PR changes

gjcairo · gjcairo · commit 2852c842fb50 · 2025-05-14T10:32:14.000+01:00
diff --git a/Sources/NIOCertificateReloading/CertificateReloader.swift b/Sources/NIOCertificateReloading/CertificateReloader.swift
@@ -117,7 +117,7 @@ extension TLSConfiguration {
 
     /// Configure a ``CertificateReloader`` to observe updates for the certificate and key pair used.
     /// - Parameter reloader: A ``CertificateReloader`` to watch for certificate and key pair updates.
-    mutating public func setCertificateReloader(_ reloader: some CertificateReloader) {
+    public mutating func setCertificateReloader(_ reloader: some CertificateReloader) {
         self.sslContextCallback = { _, promise in
             promise.succeed(reloader.sslContextConfigurationOverride)
         }
diff --git a/Sources/NIOCertificateReloading/TimedCertificateReloader.swift b/Sources/NIOCertificateReloading/TimedCertificateReloader.swift
@@ -129,7 +129,7 @@ public struct TimedCertificateReloader: CertificateReloader {
     public struct Location: Sendable, CustomStringConvertible {
         fileprivate enum _Backing: CustomStringConvertible {
             case file(path: String)
-            case memory(provider: @Sendable () -> [UInt8]?)
+            case memory(provider: @Sendable () throws -> [UInt8])
 
             var description: String {
                 switch self {
@@ -157,10 +157,10 @@ public struct TimedCertificateReloader: CertificateReloader {
         public static func file(path: String) -> Self { Self(_Backing.file(path: path)) }
 
         /// This certificate/key is available in memory, and will be provided by the given closure.
-        /// - Parameter provider: A closure providing the bytes for the given certificate or key. This closure should return
-        /// `nil` if a certificate/key isn't currently available for whatever reason.
+        /// - Parameter provider: A closure providing the bytes for the given certificate or key. It may throw if, e.g., a
+        /// certificate or key isn't available.
         /// - Returns: A `Location`.
-        public static func memory(provider: @Sendable @escaping () -> [UInt8]?) -> Self {
+        public static func memory(provider: @Sendable @escaping () throws -> [UInt8]) -> Self {
             Self(_Backing.memory(provider: provider))
         }
     }
@@ -310,7 +310,7 @@ public struct TimedCertificateReloader: CertificateReloader {
     ///   - logger: An optional logger.
     /// - Returns: The newly created ``TimedCertificateReloader``.
     /// - Throws: If either the certificate or private key sources cannot be loaded, an error will be thrown.
-    static public func makeReloaderValidatingSources(
+    public static func makeReloaderValidatingSources(
         refreshInterval: Duration,
         certificateSource: CertificateSource,
         privateKeySource: PrivateKeySource,
@@ -348,18 +348,18 @@ public struct TimedCertificateReloader: CertificateReloader {
 
     /// Manually attempt a certificate and private key pair update.
     public func reload() throws {
-        if let certificateBytes = try self.loadCertificate(),
-            let keyBytes = try self.loadPrivateKey(),
-            let certificate = try self.parseCertificate(from: certificateBytes),
+        let certificateBytes = try self.loadCertificate()
+        let keyBytes = try self.loadPrivateKey()
+        if let certificate = try self.parseCertificate(from: certificateBytes),
             let key = try self.parsePrivateKey(from: keyBytes),
             key.publicKey.isValidSignature(certificate.signature, for: certificate)
         {
             try self.attemptToUpdatePair(certificate: certificate, key: key)
         }
     }
 
-    private func loadCertificate() throws -> [UInt8]? {
-        let certificateBytes: [UInt8]?
+    private func loadCertificate() throws -> [UInt8] {
+        let certificateBytes: [UInt8]
         switch self.certificateSource.location._backing {
         case .file(let path):
             guard let bytes = FileManager.default.contents(atPath: path) else {
@@ -368,13 +368,13 @@ public struct TimedCertificateReloader: CertificateReloader {
             certificateBytes = Array(bytes)
 
         case .memory(let bytesProvider):
-            certificateBytes = bytesProvider()
+            certificateBytes = try bytesProvider()
         }
         return certificateBytes
     }
 
