feat: adds tls configuration support and self-signed cert generation

rsdmike · rsdmike · commit 125fbe520263 · 2025-11-03T14:58:21.000-07:00
Adds TLS configuration options to the HTTP server, allowing users to enable TLS with specified certificate and key files. Use HTTP_TLS_ENABLED, HTTP_TLS_CERT_FILE, and HTTP_TLS_KEY_FILE environment variables or corresponding config file settings to configure TLS. Setting HTTP_TLS_ENABLED to true and not specifying cert and key files will generate self-signed certificates and place them in the os.TempDir() -- see logs for file paths. Delete the files in the cert temp dir if the self-signed certs need to be regenerated. closes: #663
diff --git a/.env.example b/.env.example
@@ -1,4 +1,44 @@
-GIN_MODE=release
+# Application
+APP_NAME=console
+APP_REPO=device-management-toolkit/console
+APP_ENCRYPTION_KEY=
+APP_ALLOW_INSECURE_CIPHERS=false
+
+# HTTP Server
+HTTP_HOST=localhost
+HTTP_PORT=8181
+WS_COMPRESSION=false
+HTTP_ALLOWED_ORIGINS=*
+HTTP_ALLOWED_HEADERS=*
+
+# TLS
+# Enable TLS in release if the app terminates TLS itself. If behind an API gateway or LB that provides TLS, set to false.
+HTTP_TLS_ENABLED=true
+# If both are empty and HTTP_TLS_ENABLED=true, the server will generate a self-signed certificate at startup.
+HTTP_TLS_CERT_FILE=
+HTTP_TLS_KEY_FILE=
+
+# Logger
+LOG_LEVEL=info
+
+# Database
+DB_POOL_MAX=2
+DB_URL=
+
+# EA
+EA_URL=http://localhost:8000
+EA_USERNAME=
+EA_PASSWORD=
+
+# Auth
+AUTH_DISABLED=false
+AUTH_ADMIN_USERNAME=standalone
+AUTH_ADMIN_PASSWORD=G@ppm0ym
+AUTH_JWT_KEY=your_secret_jwt_key
+AUTH_JWT_EXPIRATION=24h
+AUTH_REDIRECTION_JWT_EXPIRATION=5m
+AUTH_CLIENT_ID=
+AUTH_ISSUER=GIN_MODE=release
 # DB_URL=postgres://postgresadmin:admin123@localhost:5432/rpsdb
 # OAUTH CONFIGURATION
 AUTH_CLIENT_ID=
diff --git a/cmd/app/main.go b/cmd/app/main.go
@@ -46,7 +46,12 @@ func main() {
 
 	if os.Getenv("GIN_MODE") != "debug" {
 		go func() {
-			browserError := openBrowser("http://localhost:"+cfg.Port, runtime.GOOS)
+			scheme := "http"
+			if cfg.TLS.Enabled {
+				scheme = "https"
+			}
+
+			browserError := openBrowser(scheme+"://localhost:"+cfg.Port, runtime.GOOS)
 			if browserError != nil {
 				panic(browserError)
 			}
diff --git a/config/config.go b/config/config.go
@@ -40,6 +40,14 @@ type (
 		AllowedOrigins []string `env-required:"true" yaml:"allowed_origins" env:"HTTP_ALLOWED_ORIGINS"`
 		AllowedHeaders []string `env-required:"true" yaml:"allowed_headers" env:"HTTP_ALLOWED_HEADERS"`
 		WSCompression  bool     `yaml:"ws_compression" env:"WS_COMPRESSION"`
+		TLS            TLS      `yaml:"tls"`
+	}
+
+	// TLS -.
+	TLS struct {
+		Enabled  bool   `yaml:"enabled" env:"HTTP_TLS_ENABLED"`
+		CertFile string `yaml:"certFile" env:"HTTP_TLS_CERT_FILE"`
+		KeyFile  string `yaml:"keyFile" env:"HTTP_TLS_KEY_FILE"`
 	}
 
 	// Log -.
@@ -85,10 +93,9 @@ type (
 	}
 )
 
-// NewConfig returns app config.
-func NewConfig() (*Config, error) {
-	// set defaults
-	ConsoleConfig = &Config{
+// defaultConfig constructs the in-memory default configuration.
+func defaultConfig() *Config {
+	return &Config{
 		App: App{
 			Name:                 "console",
 			Repo:                 "device-management-toolkit/console",
@@ -102,6 +109,11 @@ func NewConfig() (*Config, error) {
 			AllowedOrigins: []string{"*"},
 			AllowedHeaders: []string{"*"},
 			WSCompression:  true,
+			TLS: TLS{
+				Enabled:  true,
+				CertFile: "",
+				KeyFile:  "",
+			},
 		},
 		Log: Log{
 			Level: "info",
@@ -135,59 +147,86 @@ func NewConfig() (*Config, error) {
 			},
 		},
 	}
+}
 
