Merge pull request #5 from AniaAlex/Add-tls-support

feat:Add tls support

Author: leifj

cmd/main.go

@@ -154,6 +154,10 @@ func usage() {
 	fmt.Fprintln(os.Stderr, "  --port         API server port (default: 6001)")
 	fmt.Fprintln(os.Stderr, "  --frequency    Pipeline update frequency (default: 5m)")
 	fmt.Fprintln(os.Stderr, "  --no-server    Run pipeline once and exit (no API server)")
+	fmt.Fprintln(os.Stderr, "TLS/HTTPS options:")
+	fmt.Fprintln(os.Stderr, "  --tls-enable   Enable TLS/HTTPS (default: false)")
+	fmt.Fprintln(os.Stderr, "  --tls-cert     TLS certificate file path")
+	fmt.Fprintln(os.Stderr, "  --tls-key      TLS private key file path")
 	fmt.Fprintln(os.Stderr, "Logging options:")
 	fmt.Fprintln(os.Stderr, "  --log-level    Logging level: debug, info, warn, error, fatal (default: info)")
 	fmt.Fprintln(os.Stderr, "  --log-format   Logging format: text or json (default: text)")
@@ -194,6 +198,11 @@ func main() {
 	freq := flag.Duration("frequency", 0, "Pipeline update frequency (overrides config file)")
 	noServer := flag.Bool("no-server", false, "Run pipeline once and exit (no API server)")
 
+	// TLS configuration
+	tlsEnabled := flag.Bool("tls-enable", false, "Enable TLS/HTTPS (overrides config file)")
+	tlsCertFile := flag.String("tls-cert", "", "TLS certificate file path (overrides config file)")
+	tlsKeyFile := flag.String("tls-key", "", "TLS private key file path (overrides config file)")
+
 	// Logging configuration
 	logLevel := flag.String("log-level", "", "Logging level (overrides config file)")
 	logFormat := flag.String("log-format", "", "Logging format (overrides config file)")
@@ -237,6 +246,15 @@ func main() {
 	if *freq != 0 {
 		cfg.Server.Frequency = *freq
 	}
+	if *tlsEnabled {
+		cfg.Server.TLS.Enabled = *tlsEnabled
+	}
+	if *tlsCertFile != "" {
+		cfg.Server.TLS.CertFile = *tlsCertFile
+	}
+	if *tlsKeyFile != "" {
+		cfg.Server.TLS.KeyFile = *tlsKeyFile
+	}
 	if *logLevel != "" {
 		cfg.Logging.Level = *logLevel
 	}
@@ -352,17 +370,36 @@ func main() {
 	listenAddr := fmt.Sprintf("%s:%s", cfg.Server.Host, cfg.Server.Port)
 
 	// Log startup information
+	protocol := "HTTP"
+	if cfg.Server.TLS.Enabled {
+		protocol = "HTTPS"
+	}
 	logger.Info("API server starting",
 		logging.F("address", listenAddr),
+		logging.F("protocol", protocol),
+		logging.F("tls_enabled", cfg.Server.TLS.Enabled),
 		logging.F("version", Version),
 		logging.F("pipeline", pipelineFile),
 		logging.F("log_level", cfg.Logging.Level),
 		logging.F("frequency", cfg.Server.Frequency.String()))
 
-	if err := r.Run(listenAddr); err != nil {
+	// Start server with or without TLS based on configuration
+	var serverErr error
+	if cfg.Server.TLS.Enabled {
+		logger.Info("Starting HTTPS server",
+			logging.F("cert_file", cfg.Server.TLS.CertFile),
+			logging.F("key_file", cfg.Server.TLS.KeyFile))
+		serverErr = r.RunTLS(listenAddr, cfg.Server.TLS.CertFile, cfg.Server.TLS.KeyFile)
+	} else {
+		logger.Info("Starting HTTP server")
+		serverErr = r.Run(listenAddr)
+	}
+
+	if serverErr != nil {
 		logger.Error("API server failed to start",
-			logging.F("error", err.Error()),
-			logging.F("address", listenAddr))
+			logging.F("error", serverErr.Error()),
+			logging.F("address", listenAddr),
+			logging.F("protocol", protocol))
 		os.Exit(1)
 	}
 }

