Add token::MemStore, use it for http01 challenges
This commit is contained in:
parent
811aef209a
commit
28104f36e1
@ -2,11 +2,19 @@ use std::{sync, time};
|
|||||||
|
|
||||||
use crate::domain::acme::{self, Certificate, PrivateKey};
|
use crate::domain::acme::{self, Certificate, PrivateKey};
|
||||||
use crate::error::unexpected::{self, Intoable, Mappable};
|
use crate::error::unexpected::{self, Intoable, Mappable};
|
||||||
use crate::{domain, util};
|
use crate::{domain, token, util};
|
||||||
|
|
||||||
const LETS_ENCRYPT_URL: &str = "https://acme-v02.api.letsencrypt.org/directory";
|
const LETS_ENCRYPT_URL: &str = "https://acme-v02.api.letsencrypt.org/directory";
|
||||||
|
|
||||||
pub type GetHttp01ChallengeKeyError = acme::store::GetHttp01ChallengeKeyError;
|
#[derive(thiserror::Error, Debug)]
|
||||||
|
pub enum GetHttp01ChallengeKeyError {
|
||||||
|
#[error("not found")]
|
||||||
|
NotFound,
|
||||||
|
|
||||||
|
#[error(transparent)]
|
||||||
|
Unexpected(#[from] unexpected::Error),
|
||||||
|
}
|
||||||
|
|
||||||
pub type GetCertificateError = acme::store::GetCertificateError;
|
pub type GetCertificateError = acme::store::GetCertificateError;
|
||||||
|
|
||||||
#[mockall::automock]
|
#[mockall::automock]
|
||||||
@ -27,14 +35,20 @@ pub trait Manager {
|
|||||||
|
|
||||||
pub struct ManagerImpl {
|
pub struct ManagerImpl {
|
||||||
store: Box<dyn acme::store::Store + Send + Sync>,
|
store: Box<dyn acme::store::Store + Send + Sync>,
|
||||||
|
token_store: Box<dyn token::Store + Send + Sync>,
|
||||||
account: sync::Arc<acme2::Account>,
|
account: sync::Arc<acme2::Account>,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl ManagerImpl {
|
impl ManagerImpl {
|
||||||
pub async fn new<Store: acme::store::Store + Send + Sync + 'static>(
|
pub async fn new<AcmeStore, TokenStore>(
|
||||||
store: Store,
|
store: AcmeStore,
|
||||||
|
token_store: TokenStore,
|
||||||
config: &domain::ConfigACME,
|
config: &domain::ConfigACME,
|
||||||
) -> Result<Self, unexpected::Error> {
|
) -> Result<Self, unexpected::Error>
|
||||||
|
where
|
||||||
|
AcmeStore: acme::store::Store + Send + Sync + 'static,
|
||||||
|
TokenStore: token::Store + Send + Sync + 'static,
|
||||||
|
{
|
||||||
let dir = acme2::DirectoryBuilder::new(LETS_ENCRYPT_URL.to_string())
|
let dir = acme2::DirectoryBuilder::new(LETS_ENCRYPT_URL.to_string())
|
||||||
.build()
|
.build()
|
||||||
.await
|
.await
|
||||||
@ -78,6 +92,7 @@ impl ManagerImpl {
|
|||||||
|
|
||||||
Ok(Self {
|
Ok(Self {
|
||||||
store: Box::from(store),
|
store: Box::from(store),
|
||||||
|
token_store: Box::from(token_store),
|
||||||
account,
|
account,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
@ -140,8 +155,8 @@ impl Manager for ManagerImpl {
|
|||||||
.or_unexpected_while("getting challenge key from authorization")?
|
.or_unexpected_while("getting challenge key from authorization")?
