Pull request 2382: AGDNS-2714-tls-config

Merge in DNS/adguard-home from AGDNS-2714-tls-config to master

Squashed commit of the following:

commit 073e5ec367db02690e9527602a1da6bfd29321a0
Merge: 18f38c9d4 4d258972d
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Wed Apr 16 18:25:23 2025 +0300

    Merge branch 'master' into AGDNS-2714-tls-config

commit 18f38c9d44337752c6d0f09142658f374de0979f
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Fri Apr 11 15:02:00 2025 +0300

    dnsforward: imp docs

commit ed56d3c2bc239bdc9af000d847721c4c43d173a3
Merge: 3ef281ea2 1cc6c00e4
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Thu Apr 10 17:25:08 2025 +0300

    Merge branch 'master' into AGDNS-2714-tls-config

commit 3ef281ea28dc1fcab0a1291fb3221e6324077a10
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Thu Apr 10 17:24:29 2025 +0300

    all: imp docs

commit b75f2874a816d4814d218c3b062d532f02e26ca5
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Mon Apr 7 17:16:59 2025 +0300

    dnsforward: imp code

commit 8ab17b96bca957a172062faaa23b72d5c7ed4d0d
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Fri Apr 4 21:26:37 2025 +0300

    all: imp code

commit 1abce97b50fe0406dd1ec85b96a0f99b633325cc
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Wed Apr 2 18:22:15 2025 +0300

    home: imp code

commit debf710f4ebbdfe3e4d2f15b1adcf6b86f8dfc0d
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Tue Apr 1 14:52:21 2025 +0300

    home: imp code

commit 4aa26f15b721f2a3f32da29b3f664a02bc5a8608
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Tue Apr 1 14:16:16 2025 +0300

    all: imp code

commit 1a3e72f7a1276f9f797caf9b615f8a552cc9e988
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Mon Mar 31 21:22:40 2025 +0300

    all: imp code

commit 776ab824aef18ea27b59c02ebfc8620c715a867e
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Thu Mar 27 14:00:33 2025 +0300

    home: tls config mu

commit 9ebf912f530181043df5c583e82291484996429a
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Wed Mar 26 18:58:47 2025 +0300

    all: tls config

internal/home/tls.go

@@ -24,11 +24,9 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
-	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/logutil/slogutil"
 	"github.com/c2h5oh/datasize"
-	"github.com/google/go-cmp/cmp"
 )
 
 // tlsManager contains the current configuration and state of AdGuard Home TLS
@@ -37,6 +35,9 @@ type tlsManager struct {
 	// logger is used for logging the operation of the TLS Manager.
 	logger *slog.Logger
 
+	// mu protects status, certLastMod, conf, and servePlainDNS.
+	mu *sync.Mutex
+
 	// status is the current status of the configuration.  It is never nil.
 	status *tlsConfigStatus
 
@@ -52,6 +53,9 @@ type tlsManager struct {
 	// Resolve it.
 	web *webAPI
 
+	// conf contains the TLS configuration settings.  It must not be nil.
+	conf *tlsConfigSettings
+
 	// configModified is called when the TLS configuration is changed via an
 	// HTTP request.
 	configModified func()
@@ -59,9 +63,6 @@ type tlsManager struct {
 	// customCipherIDs are the ID of the cipher suites that AdGuard Home must use.
 	customCipherIDs []uint16
 
-	confLock sync.Mutex
-	conf     tlsConfigSettings
-
 	// servePlainDNS defines if plain DNS is allowed for incoming requests.
 	servePlainDNS bool
 }
@@ -91,9 +92,10 @@ type tlsManagerConfig struct {
 func newTLSManager(ctx context.Context, conf *tlsManagerConfig) (m *tlsManager, err error) {
 	m = &tlsManager{
 		logger:         conf.logger,
+		mu:             &sync.Mutex{},
 		configModified: conf.configModified,
 		status:         &tlsConfigStatus{},
-		conf:           conf.tlsSettings,
+		conf:           &conf.tlsSettings,
 		servePlainDNS:  conf.servePlainDNS,
 	}
 
