
 }

services/graph/pkg/server/http/server.go

@@ -12,6 +12,7 @@ import (
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
 	"github.com/go-micro/plugins/v4/events/natsjs"
 	"github.com/owncloud/ocis/v2/ocis-pkg/account"
+	"github.com/owncloud/ocis/v2/ocis-pkg/config"
 	ociscrypto "github.com/owncloud/ocis/v2/ocis-pkg/crypto"
 	"github.com/owncloud/ocis/v2/ocis-pkg/middleware"
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
@@ -30,8 +31,22 @@ import (
 func Server(opts ...Option) (http.Service, error) {
 	options := newOptions(opts...)
 
+	tlsConfig, err := config.BuildTLSConfig(
+		options.Logger,
+		options.Config.HTTP.TLS.Enabled,
+		options.Config.HTTP.TLS.Cert,
+		options.Config.HTTP.TLS.Key,
+		options.Config.HTTP.Addr,
+	)
+	if err != nil {
+		options.Logger.Error().
+			Err(err).
+			Msg("could not build certificate")
+		return http.Service{}, fmt.Errorf("could not build certificate: %w", err)
+	}
+
 	service, err := http.NewService(
-		http.TLSConfig(options.Config.HTTP.TLS),
+		http.TLSConfig(tlsConfig),
 		http.Logger(options.Logger),
 		http.Namespace(options.Config.HTTP.Namespace),
 		http.Name("graph"),

services/idp/pkg/config/defaults/defaultconfig.go

@@ -30,7 +30,7 @@ func DefaultConfig() *config.Config {
 			Namespace: "com.owncloud.web",
 			TLSCert:   filepath.Join(defaults.BaseDataPath(), "idp", "server.crt"),
 			TLSKey:    filepath.Join(defaults.BaseDataPath(), "idp", "server.key"),
-			TLS:       false,
+			TLS:       true,
 		},
 		Reva: shared.DefaultRevaConfig(),
 		Service: config.Service{

services/idp/pkg/server/http/server.go

@@ -2,13 +2,11 @@ package http
 
 import (
 	"fmt"
-	"os"
 
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
-	pkgcrypto "github.com/owncloud/ocis/v2/ocis-pkg/crypto"
+	"github.com/owncloud/ocis/v2/ocis-pkg/config"
 	"github.com/owncloud/ocis/v2/ocis-pkg/middleware"
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/http"
-	"github.com/owncloud/ocis/v2/ocis-pkg/shared"
 	"github.com/owncloud/ocis/v2/ocis-pkg/version"
 	svc "github.com/owncloud/ocis/v2/services/idp/pkg/service/v0"
 	"go-micro.dev/v4"
@@ -18,17 +16,18 @@ import (
 func Server(opts ...Option) (http.Service, error) {
 	options := newOptions(opts...)
 
-	if options.Config.HTTP.TLS {
-		_, certErr := os.Stat(options.Config.HTTP.TLSCert)
-		_, keyErr := os.Stat(options.Config.HTTP.TLSKey)
-
-		if os.IsNotExist(certErr) || os.IsNotExist(keyErr) {
-			options.Logger.Info().Msgf("Generating certs")
-			if err := pkgcrypto.GenCert(options.Config.HTTP.TLSCert, options.Config.HTTP.TLSKey, options.Logger); err != nil {
-				options.Logger.Fatal().Err(err).Msg("Could not setup TLS")
-				os.Exit(1)
-			}
-		}
+	tlsConfig, err := config.BuildTLSConfig(
+		options.Logger,
+		options.Config.HTTP.TLS,
+		options.Config.HTTP.TLSCert,
+		options.Config.HTTP.TLSKey,
+		options.Config.HTTP.Addr,
+	)
+	if err != nil {
+		options.Logger.Error().
+			Err(err).
+			Msg("could not build certificate")
+		return http.Service{}, fmt.Errorf("could not build certificate: %w", err)
 	}
 
 	service, err := http.NewService(
@@ -39,11 +38,7 @@ func Server(opts ...Option) (http.Service, error) {
 		http.Address(options.Config.HTTP.Addr),
 		http.Context(options.Context),
 		http.Flags(options.Flags...),
-		http.TLSConfig(shared.HTTPServiceTLS{
-			Enabled: options.Config.HTTP.TLS,
-			Cert:    options.Config.HTTP.TLSCert,
-			Key:     options.Config.HTTP.TLSKey,
-		}),
+		http.TLSConfig(tlsConfig),
 	)
 	if err != nil {
 		options.Logger.Error().

