Launcher, app/base, sentry, update service

internal/config/cache/cache.go

@@ -0,0 +1,65 @@
+// Copyright (c) 2020 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+// Package cache provides access to contents inside a cache directory.
+package cache
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/ProtonMail/proton-bridge/pkg/files"
+)
+
+type Cache struct {
+	dir, version string
+}
+
+func New(dir, version string) (*Cache, error) {
+	if err := os.MkdirAll(filepath.Join(dir, version), 0700); err != nil {
+		return nil, err
+	}
+
+	return &Cache{
+		dir:     dir,
+		version: version,
+	}, nil
+}
+
+// GetDBDir returns folder for db files.
+func (c *Cache) GetDBDir() string {
+	return c.getCurrentCacheDir()
+}
+
+// GetIMAPCachePath returns path to file with IMAP status.
+func (c *Cache) GetIMAPCachePath() string {
+	return filepath.Join(c.getCurrentCacheDir(), "user_info.json")
+}
+
+// GetTransferDir returns folder for import-export rules files.
+func (c *Cache) GetTransferDir() string {
+	return c.getCurrentCacheDir()
+}
+
+// RemoveOldVersions removes any cache dirs that are not the current version.
+func (c *Cache) RemoveOldVersions() error {
+	return files.Remove(c.dir).Except(c.getCurrentCacheDir()).Do()
+}
+
+func (c *Cache) getCurrentCacheDir() string {
+	return filepath.Join(c.dir, c.version)
+}

internal/config/cache/cache_test.go

@@ -0,0 +1,70 @@
+// Copyright (c) 2020 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package cache
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRemoveOldVersions(t *testing.T) {
+	dir, err := ioutil.TempDir("", "test-cache")
+	require.NoError(t, err)
+
+	cache, err := New(dir, "c4")
+	require.NoError(t, err)
+
+	createFilesInDir(t, dir,
+		"unexpected1.txt",
+		"c1/unexpected1.txt",
+		"c2/unexpected2.txt",
+		"c3/unexpected3.txt",
+		"something.txt",
+	)
+
+	require.DirExists(t, filepath.Join(dir, "c4"))
+	require.FileExists(t, filepath.Join(dir, "unexpected1.txt"))
+	require.FileExists(t, filepath.Join(dir, "c1", "unexpected1.txt"))
+	require.FileExists(t, filepath.Join(dir, "c2", "unexpected2.txt"))
+	require.FileExists(t, filepath.Join(dir, "c3", "unexpected3.txt"))
+	require.FileExists(t, filepath.Join(dir, "something.txt"))
+
+	assert.NoError(t, cache.RemoveOldVersions())
+
+	assert.DirExists(t, filepath.Join(dir, "c4"))
+	assert.NoFileExists(t, filepath.Join(dir, "unexpected1.txt"))
+	assert.NoFileExists(t, filepath.Join(dir, "c1", "unexpected1.txt"))
+	assert.NoFileExists(t, filepath.Join(dir, "c2", "unexpected2.txt"))
+	assert.NoFileExists(t, filepath.Join(dir, "c3", "unexpected3.txt"))
+	assert.NoFileExists(t, filepath.Join(dir, "something.txt"))
+}
+
+func createFilesInDir(t *testing.T, dir string, files ...string) {
+	for _, target := range files {
+		require.NoError(t, os.MkdirAll(filepath.Dir(filepath.Join(dir, target)), 0700))
+
+		f, err := os.Create(filepath.Join(dir, target))
+		require.NoError(t, err)
+		require.NoError(t, f.Close())
+	}
+}