-    private func loadPrivateKey() throws -> [UInt8]? {
-        let keyBytes: [UInt8]?
+    private func loadPrivateKey() throws -> [UInt8] {
+        let keyBytes: [UInt8]
         switch self.privateKeySource.location._backing {
         case .file(let path):
             guard let bytes = FileManager.default.contents(atPath: path) else {
@@ -383,7 +383,7 @@ public struct TimedCertificateReloader: CertificateReloader {
             keyBytes = Array(bytes)
 
         case .memory(let bytesProvider):
-            keyBytes = bytesProvider()
+            keyBytes = try bytesProvider()
         }
         return keyBytes
     }
diff --git a/Tests/NIOCertificateReloadingTests/TimedCertificateReloaderTests.swift b/Tests/NIOCertificateReloadingTests/TimedCertificateReloaderTests.swift
@@ -20,6 +20,12 @@ import SwiftASN1
 import X509
 import XCTest
 
+#if canImport(FoundationEssentials)
+import FoundationEssentials
+#else
+import Foundation
+#endif
+
 final class TimedCertificateReloaderTests: XCTestCase {
     func testCertificatePathDoesNotExist() async throws {
         try await runTimedCertificateReloaderTest(
@@ -58,7 +64,7 @@ final class TimedCertificateReloaderTests: XCTestCase {
     func testKeyPathDoesNotExist() async throws {
         try await runTimedCertificateReloaderTest(
             certificate: .init(
-                location: .memory(provider: { try? Self.sampleCert.serializeAsPEM().derBytes }),
+                location: .memory(provider: { try Self.sampleCert.serializeAsPEM().derBytes }),
                 format: .der
             ),
             privateKey: .init(
@@ -77,7 +83,7 @@ final class TimedCertificateReloaderTests: XCTestCase {
         do {
             try await runTimedCertificateReloaderTest(
                 certificate: .init(
-                    location: .memory(provider: { try? Self.sampleCert.serializeAsPEM().derBytes }),
+                    location: .memory(provider: { try Self.sampleCert.serializeAsPEM().derBytes }),
                     format: .der
                 ),
                 privateKey: .init(
@@ -95,10 +101,39 @@ final class TimedCertificateReloaderTests: XCTestCase {
         }
     }
 
-    func testCertificateIsInUnexpectedFormat() async throws {
+    func testCertificateIsInUnexpectedFormat_FromMemory() async throws {
+        try await runTimedCertificateReloaderTest(
+            certificate: .init(
+                location: .memory(provider: { try Self.sampleCert.serializeAsPEM().derBytes }),
+                format: .pem
+            ),
+            privateKey: .init(
+                location: .memory(provider: { Array(Self.samplePrivateKey.derRepresentation) }),
+                format: .der
+            )
+        ) { reloader in
+            let override = reloader.sslContextConfigurationOverride
+            XCTAssertNil(override.certificateChain)
+            XCTAssertNil(override.privateKey)
+        }
+    }
+
+    private func createTempFile(contents: Data) throws -> URL {
+        let directory = FileManager.default.temporaryDirectory
+        let filename = UUID().uuidString
+        let fileURL = directory.appendingPathComponent(filename)
+        guard FileManager.default.createFile(atPath: fileURL.path, contents: contents) else {
+            throw TestError.couldNotCreateFile
+        }
+        return fileURL
+    }
+
+    func testCertificateIsInUnexpectedFormat_FromFile() async throws {
+        let certBytes = try Self.sampleCert.serializeAsPEM().derBytes
+        let file = try self.createTempFile(contents: Data(certBytes))
         try await runTimedCertificateReloaderTest(
             certificate: .init(
-                location: .memory(provider: { try? Self.sampleCert.serializeAsPEM().derBytes }),
+                location: .file(path: file.path),
                 format: .pem
             ),
             privateKey: .init(
@@ -112,10 +147,10 @@ final class TimedCertificateReloaderTests: XCTestCase {
         }
     }
 
-    func testKeyIsInUnexpectedFormat() async throws {
+    func testKeyIsInUnexpectedFormat_FromMemory() async throws {
         try await runTimedCertificateReloaderTest(
             certificate: .init(
-                location: .memory(provider: { try? Self.sampleCert.serializeAsPEM().derBytes }),
+                location: .memory(provider: { try Self.sampleCert.serializeAsPEM().derBytes }),
                 format: .der
             ),
             privateKey: .init(
@@ -129,10 +164,29 @@ final class TimedCertificateReloaderTests: XCTestCase {
         }
     }
 
