itsi 0.1.20 → 0.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +1 -8
- data/Cargo.lock +2 -2
- data/LICENSE.txt +698 -0
- data/README.md +15 -4
- data/Rakefile +9 -5
- data/crates/itsi_acme/.gitignore +4 -0
- data/crates/itsi_acme/Cargo.toml +86 -0
- data/crates/itsi_acme/LICENSE-APACHE +201 -0
- data/crates/itsi_acme/LICENSE-MIT +23 -0
- data/crates/itsi_acme/README.md +9 -0
- data/crates/itsi_acme/examples/high_level.rs +63 -0
- data/crates/itsi_acme/examples/high_level_warp.rs +52 -0
- data/crates/itsi_acme/examples/low_level.rs +87 -0
- data/crates/itsi_acme/examples/low_level_axum.rs +66 -0
- data/crates/itsi_acme/src/acceptor.rs +81 -0
- data/crates/itsi_acme/src/acme.rs +354 -0
- data/crates/itsi_acme/src/axum.rs +86 -0
- data/crates/itsi_acme/src/cache.rs +39 -0
- data/crates/itsi_acme/src/caches/boxed.rs +80 -0
- data/crates/itsi_acme/src/caches/composite.rs +69 -0
- data/crates/itsi_acme/src/caches/dir.rs +106 -0
- data/crates/itsi_acme/src/caches/mod.rs +11 -0
- data/crates/itsi_acme/src/caches/no.rs +78 -0
- data/crates/itsi_acme/src/caches/test.rs +136 -0
- data/crates/itsi_acme/src/config.rs +172 -0
- data/crates/itsi_acme/src/https_helper.rs +69 -0
- data/crates/itsi_acme/src/incoming.rs +142 -0
- data/crates/itsi_acme/src/jose.rs +161 -0
- data/crates/itsi_acme/src/lib.rs +142 -0
- data/crates/itsi_acme/src/resolver.rs +59 -0
- data/crates/itsi_acme/src/state.rs +424 -0
- data/crates/itsi_rb_helpers/src/lib.rs +4 -3
- data/crates/itsi_scheduler/Cargo.toml +1 -1
- data/crates/itsi_scheduler/src/itsi_scheduler.rs +8 -2
- data/crates/itsi_scheduler/src/lib.rs +1 -0
- data/crates/itsi_server/Cargo.toml +1 -1
- data/crates/itsi_server/src/lib.rs +2 -1
- data/crates/itsi_server/src/ruby_types/itsi_http_request.rs +18 -1
- data/crates/itsi_server/src/ruby_types/itsi_server/file_watcher.rs +11 -3
- data/crates/itsi_server/src/ruby_types/itsi_server/itsi_server_config.rs +122 -63
- data/crates/itsi_server/src/ruby_types/itsi_server.rs +2 -0
- data/crates/itsi_server/src/server/binds/bind.rs +3 -0
- data/crates/itsi_server/src/server/binds/listener.rs +12 -5
- data/crates/itsi_server/src/server/binds/tls.rs +13 -5
- data/crates/itsi_server/src/server/middleware_stack/middlewares/allow_list.rs +12 -5
- data/crates/itsi_server/src/server/middleware_stack/middlewares/auth_api_key.rs +8 -1
- data/crates/itsi_server/src/server/middleware_stack/middlewares/auth_basic.rs +9 -1
- data/crates/itsi_server/src/server/middleware_stack/middlewares/auth_jwt.rs +48 -43
- data/crates/itsi_server/src/server/middleware_stack/middlewares/cache_control.rs +11 -2
- data/crates/itsi_server/src/server/middleware_stack/middlewares/compression.rs +39 -12
- data/crates/itsi_server/src/server/middleware_stack/middlewares/cors.rs +36 -27
- data/crates/itsi_server/src/server/middleware_stack/middlewares/csp.rs +25 -11
- data/crates/itsi_server/src/server/middleware_stack/middlewares/deny_list.rs +12 -3
- data/crates/itsi_server/src/server/middleware_stack/middlewares/error_response/default_responses.rs +74 -72
- data/crates/itsi_server/src/server/middleware_stack/middlewares/error_response.rs +15 -1
- data/crates/itsi_server/src/server/middleware_stack/middlewares/etag.rs +11 -8
- data/crates/itsi_server/src/server/middleware_stack/middlewares/intrusion_protection.rs +19 -11
- data/crates/itsi_server/src/server/middleware_stack/middlewares/log_requests.rs +5 -5