-	// Define a command line flag for the config path
-	var configPathFlag string
-	if flag.Lookup("config") == nil {
-		flag.StringVar(&configPathFlag, "config", "", "path to config file")
+// resolveConfigPath determines the effective config file path based on a flag value or default location.
+func resolveConfigPath(configPathFlag string) (string, error) {
+	if configPathFlag != "" {
+		return configPathFlag, nil
 	}
 
-	flag.Parse()
+	ex, err := os.Executable()
+	if err != nil {
+		return "", err
+	}
 
-	// Determine the config path
-	var configPath string
-	if configPathFlag != "" {
-		configPath = configPathFlag
-	} else {
-		ex, err := os.Executable()
-		if err != nil {
-			panic(err)
-		}
+	exPath := filepath.Dir(ex)
 
-		exPath := filepath.Dir(ex)
+	return filepath.Join(exPath, "config", "config.yml"), nil
+}
 
-		configPath = filepath.Join(exPath, "config", "config.yml")
+// readOrInitConfig attempts to read the config file; if it doesn't exist, writes the provided cfg to disk.
+func readOrInitConfig(configPath string, cfg *Config) error {
+	err := cleanenv.ReadConfig(configPath, cfg)
+	if err == nil {
+		return nil
 	}
 
-	err := cleanenv.ReadConfig(configPath, ConsoleConfig)
-
 	var pathErr *os.PathError
-
 	if errors.As(err, &pathErr) {
 		// Write config file out to disk
 		configDir := filepath.Dir(configPath)
-		if err := os.MkdirAll(configDir, os.ModePerm); err != nil {
-			return nil, err
+		if mkErr := os.MkdirAll(configDir, os.ModePerm); mkErr != nil {
+			return mkErr
 		}
 
-		file, err := os.Create(configPath)
-		if err != nil {
-			return nil, err
+		file, cErr := os.Create(configPath)
+		if cErr != nil {
+			return cErr
 		}
 		defer file.Close()
 
 		encoder := yaml.NewEncoder(file)
 		defer encoder.Close()
 
-		if err := encoder.Encode(ConsoleConfig); err != nil {
-			return nil, err
+		if encErr := encoder.Encode(cfg); encErr != nil {
+			return encErr
 		}
+
+		return nil
 	}
 
-	err = cleanenv.ReadEnv(ConsoleConfig)
+	return err
+}
+
+// NewConfig returns app config.
+func NewConfig() (*Config, error) {
+	// set defaults
+	ConsoleConfig = defaultConfig()
+
+	// Define a command line flag for the config path
+	var configPathFlag string
+	if flag.Lookup("config") == nil {
+		flag.StringVar(&configPathFlag, "config", "", "path to config file")
+	}
+
+	if !flag.Parsed() {
+		flag.Parse()
+	}
+
+	// Determine the config path
+	configPath, err := resolveConfigPath(configPathFlag)
 	if err != nil {
 		return nil, err
 	}
 
+	if err := readOrInitConfig(configPath, ConsoleConfig); err != nil {
+		return nil, err
+	}
+
+	if err := cleanenv.ReadEnv(ConsoleConfig); err != nil {
+		return nil, err
+	}
+
 	return ConsoleConfig, nil
 }
diff --git a/config/config.yml b/config/config.yml
@@ -9,6 +9,11 @@ http:
   port: "8181"
   # set to true for WAN settings where bandwidth is a concern, false for LAN/low latency/high bandwidth
   ws_compression: false
+  tls:
+    enabled: true
+    # If certFile/keyFile are both empty and enabled is true, a self-signed certificate will be generated at runtime.
+    certFile: ""
+    keyFile: ""
   allowed_origins:
     - "*"
   allowed_headers:
diff --git a/config/config_test.go b/config/config_test.go
@@ -31,9 +31,11 @@ func TestNewConfig_Defaults(t *testing.T) { //nolint:paralleltest // cannot have
 	assert.Equal(t, "DEVELOPMENT", cfg.Version)
 	assert.Equal(t, "test", cfg.EncryptionKey)
 
+	assert.Equal(t, "localhost", cfg.Host)
 	assert.Equal(t, "8181", cfg.Port)
 	assert.Equal(t, []string{"*"}, cfg.AllowedOrigins)
 	assert.Equal(t, []string{"*"}, cfg.AllowedHeaders)
+	assert.Equal(t, true, cfg.TLS.Enabled)
 
 	assert.Equal(t, "info", cfg.Level)
 