internal/config/settings/kvs.go

@@ -0,0 +1,137 @@
+// Copyright (c) 2021 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package settings
+
+import (
+	"encoding/json"
+	"errors"
+	"os"
+	"strconv"
+	"sync"
+
+	"github.com/sirupsen/logrus"
+)
+
+type keyValueStore struct {
+	cache map[string]string
+	path  string
+	lock  *sync.RWMutex
+}
+
+// newKeyValueStore returns loaded preferences.
+func newKeyValueStore(path string) *keyValueStore {
+	p := &keyValueStore{
+		path: path,
+		lock: &sync.RWMutex{},
+	}
+	if err := p.load(); err != nil {
+		logrus.WithError(err).Warn("Cannot load preferences file, creating new one")
+	}
+	return p
+}
+
+func (p *keyValueStore) load() error {
+	if p.cache != nil {
+		return nil
+	}
+
+	p.lock.Lock()
+	defer p.lock.Unlock()
+
+	p.cache = map[string]string{}
+
+	f, err := os.Open(p.path)
+	if err != nil {
+		return err
+	}
+	defer f.Close() //nolint[errcheck]
+
+	return json.NewDecoder(f).Decode(&p.cache)
+}
+
+func (p *keyValueStore) save() error {
+	if p.cache == nil {
+		return errors.New("cannot save preferences: cache is nil")
+	}
+
+	p.lock.Lock()
+	defer p.lock.Unlock()
+
+	f, err := os.Create(p.path)
+	if err != nil {
+		return err
+	}
+	defer f.Close() //nolint[errcheck]
+
+	return json.NewEncoder(f).Encode(p.cache)
+}
+
+func (p *keyValueStore) setDefault(key, value string) {
+	if p.Get(key) == "" {
+		p.Set(key, value)
+	}
+}
+
+func (p *keyValueStore) Get(key string) string {
+	p.lock.RLock()
+	defer p.lock.RUnlock()
+
+	return p.cache[key]
+}
+
+func (p *keyValueStore) GetBool(key string) bool {
+	return p.Get(key) == "true"
+}
+
+func (p *keyValueStore) GetInt(key string) int {
+	value, err := strconv.Atoi(p.Get(key))
+	if err != nil {
+		logrus.WithError(err).Error("Cannot parse int")
+	}
+	return value
+}
+
+func (p *keyValueStore) GetFloat64(key string) float64 {
+	value, err := strconv.ParseFloat(p.Get(key), 64)
+	if err != nil {
+		logrus.WithError(err).Error("Cannot parse float64")
+	}
+	return value
+}
+
+func (p *keyValueStore) Set(key, value string) {
+	p.lock.Lock()
+	p.cache[key] = value
+	p.lock.Unlock()
+
+	if err := p.save(); err != nil {
+		logrus.WithError(err).Warn("Cannot save preferences")
+	}
+}
+
+func (p *keyValueStore) SetBool(key string, value bool) {
+	if value {
+		p.Set(key, "true")
+	} else {
+		p.Set(key, "false")
+	}
+}
+
+func (p *keyValueStore) SetInt(key string, value int) {
+	p.Set(key, strconv.Itoa(value))
+}

