itsi-server 0.2.25 → 0.2.27.rc1

data/Cargo.toml

@@ -8,4 +8,3 @@ resolver = "2"
 
 [patch.crates-io]
 magnus = { git = "https://github.com/matsadler/magnus.git", rev = "1ed232edb2b75a2eed9b1def34ad57e55c411a5c" }
-rb-sys-build = { path = "vendor/rb-sys-build" }

data/Rakefile

@@ -29,6 +29,16 @@ SMOKE_TEST_GLOBS = %w[
   test/middleware/string_rewrite.rb
 ].freeze
 
+def native_build_tasks_requested?
+  requested = Rake.application.top_level_tasks
+  return true if requested.empty?
+
+  requested.any? do |task_name|
+    task_name == "default" ||
+      task_name.start_with?("build", "compile", "cross", "clobber")
+  end
+end
+
 def configure_test_task(task_name, test_globs)
   Minitest::TestTask.create(task_name) do |t|
     t.libs << "test"
@@ -41,17 +51,20 @@ end
 
 configure_test_task(:test, ["test/**/*.rb"])
 configure_test_task("test:smoke", SMOKE_TEST_GLOBS)
+configure_test_task("test:acme", ["test/acme/**/*.rb"])
 
 task "test:full" => :test
 
-require "rb_sys/extensiontask"
+if native_build_tasks_requested?
+  require "rb_sys/extensiontask"
 
-task build: :compile
+  task build: :compile
 
-GEMSPEC = Gem::Specification.load("itsi-server.gemspec")
+  GEMSPEC = Gem::Specification.load("itsi-server.gemspec")
 
-RbSys::ExtensionTask.new("itsi-server", GEMSPEC) do |ext|
-  ext.lib_dir = "lib/itsi/server"
+  RbSys::ExtensionTask.new("itsi-server", GEMSPEC) do |ext|
+    ext.lib_dir = "lib/itsi/server"
+  end
 end
 
 task default: %i[compile test rubocop]

data/ext/itsi_acme/Cargo.toml

@@ -31,13 +31,14 @@ async-trait = "0.1.53"
 rustls = { version = "0.23", default-features = false, features = ["ring"] }
 time = "0.3.36"                                                                 # force the transitive dependency to a more recent minimal version. The build fails with 0.3.20
 
-tokio = { version = "1.20.1", default-features = false }
+tokio = { version = "1.20.1", default-features = false, features = ["fs", "io-util", "rt", "sync", "time"] }
 tokio-rustls = { version = "0.26", default-features = false, features = [
   "tls12",
 ] }
 reqwest = { version = "0.12", default-features = false, features = [
   "rustls-tls",
 ] }
+parking_lot = "0.12"
 
 # Axum
 axum-server = { version = "0.7", features = ["tokio-rustls"], optional = true }

data/ext/itsi_acme/src/acceptor.rs

@@ -16,7 +16,7 @@ pub struct AcmeAcceptor {
 }
 
 impl AcmeAcceptor {
-    pub(crate) fn new(resolver: Arc<ResolvesServerCertAcme>) -> Self {
+    pub fn new(resolver: Arc<ResolvesServerCertAcme>) -> Self {
         let mut config = ServerConfig::builder()
             .with_no_client_auth()
             .with_cert_resolver(resolver);

data/ext/itsi_acme/src/acme.rs

@@ -1,7 +1,7 @@
 use std::sync::Arc;
 
 use crate::https_helper::{https, HttpsRequestError, Method, Response};
-use crate::jose::{key_authorization_sha256, sign, sign_eab, JoseError};
+use crate::jose::{key_authorization, key_authorization_sha256, sign, sign_eab, JoseError};
 use base64::engine::general_purpose::URL_SAFE_NO_PAD;
 use base64::Engine;
 use rcgen::{CustomExtension, Error as RcgenError, PKCS_ECDSA_P256_SHA256};
@@ -191,7 +191,11 @@ impl Account {
             None => return Err(AcmeError::NoTlsAlpn01Challenge),
         };
         let mut params = rcgen::CertificateParams::new(vec![domain])?;
-        let key_auth = key_authorization_sha256(&self.key_pair, &challenge.token)?;
+        let token = challenge
+            .token
+            .as_deref()
+            .ok_or(AcmeError::MissingChallengeToken)?;
+        let key_auth = key_authorization_sha256(&self.key_pair, token)?;
         params.custom_extensions = vec![CustomExtension::new_acme_identifier(key_auth.as_ref())];
 