|
||||||
.ok_or(unexpected::Error::from("expected challenge to have key"))?;
|
.ok_or(unexpected::Error::from("expected challenge to have key"))?;
|
||||||
|
|
||||||
self.store
|
self.token_store
|
||||||
.set_http01_challenge_key(challenge_token, &challenge_key)
|
.set(challenge_token.clone(), challenge_key)
|
||||||
.or_unexpected_while("storing challenge token")?;
|
.or_unexpected_while("storing challenge token")?;
|
||||||
|
|
||||||
// At this point the manager is prepared to serve the challenge key via the
|
// At this point the manager is prepared to serve the challenge key via the
|
||||||
@ -165,8 +180,8 @@ impl Manager for ManagerImpl {
|
|||||||
let challenge_res = challenge.wait_done(time::Duration::from_secs(5), 3).await;
|
let challenge_res = challenge.wait_done(time::Duration::from_secs(5), 3).await;
|
||||||
|
|
||||||
// no matter what the result is, clean up the challenge key
|
// no matter what the result is, clean up the challenge key
|
||||||
self.store
|
self.token_store
|
||||||
.del_http01_challenge_key(challenge_token)
|
.del(challenge_token)
|
||||||
.or_unexpected_while("deleting challenge token")?;
|
.or_unexpected_while("deleting challenge token")?;
|
||||||
|
|
||||||
let challenge = challenge_res.or_unexpected_while("getting challenge status")?;
|
let challenge = challenge_res.or_unexpected_while("getting challenge status")?;
|
||||||
@ -296,7 +311,11 @@ impl Manager for ManagerImpl {
|
|||||||
}
|
}
|
||||||
|
|
||||||
fn get_http01_challenge_key(&self, token: &str) -> Result<String, GetHttp01ChallengeKeyError> {
|
fn get_http01_challenge_key(&self, token: &str) -> Result<String, GetHttp01ChallengeKeyError> {
|
||||||
self.store.get_http01_challenge_key(token)
|
match self.token_store.get(token) {
|
||||||
|
Ok(Some(v)) => Ok(v),
|
||||||
|
Ok(None) => Err(GetHttp01ChallengeKeyError::NotFound),
|
||||||
|
Err(e) => Err(e.into()),
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Returned vec is guaranteed to have len > 0
|
/// Returned vec is guaranteed to have len > 0
|
||||||
|
@ -6,9 +6,7 @@ use crate::domain::acme::{Certificate, PrivateKey};
|
|||||||
use crate::error::unexpected::{self, Mappable};
|
use crate::error::unexpected::{self, Mappable};
|
||||||
use crate::util;
|
use crate::util;
|
||||||
|
|
||||||
use hex::ToHex;
|
|
||||||
use serde::{Deserialize, Serialize};
|
use serde::{Deserialize, Serialize};
|
||||||
use sha2::{Digest, Sha256};
|
|
||||||
|
|
||||||
#[derive(thiserror::Error, Debug)]
|
#[derive(thiserror::Error, Debug)]
|
||||||
pub enum GetAccountKeyError {
|
pub enum GetAccountKeyError {
|
||||||
@ -19,15 +17,6 @@ pub enum GetAccountKeyError {
|
|||||||
Unexpected(#[from] unexpected::Error),
|
Unexpected(#[from] unexpected::Error),
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(thiserror::Error, Debug)]
|
|
||||||
pub enum GetHttp01ChallengeKeyError {
|
|
||||||
#[error("not found")]
|
|
||||||
NotFound,
|
|
||||||
|
|
||||||
#[error(transparent)]
|
|
||||||
Unexpected(#[from] unexpected::Error),
|
|
||||||
}
|
|
||||||
|
|
||||||
#[derive(thiserror::Error, Debug)]
|
#[derive(thiserror::Error, Debug)]
|
||||||
pub enum GetCertificateError {
|
pub enum GetCertificateError {
|
||||||
#[error("not found")]
|
#[error("not found")]
|
||||||
@ -42,10 +31,6 @@ pub trait Store {
|
|||||||
fn set_account_key(&self, k: &PrivateKey) -> Result<(), unexpected::Error>;
|
fn set_account_key(&self, k: &PrivateKey) -> Result<(), unexpected::Error>;
|
||||||
fn get_account_key(&self) -> Result<PrivateKey, GetAccountKeyError>;
|