internal/config/settings/kvs_test.go

@@ -0,0 +1,105 @@
+// Copyright (c) 2021 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package settings
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+const testPrefFilePath = "/tmp/pref.json"
+
+func TestLoadNoKeyValueStore(t *testing.T) {
+	pref := newTestEmptyKeyValueStore(t)
+	require.Equal(t, "", pref.Get("key"))
+}
+
+func TestLoadBadKeyValueStore(t *testing.T) {
+	require.NoError(t, ioutil.WriteFile(testPrefFilePath, []byte("{\"key\":\"value"), 0700))
+	pref := newKeyValueStore(testPrefFilePath)
+	require.Equal(t, "", pref.Get("key"))
+}
+
+func TestKeyValueStoreGet(t *testing.T) {
+	pref := newTestKeyValueStore(t)
+	require.Equal(t, "value", pref.Get("str"))
+	require.Equal(t, "42", pref.Get("int"))
+	require.Equal(t, "true", pref.Get("bool"))
+	require.Equal(t, "t", pref.Get("falseBool"))
+}
+
+func TestKeyValueStoreGetInt(t *testing.T) {
+	pref := newTestKeyValueStore(t)
+	require.Equal(t, 0, pref.GetInt("str"))
+	require.Equal(t, 42, pref.GetInt("int"))
+	require.Equal(t, 0, pref.GetInt("bool"))
+	require.Equal(t, 0, pref.GetInt("falseBool"))
+}
+
+func TestKeyValueStoreGetBool(t *testing.T) {
+	pref := newTestKeyValueStore(t)
+	require.Equal(t, false, pref.GetBool("str"))
+	require.Equal(t, false, pref.GetBool("int"))
+	require.Equal(t, true, pref.GetBool("bool"))
+	require.Equal(t, false, pref.GetBool("falseBool"))
+}
+
+func TestKeyValueStoreSetDefault(t *testing.T) {
+	pref := newTestEmptyKeyValueStore(t)
+	pref.setDefault("key", "value")
+	pref.setDefault("key", "othervalue")
+	require.Equal(t, "value", pref.Get("key"))
+}
+
+func TestKeyValueStoreSet(t *testing.T) {
+	pref := newTestEmptyKeyValueStore(t)
+	pref.Set("str", "value")
+	checkSavedKeyValueStore(t, "{\"str\":\"value\"}")
+}
+
+func TestKeyValueStoreSetInt(t *testing.T) {
+	pref := newTestEmptyKeyValueStore(t)
+	pref.SetInt("int", 42)
+	checkSavedKeyValueStore(t, "{\"int\":\"42\"}")
+}
+
+func TestKeyValueStoreSetBool(t *testing.T) {
+	pref := newTestEmptyKeyValueStore(t)
+	pref.SetBool("trueBool", true)
+	pref.SetBool("falseBool", false)
+	checkSavedKeyValueStore(t, "{\"falseBool\":\"false\",\"trueBool\":\"true\"}")
+}
+
+func newTestEmptyKeyValueStore(t *testing.T) *keyValueStore {
+	require.NoError(t, os.RemoveAll(testPrefFilePath))
+	return newKeyValueStore(testPrefFilePath)
+}
+
+func newTestKeyValueStore(t *testing.T) *keyValueStore {
+	require.NoError(t, ioutil.WriteFile(testPrefFilePath, []byte("{\"str\":\"value\",\"int\":\"42\",\"bool\":\"true\",\"falseBool\":\"t\"}"), 0700))
+	return newKeyValueStore(testPrefFilePath)
+}
+
+func checkSavedKeyValueStore(t *testing.T, expected string) {
+	data, err := ioutil.ReadFile(testPrefFilePath)
+	require.NoError(t, err)
+	require.Equal(t, expected+"\n", string(data))
+}

internal/config/settings/settings.go

@@ -0,0 +1,86 @@
+// Copyright (c) 2021 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+// Package settings provides access to persistent user settings.
+package settings
+
+import (
+	"fmt"
+	"math/rand"
+	"path/filepath"
+	"time"
+)
+
+// Keys of preferences in JSON file.
+const (
+	FirstStartKey          = "first_time_start"
+	FirstStartGUIKey       = "first_time_start_gui"
+	NextHeartbeatKey       = "next_heartbeat"
+	APIPortKey             = "user_port_api"
+	IMAPPortKey            = "user_port_imap"
+	SMTPPortKey            = "user_port_smtp"
+	SMTPSSLKey             = "user_ssl_smtp"
+	AllowProxyKey          = "allow_proxy"
+	AutostartKey           = "autostart"
+	AutoUpdateKey          = "autoupdate"
+	CookiesKey             = "cookies"
+	ReportOutgoingNoEncKey = "report_outgoing_email_without_encryption"
+	LastVersionKey         = "last_used_version"
+	RolloutKey             = "rollout"
+)
+
+type Settings struct {
+	*keyValueStore
+
+	settingsPath string
+}
+
+func New(settingsPath string) *Settings {
+	s := &Settings{
+		keyValueStore: newKeyValueStore(filepath.Join(settingsPath, "prefs.json")),
+		settingsPath:  settingsPath,
+	}
+
+	s.setDefaultValues()
+
+	return s
+}
+
+const (
+	DefaultIMAPPort = "1143"
+	DefaultSMTPPort = "1025"
+	DefaultAPIPort  = "1042"
+)
+
+func (s *Settings) setDefaultValues() {
+	s.setDefault(FirstStartKey, "true")
+	s.setDefault(FirstStartGUIKey, "true")
+	s.setDefault(NextHeartbeatKey, fmt.Sprintf("%v", time.Now().Unix()))
+	s.setDefault(AllowProxyKey, "true")
+	s.setDefault(AutostartKey, "true")
+	s.setDefault(AutoUpdateKey, "false")
+	s.setDefault(ReportOutgoingNoEncKey, "false")
+	s.setDefault(LastVersionKey, "")
+	s.setDefault(RolloutKey, fmt.Sprintf("%v", rand.Float64()))
+
+	s.setDefault(APIPortKey, DefaultAPIPort)
+	s.setDefault(IMAPPortKey, DefaultIMAPPort)
+	s.setDefault(SMTPPortKey, DefaultSMTPPort)
+
+	// By default, stick to STARTTLS. If the user uses catalina+applemail they'll have to change to SSL.
+	s.setDefault(SMTPSSLKey, "false")
+}

