feat: update ssl cert on proxy for custom ssl (#1057) (#1077)

(cherry picked from commit c214355)

Co-authored-by: Tanmoy Sarkar <57363826+tanmoysrt@users.noreply.github.com>

Author: mergify[bot]

swiftwave_service/graphql/domain.resolvers.go

@@ -2,21 +2,24 @@ package graphql
 
 import (
 	"context"
+	"encoding/pem"
 	"errors"
 	"fmt"
+	"log"
+	"os"
+	"os/user"
+	"path/filepath"
+	"strings"
+
 	containermanger "github.com/swiftwave-org/swiftwave/container_manager"
 	dockerconfiggenerator "github.com/swiftwave-org/swiftwave/docker_config_generator"
 	haproxymanager "github.com/swiftwave-org/swiftwave/haproxy_manager"
 	"github.com/swiftwave-org/swiftwave/swiftwave_service/core"
 	"github.com/swiftwave-org/swiftwave/swiftwave_service/graphql/model"
 	"github.com/swiftwave-org/swiftwave/swiftwave_service/logger"
 	"github.com/swiftwave-org/swiftwave/swiftwave_service/manager"
+	"golang.org/x/crypto/ssh"
 	"gorm.io/gorm"
-	"log"
-	"os"
-	"os/user"
-	"path/filepath"
-	"strings"
 )
 
 func convertMapToDockerConfigBuildArgs(input map[string]dockerconfiggenerator.Variable) []*model.DockerConfigBuildArg {
@@ -52,6 +55,37 @@ func sanitizeFileName(fileName string) string {
 	return fileName
 }
 
+func ValidateSSLFullChainCertificate(certString string) error {
+	// Parse the SSL public key (including certificates)
+	pubKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(certString))
+	if err != nil {
+		return fmt.Errorf("failed to parse SSL public key: %v", err)
+	}
+
+	// Check if it's an SSH certificate
+	_, ok := pubKey.(*ssh.Certificate)
+	if !ok {
+		return fmt.Errorf("provided file is not an SSL certificate")
+	}
+
+	return nil
+}
+
+func ValidateSSLPrivateKey(privateKeyString string) error {
+	// Decode the PEM block
+	block, _ := pem.Decode([]byte(privateKeyString))
+	if block == nil {
+		return fmt.Errorf("failed to decode PEM block from private key")
+	}
+
+	// Try to parse the key as an SSH private key
+	_, err := ssh.ParseRawPrivateKey(block.Bytes)
+	if err != nil {
+		return fmt.Errorf("failed to parse SSL private key: %v", err)
+	}
+	return nil
+}
+
 func FetchDockerManager(ctx context.Context, db *gorm.DB) (*containermanger.Manager, error) {
 	// Fetch a random swarm manager
 	swarmManagerServer, err := core.FetchSwarmManager(db)

swiftwave_service/graphql/helpers.go

@@ -40,6 +40,7 @@ func (m Manager) registerWorkerFunctions() {
 	panicOnError(taskQueueClient.RegisterFunction(redirectRuleApplyQueueName, m.RedirectRuleApply))
 	panicOnError(taskQueueClient.RegisterFunction(redirectRuleDeleteQueueName, m.RedirectRuleDelete))
 	panicOnError(taskQueueClient.RegisterFunction(sslGenerateQueueName, m.SSLGenerate))
+	panicOnError(taskQueueClient.RegisterFunction(sslProxyUpdateQueueName, m.SSLProxyUpdate))
 	panicOnError(taskQueueClient.RegisterFunction(deletePersistentVolumeQueueName, m.PersistentVolumeDeletion))
 	panicOnError(taskQueueClient.RegisterFunction(persistentVolumeBackupQueueName, m.PersistentVolumeBackup))
 	panicOnError(taskQueueClient.RegisterFunction(persistentVolumeRestoreQueueName, m.PersistentVolumeRestore))

swiftwave_service/worker/init.go

@@ -7,11 +7,13 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
+	"log"
+	"strings"
+
 	haproxymanager "github.com/swiftwave-org/swiftwave/haproxy_manager"
 	"github.com/swiftwave-org/swiftwave/swiftwave_service/core"
 	"github.com/swiftwave-org/swiftwave/swiftwave_service/manager"
 	"gorm.io/gorm"
-	"log"
 )
 
 func (m Manager) SSLGenerate(request SSLGenerateRequest, ctx context.Context, _ context.CancelFunc) error {
@@ -120,6 +122,77 @@ func (m Manager) SSLGenerate(request SSLGenerateRequest, ctx context.Context, _
 	return nil
 }
 