services/ocdav/pkg/command/server.go

@@ -8,6 +8,7 @@ import (
 	"github.com/cs3org/reva/v2/pkg/sharedconf"
 	"github.com/oklog/run"
 	"github.com/owncloud/ocis/v2/ocis-pkg/broker"
+	pkgconfig "github.com/owncloud/ocis/v2/ocis-pkg/config"
 	"github.com/owncloud/ocis/v2/ocis-pkg/config/configlog"
 	"github.com/owncloud/ocis/v2/ocis-pkg/version"
 	"github.com/owncloud/ocis/v2/services/ocdav/pkg/config"
@@ -50,6 +51,21 @@ func Server(cfg *config.Config) *cli.Command {
 				if err := sharedconf.Decode(sc); err != nil {
 					logger.Error().Err(err).Msg("error decoding shared config for ocdav")
 				}
+
+				tlsConfig, err := pkgconfig.BuildTLSConfig(
+					logger,
+					cfg.HTTP.TLS.Enabled,
+					cfg.HTTP.TLS.Cert,
+					cfg.HTTP.TLS.Key,
+					cfg.HTTP.Addr,
+				)
+				if err != nil {
+					logger.Error().
+						Err(err).
+						Msg("could not build certificate")
+					return fmt.Errorf("could not build certificate: %w", err)
+				}
+
 				opts := []ocdav.Option{
 					ocdav.Name(cfg.HTTP.Namespace + "." + cfg.Service.Name),
 					ocdav.Version(version.GetString()),
@@ -75,7 +91,7 @@ func Server(cfg *config.Config) *cli.Command {
 					ocdav.Broker(broker.NoOp{}),
 					// ocdav.FavoriteManager() // FIXME needs a proper persistence implementation https://github.com/owncloud/ocis/issues/1228
 					// ocdav.LockSystem(), // will default to the CS3 lock system
-					// ocdav.TLSConfig() // tls config for the http server
+					ocdav.TLSConfig(tlsConfig),
 					ocdav.MetricsEnabled(true),
 					ocdav.MetricsNamespace("ocis"),
 				}

services/ocdav/pkg/config/config.go

@@ -62,10 +62,11 @@ type Debug struct {
 }
 
 type HTTPConfig struct {
-	Addr      string `yaml:"addr" env:"OCDAV_HTTP_ADDR" desc:"The bind address of the HTTP service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"OCDAV_HTTP_PROTOCOL" desc:"The transport protocol of the HTTP service."`
-	Prefix    string `yaml:"prefix" env:"OCDAV_HTTP_PREFIX" desc:"A URL path prefix for the handler."`
+	Addr      string                `yaml:"addr" env:"OCDAV_HTTP_ADDR" desc:"The bind address of the HTTP service."`
+	Namespace string                `yaml:"-"`
+	Protocol  string                `yaml:"protocol" env:"OCDAV_HTTP_PROTOCOL" desc:"The transport protocol of the HTTP service."`
+	TLS       shared.HTTPServiceTLS `yaml:"tls"`
+	Prefix    string                `yaml:"prefix" env:"OCDAV_HTTP_PREFIX" desc:"A URL path prefix for the handler."`
 }
 
 // Status holds the configurable values for the status.php

services/ocs/pkg/server/http/server.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
+	"github.com/owncloud/ocis/v2/ocis-pkg/config"
 	"github.com/owncloud/ocis/v2/ocis-pkg/cors"
 	"github.com/owncloud/ocis/v2/ocis-pkg/middleware"
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/http"
@@ -17,8 +18,22 @@ import (
 func Server(opts ...Option) (http.Service, error) {
 	options := newOptions(opts...)
 
+	tlsConfig, err := config.BuildTLSConfig(
+		options.Logger,
+		options.Config.HTTP.TLS.Enabled,
+		options.Config.HTTP.TLS.Cert,
+		options.Config.HTTP.TLS.Key,
+		options.Config.HTTP.Addr,
+	)
+	if err != nil {
+		options.Logger.Error().
+			Err(err).
+			Msg("could not build certificate")
+		return http.Service{}, fmt.Errorf("could not build certificate: %w", err)
+	}
+
 	service, err := http.NewService(
-		http.TLSConfig(options.Config.HTTP.TLS),
+		http.TLSConfig(tlsConfig),
 		http.Logger(options.Logger),
 		http.Name(options.Config.Service.Name),
 		http.Version(version.GetString()),