fn get_account_key(&self) -> Result<PrivateKey, GetAccountKeyError>;
|
||||||
|
|
||||||
fn set_http01_challenge_key(&self, token: &str, key: &str) -> Result<(), unexpected::Error>;
|
|
||||||
fn get_http01_challenge_key(&self, token: &str) -> Result<String, GetHttp01ChallengeKeyError>;
|
|
||||||
fn del_http01_challenge_key(&self, token: &str) -> Result<(), unexpected::Error>;
|
|
||||||
|
|
||||||
fn set_certificate(
|
fn set_certificate(
|
||||||
&self,
|
&self,
|
||||||
domain: &str,
|
domain: &str,
|
||||||
@ -93,16 +78,6 @@ impl FSStore {
|
|||||||
self.dir_path.join("account.key")
|
self.dir_path.join("account.key")
|
||||||
}
|
}
|
||||||
|
|
||||||
fn http01_challenge_key_path(&self, token: &str) -> path::PathBuf {
|
|
||||||
// hash it for safety
|
|
||||||
let mut h = Sha256::new();
|
|
||||||
h.write_all(token.as_bytes())
|
|
||||||
.expect("token successfully hashed");
|
|
||||||
let n = h.finalize().encode_hex::<String>();
|
|
||||||
|
|
||||||
self.dir_path.join("http01_challenge_keys").join(n)
|
|
||||||
}
|
|
||||||
|
|
||||||
fn certificate_path(&self, domain: &str) -> path::PathBuf {
|
fn certificate_path(&self, domain: &str) -> path::PathBuf {
|
||||||
let mut domain = domain.to_string();
|
let mut domain = domain.to_string();
|
||||||
domain.push_str(".json");
|
domain.push_str(".json");
|
||||||
@ -144,42 +119,6 @@ impl Store for FSStore {
|
|||||||
.map_err(|err| err.into())
|
.map_err(|err| err.into())
|
||||||
}
|
}
|
||||||
|
|
||||||
fn set_http01_challenge_key(&self, token: &str, key: &str) -> Result<(), unexpected::Error> {
|
|
||||||
let path = self.http01_challenge_key_path(token);
|
|
||||||
{
|
|
||||||
let mut file = fs::File::create(path.as_path()).or_unexpected_while("creating file")?;
|
|
||||||
file.write_all(key.as_bytes())
|
|
||||||
.or_unexpected_while("writing file")
|
|
||||||
}
|
|
||||||
.map_unexpected_while(|| format!("path is {}", path.display()))?;
|
|
||||||
Ok(())
|
|
||||||
}
|
|
||||||
|
|
||||||
fn get_http01_challenge_key(&self, token: &str) -> Result<String, GetHttp01ChallengeKeyError> {
|
|
||||||
let path = self.http01_challenge_key_path(token);
|
|
||||||
{
|
|
||||||
let mut file =
|
|
||||||
match util::open_file(path.as_path()).or_unexpected_while("opening_file")? {
|
|
||||||
Some(file) => file,
|
|
||||||
None => return Err(GetHttp01ChallengeKeyError::NotFound),
|
|
||||||
};
|
|
||||||
|
|
||||||
let mut key = String::new();
|
|
||||||
file.read_to_string(&mut key)
|
|
||||||
.or_unexpected_while("reading file")?;
|
|
||||||
|
|
||||||
Ok::<String, unexpected::Error>(key)
|
|
||||||
}
|
|
||||||
.map_unexpected_while(|| format!("path is {}", path.display()))
|
|
||||||
.map_err(|err| err.into())
|
|
||||||
}
|
|
||||||
|
|
||||||
fn del_http01_challenge_key(&self, token: &str) -> Result<(), unexpected::Error> {
|
|
||||||
let path = self.http01_challenge_key_path(token);
|
|
||||||
fs::remove_file(path.as_path())
|
|
||||||
.map_unexpected_while(|| format!("path is {}", path.display()))
|
|
||||||
}
|
|
||||||
|
|
||||||
fn set_certificate(
|
fn set_certificate(
|
||||||
&self,
|
&self,
|
||||||
domain: &str,
|
domain: &str,
|
||||||
@ -251,38 +190,4 @@ mod tests {
|
|||||||
.expect("account private key retrieved")
|
.expect("account private key retrieved")
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
|
||||||
fn http01_challenge_key() {
|
|
||||||
let tmp_dir = TempDir::new("domain_acme_store_http01_challenge_key").unwrap();
|
|
||||||
let store = FSStore::new(tmp_dir.path()).expect("store created");
|
|
||||||
|
|
||||||
let token = "foo".to_string();
|
|
