Add support for certificate reloading (#21)

Author: gjcairo

Package.swift

@@ -59,6 +59,7 @@ let package = Package(
                 .product(name: "Logging", package: "swift-log"),
                 .product(name: "NIOHTTPTypesHTTP1", package: "swift-nio-extras"),
                 .product(name: "NIOHTTPTypesHTTP2", package: "swift-nio-extras"),
+                .product(name: "NIOCertificateReloading", package: "swift-nio-extras")
             ],
             swiftSettings: extraSettings
         ),

Sources/Example/Example.swift

@@ -26,7 +26,7 @@ struct Example {
             logger: logger,
             configuration: .init(
                 bindTarget: .hostAndPort(host: "127.0.0.1", port: 12345),
-                tlsConfiguration: .certificateChainAndPrivateKey(
+                transportSecurity: .tls(
                     certificateChain: [
                         try Certificate(
                             version: .v3,

Sources/HTTPServer/HTTPServer.swift

@@ -1,5 +1,6 @@
 public import HTTPTypes
 public import Logging
+import NIOCertificateReloading
 import NIOCore
 import NIOHTTP1
 import NIOHTTP2
@@ -164,21 +165,63 @@ public final class Server<RequestHandler: HTTPServerRequestHandler> {
             )
         }
 
-        switch configuration.tlSConfiguration.backing {
-        case .insecure:
+        switch configuration.transportSecurity.backing {
+        case .plaintext:
             try await Self.serveInsecureHTTP1_1(
                 bindTarget: configuration.bindTarget,
                 handler: handler,
                 asyncChannelConfiguration: asyncChannelConfiguration,
                 logger: logger
             )
 
-        case .certificateChainAndPrivateKey(let certificateChain, let privateKey):
-            let http2Config = NIOHTTP2Handler.Configuration(httpServerHTTP2Configuration: configuration.http2)
+        case .reloadingTLS(let certificateReloader):
+            let http2Config = NIOHTTP2Handler.Configuration(
+                httpServerHTTP2Configuration: configuration.http2
+            )
+
+            var tlsConfiguration: TLSConfiguration = try .makeServerConfiguration(
+                certificateReloader: certificateReloader
+            )
+            tlsConfiguration.applicationProtocols = ["h2", "http/1.1"]
+
             try await Self.serveSecureUpgrade(
                 bindTarget: configuration.bindTarget,
+                tlsConfiguration: tlsConfiguration,
+                handler: handler,
+                asyncChannelConfiguration: asyncChannelConfiguration,
+                http2Configuration: http2Config,
+                logger: logger
+            )
+
+        case .staticTLS(let certificateChain, let privateKey):
+            let http2Config = NIOHTTP2Handler.Configuration(
+                httpServerHTTP2Configuration: configuration.http2
+            )
+
+            let certificateChain = try certificateChain
+                .map {
+                    try NIOSSLCertificate(
+                        bytes: $0.serializeAsPEM().derBytes,
+                        format: .der
+                    )
+                }
+                .map { NIOSSLCertificateSource.certificate($0) }
+            let privateKey = NIOSSLPrivateKeySource.privateKey(
+                try NIOSSLPrivateKey(
+                    bytes: privateKey.serializeAsPEM().derBytes,
+                    format: .der
+                )
+            )
+
+            var tlsConfiguration: TLSConfiguration = .makeServerConfiguration(
                 certificateChain: certificateChain,
-                privateKey: privateKey,
+                privateKey: privateKey
+            )
+            tlsConfiguration.applicationProtocols = ["h2", "http/1.1"]
+
+            try await Self.serveSecureUpgrade(
+                bindTarget: configuration.bindTarget,
+                tlsConfiguration: tlsConfiguration,
                 handler: handler,
                 asyncChannelConfiguration: asyncChannelConfiguration,
                 http2Configuration: http2Config,
@@ -225,8 +268,7 @@ public final class Server<RequestHandler: HTTPServerRequestHandler> {
 