example/config.yaml

@@ -6,11 +6,17 @@ server:
   # HTTP server hostname (default: 127.0.0.1)
   # Environment variable: GT_HOST
   host: "127.0.0.1"
-  
+
+  # TLS/HTTPS configuration
+  tls:
+    enabled: false
+    cert_file: "/etc/certs/go-trust.pem"
+    key_file: "/etc/certsgo-trust.key"
+
   # HTTP server port (default: 6001)
   # Environment variable: GT_PORT
   port: "6001"
-  
+
   # Pipeline update frequency (default: 5m)
   # Accepts duration strings: 10s, 1m, 5m, 1h
   # Environment variable: GT_FREQUENCY
@@ -21,11 +27,11 @@ logging:
   # Log level: debug, info, warn, error, fatal (default: info)
   # Environment variable: GT_LOG_LEVEL
   level: "info"
-  
+
   # Log format: text or json (default: text)
   # Environment variable: GT_LOG_FORMAT
   format: "text"
-  
+
   # Log output: stdout, stderr, or file path (default: stdout)
   # Environment variable: GT_LOG_OUTPUT
   output: "stdout"
@@ -35,15 +41,15 @@ pipeline:
   # Request timeout duration (default: 30s)
   # Environment variable: GT_PIPELINE_TIMEOUT
   timeout: "30s"
-  
+
   # Maximum request size in bytes (default: 10485760 = 10MB)
   # Environment variable: GT_MAX_REQUEST_SIZE
   max_request_size: 10485760
-  
+
   # Maximum number of HTTP redirects to follow (default: 3)
   # Environment variable: GT_MAX_REDIRECTS
   max_redirects: 3
-  
+
   # List of allowed hosts for TSL fetching (wildcard supported)
   # Leave empty to allow all hosts
   # Environment variable: GT_ALLOWED_HOSTS (comma-separated)
@@ -56,11 +62,11 @@ security:
   # API rate limit in requests per second (default: 100)
   # Environment variable: GT_RATE_LIMIT_RPS
   rate_limit_rps: 100
-  
+
   # Enable CORS (Cross-Origin Resource Sharing) (default: false)
   # Environment variable: GT_ENABLE_CORS (true/false)
   enable_cors: false
-  
+
   # List of allowed CORS origins (requires enable_cors: true)
   # Environment variable: GT_ALLOWED_ORIGINS (comma-separated)
   allowed_origins:

pkg/config/config.go

@@ -28,6 +28,14 @@ type ServerConfig struct {
 	Port        string        `yaml:"port"`
 	Frequency   time.Duration `yaml:"frequency"`
 	ExternalURL string        `yaml:"external_url"` // External URL for PDP discovery (e.g., https://pdp.example.com)
+	TLS         TLSConfig     `yaml:"tls"`
+}
+
+// TLSConfig contains TLS/HTTPS server configuration settings.
+type TLSConfig struct {
+	Enabled  bool   `yaml:"enabled"`  // Enable TLS/HTTPS
+	CertFile string `yaml:"cert_file"` // Path to TLS certificate file
+	KeyFile  string `yaml:"key_file"`  // Path to TLS private key file
 }
 
 // LoggingConfig contains logging configuration settings.
@@ -59,6 +67,11 @@ func DefaultConfig() *Config {
 			Host:      "127.0.0.1",
 			Port:      "6001",
 			Frequency: 5 * time.Minute,
+			TLS: TLSConfig{
+				Enabled:  false,
+				CertFile: "",
+				KeyFile:  "",
+			},
 		},
 		Logging: LoggingConfig{
 			Level:  "info",
@@ -130,6 +143,20 @@ func applyEnvOverrides(cfg *Config) {
 			cfg.Server.Frequency = d
 		}
 	}
+	if v := os.Getenv("GT_EXTERNAL_URL"); v != "" {
+		cfg.Server.ExternalURL = v
+	}
+
+	// TLS configuration
+	if v := os.Getenv("GT_TLS_ENABLED"); v != "" {
+		cfg.Server.TLS.Enabled = strings.ToLower(v) == "true" || v == "1"
+	}
+	if v := os.Getenv("GT_TLS_CERT_FILE"); v != "" {
+		cfg.Server.TLS.CertFile = v
+	}
+	if v := os.Getenv("GT_TLS_KEY_FILE"); v != "" {
+		cfg.Server.TLS.KeyFile = v
+	}
 
 	// Logging configuration
 	if v := os.Getenv("GT_LOG_LEVEL"); v != "" {
@@ -187,6 +214,23 @@ func (c *Config) Validate() error {
 		return fmt.Errorf("server frequency must be positive")
 	}
 
+	// Validate TLS configuration
+	if c.Server.TLS.Enabled {
+		if c.Server.TLS.CertFile == "" {
+			return fmt.Errorf("TLS certificate file is required when TLS is enabled")
+		}
+		if c.Server.TLS.KeyFile == "" {
+			return fmt.Errorf("TLS key file is required when TLS is enabled")
+		}
+		// Check if certificate and key files exist
+		if err := validation.ValidateFilePath(c.Server.TLS.CertFile); err != nil {
+			return fmt.Errorf("invalid TLS certificate file: %w", err)
+		}
+		if err := validation.ValidateFilePath(c.Server.TLS.KeyFile); err != nil {
+			return fmt.Errorf("invalid TLS key file: %w", err)
+		}
+	}
+
 	// Validate logging configuration
 	validLevels := map[string]bool{"debug": true, "info": true, "warn": true, "error": true, "fatal": true}
 	if !validLevels[strings.ToLower(c.Logging.Level)] {