         let key_pair = rcgen::KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
@@ -204,6 +208,24 @@ impl Account {
         let certified_key = CertifiedKey::new(vec![cert.der().clone()], pk);
         Ok((challenge, certified_key))
     }
+
+    pub fn http_01<'a>(
+        &self,
+        challenges: &'a [Challenge],
+    ) -> Result<(&'a Challenge, String), AcmeError> {
+        let challenge = challenges.iter().find(|c| c.typ == ChallengeType::Http01);
+
+        let challenge = match challenge {
+            Some(challenge) => challenge,
+            None => return Err(AcmeError::NoHttp01Challenge),
+        };
+        let token = challenge
+            .token
+            .as_deref()
+            .ok_or(AcmeError::MissingChallengeToken)?;
+
+        Ok((challenge, key_authorization(&self.key_pair, token)?))
+    }
 }
 
 #[derive(Debug, Clone, Deserialize)]
@@ -253,6 +275,8 @@ pub enum ChallengeType {
     Dns01,
     #[serde(rename = "tls-alpn-01")]
     TlsAlpn01,
+    #[serde(other)]
+    Unknown,
 }
 
 #[derive(Debug, Deserialize)]
@@ -305,7 +329,7 @@ pub struct Challenge {
     #[serde(rename = "type")]
     pub typ: ChallengeType,
     pub url: String,
-    pub token: String,
+    pub token: Option<String>,
     pub error: Option<Problem>,
 }
 
@@ -335,6 +359,10 @@ pub enum AcmeError {
     Crypto(#[from] Unspecified),
     #[error("acme service response is missing {0} header")]
     MissingHeader(&'static str),
+    #[error("selected challenge is missing token")]
+    MissingChallengeToken,
+    #[error("no http-01 challenge found")]
+    NoHttp01Challenge,
     #[error("no tls-alpn-01 challenge found")]
     NoTlsAlpn01Challenge,
 }

data/ext/itsi_acme/src/http_challenge.rs

@@ -0,0 +1,81 @@
+use parking_lot::RwLock;
+use std::collections::HashMap;
+use std::sync::Arc;
+
+const ACME_CHALLENGE_PREFIX: &str = "/.well-known/acme-challenge/";
+
+#[derive(Debug, Clone, Default)]
+pub struct Http01Handler {
+    challenges: Arc<RwLock<HashMap<String, String>>>,
+}
+
+impl Http01Handler {
+    pub fn new() -> Self {
+        Self::default()
+    }
+
+    pub fn add_challenge(&self, token: String, key_authorization: String) {
+        self.challenges.write().insert(token, key_authorization);
+    }
+
+    pub fn remove_challenge(&self, token: &str) {
+        self.challenges.write().remove(token);
+    }
+
+    pub fn handle_challenge_request(&self, path: &str) -> Option<String> {
+        let token = path.strip_prefix(ACME_CHALLENGE_PREFIX)?;
+        if token.is_empty()
+            || !token
+                .chars()
+                .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
+        {
+            return None;
+        }
+
+        self.challenges.read().get(token).cloned()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::Http01Handler;
+
+    #[test]
+    fn serves_registered_key_authorization() {
+        let handler = Http01Handler::new();
+        handler.add_challenge("token_123".to_string(), "token_123.thumbprint".to_string());
+
+        assert_eq!(
+            handler.handle_challenge_request("/.well-known/acme-challenge/token_123"),
+            Some("token_123.thumbprint".to_string())
+        );
+    }
+
+    #[test]
+    fn rejects_invalid_paths_and_tokens() {
+        let handler = Http01Handler::new();
+        handler.add_challenge("token_123".to_string(), "token_123.thumbprint".to_string());
+
+        assert_eq!(handler.handle_challenge_request("/not-acme"), None);
+        assert_eq!(
+            handler.handle_challenge_request("/.well-known/acme-challenge/"),
+            None
+        );
+        assert_eq!(
+            handler.handle_challenge_request("/.well-known/acme-challenge/invalid token"),
+            None
+        );
+    }
+
+    #[test]
+    fn removes_tokens() {
+        let handler = Http01Handler::new();
+        handler.add_challenge("token_123".to_string(), "token_123.thumbprint".to_string());
+        handler.remove_challenge("token_123");
+
+        assert_eq!(
+            handler.handle_challenge_request("/.well-known/acme-challenge/token_123"),
+            None
+        );
+    }
+}