     private static func serveSecureUpgrade(
         bindTarget: HTTPServerConfiguration.BindTarget,
-        certificateChain: [Certificate],
-        privateKey: Certificate.PrivateKey,
+        tlsConfiguration: TLSConfiguration,
         handler: RequestHandler,
         asyncChannelConfiguration: NIOAsyncChannel<HTTPRequestPart, HTTPResponsePart>.Configuration,
         http2Configuration: NIOHTTP2Handler.Configuration,
@@ -238,27 +280,6 @@ public final class Server<RequestHandler: HTTPServerRequestHandler> {
                 .serverChannelOption(.socketOption(.so_reuseaddr), value: 1)
                 .bind(host: host, port: port) { channel in
                     channel.eventLoop.makeCompletedFuture {
-                        let certificateChain = try certificateChain
-                            .map {
-                                try NIOSSLCertificate(
-                                    bytes: $0.serializeAsPEM().derBytes,
-                                    format: .der
-                                )
-                            }
-                            .map { NIOSSLCertificateSource.certificate($0) }
-                        let privateKey = NIOSSLPrivateKeySource.privateKey(
-                            try NIOSSLPrivateKey(
-                                bytes: privateKey.serializeAsPEM().derBytes,
-                                format: .der
-                            )
-                        )
-
-                        var tlsConfiguration: TLSConfiguration = .makeServerConfiguration(
-                            certificateChain: certificateChain,
-                            privateKey: privateKey
-                        )
-                        tlsConfiguration.applicationProtocols = ["h2", "http/1.1"]
-
                         try channel.pipeline.syncOperations
                             .addHandler(
                                 NIOSSLServerHandler(

Sources/HTTPServer/HTTPServerConfiguration.swift

@@ -1,4 +1,6 @@
 public import X509
+public import NIOCertificateReloading
+import NIOSSL
 
 /// Configuration settings for the HTTP server.
 ///
@@ -33,34 +35,40 @@ public struct HTTPServerConfiguration: Sendable {
         }
     }
 
-    /// Configuration for TLS/SSL encryption settings.
+    /// Configuration for transport security settings.
     ///
     /// Provides options for running the server with or without TLS encryption.
-    /// When using TLS, you must provide a certificate chain and private key.
-    public struct TLS: Sendable {
+    /// When using TLS, you must either provide a certificate chain and private key, or a `CertificateReloader`.
+    public struct TransportSecurity: Sendable {
         enum Backing {
-            case insecure
-            case certificateChainAndPrivateKey(
+            case plaintext
+            case staticTLS(
                 certificateChain: [Certificate],
                 privateKey: Certificate.PrivateKey
             )
+            case reloadingTLS(certificateReloader: any CertificateReloader)
+
         }
 
         let backing: Backing
 
-        public static let insecure: Self = Self(backing: .insecure)
+        public static let plaintext: Self = Self(backing: .plaintext)
 
-        public static func certificateChainAndPrivateKey(
+        public static func tls(
             certificateChain: [Certificate],
             privateKey: Certificate.PrivateKey
         ) -> Self {
             Self(
-                backing: .certificateChainAndPrivateKey(
+                backing: .staticTLS(
                     certificateChain: certificateChain,
                     privateKey: privateKey
                 )
             )
         }
+
+        public static func tls(certificateReloader: any CertificateReloader) throws -> Self {
+            Self(backing: .reloadingTLS(certificateReloader: certificateReloader))
+        }
     }
 
     /// HTTP/2 specific configuration.
@@ -123,7 +131,7 @@ public struct HTTPServerConfiguration: Sendable {
     public var bindTarget: BindTarget
 
     /// TLS configuration for the server.
-    public var tlSConfiguration: TLS
+    public var transportSecurity: TransportSecurity
 
     /// Backpressure strategy to use in the server.
     public var backpressureStrategy: BackPressureStrategy
@@ -140,12 +148,12 @@ public struct HTTPServerConfiguration: Sendable {
     ///   - http2: A ``HTTP2``. Defaults to ``HTTP2/defaults``.
     public init(
         bindTarget: BindTarget,
-        tlsConfiguration: TLS = .insecure,
+        transportSecurity: TransportSecurity = .plaintext,
         backpressureStrategy: BackPressureStrategy = .watermark(low: 2, high: 10),
         http2: HTTP2 = .defaults
     ) {
         self.bindTarget = bindTarget
-        self.tlSConfiguration = tlsConfiguration
+        self.transportSecurity = transportSecurity
         self.backpressureStrategy = backpressureStrategy
         self.http2 = http2
     }

Tests/HTTPServerTests/HTTPServerTests.swift

@@ -38,6 +38,7 @@ struct HTTPServerTests {
         //}
 
         try await responseConcludingWriter.produceAndConclude { writer in
+            var writer = writer
             try await writer.write([1,2].span)
             return nil
         }