From 52af33d80a905a3b50669599e40dd0ec84ac5b3b Mon Sep 17 00:00:00 2001
From: Valentin Kuznetsov
Date: Wed, 3 Aug 2022 09:50:26 -0400
Subject: [PATCH] add tlsrefreshinterval to control how to re-read the proxy

---
 dbs/utils.go | 6 +++++-
 web/config.go | 14 +++++++++-----
 web/server.go | 1 +
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/dbs/utils.go b/dbs/utils.go
index cf317f65..984cda35 100644
--- a/dbs/utils.go
+++ b/dbs/utils.go
@@ -22,6 +22,9 @@ var Cert string
 // Timeout represents DBS timeout used by HttpClient
 var Timeout int
 
+// TlsRefreshInterval represents refresh interval for Tls proxy
+var TlsRefreshInterval int64
+
 // client X509 certificates
 func tlsCerts(key, cert string) ([]tls.Certificate, error) {
 	uproxy := os.Getenv("X509_USER_PROXY")
@@ -68,11 +71,12 @@ func tlsCerts(key, cert string) ([]tls.Certificate, error) {
 // TLSCertsManager manages TLS certificates
 type TLSCertsManager struct {
 	Certificates []tls.Certificate
+	Time time.Time
 }
 
 // TlsCerts provides access to TLS certificates for given key and certificate
 func (t *TLSCertsManager) TlsCerts(key, cert string) ([]tls.Certificate, error) {
-	if t.Certificates == nil {
+	if t.Certificates == nil || time.Since(t.Time).Seconds() > float64(TlsRefreshInterval) {
 		certs, err := tlsCerts(key, cert)
 		if err == nil {
 			t.Certificates = certs
diff --git a/web/config.go b/web/config.go
index cd2f8491..1aade0e6 100644
--- a/web/config.go
+++ b/web/config.go
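Review bot: The doc comment on the new `TlsRefreshInterval` variable does not say what unit the value is in, and the field in web/config.go (`// interval to refresh tls proxy`) has the same gap; the only place the unit is visible is the `.Seconds()` comparison in the TlsCerts hunk and the `4 * 60 * 60` default in ParseConfig. An operator editing the JSON config will guess minutes or a duration string unless the comment says seconds. Suggest `// TlsRefreshInterval is the interval, in seconds, after which the TLS proxy certificates are re-read from disk` here and `// seconds between re-reads of the TLS proxy certificates` on the struct field.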
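Review bot: The new refresh condition in TlsCerts compares against `t.Time`, but nothing in this patch ever assigns `t.Time` — the diffstat's six changed lines in dbs/utils.go are all visible here and none of them sets it — so `time.Since(t.Time)` is measured from the zero time and the condition is true on every call, which re-reads the proxy from disk on every request and defeats the caching the original `nil` check provided. The refresh timestamp needs to be recorded where the certificates are stored, i.e. `t.Time = time.Now()` next to `t.Certificates = certs`. The body of TlsCerts continues outside the hunk, so check the error path there too: if `tlsCerts` fails on a refresh the stale certificates are kept, which is reasonable, but the timestamp should then be left alone so the next call retries rather than waiting another interval. If TlsCerts is reachable from concurrent handlers, the read-modify-write of `Certificates` and `Time` is unsynchronized as far as this hunk shows; a mutex on TLSCertsManager would be the usual guard.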
@@ -61,11 +61,12 @@ type Configuration struct {
 	Styles string `json:"styles"` // location of server CSS styles
 
 	// security parts
-	ServerKey string `json:"serverkey"` // server key for https
-	ServerCrt string `json:"servercrt"` // server certificate for https
-	RootCA string `json:"rootCA"` // RootCA file
-	CSRFKey string `json:"csrfKey"` // CSRF 32-byte-long-auth-key
-	Production bool `json:"production"` // production server or not
+	ServerKey string `json:"serverkey"` // server key for https
+	ServerCrt string `json:"servercrt"` // server certificate for https
+	RootCA string `json:"rootCA"` // RootCA file
+	CSRFKey string `json:"csrfKey"` // CSRF 32-byte-long-auth-key
+	Production bool `json:"production"` // production server or not
+	TlsRefreshInterval int64 `json:"tlsRefreshInterval"` // interval to refresh tls proxy
 
 	// GraphQL parts
 	GraphQLSchema string `json:"graphqlSchema"` // graph ql schema file name
@@ -142,5 +143,8 @@ func ParseConfig(configFile string) error {
 	if Config.MigrationRetries == 0 {
 		Config.MigrationRetries = 3
 	}
+	if Config.TlsRefreshInterval == 0 {
+		Config.TlsRefreshInterval = 4 * 60 * 60 // 4 hours
+	}
 	return nil
 }
diff --git a/web/server.go b/web/server.go
index 6fe7b0b8..91d0a8ed 100644
--- a/web/server.go
+++ b/web/server.go
@@ -356,6 +356,7 @@ func Server(configFile string) {
 	dbs.FileLumiMaxSize = Config.FileLumiMaxSize
 	dbs.FileLumiInsertMethod = Config.FileLumiInsertMethod
 	dbs.ApiParametersFile = Config.ApiParametersFile
+	dbs.TlsRefreshInterval = Config.TlsRefreshInterval
 	// initialize templates
 	tmplData := make(map[string]interface{})
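Review bot: The default in ParseConfig only applies when `tlsRefreshInterval` is exactly 0, so a negative value from the config file is passed through to dbs, where `time.Since(t.Time).Seconds() > float64(TlsRefreshInterval)` is then true on every call and the proxy is re-read on every request. Treating any non-positive value as "unset" closes that gap: `if Config.TlsRefreshInterval <= 0 {`. It would also help to name the unit in the comment on the default, e.g. `// 4 hours, in seconds`, since the JSON field carries no unit.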