data/ext/itsi_acme/src/https_helper.rs

@@ -30,7 +30,9 @@ pub(crate) async fn https(
     let client = reqwest::ClientBuilder::new()
         .use_preconfigured_tls(client_config.clone())
         .build()?;
-    let mut request = client.request(method, url.as_ref());
+    let mut request = client
+        .request(method, url.as_ref())
+        .header("User-Agent", concat!("itsi-acme/", env!("CARGO_PKG_VERSION")));
     if let Some(body) = body {
         request = request
             .body(body)

data/ext/itsi_acme/src/jose.rs

@@ -53,11 +53,15 @@ pub(crate) fn key_authorization_sha256(
     key: &EcdsaKeyPair,
     token: &str,
 ) -> Result<Digest, JoseError> {
-    let jwk = Jwk::new(key);
-    let key_authorization = format!("{}.{}", token, jwk.thumb_sha256_base64()?);
+    let key_authorization = key_authorization(key, token)?;
     Ok(digest(&SHA256, key_authorization.as_bytes()))
 }
 
+pub(crate) fn key_authorization(key: &EcdsaKeyPair, token: &str) -> Result<String, JoseError> {
+    let jwk = Jwk::new(key);
+    Ok(format!("{}.{}", token, jwk.thumb_sha256_base64()?))
+}
+
 #[derive(Serialize)]
 pub(crate) struct Body {
     protected: String,

data/ext/itsi_acme/src/lib.rs

@@ -126,6 +126,7 @@ pub mod axum;
 mod cache;
 pub mod caches;
 mod config;
+mod http_challenge;
 mod https_helper;
 mod incoming;
 mod jose;
@@ -137,6 +138,7 @@ pub use tokio_rustls;
 pub use acceptor::*;
 pub use cache::*;
 pub use config::*;
+pub use http_challenge::*;
 pub use incoming::*;
 pub use resolver::*;
 pub use state::*;

data/ext/itsi_acme/src/resolver.rs

@@ -13,24 +13,40 @@ pub struct ResolvesServerCertAcme {
 #[derive(Debug)]
 struct Inner {
     cert: Option<Arc<CertifiedKey>>,
+    certs: BTreeMap<String, Arc<CertifiedKey>>,
     auth_keys: BTreeMap<String, Arc<CertifiedKey>>,
 }
 
 impl ResolvesServerCertAcme {
-    pub(crate) fn new() -> Arc<Self> {
+    pub fn new() -> Arc<Self> {
         Arc::new(Self {
             inner: Mutex::new(Inner {
                 cert: None,
+                certs: Default::default(),
                 auth_keys: Default::default(),
             }),
         })
     }
-    pub(crate) fn set_cert(&self, cert: Arc<CertifiedKey>) {
+    pub fn set_cert(&self, cert: Arc<CertifiedKey>) {
         self.inner.lock().unwrap().cert = Some(cert);
     }
-    pub(crate) fn set_auth_key(&self, domain: String, cert: Arc<CertifiedKey>) {
+    pub fn set_cert_for_domain(&self, domain: String, cert: Arc<CertifiedKey>) {
+        let mut inner = self.inner.lock().unwrap();
+        if inner.cert.is_none() {
+            inner.cert = Some(cert.clone());
+        }
+        inner.certs.insert(domain, cert);
+    }
+    pub fn remove_cert_for_domain(&self, domain: &str) {
+        self.inner.lock().unwrap().certs.remove(domain);
+    }
+    pub fn set_auth_key(&self, domain: String, cert: Arc<CertifiedKey>) {
         self.inner.lock().unwrap().auth_keys.insert(domain, cert);
     }
+
+    pub fn remove_auth_key(&self, domain: &str) {
+        self.inner.lock().unwrap().auth_keys.remove(domain);
+    }
 }
 