- data/crates/itsi_server/src/server/middleware_stack/middlewares/max_body.rs +2 -2
- data/crates/itsi_server/src/server/middleware_stack/middlewares/mod.rs +11 -5
- data/crates/itsi_server/src/server/middleware_stack/middlewares/proxy.rs +17 -20
- data/crates/itsi_server/src/server/middleware_stack/middlewares/rate_limit.rs +19 -8
- data/crates/itsi_server/src/server/middleware_stack/middlewares/redirect.rs +16 -37
- data/crates/itsi_server/src/server/middleware_stack/middlewares/request_headers.rs +22 -12
- data/crates/itsi_server/src/server/middleware_stack/middlewares/response_headers.rs +26 -11
- data/crates/itsi_server/src/server/middleware_stack/middlewares/static_assets.rs +7 -1
- data/crates/itsi_server/src/server/middleware_stack/middlewares/string_rewrite.rs +14 -4
- data/crates/itsi_server/src/server/middleware_stack/middlewares/token_source.rs +19 -0
- data/crates/itsi_server/src/server/middleware_stack/mod.rs +49 -13
- data/crates/itsi_server/src/server/mod.rs +1 -0
- data/crates/itsi_server/src/server/redirect_type.rs +26 -0
- data/crates/itsi_server/src/server/serve_strategy/cluster_mode.rs +22 -16
- data/crates/itsi_server/src/server/serve_strategy/single_mode.rs +49 -12
- data/crates/itsi_server/src/server/signal.rs +1 -0
- data/crates/itsi_server/src/server/size_limited_incoming.rs +6 -0
- data/crates/itsi_server/src/server/thread_worker.rs +5 -1
- data/crates/itsi_server/src/services/itsi_http_service.rs +20 -2
- data/crates/itsi_server/src/services/rate_limiter.rs +15 -4
- data/crates/itsi_server/src/services/static_file_server.rs +33 -19
- data/crates/itsi_tracing/src/lib.rs +42 -22
- data/docs/content/_index.md +1 -2
- data/docs/content/acknowledgements/_index.md +5 -2
- data/docs/content/configuration/_index.md +8 -5
- data/docs/content/contact/_index.md +8 -1
- data/docs/content/faqs/_index.md +5 -3
- data/docs/content/features/_index.md +56 -50
- data/docs/content/getting_started/_index.md +8 -5
- data/docs/content/getting_started/local_development.md +68 -8
- data/docs/content/getting_started/logging.md +16 -9
- data/docs/content/getting_started/running_itsi_in_production.md +5 -3
- data/docs/content/getting_started/signals.md +38 -0
- data/docs/content/itsi_scheduler/_index.md +8 -7
- data/docs/content/utilities/_index.md +13 -0
- data/docs/content/utilities/config_file_testing.md +17 -0
- data/docs/content/utilities/passfile_generator.md +41 -0
- data/docs/content/utilities/route_testing.md +27 -0
- data/docs/content/utilities/secrets_management.md +30 -0
- data/docs/hugo.yaml +1 -1
- data/fairytale.txt +3 -4
- data/gems/scheduler/Cargo.lock +1 -1
- data/gems/scheduler/README.md +4 -5
- data/gems/scheduler/Rakefile +0 -4
- data/gems/scheduler/lib/itsi/scheduler/version.rb +1 -1
- data/gems/scheduler/lib/itsi/scheduler.rb +9 -4
- data/gems/scheduler/test/test_active_record.rb +12 -7
- data/gems/server/Cargo.lock +1 -1
- data/gems/server/Rakefile +0 -4
- data/gems/server/exe/itsi +13 -2
- data/gems/server/lib/itsi/http_request/response_status_shortcodes.rb +2 -0
- data/gems/server/lib/itsi/http_request.rb +40 -9
- data/gems/server/lib/itsi/http_response.rb +2 -1
- data/gems/server/lib/itsi/passfile.rb +0 -1
- data/gems/server/lib/itsi/server/config/config_helpers.rb +20 -8
- data/gems/server/lib/itsi/server/config/dsl.rb +20 -435
- data/gems/server/lib/itsi/server/config/known_paths.rb +4 -1
