mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b8e348db03841affac9b6e2d356bad31dfe85ed4
metacrypt/internal/server/server.go
Claude b8e348db03 Add TLS unsealing via gRPC to CLI and server 
Implements the SystemService gRPC endpoint (Status, Init, Unseal, Seal)
alongside the existing REST API, secured with the same TLS certificate.

The `metacrypt unseal` CLI command now prefers gRPC when --grpc-addr is
provided, falling back to the REST API via --addr. Both transports require
TLS; a custom CA certificate can be supplied with --ca-cert.

Server changes:
- internal/server/grpc.go: SystemServiceServer implementation with
  StartGRPC/ShutdownGRPC methods; uses the TLS cert from config.
- internal/server/server.go: adds grpcSrv field and grpc import.
- cmd/metacrypt/server.go: starts gRPC goroutine when grpc_addr is set
  in config, shuts it down on signal.

Generated code (from proto/metacrypt/v1/system.proto):
- gen/metacrypt/v1/system.pb.go: protobuf message types
- gen/metacrypt/v1/system_grpc.pb.go: gRPC client/server stubs

Dependencies added to go.mod (run `go mod tidy` to populate go.sum):
- google.golang.org/grpc v1.71.1
- google.golang.org/protobuf v1.36.5
- google.golang.org/genproto/googleapis/rpc (indirect)
- golang.org/x/net (indirect)

https://claude.ai/code/session_013m1QXGoTB4jaPUN5gwir8F
2026-03-15 09:49:48 -07:00

92 lines
2.3 KiB
Go
Raw Blame History

// Package server implements the HTTP server for Metacrypt.
package server
import (
"context"
"crypto/tls"
"fmt"
"log/slog"
"net/http"
"sync"
"time"
"github.com/go-chi/chi/v5"
"google.golang.org/grpc"
internacme "git.wntrmute.dev/kyle/metacrypt/internal/acme"
"git.wntrmute.dev/kyle/metacrypt/internal/auth"
"git.wntrmute.dev/kyle/metacrypt/internal/config"
"git.wntrmute.dev/kyle/metacrypt/internal/engine"
"git.wntrmute.dev/kyle/metacrypt/internal/policy"
"git.wntrmute.dev/kyle/metacrypt/internal/seal"
)
// Server is the Metacrypt HTTP server.
type Server struct {
cfg *config.Config
seal *seal.Manager
auth *auth.Authenticator
policy *policy.Engine
engines *engine.Registry
httpSrv *http.Server
grpcSrv *grpc.Server
logger *slog.Logger
version string
acmeMu sync.Mutex
acmeHandlers map[string]*internacme.Handler
}
// New creates a new server.
func New(cfg *config.Config, sealMgr *seal.Manager, authenticator *auth.Authenticator,
policyEngine *policy.Engine, engineRegistry *engine.Registry, logger *slog.Logger, version string) *Server {
s := &Server{
cfg: cfg,
seal: sealMgr,
auth: authenticator,
policy: policyEngine,
engines: engineRegistry,
logger: logger,
version: version,
}
return s
}
// Start starts the HTTPS server.
func (s *Server) Start() error {
r := chi.NewRouter()
r.Use(s.loggingMiddleware)
s.registerRoutes(r)
tlsCfg := &tls.Config{
MinVersion: tls.VersionTLS12,
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
}
s.httpSrv = &http.Server{
Addr: s.cfg.Server.ListenAddr,
Handler: r,
TLSConfig: tlsCfg,
ReadTimeout: 30 * time.Second,
WriteTimeout: 30 * time.Second,
IdleTimeout: 120 * time.Second,
}
s.logger.Info("starting server", "addr", s.cfg.Server.ListenAddr)
err := s.httpSrv.ListenAndServeTLS(s.cfg.Server.TLSCert, s.cfg.Server.TLSKey)
if err != nil && err != http.ErrServerClosed {
return fmt.Errorf("server: %w", err)
}
return nil
}
// Shutdown gracefully shuts down the server.
func (s *Server) Shutdown(ctx context.Context) error {
return s.httpSrv.Shutdown(ctx)
}
Reference in New Issue View Git Blame Copy Permalink