 impl ResolvesServerCert for ResolvesServerCertAcme {
@@ -53,7 +69,14 @@ impl ResolvesServerCert for ResolvesServerCertAcme {
                 }
             }
         } else {
-            self.inner.lock().unwrap().cert.clone()
+            let inner = self.inner.lock().unwrap();
+            match client_hello.server_name() {
+                Some(domain) => {
+                    let domain = AsRef::<str>::as_ref(&domain);
+                    inner.certs.get(domain).cloned().or_else(|| inner.cert.clone())
+                }
+                None => inner.cert.clone(),
+            }
         }
     }
 }

data/ext/itsi_acme/src/state.rs

@@ -20,8 +20,9 @@ use x509_parser::parse_x509_certificate;
 
 use crate::acceptor::AcmeAcceptor;
 use crate::acme::{
-    Account, AcmeError, Auth, AuthStatus, Directory, Identifier, Order, OrderStatus,
+    Account, AcmeError, Auth, AuthStatus, Challenge, Directory, Identifier, Order, OrderStatus,
 };
+use crate::http_challenge::Http01Handler;
 use crate::{AcmeConfig, Incoming, ResolvesServerCertAcme};
 
 type Timer = std::pin::Pin<Box<Sleep>>;
@@ -36,6 +37,9 @@ pub struct AcmeState<EC: Debug = Infallible, EA: Debug = EC> {
     config: Arc<AcmeConfig<EC, EA>>,
     resolver: Arc<ResolvesServerCertAcme>,
     account_key: Option<Vec<u8>>,
+    http01_handler: Arc<Http01Handler>,
+    http01_enabled: bool,
+    managed_domain: Option<String>,
 