internal/config/tls/tls.go

@@ -0,0 +1,191 @@
+// Copyright (c) 2021 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package tls
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"net"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"time"
+
+	"github.com/sirupsen/logrus"
+)
+
+type TLS struct {
+	settingsPath string
+}
+
+func New(settingsPath string) *TLS {
+	return &TLS{
+		settingsPath: settingsPath,
+	}
+}
+
+var tlsTemplate = x509.Certificate{ //nolint[gochecknoglobals]
+	SerialNumber: big.NewInt(-1),
+	Subject: pkix.Name{
+		Country:            []string{"CH"},
+		Organization:       []string{"Proton Technologies AG"},
+		OrganizationalUnit: []string{"ProtonMail"},
+		CommonName:         "127.0.0.1",
+	},
+	KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+	ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+	BasicConstraintsValid: true,
+	IsCA:                  true,
+	IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+	NotBefore:             time.Now(),
+	NotAfter:              time.Now().Add(20 * 365 * 24 * time.Hour),
+}
+
+var ErrTLSCertExpireSoon = fmt.Errorf("TLS certificate will expire soon")
+
+// getTLSCertPath returns path to certificate; used for TLS servers (IMAP, SMTP).
+func (t *TLS) getTLSCertPath() string {
+	return filepath.Join(t.settingsPath, "cert.pem")
+}
+
+// getTLSKeyPath returns path to private key; used for TLS servers (IMAP, SMTP).
+func (t *TLS) getTLSKeyPath() string {
+	return filepath.Join(t.settingsPath, "key.pem")
+}
+
+// GenerateConfig generates certs and keys at the given filepaths and returns a TLS Config which holds them.
+// See https://golang.org/src/crypto/tls/generate_cert.go
+func (t *TLS) GenerateConfig() (tlsConfig *tls.Config, err error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		err = fmt.Errorf("failed to generate private key: %s", err)
+		return
+	}
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		err = fmt.Errorf("failed to generate serial number: %s", err)
+		return
+	}
+
+	tlsTemplate.SerialNumber = serialNumber
+	derBytes, err := x509.CreateCertificate(rand.Reader, &tlsTemplate, &tlsTemplate, &priv.PublicKey, priv)
+	if err != nil {
+		err = fmt.Errorf("failed to create certificate: %s", err)
+		return
+	}
+
+	certOut, err := os.Create(t.getTLSCertPath())
+	if err != nil {
+		return
+	}
+	defer certOut.Close() //nolint[errcheck]
+	err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	if err != nil {
+		return
+	}
+
+	keyOut, err := os.OpenFile(t.getTLSKeyPath(), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return
+	}
+	defer keyOut.Close() //nolint[errcheck]
+	err = pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
+	if err != nil {
+		return
+	}
+
+	return loadTLSConfig(t.getTLSCertPath(), t.getTLSKeyPath())
+}
+
+// GetConfig tries to load TLS config or generate new one which is then returned.
+func (t *TLS) GetConfig() (tlsConfig *tls.Config, err error) {
+	certPath := t.getTLSCertPath()
+	keyPath := t.getTLSKeyPath()
+	tlsConfig, err = loadTLSConfig(certPath, keyPath)
+	if err != nil {
+		logrus.WithError(err).Warn("Cannot load cert, generating a new one")
+		tlsConfig, err = t.GenerateConfig()
+		if err != nil {
+			return
+		}
+
+		if runtime.GOOS == "darwin" {
+			if err := exec.Command( // nolint[gosec]
+				"/usr/bin/security",
+				"execute-with-privileges",
+				"/usr/bin/security",
+				"add-trusted-cert",
+				"-d",
+				"-r", "trustRoot",
+				"-p", "ssl",
+				"-k", "/Library/Keychains/System.keychain",
+				certPath,
+			).Run(); err != nil {
+				logrus.WithError(err).Error("Failed to add cert to system keychain")
+			}
+		}
+	}
+
+	tlsConfig.ServerName = "127.0.0.1"
+	tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
+
+	caCertPool := x509.NewCertPool()
+	caCertPool.AddCert(tlsConfig.Certificates[0].Leaf)
+	tlsConfig.RootCAs = caCertPool
+	tlsConfig.ClientCAs = caCertPool
+
+	/* This is deprecated:
+	 * SA1019: tlsConfig.BuildNameToCertificate is deprecated:
+	 * NameToCertificate only allows associating a single certificate with a given name.
+	 * Leave that field nil to let the library select the first compatible chain from Certificates.
+	 */
+	tlsConfig.BuildNameToCertificate() // nolint[staticcheck]
+
+	return tlsConfig, err
+}
+
+func loadTLSConfig(certPath, keyPath string) (tlsConfig *tls.Config, err error) {
+	c, err := tls.LoadX509KeyPair(certPath, keyPath)
+	if err != nil {
+		return
+	}
+
+	c.Leaf, err = x509.ParseCertificate(c.Certificate[0])
+	if err != nil {
+		return
+	}
+
+	tlsConfig = &tls.Config{
+		Certificates: []tls.Certificate{c},
+	}
+
+	if time.Now().Add(31 * 24 * time.Hour).After(c.Leaf.NotAfter) {
+		err = ErrTLSCertExpireSoon
+		return
+	}
+	return
+}