- data/gems/server/lib/itsi/server/config/middleware/_index.md +6 -4
- data/gems/server/lib/itsi/server/config/middleware/allow_list.md +46 -0
- data/gems/server/lib/itsi/server/config/middleware/allow_list.rb +42 -0
- data/gems/server/lib/itsi/server/config/middleware/auth_api_key.md +90 -0
- data/gems/server/lib/itsi/server/config/middleware/auth_api_key.rb +51 -0
- data/gems/server/lib/itsi/server/config/middleware/auth_basic.md +45 -0
- data/gems/server/lib/itsi/server/config/middleware/auth_basic.rb +44 -0
- data/gems/server/lib/itsi/server/config/middleware/auth_jwt.md +82 -0
- data/gems/server/lib/itsi/server/config/middleware/auth_jwt.rb +38 -0
- data/gems/server/lib/itsi/server/config/middleware/cache_control.md +78 -0
- data/gems/server/lib/itsi/server/config/middleware/cache_control.rb +45 -0
- data/gems/server/lib/itsi/server/config/middleware/cidr_to_regex.rb +50 -0
- data/gems/server/lib/itsi/server/config/middleware/compression.md +50 -0
- data/gems/server/lib/itsi/server/config/middleware/compression.rb +37 -0
- data/gems/server/lib/itsi/server/config/middleware/cors.md +93 -0
- data/gems/server/lib/itsi/server/config/middleware/cors.rb +32 -0
- data/gems/server/lib/itsi/server/config/middleware/csp.md +37 -0
- data/gems/server/lib/itsi/server/config/middleware/csp.rb +44 -0
- data/gems/server/lib/itsi/server/config/middleware/deny_list.md +45 -0
- data/gems/server/lib/itsi/server/config/middleware/deny_list.rb +42 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/_index.md +159 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/controller.md +186 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/controller.rb +33 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/delete.md +12 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/delete.rb +42 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/endpoint.rb +99 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/get.md +12 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/get.rb +42 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/http_request.md +44 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/http_response.md +39 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/patch.md +12 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/patch.rb +42 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/post.md +12 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/post.rb +42 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/put.md +12 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/put.rb +42 -0
- data/gems/server/lib/itsi/server/config/middleware/endpoint/schemas.md +122 -0
- data/gems/server/lib/itsi/server/config/middleware/error_response.md +61 -0
- data/gems/server/lib/itsi/server/config/middleware/error_response.rb +36 -0
- data/gems/server/lib/itsi/server/config/middleware/etag.md +59 -0
- data/gems/server/lib/itsi/server/config/middleware/etag.rb +27 -0
- data/gems/server/lib/itsi/server/config/middleware/grpc.md +172 -0
- data/gems/server/lib/itsi/server/config/middleware/grpc.rb +54 -0
- data/gems/server/lib/itsi/server/config/middleware/intrusion_protection.md +124 -0
- data/gems/server/lib/itsi/server/config/middleware/intrusion_protection.rb +61 -0
- data/gems/server/lib/itsi/server/config/middleware/location.md +107 -0
- data/gems/server/lib/itsi/server/config/middleware/location.rb +99 -0