     early_action: Option<BoxFuture<Event<EC, EA>>>,
     load_cert: Option<BoxFuture<Result<Option<Vec<u8>>, EC>>>,
@@ -128,12 +132,29 @@ impl<EC: 'static + Debug, EA: 'static + Debug> AcmeState<EC, EA> {
     pub fn resolver(&self) -> Arc<ResolvesServerCertAcme> {
         self.resolver.clone()
     }
+    pub fn http01_handler(&self) -> Arc<Http01Handler> {
+        self.http01_handler.clone()
+    }
+    pub fn set_http01_enabled(&mut self, enabled: bool) {
+        self.http01_enabled = enabled;
+    }
     pub fn new(config: AcmeConfig<EC, EA>) -> Self {
+        Self::new_with_resolver(config, ResolvesServerCertAcme::new(), Arc::new(Http01Handler::new()), None)
+    }
+    pub fn new_with_resolver(
+        config: AcmeConfig<EC, EA>,
+        resolver: Arc<ResolvesServerCertAcme>,
+        http01_handler: Arc<Http01Handler>,
+        managed_domain: Option<String>,
+    ) -> Self {
         let config = Arc::new(config);
         Self {
             config: config.clone(),
-            resolver: ResolvesServerCertAcme::new(),
+            resolver,
             account_key: None,
+            http01_handler,
+            http01_enabled: false,
+            managed_domain,
             early_action: None,
             load_cert: Some(Box::pin({
                 let config = config.clone();
@@ -195,7 +216,11 @@ impl<EC: 'static + Debug, EA: 'static + Debug> AcmeState<EC, EA> {
                 }
             }
         };
-        self.resolver.set_cert(Arc::new(cert));
+        let cert = Arc::new(cert);
+        match self.managed_domain.as_ref() {
+            Some(domain) => self.resolver.set_cert_for_domain(domain.clone(), cert),
+            None => self.resolver.set_cert(cert),
+        }
         let wait_duration = (validity[1] - (validity[1] - validity[0]) / 3 - Utc::now())
             .max(chrono::Duration::zero())
             .to_std()
@@ -220,6 +245,8 @@ impl<EC: 'static + Debug, EA: 'static + Debug> AcmeState<EC, EA> {
     async fn order(
         config: Arc<AcmeConfig<EC, EA>>,
         resolver: Arc<ResolvesServerCertAcme>,
+        http01_handler: Arc<Http01Handler>,
+        http01_enabled: bool,
         key_pair: Vec<u8>,
     ) -> Result<Vec<u8>, OrderError> {
         let directory = Directory::discover(&config.client_config, &config.directory_url).await?;
@@ -242,10 +269,16 @@ impl<EC: 'static + Debug, EA: 'static + Debug> AcmeState<EC, EA> {
         loop {
             match order.status {
                 OrderStatus::Pending => {
-                    let auth_futures = order
-                        .authorizations
-                        .iter()
-                        .map(|url| Self::authorize(&config, &resolver, &account, url));
+                    let auth_futures = order.authorizations.iter().map(|url| {
+                        Self::authorize(
+                            &config,
+                            &resolver,
+                            &http01_handler,
+                            http01_enabled,
+                            &account,
+                            url,
+                        )
+                    });
                     try_join_all(auth_futures).await?;
                     log::info!("completed all authorizations");
                     order = account.order(&config.client_config, &order_url).await?;
@@ -289,40 +322,147 @@ impl<EC: 'static + Debug, EA: 'static + Debug> AcmeState<EC, EA> {
     async fn authorize(
         config: &AcmeConfig<EC, EA>,
         resolver: &ResolvesServerCertAcme,
+        http01_handler: &Http01Handler,
+        http01_enabled: bool,
         account: &Account,
         url: &String,
     ) -> Result<(), OrderError> {
         let auth = account.auth(&config.client_config, url).await?;
-        let (domain, challenge_url) = match auth.status {
+        let (domain, challenges) = match auth.status {
             AuthStatus::Pending => {
                 let Identifier::Dns(domain) = auth.identifier;
-                log::info!("trigger challenge for {}", &domain);
+                (domain, auth.challenges)
+            }
+            AuthStatus::Valid => return Ok(()),
+            _ => return Err(OrderError::BadAuth(auth)),
+        };
+
+        log::info!("trigger challenge for {}", &domain);
+
+        let primary = if http01_enabled {
+            ChallengeKind::Http01
+        } else {
+            ChallengeKind::TlsAlpn01
+        };
+        let secondary = match primary {
+            ChallengeKind::Http01 => ChallengeKind::TlsAlpn01,
+            ChallengeKind::TlsAlpn01 => ChallengeKind::Http01,
+        };
+
+        match Self::attempt_authorization(
+            config,
+            resolver,
+            http01_handler,
+            account,
+            &domain,
+            url,
+            &challenges,
+            primary,
+        )
+        .await?
+        {
+            AttemptOutcome::Validated => return Ok(()),
+            AttemptOutcome::Unavailable | AttemptOutcome::RetryableFailure => {}
+        }
+
+        match Self::attempt_authorization(
+            config,
+            resolver,
+            http01_handler,
+            account,
+            &domain,
+            url,
+            &challenges,
+            secondary,
+        )
+        .await?
+        {
+            AttemptOutcome::Validated => Ok(()),
+            AttemptOutcome::Unavailable | AttemptOutcome::RetryableFailure => {
+                Err(OrderError::TooManyAttemptsAuth(domain))