@@ -112,17 +114,22 @@ func newTLSManager(ctx context.Context, conf *tlsManagerConfig) (m *tlsManager,
 		m.logger.InfoContext(ctx, "using default ciphers")
 	}
 
-	if m.conf.Enabled {
-		err = m.load(ctx)
-		if err != nil {
-			m.conf.Enabled = false
+	m.mu.Lock()
+	defer m.mu.Unlock()
 
-			return m, err
-		}
-
-		m.setCertFileTime(ctx)
+	if !m.conf.Enabled {
+		return m, nil
 	}
 
+	err = m.load(ctx)
+	if err != nil {
+		m.conf.Enabled = false
+
+		return m, err
+	}
+
+	m.setCertFileTime(ctx)
+
 	return m, nil
 }
 
@@ -136,8 +143,9 @@ func (m *tlsManager) setWebAPI(webAPI *webAPI) {
 }
 
 // load reloads the TLS configuration from files or data from the config file.
+// m.mu is expected to be locked.
 func (m *tlsManager) load(ctx context.Context) (err error) {
-	err = m.loadTLSConf(ctx, &m.conf, m.status)
+	err = m.loadTLSConfig(ctx, m.conf, m.status)
 	if err != nil {
 		return fmt.Errorf("loading config: %w", err)
 	}
@@ -145,15 +153,16 @@ func (m *tlsManager) load(ctx context.Context) (err error) {
 	return nil
 }
 
-// WriteDiskConfig - write config
-func (m *tlsManager) WriteDiskConfig(conf *tlsConfigSettings) {
-	m.confLock.Lock()
-	*conf = m.conf
-	m.confLock.Unlock()
+// config returns a deep copy of the stored TLS configuration.
+func (m *tlsManager) config() (conf *tlsConfigSettings) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	return m.conf.clone()
 }
 
 // setCertFileTime sets [tlsManager.certLastMod] from the certificate.  If there
-// are errors, setCertFileTime logs them.
+// are errors, setCertFileTime logs them.  m.mu is expected to be locked.
 func (m *tlsManager) setCertFileTime(ctx context.Context) {
 	if len(m.conf.CertificatePath) == 0 {
 		return
@@ -175,21 +184,21 @@ func (m *tlsManager) setCertFileTime(ctx context.Context) {
 func (m *tlsManager) start(_ context.Context) {
 	m.registerWebHandlers()
 
-	m.confLock.Lock()
-	tlsConf := m.conf
-	m.confLock.Unlock()
+	m.mu.Lock()
+	defer m.mu.Unlock()
 
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
 	// request.
-	m.web.tlsConfigChanged(context.Background(), tlsConf)
+	m.web.tlsConfigChanged(context.Background(), m.conf)
 }
 
 // reload updates the configuration and restarts the TLS manager.
 func (m *tlsManager) reload(ctx context.Context) {
-	m.confLock.Lock()
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
 	tlsConf := m.conf
-	m.confLock.Unlock()
 
 	if !tlsConf.Enabled || len(tlsConf.CertificatePath) == 0 {
 		return
@@ -211,9 +220,7 @@ func (m *tlsManager) reload(ctx context.Context) {
 
 	m.logger.InfoContext(ctx, "certificate file is modified")
 
-	m.confLock.Lock()
 	err = m.load(ctx)
-	m.confLock.Unlock()
 	if err != nil {
 		m.logger.ErrorContext(ctx, "reloading", slogutil.KeyError, err)
 
@@ -227,10 +234,6 @@ func (m *tlsManager) reload(ctx context.Context) {
 		m.logger.ErrorContext(ctx, "reconfiguring dns server", slogutil.KeyError, err)
 	}
 
-	m.confLock.Lock()
-	tlsConf = m.conf
-	m.confLock.Unlock()
-
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
 	// request.
@@ -238,15 +241,12 @@ func (m *tlsManager) reload(ctx context.Context) {
 }
 