+    func testKeyIsInUnexpectedFormat_FromFile() async throws {
+        let keyBytes = Self.samplePrivateKey.derRepresentation
+        let file = try self.createTempFile(contents: keyBytes)
+        try await runTimedCertificateReloaderTest(
+            certificate: .init(
+                location: .memory(provider: { try Self.sampleCert.serializeAsPEM().derBytes }),
+                format: .der
+            ),
+            privateKey: .init(
+                location: .file(path: file.path),
+                format: .pem
+            )
+        ) { reloader in
+            let override = reloader.sslContextConfigurationOverride
+            XCTAssertNil(override.certificateChain)
+            XCTAssertNil(override.privateKey)
+        }
+    }
+
     func testCertificateAndKeyDoNotMatch() async throws {
         try await runTimedCertificateReloaderTest(
             certificate: .init(
-                location: .memory(provider: { try? Self.sampleCert.serializeAsPEM().derBytes }),
+                location: .memory(provider: { try Self.sampleCert.serializeAsPEM().derBytes }),
                 format: .der
             ),
             privateKey: .init(
@@ -146,17 +200,31 @@ final class TimedCertificateReloaderTests: XCTestCase {
         }
     }
 
-    func testReloadSuccessfully() async throws {
-        let certificateBox: NIOLockedValueBox<[UInt8]?> = NIOLockedValueBox(nil)
+    enum TestError: Error {
+        case emptyCertificate
+        case emptyPrivateKey
+        case couldNotCreateFile
+    }
+
+    func testReloadSuccessfully_FromMemory() async throws {
+        let certificateBox: NIOLockedValueBox<[UInt8]> = NIOLockedValueBox([])
         try await runTimedCertificateReloaderTest(
             certificate: .init(
-                location: .memory(provider: { certificateBox.withLockedValue({ $0 }) }),
+                location: .memory(provider: {
+                    let cert = certificateBox.withLockedValue({ $0 })
+                    if cert.isEmpty {
+                        throw TestError.emptyCertificate
+                    }
+                    return cert
+                }),
                 format: .der
             ),
             privateKey: .init(
                 location: .memory(provider: { Array(Self.samplePrivateKey.derRepresentation) }),
                 format: .der
-            )
+            ),
+            // We need to disable validation because the provider will initially be empty.
+            validateSources: false
         ) { reloader in
             // On first attempt, we should have no certificate or private key overrides available,
             // since the certificate box is empty.
@@ -183,13 +251,61 @@ final class TimedCertificateReloaderTests: XCTestCase {
         }
     }
 
+    func testReloadSuccessfully_FromFile() async throws {
+        // Start with empty files.
+        let certificateFile = try self.createTempFile(contents: Data())
+        let privateKeyFile = try self.createTempFile(contents: Data())
+        try await runTimedCertificateReloaderTest(
+            certificate: .init(
+                location: .file(path: certificateFile.path),
+                format: .der
+            ),
+            privateKey: .init(
+                location: .file(path: privateKeyFile.path),
+                format: .der
+            ),
+            // We need to disable validation because the files will not initially have any contents.
+            validateSources: false
+        ) { reloader in
+            // On first attempt, we should have no certificate or private key overrides available,
+            // since the certificate box is empty.
+            var override = reloader.sslContextConfigurationOverride
+            XCTAssertNil(override.certificateChain)
+            XCTAssertNil(override.privateKey)
+
+            // Update the files to contain data
+            try Data(try Self.sampleCert.serializeAsPEM().derBytes).write(to: certificateFile)
+            try Self.samplePrivateKey.derRepresentation.write(to: privateKeyFile)
+
+            // Give the reload loop some time to run and update the cert-key pair.
+            try await Task.sleep(for: .milliseconds(100), tolerance: .zero)
+
+            // Now the overrides should be present.
+            override = reloader.sslContextConfigurationOverride
+            XCTAssertEqual(
+                override.certificateChain,
+                [.certificate(try .init(bytes: Self.sampleCert.serializeAsPEM().derBytes, format: .der))]
+            )
+            XCTAssertEqual(
+                override.privateKey,
+                .privateKey(try .init(bytes: Array(Self.samplePrivateKey.derRepresentation), format: .der))
+            )
+        }
+    }
+
     func testCertificateNotFoundAtReload() async throws {
-        let certificateBox: NIOLockedValueBox<[UInt8]?> = NIOLockedValueBox(
+        let certificateBox: NIOLockedValueBox<[UInt8]> = NIOLockedValueBox(
             try! Self.sampleCert.serializeAsPEM().derBytes
         )
         try await runTimedCertificateReloaderTest(
             certificate: .init(
-                location: .memory(provider: { certificateBox.withLockedValue({ $0 }) }),
+                location: .memory(provider: {
+                    let cert = certificateBox.withLockedValue({ $0 })
+                    if cert.isEmpty {
+                        throw TestError.emptyCertificate
+                    }
+                    return cert
+                }),
                 format: .der
             ),
             privateKey: .init(
@@ -208,8 +324,8 @@ final class TimedCertificateReloaderTests: XCTestCase {
                 .privateKey(try .init(bytes: Array(Self.samplePrivateKey.derRepresentation), format: .der))
             )
 