||||||
let key = "bar".to_string();
|
|
||||||
|
|
||||||
assert!(matches!(
|
|
||||||
store.get_http01_challenge_key(&token),
|
|
||||||
Err::<String, GetHttp01ChallengeKeyError>(GetHttp01ChallengeKeyError::NotFound)
|
|
||||||
));
|
|
||||||
|
|
||||||
store
|
|
||||||
.set_http01_challenge_key(&token, &key)
|
|
||||||
.expect("http01 challenge set");
|
|
||||||
|
|
||||||
assert_eq!(
|
|
||||||
key,
|
|
||||||
store
|
|
||||||
.get_http01_challenge_key(&token)
|
|
||||||
.expect("retrieved http01 challenge"),
|
|
||||||
);
|
|
||||||
|
|
||||||
store
|
|
||||||
.del_http01_challenge_key(&token)
|
|
||||||
.expect("deleted http01 challenge");
|
|
||||||
|
|
||||||
assert!(matches!(
|
|
||||||
store.get_http01_challenge_key(&token),
|
|
||||||
Err::<String, GetHttp01ChallengeKeyError>(GetHttp01ChallengeKeyError::NotFound)
|
|
||||||
));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
@ -7,4 +7,5 @@ pub mod domain;
|
|||||||
pub mod error;
|
pub mod error;
|
||||||
pub mod origin;
|
pub mod origin;
|
||||||
pub mod service;
|
pub mod service;
|
||||||
|
pub mod token;
|
||||||
pub mod util;
|
pub mod util;
|
||||||
|
@ -78,6 +78,8 @@ async fn main() {
|
|||||||
config
|
config
|
||||||
};
|
};
|
||||||
|
|
||||||
|
let token_store = domani::token::MemStore::new();
|
||||||
|
|
||||||
let origin_store = domani::origin::git::FSStore::new(&config.origin)
|
let origin_store = domani::origin::git::FSStore::new(&config.origin)
|
||||||
.expect("git origin store initialization failed");
|
.expect("git origin store initialization failed");
|
||||||
|
|
||||||
@ -107,7 +109,11 @@ async fn main() {
|
|||||||
.expect("domain acme store initialization failed");
|
.expect("domain acme store initialization failed");
|
||||||
|
|
||||||
Some(
|
Some(
|
||||||
domani::domain::acme::manager::ManagerImpl::new(domain_acme_store, &acme_config)
|
domani::domain::acme::manager::ManagerImpl::new(
|
||||||
|
domain_acme_store,
|
||||||
|
token_store,
|
||||||
|
&acme_config,
|
||||||
|
)
|
||||||
.await
|
.await
|
||||||
.expect("domain acme manager initialization failed"),
|
.expect("domain acme manager initialization failed"),
|
||||||
)
|
)
|
||||||
|
37
src/token.rs
Normal file
37
src/token.rs
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
/// Provides utilites for storing and retrieving various named string tokens which are needed.
|
||||||
|
use crate::error::unexpected;
|
||||||
|
use std::{collections, sync};
|
||||||
|
|
||||||
|
pub trait Store {
|
||||||
|
fn get(&self, key: &str) -> unexpected::Result<Option<String>>;
|
||||||
|
fn set(&self, key: String, val: String) -> unexpected::Result<()>;
|
||||||
|
fn del(&self, key: &str) -> unexpected::Result<()>;
|
||||||
|
}
|
||||||
|
|
||||||
|
pub struct MemStore {
|
||||||
|
m: sync::Mutex<collections::HashMap<String, String>>,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl MemStore {
|
||||||
|
pub fn new() -> MemStore {
|
||||||
|
MemStore {
|
||||||
|
m: sync::Mutex::default(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Store for MemStore {
|
||||||
|
fn get(&self, key: &str) -> unexpected::Result<Option<String>> {
|
||||||
|
Ok(self.m.lock().unwrap().get(key).map(|s| s.to_string()))
|
||||||
|
}
|
||||||
|
|
||||||
|
fn set(&self, key: String, val: String) -> unexpected::Result<()> {
|
||||||
|
self.m.lock().unwrap().insert(key, val);
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
fn del(&self, key: &str) -> unexpected::Result<()> {
|
||||||
|
self.m.lock().unwrap().remove(key);
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user