@@ -47,6 +49,7 @@ func TestNewConfig_EnvVars(t *testing.T) { //nolint:paralleltest // cannot have
 	os.Setenv("LOG_LEVEL", "debug")
 	os.Setenv("DB_POOL_MAX", "10")
 	os.Setenv("DB_URL", "postgres://user:password@localhost:5432/testdb")
+	os.Setenv("HTTP_TLS_ENABLED", "false")
 
 	defer clearEnv() // Ensure environment variables are cleared after test
 
@@ -60,6 +63,7 @@ func TestNewConfig_EnvVars(t *testing.T) { //nolint:paralleltest // cannot have
 	assert.Equal(t, "debug", cfg.Level)
 	assert.Equal(t, 10, cfg.PoolMax)
 	assert.Equal(t, "postgres://user:password@localhost:5432/testdb", cfg.DB.URL)
+	assert.Equal(t, false, cfg.TLS.Enabled)
 }
 
 func TestNewConfig_FileAndEnvVars(t *testing.T) { //nolint:paralleltest // cannot have simultaneous tests modifying environment variables
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -23,6 +23,7 @@ services:
     environment:
       APP_ENCRYPTION_KEY: "Jf3Q2nXJ+GZzN1dbVQms0wbB4+i/5PjL" # This is a test encryption key for the app
       HTTP_HOST: ""
+      HTTP_TLS_ENABLED: "false"
       GIN_MODE: "debug"
       DB_URL: "postgres://postgresadmin:admin123@postgres:5432/rpsdb"
       AUTH_DISABLED: true
diff --git a/internal/app/app.go b/internal/app/app.go
@@ -30,6 +30,9 @@ func Run(cfg *config.Config) {
 	log := logger.New(cfg.Level)
 	cfg.Version = Version
 	log.Info("app - Run - version: " + cfg.Version)
+	// route standard and Gin logs through our JSON logger
+	logger.SetupStdLog(log)
+	logger.SetupGin(log)
 	// Repository
 	database, err := db.New(cfg.DB.URL, sql.Open, db.MaxPoolSize(cfg.PoolMax), db.EnableForeignKeys(true))
 	if err != nil {
@@ -73,7 +76,17 @@ func Run(cfg *config.Config) {
 	}
 
 	wsv1.RegisterRoutes(handler, log, usecases.Devices, upgrader)
-	httpServer := httpserver.New(handler, httpserver.Port(cfg.Host, cfg.Port))
+	// Configure TLS based on config
+	tlsEnabled := cfg.TLS.Enabled
+	certFile := cfg.TLS.CertFile
+	keyFile := cfg.TLS.KeyFile
+
+	httpServer := httpserver.New(
+		handler,
+		httpserver.Port(cfg.Host, cfg.Port),
+		httpserver.TLS(tlsEnabled, certFile, keyFile),
+		httpserver.Logger(log),
+	)
 
 	// Waiting signal
 	interrupt := make(chan os.Signal, 1)
diff --git a/internal/controller/http/router.go b/internal/controller/http/router.go
@@ -135,6 +135,10 @@ func injectConfigToMainJS(l logger.Interface, cfg *config.Config) string {
 		protocol = "https://"
 	}
 
+	if cfg.TLS.Enabled {
+		protocol = "https://"
+	}
+
 	// if there is a clientID, we assume oauth will be configured, so inject UI config values from YAML
 	if cfg.ClientID != "" {
 		strictDiscoveryReplacement := ",strictDiscoveryDocumentValidation:!1"
diff --git a/pkg/httpserver/options.go b/pkg/httpserver/options.go
@@ -3,6 +3,8 @@ package httpserver
 import (
 	"net"
 	"time"
+
+	appLogger "github.com/device-management-toolkit/console/pkg/logger"
 )
 
 // Option -.
@@ -15,6 +17,22 @@ func Port(host, port string) Option {
 	}
 }
 
+// TLS enables TLS and optionally sets cert and key file paths.
+func TLS(enable bool, certFile, keyFile string) Option {
+	return func(s *Server) {
+		s.useTLS = enable
+		s.certFile = certFile
+		s.keyFile = keyFile
+	}
+}
+
+// Listener injects a pre-bound listener (useful for tests to avoid binding real ports).
+func Listener(l net.Listener) Option {
+	return func(s *Server) {
+		s.listener = l
+	}
+}
+
 // ReadTimeout -.
 func ReadTimeout(timeout time.Duration) Option {
 	return func(s *Server) {
@@ -35,3 +53,10 @@ func ShutdownTimeout(timeout time.Duration) Option {
 		s.shutdownTimeout = timeout
 	}
 }
+
+// Logger injects a logger to be used by the HTTP server internals.
+func Logger(l appLogger.Interface) Option {
+	return func(s *Server) {
+		s.log = l
+	}
+}
diff --git a/pkg/httpserver/server.go b/pkg/httpserver/server.go
diff --git a/pkg/httpserver/server_tls_test.go b/pkg/httpserver/server_tls_test.go
diff --git a/pkg/logger/adapters.go b/pkg/logger/adapters.go