 // reconfigureDNSServer updates the DNS server configuration using the stored
-// TLS settings.
+// TLS settings.  m.mu is expected to be locked.
 func (m *tlsManager) reconfigureDNSServer() (err error) {
-	tlsConf := &tlsConfigSettings{}
-	m.WriteDiskConfig(tlsConf)
-
 	newConf, err := newServerConfig(
 		&config.DNS,
 		config.Clients.Sources,
-		tlsConf,
+		m.conf,
 		m,
 		httpRegister,
 		globalContext.clients.storage,
@@ -263,9 +263,11 @@ func (m *tlsManager) reconfigureDNSServer() (err error) {
 	return nil
 }
 
-// loadTLSConf loads and validates the TLS configuration.  The returned error is
-// also set in status.WarningValidation.
-func (m *tlsManager) loadTLSConf(
+// loadTLSConfig loads and validates the TLS configuration.  It also sets
+// [tlsConfigSettings.CertificateChainData] and
+// [tlsConfigSettings.PrivateKeyData] properties.  The returned error is also
+// set in status.WarningValidation.
+func (m *tlsManager) loadTLSConfig(
 	ctx context.Context,
 	tlsConf *tlsConfigSettings,
 	status *tlsConfigStatus,
@@ -357,10 +359,10 @@ type tlsConfigStatus struct {
 	KeyType string `json:"key_type,omitempty"`
 
 	// NotBefore is the NotBefore field of the first certificate in the chain.
-	NotBefore time.Time `json:"not_before,omitempty"`
+	NotBefore time.Time `json:"not_before"`
 
 	// NotAfter is the NotAfter field of the first certificate in the chain.
-	NotAfter time.Time `json:"not_after,omitempty"`
+	NotAfter time.Time `json:"not_after"`
 
 	// WarningValidation is a validation warning message with the issue
 	// description.
@@ -410,15 +412,23 @@ type tlsConfigSettingsExt struct {
 
 // handleTLSStatus is the handler for the GET /control/tls/status HTTP API.
 func (m *tlsManager) handleTLSStatus(w http.ResponseWriter, r *http.Request) {
-	m.confLock.Lock()
+	var tlsConf *tlsConfigSettings
+	var servePlainDNS bool
+	func() {
+		m.mu.Lock()
+		defer m.mu.Unlock()
+
+		tlsConf = m.conf.clone()
+		servePlainDNS = m.servePlainDNS
+	}()
+
 	data := tlsConfig{
 		tlsConfigSettingsExt: tlsConfigSettingsExt{
-			tlsConfigSettings: m.conf,
-			ServePlainDNS:     aghalg.BoolToNullBool(m.servePlainDNS),
+			tlsConfigSettings: *tlsConf,
+			ServePlainDNS:     aghalg.BoolToNullBool(servePlainDNS),
 		},
 		tlsConfigStatus: m.status,
 	}
-	m.confLock.Unlock()
 
 	marshalTLS(w, r, data)
 }
@@ -434,6 +444,9 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
 	if setts.PrivateKeySaved {
 		setts.PrivateKey = m.conf.PrivateKey
 	}
@@ -449,7 +462,7 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 	// Skip the error check, since we are only interested in the value of
 	// status.WarningValidation.
 	status := &tlsConfigStatus{}
-	_ = m.loadTLSConf(ctx, &setts.tlsConfigSettings, status)
+	_ = m.loadTLSConfig(ctx, &setts.tlsConfigSettings, status)
 	resp := tlsConfig{
 		tlsConfigSettingsExt: setts,
 		tlsConfigStatus:      status,
@@ -458,42 +471,23 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 	marshalTLS(w, r, resp)
 }
 