internal/config/tls/tls_test.go

@@ -0,0 +1,64 @@
+// Copyright (c) 2021 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package tls
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestTLSKeyRenewal(t *testing.T) {
+	// Remove keys.
+	configPath := "/tmp"
+	certPath := filepath.Join(configPath, "cert.pem")
+	keyPath := filepath.Join(configPath, "key.pem")
+	_ = os.Remove(certPath)
+	_ = os.Remove(keyPath)
+
+	dir, err := ioutil.TempDir("", "test-tls")
+	require.NoError(t, err)
+
+	tls := New(dir)
+
+	// Put old key there.
+	tlsTemplate.NotBefore = time.Now().Add(-365 * 24 * time.Hour)
+	tlsTemplate.NotAfter = time.Now()
+	cert, err := tls.GenerateConfig()
+	require.Equal(t, err, ErrTLSCertExpireSoon)
+	require.Equal(t, len(cert.Certificates), 1)
+	time.Sleep(time.Second)
+	now, notValidAfter := time.Now(), cert.Certificates[0].Leaf.NotAfter
+	require.True(t, now.After(notValidAfter), "old certificate expected to not be valid at %v but have valid until %v", now, notValidAfter)
+
+	// Renew key.
+	tlsTemplate.NotBefore = time.Now()
+	tlsTemplate.NotAfter = time.Now().Add(2 * 365 * 24 * time.Hour)
+	cert, err = tls.GetConfig()
+	if runtime.GOOS != "darwin" { // Darwin is not supported.
+		require.NoError(t, err)
+	}
+	require.Equal(t, len(cert.Certificates), 1)
+	now, notValidAfter = time.Now(), cert.Certificates[0].Leaf.NotAfter
+	require.False(t, now.After(notValidAfter), "new certificate expected to be valid at %v but have valid until %v", now, notValidAfter)
+}