-            // Update the box to not contain a certificate.
-            certificateBox.withLockedValue({ $0 = nil })
+            // Update the box to contain empty bytes: this will cause the provider to throw.
+            certificateBox.withLockedValue({ $0 = [] })
 
             // Give the reload loop some time to run and update the cert-key pair.
             try await Task.sleep(for: .milliseconds(100), tolerance: .zero)
@@ -228,16 +344,22 @@ final class TimedCertificateReloaderTests: XCTestCase {
     }
 
     func testKeyNotFoundAtReload() async throws {
-        let keyBox: NIOLockedValueBox<[UInt8]?> = NIOLockedValueBox(
+        let keyBox: NIOLockedValueBox<[UInt8]> = NIOLockedValueBox(
             Array(Self.samplePrivateKey.derRepresentation)
         )
         try await runTimedCertificateReloaderTest(
             certificate: .init(
-                location: .memory(provider: { try! Self.sampleCert.serializeAsPEM().derBytes }),
+                location: .memory(provider: { try Self.sampleCert.serializeAsPEM().derBytes }),
                 format: .der
             ),
             privateKey: .init(
-                location: .memory(provider: { keyBox.withLockedValue({ $0 }) }),
+                location: .memory(provider: {
+                    let key = keyBox.withLockedValue({ $0 })
+                    if key.isEmpty {
+                        throw TestError.emptyPrivateKey
+                    }
+                    return key
+                }),
                 format: .der
             )
         ) { reloader in
@@ -252,8 +374,8 @@ final class TimedCertificateReloaderTests: XCTestCase {
                 .privateKey(try .init(bytes: Array(Self.samplePrivateKey.derRepresentation), format: .der))
             )
 
-            // Update the box to not contain a key.
-            keyBox.withLockedValue({ $0 = nil })
+            // Update the box to contain empty bytes: this will cause the provider to throw.
+            keyBox.withLockedValue({ $0 = [] })
 
             // Give the reload loop some time to run and update the cert-key pair.
             try await Task.sleep(for: .milliseconds(100), tolerance: .zero)
@@ -272,12 +394,12 @@ final class TimedCertificateReloaderTests: XCTestCase {
     }
 
     func testCertificateAndKeyDoNotMatchOnReload() async throws {
-        let keyBox: NIOLockedValueBox<[UInt8]?> = NIOLockedValueBox(
+        let keyBox: NIOLockedValueBox<[UInt8]> = NIOLockedValueBox(
             Array(Self.samplePrivateKey.derRepresentation)
         )
         try await runTimedCertificateReloaderTest(
             certificate: .init(
-                location: .memory(provider: { try! Self.sampleCert.serializeAsPEM().derBytes }),
+                location: .memory(provider: { try Self.sampleCert.serializeAsPEM().derBytes }),
                 format: .der
             ),
             privateKey: .init(

Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,7 @@ extension TLSConfiguration {`
`117`	`117`
`118`	`118`	/// Configure a ``CertificateReloader`` to observe updates for the certificate and key pair used.
`119`	`119`	/// - Parameter reloader: A ``CertificateReloader`` to watch for certificate and key pair updates.
`120`		`- mutating public func setCertificateReloader(_ reloader: some CertificateReloader) {`
	`120`	`+ public mutating func setCertificateReloader(_ reloader: some CertificateReloader) {`
`121`	`121`	`self.sslContextCallback = { _, promise in`
`122`	`122`	`promise.succeed(reloader.sslContextConfigurationOverride)`
`123`	`123`	`}`