Update client certificates automatically

CHANGELOG-draft.md

@@ -25,3 +25,4 @@ THIS FILE ACCUMULATES THE RELEASE NOTES FOR THE UPCOMING RELEASE.
 ## Federation changes
 
 * Ensure clients only receive messages meant for them in remote convs (#1739)
+* Federator CA store and client credentials are now automatically reloaded (#1730)

services/federator/federator.cabal

@@ -4,7 +4,7 @@ cabal-version: 1.12
 --
 -- see: https://github.com/sol/hpack
 --
--- hash: aef5b26595440dc41b2afea5b58468827dd4bdc290b406e49e8e2263ad2a81ad
+-- hash: 9a181e3a92130220d845ad959ca6e02a217b07a38602513bff4c9376a4ffe145
 
 name:           federator
 version:        1.0.0
@@ -40,6 +40,8 @@ library
       Federator.Env
       Federator.ExternalServer
       Federator.InternalServer
+      Federator.Monitor
+      Federator.Monitor.Internal
       Federator.Options
       Federator.Remote
       Federator.Run
@@ -59,12 +61,15 @@ library
     , base
     , bilge
     , bytestring
+    , containers
     , data-default
     , dns
     , dns-util
     , either
     , exceptions
     , extended
+    , filepath
+    , hinotify
     , http-client
     , http-client-openssl
     , http-types
@@ -90,6 +95,7 @@ library
     , tinylog
     , tls
     , types-common
+    , unix
     , unliftio
     , uri-bytestring
     , uuid
@@ -119,13 +125,16 @@ executable federator
     , base
     , bilge
     , bytestring
+    , containers
     , data-default
     , dns
     , dns-util
     , either
     , exceptions
     , extended
     , federator
+    , filepath
+    , hinotify
     , http-client
     , http-client-openssl
     , http-types
@@ -151,6 +160,7 @@ executable federator
     , tinylog
     , tls
     , types-common
+    , unix
     , unliftio
     , uri-bytestring
     , uuid
@@ -184,6 +194,7 @@ executable federator-integration
     , base
     , bilge
     , bytestring
+    , containers
     , cryptonite
     , data-default
     , dns
@@ -192,6 +203,8 @@ executable federator-integration
     , exceptions
     , extended
     , federator
+    , filepath
+    , hinotify
     , hspec
     , http-client
     , http-client-openssl
@@ -222,6 +235,7 @@ executable federator-integration
     , tinylog
     , tls
     , types-common
+    , unix
     , unliftio
     , uri-bytestring
     , uuid
@@ -243,6 +257,7 @@ test-suite federator-tests
   other-modules:
       Test.Federator.ExternalServer
       Test.Federator.InternalServer
+      Test.Federator.Monitor
       Test.Federator.Options
       Test.Federator.Remote
       Test.Federator.Validation
@@ -258,13 +273,17 @@ test-suite federator-tests
     , base
     , bilge
     , bytestring
+    , containers
     , data-default
+    , directory
     , dns
     , dns-util
     , either
     , exceptions
     , extended
     , federator
+    , filepath
+    , hinotify
     , http-client
     , http-client-openssl
     , http-types
@@ -291,10 +310,14 @@ test-suite federator-tests
     , string-conversions
     , tasty
     , tasty-hunit
+    , tasty-quickcheck
+    , temporary
     , text
     , tinylog
     , tls
+    , transformers
     , types-common
+    , unix
     , unliftio
     , uri-bytestring
     , uuid

services/federator/federator.integration.yaml

@@ -31,7 +31,7 @@ optSettings:
   #     - wire.com
   #     - example.com
 
-  useSystemCAStore: true
+  useSystemCAStore: false
 
   clientCertificate: "test/resources/integration-leaf.pem"
   clientPrivateKey: "test/resources/integration-leaf-key.pem"

services/federator/package.yaml

@@ -14,12 +14,15 @@ dependencies:
 - base
 - bilge
 - bytestring
+- containers
 - data-default
 - dns
 - dns-util
 - either
 - exceptions
 - extended
+- filepath
+- hinotify
 - HsOpenSSL
 - HsOpenSSL-x509-system
 - http2-client
@@ -47,6 +50,7 @@ dependencies:
 - tinylog
 - tls
 - types-common
+- unix
 - unliftio
 - uri-bytestring
 - uuid
@@ -100,12 +104,16 @@ tests:
     - -with-rtsopts=-N
     dependencies:
     - bytestring
+    - directory
     - federator
     - interpolate
     - polysemy-mocks
     - streaming-commons
     - tasty
+    - tasty-quickcheck
     - tasty-hunit
+    - temporary
+    - transformers
     - wai
     - warp
     - warp-tls