-// setConfig updates manager conf with the given one.
+// setConfig updates manager TLS configuration with the given one.  m.mu is
+// expected to be locked.
 func (m *tlsManager) setConfig(
 	ctx context.Context,
 	newConf tlsConfigSettings,
 	status *tlsConfigStatus,
 	servePlain aghalg.NullBool,
 ) (restartHTTPS bool) {
-	m.confLock.Lock()
-	defer m.confLock.Unlock()
-
-	// Reset the DNSCrypt data before comparing, since we currently do not
-	// accept these from the frontend.
-	//
-	// TODO(a.garipov): Define a custom comparer for dnsforward.TLSConfig.
-	newConf.DNSCryptConfigFile = m.conf.DNSCryptConfigFile
-	newConf.PortDNSCrypt = m.conf.PortDNSCrypt
-	if !cmp.Equal(m.conf, newConf, cmp.AllowUnexported(dnsforward.TLSConfig{})) {
+	if !m.conf.setPrivateFieldsAndCompare(&newConf) {
 		m.logger.InfoContext(ctx, "config has changed, restarting https server")
 		restartHTTPS = true
 	} else {
 		m.logger.InfoContext(ctx, "config has not changed")
 	}
 
-	// Note: don't do just `t.conf = data` because we must preserve all other members of t.conf
-	m.conf.Enabled = newConf.Enabled
-	m.conf.ServerName = newConf.ServerName
-	m.conf.ForceHTTPS = newConf.ForceHTTPS
-	m.conf.PortHTTPS = newConf.PortHTTPS
-	m.conf.PortDNSOverTLS = newConf.PortDNSOverTLS
-	m.conf.PortDNSOverQUIC = newConf.PortDNSOverQUIC
-	m.conf.CertificateChain = newConf.CertificateChain
-	m.conf.CertificatePath = newConf.CertificatePath
-	m.conf.CertificateChainData = newConf.CertificateChainData
-	m.conf.PrivateKey = newConf.PrivateKey
-	m.conf.PrivateKeyPath = newConf.PrivateKeyPath
-	m.conf.PrivateKeyData = newConf.PrivateKeyData
+	m.conf = &newConf
+
 	m.status = status
 
 	if servePlain != aghalg.NBNull {
@@ -515,6 +509,16 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	var restartHTTPS bool
+	defer func() {
+		if restartHTTPS {
+			m.configModified()
+		}
+	}()
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
 	if req.PrivateKeySaved {
 		req.PrivateKey = m.conf.PrivateKey
 	}
@@ -526,7 +530,7 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 	}
 
 	status := &tlsConfigStatus{}
-	err = m.loadTLSConf(ctx, &req.tlsConfigSettings, status)
+	err = m.loadTLSConfig(ctx, &req.tlsConfigSettings, status)
 	if err != nil {
 		resp := tlsConfig{
 			tlsConfigSettingsExt: req,
@@ -538,20 +542,18 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	restartHTTPS := m.setConfig(ctx, req.tlsConfigSettings, status, req.ServePlainDNS)
+	restartHTTPS = m.setConfig(ctx, req.tlsConfigSettings, status, req.ServePlainDNS)
 	m.setCertFileTime(ctx)
 
 	if req.ServePlainDNS != aghalg.NBNull {
 		func() {
-			m.confLock.Lock()
-			defer m.confLock.Unlock()
+			config.Lock()
+			defer config.Unlock()
 
 			config.DNS.ServePlainDNS = req.ServePlainDNS == aghalg.NBTrue
 		}()
 	}
 
-	m.configModified()
-
 	err = m.reconfigureDNSServer()
 	if err != nil {
 		m.logger.ErrorContext(ctx, "reconfiguring dns server", slogutil.KeyError, err)
@@ -567,18 +569,18 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 	}
 
 	marshalTLS(w, r, resp)
-	if f, ok := w.(http.Flusher); ok {
-		f.Flush()
+	rc := http.NewResponseController(w)
+	err = rc.Flush()
+	if err != nil {
+		m.logger.ErrorContext(ctx, "flushing response", slogutil.KeyError, err)
 	}
 
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
-	// request. It is also should be done in a separate goroutine due to the
+	// request.  It is also should be done in a separate goroutine due to the
 	// same reason.
 	if restartHTTPS {
-		go func() {
-			m.web.tlsConfigChanged(context.Background(), req.tlsConfigSettings)
-		}()
+		go m.web.tlsConfigChanged(context.Background(), &req.tlsConfigSettings)
 	}
 }