Move more logic into ctlog.go (#114)

* Move more logic into ctlog.go

* return http.Handler, delete cros and co

* remove TODO

Author: phbnf

cmd/gcp/main.go

@@ -29,9 +29,7 @@ import (
 	"time"
 
 	"github.com/google/trillian/monitoring/opencensus"
-	"github.com/google/trillian/monitoring/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"github.com/rs/cors"
 	sctfe "github.com/transparency-dev/static-ct"
 	gcpSCTFE "github.com/transparency-dev/static-ct/storage/gcp"
 	tessera "github.com/transparency-dev/trillian-tessera"
@@ -76,7 +74,6 @@ func main() {
 	flag.Parse()
 	ctx := context.Background()
 
-	timeSource := sctfe.SystemTimeSource{}
 	signer, err := NewSecretManagerSigner(ctx, *signerPublicKeySecretName, *signerPrivateKeySecretName)
 	if err != nil {
 		klog.Exitf("Can't create secret manager signer: %v", err)
@@ -92,58 +89,20 @@ func main() {
 		NotAfterLimit:    notAfterLimit.t,
 	}
 
-	log, err := sctfe.NewLog(ctx, *origin, signer, chainValidationConfig, timeSource, newGCPStorage)
+	logHandler, err := sctfe.NewLogHandler(ctx, *origin, signer, chainValidationConfig, newGCPStorage, *httpDeadline, *maskInternalErrors)
 	if err != nil {
-		klog.Exitf("Invalid log config: %v", err)
+		klog.Exitf("Can't initialize CT HTTP Server: %v", err)
 	}
 
-	opts := &sctfe.HandlerOptions{
-		Deadline:           *httpDeadline,
-		MetricFactory:      prometheus.MetricFactory{},
-		RequestLog:         &sctfe.DefaultRequestLog{},
-		MaskInternalErrors: *maskInternalErrors,
-		TimeSource:         timeSource,
-	}
-
-	handlers := sctfe.NewPathHandlers(opts, log)
-
 	klog.CopyStandardLogTo("WARNING")
 	klog.Info("**** CT HTTP Server Starting ****")
+	http.Handle("/", logHandler)
 
 	metricsAt := *metricsEndpoint
 	if metricsAt == "" {
 		metricsAt = *httpEndpoint
 	}
 
-	// Allow cross-origin requests to all handlers registered on corsMux.
-	// This is safe for CT log handlers because the log is public and
-	// unauthenticated so cross-site scripting attacks are not a concern.
-	corsMux := http.NewServeMux()
-	corsHandler := cors.AllowAll().Handler(corsMux)
-	http.Handle("/", corsHandler)
-
-	// Register handlers for all the configured logs.
-	for path, handler := range handlers {
-		corsMux.Handle(path, handler)
-	}
-
-	// Return a 200 on the root, for GCE default health checking :/
-	corsMux.HandleFunc("/", func(resp http.ResponseWriter, req *http.Request) {
-		if req.URL.Path == "/" {
-			resp.WriteHeader(http.StatusOK)
-		} else {
-			resp.WriteHeader(http.StatusNotFound)
-		}
-	})
-
-	// Export a healthz target.
-	corsMux.HandleFunc("/healthz", func(resp http.ResponseWriter, req *http.Request) {
-		// TODO(al): Wire this up to tell the truth.
-		if _, err := resp.Write([]byte("ok")); err != nil {
-			klog.Errorf("resp.Write(): %v", err)
-		}
-	})
-
 	if metricsAt != *httpEndpoint {
 		// Run a separate handler for metrics.
 		go func() {

ctlog.go

@@ -20,6 +20,7 @@ import (
 	"crypto/ecdsa"
 	"errors"
 	"fmt"
+	"net/http"
 	"strconv"
 	"strings"
 	"time"
@@ -82,7 +83,12 @@ type log struct {
 	storage Storage
 }
 
-func NewLog(ctx context.Context, origin string, signer crypto.Signer, cfg ChainValidationConfig, ts timeSource, cs CreateStorage) (*log, error) {
+var sysTimeSource = SystemTimeSource{}
+
+// newLog instantiates a new log instance, with write endpoints.
+// It initiates chain validation to validate writes, and storage to persist
+// chains.
+func newLog(ctx context.Context, origin string, signer crypto.Signer, cfg ChainValidationConfig, cs CreateStorage) (*log, error) {
 	log := &log{}
 
 	if origin == "" {
@@ -110,7 +116,7 @@ func NewLog(ctx context.Context, origin string, signer crypto.Signer, cfg ChainV
 	}
 	log.chainValidationOpts = *vlc
 
-	cpSigner, err := newCpSigner(signer, origin, ts)
+	cpSigner, err := newCpSigner(signer, origin, sysTimeSource)
 	if err != nil {
 		klog.Exitf("failed to create checkpoint Signer: %v", err)
 	}
@@ -217,3 +223,29 @@ var stringToKeyUsage = map[string]x509.ExtKeyUsage{
 	"MicrosoftServerGatedCrypto": x509.ExtKeyUsageMicrosoftServerGatedCrypto,
 	"NetscapeServerGatedCrypto":  x509.ExtKeyUsageNetscapeServerGatedCrypto,
 }
+
+// NewLogHandler creates a Tessera based CT log pluged into HTTP handlers.
+// The HTTP server handlers implement https://c2sp.org/static-ct-api write
+// endpoints.
+func NewLogHandler(ctx context.Context, origin string, signer crypto.Signer, cfg ChainValidationConfig, cs CreateStorage, httpDeadline time.Duration, maskInternalErrors bool) (http.Handler, error) {
+	log, err := newLog(ctx, origin, signer, cfg, cs)
+	if err != nil {
+		return nil, fmt.Errorf("newLog(): %v", err)
+	}
+
+	opts := &HandlerOptions{
+		Deadline:           httpDeadline,
+		RequestLog:         &DefaultRequestLog{},
+		MaskInternalErrors: maskInternalErrors,
+		TimeSource:         sysTimeSource,
+	}
+
+	handlers := NewPathHandlers(opts, log)
+	mux := http.NewServeMux()
+	// Register handlers for all the configured logs.
+	for path, handler := range handlers {
+		mux.Handle(path, handler)
+	}
+
+	return mux, nil
+}

ctlog_test.go

@@ -180,7 +180,7 @@ func TestNewLog(t *testing.T) {
 		},
 	} {
 		t.Run(tc.desc, func(t *testing.T) {
-			log, err := NewLog(ctx, tc.origin, tc.signer, tc.cvcfg, SystemTimeSource{},
+			log, err := newLog(ctx, tc.origin, tc.signer, tc.cvcfg,
 				func(_ context.Context, _ note.Signer) (*CTStorage, error) {
 					return &CTStorage{}, nil
 				})

handlers.go

@@ -172,6 +172,7 @@ func NewPathHandlers(opts *HandlerOptions, log *log) pathHandlers {
 	prefix := strings.TrimRight(log.origin, "/")
 
 	// Bind each endpoint to an appHandler instance.
+	// TODO(phboneff): try and get rid of PathHandlers and appHandler
 	ph := pathHandlers{
 		prefix + ct.AddChainPath:    appHandler{opts: opts, log: log, handler: addChain, name: addChainName, method: http.MethodPost},
 		prefix + ct.AddPreChainPath: appHandler{opts: opts, log: log, handler: addPreChain, name: addPreChainName, method: http.MethodPost},