services/federator/src/Federator/Env.hs

@@ -26,6 +26,7 @@ import Control.Lens (makeLenses)
 import Data.Metrics (Metrics)
 import Data.X509.CertificateStore
 import Federator.Options (RunSettings)
+import Imports
 import Network.DNS.Resolver (Resolver)
 import qualified Network.HTTP.Client as HTTP
 import qualified Network.TLS as TLS
@@ -45,7 +46,7 @@ data Env = Env
     _runSettings :: RunSettings,
     _service :: Component -> RPC.Request,
     _httpManager :: HTTP.Manager,
-    _tls :: TLSSettings
+    _tls :: IORef TLSSettings
   }
 
 makeLenses ''TLSSettings

services/federator/src/Federator/InternalServer.hs

@@ -41,6 +41,7 @@ import qualified Mu.Server as Mu
 import Polysemy
 import qualified Polysemy.Error as Polysemy
 import Polysemy.IO (embedToMonadIO)
+import qualified Polysemy.Input as Polysemy
 import qualified Polysemy.Reader as Polysemy
 import Polysemy.TinyLog (TinyLog)
 import qualified Polysemy.TinyLog as Log
@@ -102,19 +103,19 @@ serveOutward env port = do
            TinyLog,
            DNSLookup,
            Polysemy.Error ServerError,
-           Embed IO,
            Polysemy.Reader RunSettings,
-           Polysemy.Reader TLSSettings,
+           Polysemy.Input TLSSettings,
+           Embed IO,
            Embed Federator
          ]
         a ->
       ServerErrorIO a
     transformer action =
       runAppT env
         . runM -- Embed Federator
-        . Polysemy.runReader (view tls env) -- Reader TLSSettings
-        . Polysemy.runReader (view runSettings env) -- Reader RunSettings
         . embedToMonadIO @Federator -- Embed IO
+        . Polysemy.runInputSem (embed @IO (readIORef (view tls env))) -- Input TLSSettings
+        . Polysemy.runReader (view runSettings env) -- Reader RunSettings
         . absorbServerError
         . Lookup.runDNSLookupWithResolver (view dnsResolver env)
         . Log.runTinyLog (view applog env)

services/federator/src/Federator/Monitor.hs

@@ -0,0 +1,53 @@
+-- This file is part of the Wire Server implementation.
+--
+-- Copyright (C) 2021 Wire Swiss GmbH <opensource@wire.com>
+--
+-- This program is free software: you can redistribute it and/or modify it under
+-- the terms of the GNU Affero General Public License as published by the Free
+-- Software Foundation, either version 3 of the License, or (at your option) any
+-- later version.
+--
+-- This program is distributed in the hope that it will be useful, but WITHOUT
+-- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+-- details.
+--
+-- You should have received a copy of the GNU Affero General Public License along
+-- with this program. If not, see <https://www.gnu.org/licenses/>.
+
+module Federator.Monitor
+  ( withMonitor,
+    mkTLSSettingsOrThrow,
+    FederationSetupError (..),
+  )
+where
+
+import Control.Exception (bracket, throw)
+import Federator.Env (TLSSettings (..))
+import Federator.Monitor.Internal
+import Federator.Options (RunSettings (..))
+import Imports
+import qualified Polysemy
+import qualified Polysemy.Error as Polysemy
+import System.Logger (Logger)
+
+mkTLSSettingsOrThrow :: RunSettings -> IO TLSSettings
+mkTLSSettingsOrThrow =
+  Polysemy.runM
+    . (either (Polysemy.embed @IO . throw) pure =<<)
+    . Polysemy.runError @FederationSetupError
+    . mkTLSSettings
+
+withMonitor :: Logger -> IORef TLSSettings -> RunSettings -> IO a -> IO a
+withMonitor logger tlsVar rs action =
+  bracket
+    ( runSemDefault
+        logger
+        ( mkMonitor
+            (runSemDefault logger . logAndIgnoreErrors)
+            tlsVar
+            rs
+        )
+    )
+    (runSemDefault logger . delMonitor)
+    (const action)