+func (m Manager) SSLProxyUpdate(request SSLProxyUpdateRequest, ctx context.Context, _ context.CancelFunc) error {
+	dbWithoutTx := m.ServiceManager.DbClient
+	// fetch domain
+	var domain core.Domain
+	err := domain.FindById(ctx, dbWithoutTx, request.DomainId)
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			// if not found, return nil as no queue is required
+			return nil
+		}
+		return err
+	}
+	// If domain is IPv4, don't generate SSL
+	if domain.IsIPv4() {
+		return nil
+	}
+	// If domain doesn't have SSL, return
+	if domain.SSLStatus == core.DomainSSLStatusNone || strings.Compare(domain.SSLFullChain, "") == 0 || strings.Compare(domain.SSLPrivateKey, "") == 0 {
+		return nil
+	}
+	// fetch all proxy servers
+	proxyServers, err := core.FetchProxyActiveServers(&m.ServiceManager.DbClient)
+	if err != nil {
+		return err
+	}
+	// fetch all haproxy managers
+	haproxyManagers, err := manager.HAProxyClients(context.Background(), proxyServers)
+	if err != nil {
+		return err
+	}
+	// map of server ip and transaction id
+	transactionIdMap := make(map[*haproxymanager.Manager]string)
+	isFailed := false
+
+	for _, haproxyManager := range haproxyManagers {
+		// generate a new transaction id for haproxy
+		transactionId, err := haproxyManager.FetchNewTransactionId()
+		if err != nil {
+			return err
+		}
+		// add to map
+		transactionIdMap[haproxyManager] = transactionId
+		// upload certificate to haproxy
+		err = haproxyManager.UpdateSSL(transactionId, domain.Name, []byte(domain.SSLPrivateKey), []byte(domain.SSLFullChain))
+		if err != nil {
+			isFailed = true
+			break
+		}
+	}
+	for haproxyManager, haproxyTransactionId := range transactionIdMap {
+		if !isFailed {
+			// commit the haproxy transaction
+			err = haproxyManager.CommitTransaction(haproxyTransactionId)
+		}
+		if isFailed || err != nil {
+			isFailed = true
+			log.Println("failed to commit haproxy transaction", err)
+			err := haproxyManager.DeleteTransaction(haproxyTransactionId)
+			if err != nil {
+				log.Println("failed to rollback haproxy transaction", err)
+			}
+		}
+	}
+
+	if isFailed {
+		return domain.UpdateSSLStatus(ctx, dbWithoutTx, core.DomainSSLStatusFailed)
+	} else {
+		return domain.UpdateSSLStatus(ctx, dbWithoutTx, core.DomainSSLStatusIssued)
+	}
+}
+
 // private functions
 func generatePrivateKey() (string, error) {
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)

swiftwave_service/worker/process_ssl_request.go

@@ -35,6 +35,12 @@ func (m Manager) EnqueueSSLGenerateRequest(domainId uint) error {
 	})
 }
 
+func (m Manager) EnqueueSSLProxyUpdateRequest(domainId uint) error {
+	return m.ServiceManager.TaskQueueClient.EnqueueTask(sslProxyUpdateQueueName, SSLProxyUpdateRequest{
+		DomainId: domainId,
+	})
+}
+
 func (m Manager) EnqueueIngressRuleApplyRequest(ingressRuleId uint) error {
 	return m.ServiceManager.TaskQueueClient.EnqueueTask(ingressRuleApplyQueueName, IngressRuleApplyRequest{
 		Id: ingressRuleId,

swiftwave_service/worker/publisher.go

@@ -22,6 +22,7 @@ const (
 	redirectRuleApplyQueueName                                 = "redirect_rule_apply"
 	redirectRuleDeleteQueueName                                = "redirect_rule_delete"
 	sslGenerateQueueName                                       = "ssl_generate"
+	sslProxyUpdateQueueName                                    = "ssl_update_proxy"
 	persistentVolumeBackupQueueName                            = "persistent_volume_backup"
 	persistentVolumeRestoreQueueName                           = "persistent_volume_restore"
 	installDependenciesOnServerQueueName                       = "install_dependencies_on_server"
@@ -77,6 +78,11 @@ type SSLGenerateRequest struct {
 	DomainId uint `json:"domain_id"`
 }
 
+// SSLProxyUpdateRequest : request payload for updatin SSL ceritifcate on proxies
+type SSLProxyUpdateRequest struct {
+	DomainId uint `json:"domain_id"`
+}
+
 // DeleteApplicationRequest : request payload for application delete
 type DeleteApplicationRequest struct {
 	Id string `json:"id"`