From 73ffb58456ef3c75ff8006cd302f8d28146f352d Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Tue, 23 Jul 2024 15:37:36 -0400
Subject: [PATCH] p2phttp support https
---
 Command/P2PHttp.hs | 24 ++++++++++++++++++++++--
 doc/git-annex-p2phttp.mdwn | 14 ++++++++++++++
 doc/todo/git-annex_proxies.mdwn | 4 ++++
 3 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/Command/P2PHttp.hs b/Command/P2PHttp.hs
index 8c34ee2660..d0b43c725e 100644
--- a/Command/P2PHttp.hs
+++ b/Command/P2PHttp.hs
@@ -37,6 +37,9 @@ cmd = withAnnexOptions [jobsOption] $ command "p2phttp" SectionPlumbing
 data Options = Options
 { portOption :: Maybe PortNumber
 , bindOption :: Maybe String
+ , certFileOption :: Maybe FilePath
+ , privateKeyFileOption :: Maybe FilePath
+ , chainFileOption :: [FilePath]
 , authEnvOption :: Bool
 , authEnvHttpOption :: Bool
 , unauthReadOnlyOption :: Bool
@@ -54,6 +57,18 @@ optParser _ = Options
 ( long "bind" <> metavar paramAddress
 <> help "specify address to bind to"
 ))
+ <*> optional (strOption
+ ( long "certfile" <> metavar paramFile
+ <> help "TLS certificate file for HTTPS"
+ ))
+ <*> optional (strOption
+ ( long "privatekeyfile" <> metavar paramFile
+ <> help "TLS private key file for HTTPS"
+ ))
+ <*> many (strOption
+ ( long "chainfile" <> metavar paramFile
+ <> help "TLS chain file"
+ ))
 <*> switch
 ( long "authenv"
 <> help "authenticate users from environment (https only)"
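Review bot: The help text for `--chainfile` in optParser, `<> help "TLS chain file"`, does not tell the user that the option is repeatable or that it only has an effect together with the HTTPS options, whereas the manpage hunk in this same patch says it can be repeated any number of times; suggest `<> help "TLS chain file for HTTPS (can be repeated)"`. The `--certfile` and `--privatekeyfile` help strings already say they are for HTTPS, so this keeps the three consistent. The Options record hunk above adds the matching fields and needs no change. optParser's applicative chain starts before this hunk and continues after it.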
@@ -83,8 +98,13 @@ seek o = getAnnexWorkerPool $ \workerpool ->
 mkGetServerMode authenv o
 let settings = Warp.setPort port $ Warp.setHost host $
 Warp.defaultSettings
- Warp.runSettings settings (p2pHttpApp st)
- --Warp.runTLS settings (p2pHttpApp st)
+ case (certFileOption o, privateKeyFileOption o) of
+ (Nothing, Nothing) -> Warp.runSettings settings (p2pHttpApp st)
+ (Just certfile, Just privatekeyfile) -> do
+ let tlssettings = Warp.tlsSettingsChain
+ certfile (chainFileOption o) privatekeyfile
+ Warp.runTLS tlssettings settings (p2pHttpApp st)
+ _ -> giveup "You must use both --certfile and --privatekeyfile options to enable HTTPS."
 where
 port = maybe (fromIntegral defaultP2PHttpProtocolPort)
diff --git a/doc/git-annex-p2phttp.mdwn b/doc/git-annex-p2phttp.mdwn
index f9dcd52c96..7f6f848d4e 100644
--- a/doc/git-annex-p2phttp.mdwn
+++ b/doc/git-annex-p2phttp.mdwn
@@ -52,6 +52,20 @@ convenient way to download the content of any key, by using the path
 What address to bind to. The default is to bind to all addresses.
+* `--certfile=filename`
+
+ TLS certificate file to use. Combining this with `--privatekeyfile`
+ makes the server use HTTPS.
+* `--privatekeyfile=filename`
+
+ TLS private key file to use. Combining this with `--certfile`
+ makes the server use HTTPS.
+* `--chainfile=filename`
+
+ TLS chain file to use. This option can be repeated any number of times.
+
 * `--authenv`
 Allows users to be authenticated with a username and password.
diff --git a/doc/todo/git-annex_proxies.mdwn b/doc/todo/git-annex_proxies.mdwn
index c10e4f6345..ad221aa9a1 100644
--- a/doc/todo/git-annex_proxies.mdwn
+++ b/doc/todo/git-annex_proxies.mdwn
@@ -30,6 +30,8 @@ Planned schedule of work:
 * Rest of Remote.Git needs implementing.
+* git-annex p2phttp serving .well-known for ACME.
+
 * git-annex p2phttp needs to support https. Including serving .well-known for ACME.
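Review bot: In the new case expression in seek, the `(Nothing, Nothing)` branch silently ignores any `--chainfile` values, so an invocation that passes chain files but forgets `--certfile`/`--privatekeyfile` starts a plain-HTTP listener with no diagnostic, while the `_` branch does reject a partial cert/key combination. Suggest guarding that branch so the mismatch is reported too: `(Nothing, Nothing) | null (chainFileOption o) -> Warp.runSettings settings (p2pHttpApp st)` followed by `| otherwise -> giveup "The --chainfile option requires --certfile and --privatekeyfile."`. The option-combination check also runs only after getAnnexWorkerPool and mkGetServerMode have completed their setup; validating the combination at the top of seek would fail faster with the same messages. seek's body begins before this hunk and its where clause continues past it.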
@@ -57,6 +59,8 @@ Planned schedule of work:
 * Allow using annex+http urls in remote.name.annexUrl
+* Make git-annex p2phttp support https.
+
 ## items deferred until later for [[design/passthrough_proxy]]
 * Check annex.diskreserve when proxying for special remotes