+            }
+        }
+    }
+
+    async fn attempt_authorization(
+        config: &AcmeConfig<EC, EA>,
+        resolver: &ResolvesServerCertAcme,
+        http01_handler: &Http01Handler,
+        account: &Account,
+        domain: &str,
+        auth_url: &str,
+        challenges: &[Challenge],
+        kind: ChallengeKind,
+    ) -> Result<AttemptOutcome, OrderError> {
+        match kind {
+            ChallengeKind::TlsAlpn01 => {
                 let (challenge, auth_key) =
-                    account.tls_alpn_01(&auth.challenges, domain.clone())?;
-                resolver.set_auth_key(domain.clone(), Arc::new(auth_key));
+                    match account.tls_alpn_01(challenges, domain.to_string()) {
+                        Ok(value) => value,
+                        Err(AcmeError::NoTlsAlpn01Challenge) => {
+                            return Ok(AttemptOutcome::Unavailable);
+                        }
+                        Err(error) => return Err(OrderError::Acme(error)),
+                    };
+
+                resolver.set_auth_key(domain.to_string(), Arc::new(auth_key));
                 account
                     .challenge(&config.client_config, &challenge.url)
                     .await?;
-                (domain, challenge.url.clone())
+                let outcome =
+                    Self::poll_authorization(config, account, domain, auth_url, &challenge.url)
+                        .await?;
+                resolver.remove_auth_key(domain);
+                Ok(outcome)
             }
-            AuthStatus::Valid => return Ok(()),
-            _ => return Err(OrderError::BadAuth(auth)),
-        };
+            ChallengeKind::Http01 => {
+                let (challenge, key_authorization) = match account.http_01(challenges) {
+                    Ok(value) => value,
+                    Err(AcmeError::NoHttp01Challenge) => return Ok(AttemptOutcome::Unavailable),
+                    Err(error) => return Err(OrderError::Acme(error)),
+                };
+                let token = challenge
+                    .token
+                    .clone()
+                    .ok_or(OrderError::Acme(AcmeError::MissingChallengeToken))?;
+
+                http01_handler.add_challenge(token.clone(), key_authorization);
+                account
+                    .challenge(&config.client_config, &challenge.url)
+                    .await?;
+                let outcome =
+                    Self::poll_authorization(config, account, domain, auth_url, &challenge.url)
+                        .await?;
+                http01_handler.remove_challenge(&token);
+                Ok(outcome)
+            }
+        }
+    }
+
+    async fn poll_authorization(
+        config: &AcmeConfig<EC, EA>,
+        account: &Account,
+        domain: &str,
+        auth_url: &str,
+        challenge_url: &str,
+    ) -> Result<AttemptOutcome, OrderError> {
         for i in 0u64..5 {
             after(Duration::from_secs(1u64 << i)).await;
-            let auth = account.auth(&config.client_config, url).await?;
+            let auth = account.auth(&config.client_config, auth_url).await?;
             match auth.status {
                 AuthStatus::Pending => {
-                    log::info!("authorization for {} still pending", &domain);
+                    log::info!("authorization for {} still pending", domain);
                     account
-                        .challenge(&config.client_config, &challenge_url)
-                        .await?
+                        .challenge(&config.client_config, challenge_url)
+                        .await?;
                 }
-                AuthStatus::Valid => return Ok(()),
+                AuthStatus::Valid => return Ok(AttemptOutcome::Validated),
+                AuthStatus::Invalid => return Ok(AttemptOutcome::RetryableFailure),
                 _ => return Err(OrderError::BadAuth(auth)),
             }
         }
-        Err(OrderError::TooManyAttemptsAuth(domain))
+
+        Ok(AttemptOutcome::RetryableFailure)
     }
     fn poll_next_infinite(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Event<EC, EA>> {
         loop {
@@ -408,13 +548,34 @@ impl<EC: 'static + Debug, EA: 'static + Debug> AcmeState<EC, EA> {
             };
             let config = self.config.clone();
             let resolver = self.resolver.clone();
+            let http01_handler = self.http01_handler.clone();
+            let http01_enabled = self.http01_enabled;
             self.order = Some(Box::pin({
-                Self::order(config.clone(), resolver.clone(), account_key)
+                Self::order(
+                    config.clone(),
+                    resolver.clone(),
+                    http01_handler,
+                    http01_enabled,
+                    account_key,
+                )
             }));
         }
     }
 }
 
+#[derive(Clone, Copy, Debug)]
+enum ChallengeKind {
+    Http01,
+    TlsAlpn01,
+}
+
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+enum AttemptOutcome {
+    Validated,
+    RetryableFailure,
+    Unavailable,
+}
+
 impl<EC: 'static + Debug, EA: 'static + Debug> Stream for AcmeState<EC, EA> {
     type Item = Event<EC, EA>;
 

data/ext/itsi_scheduler/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "itsi-scheduler"
-version = "0.2.25"
+version = "0.2.27-rc1"
 edition = "2021"
 authors = ["Wouter Coppieters <wc@pico.net.nz>"]
 license = "MIT"