- data/gems/server/lib/itsi/server/config/middleware/log_requests.md +13 -11
- data/gems/server/lib/itsi/server/config/middleware/log_requests.rb +1 -3
- data/gems/server/lib/itsi/server/config/middleware/max_body.md +18 -0
- data/gems/server/lib/itsi/server/config/middleware/max_body.rb +21 -0
- data/gems/server/lib/itsi/server/config/middleware/proxy.md +62 -0
- data/gems/server/lib/itsi/server/config/middleware/proxy.rb +41 -0
- data/gems/server/lib/itsi/server/config/middleware/rackup_file.md +54 -0
- data/gems/server/lib/itsi/server/config/middleware/rackup_file.rb +44 -0
- data/gems/server/lib/itsi/server/config/middleware/rate_limit.md +126 -0
- data/gems/server/lib/itsi/server/config/middleware/rate_limit.rb +34 -0
- data/gems/server/lib/itsi/server/config/middleware/rate_limit_store.rb +25 -0
- data/gems/server/lib/itsi/server/config/middleware/redirect.md +55 -0
- data/gems/server/lib/itsi/server/config/middleware/redirect.rb +25 -0
- data/gems/server/lib/itsi/server/config/middleware/request_headers.md +34 -0
- data/gems/server/lib/itsi/server/config/middleware/request_headers.rb +24 -0
- data/gems/server/lib/itsi/server/config/middleware/response_headers.md +33 -0
- data/gems/server/lib/itsi/server/config/middleware/response_headers.rb +25 -0
- data/gems/server/lib/itsi/server/config/middleware/run.md +60 -0
- data/gems/server/lib/itsi/server/config/middleware/run.rb +43 -0
- data/gems/server/lib/itsi/server/config/middleware/static_assets.md +73 -0
- data/gems/server/lib/itsi/server/config/middleware/static_assets.rb +87 -0
- data/gems/server/lib/itsi/server/config/middleware/static_response.md +44 -0
- data/gems/server/lib/itsi/server/config/middleware/static_response.rb +29 -0
- data/gems/server/lib/itsi/server/config/middleware/string_rewrite.md +67 -0
- data/gems/server/lib/itsi/server/config/middleware/token_source.rb +32 -0
- data/gems/server/lib/itsi/server/config/middleware.rb +4 -0
- data/gems/server/lib/itsi/server/config/option.rb +5 -0
- data/gems/server/lib/itsi/server/config/options/_index.md +3 -2
- data/gems/server/lib/itsi/server/config/options/auto_reload_config.md +13 -0
- data/gems/server/lib/itsi/server/config/options/auto_reload_config.rb +41 -0
- data/gems/server/lib/itsi/server/config/options/bind.md +71 -0
- data/gems/server/lib/itsi/server/config/options/bind.rb +26 -0
- data/gems/server/lib/itsi/server/config/options/certificates.md +65 -0
- data/gems/server/lib/itsi/server/config/options/daemonize.md +14 -0
- data/gems/server/lib/itsi/server/config/options/daemonize.rb +19 -0
- data/gems/server/lib/itsi/server/config/options/fiber_scheduler.md +1 -2
- data/gems/server/lib/itsi/server/config/options/fiber_scheduler.rb +6 -3
- data/gems/server/lib/itsi/server/config/options/header_read_timeout.md +17 -0
- data/gems/server/lib/itsi/server/config/options/header_read_timeout.rb +19 -0
- data/gems/server/lib/itsi/server/config/options/hooks/_index.md +11 -0
- data/gems/server/lib/itsi/server/config/options/hooks/after_fork.md +13 -0
- data/gems/server/lib/itsi/server/config/options/hooks/after_fork.rb +28 -0
- data/gems/server/lib/itsi/server/config/options/hooks/after_memory_limit_reached.md +14 -0
- data/gems/server/lib/itsi/server/config/options/hooks/after_memory_limit_reached.rb +28 -0
- data/gems/server/lib/itsi/server/config/options/hooks/after_start.md +12 -0
- data/gems/server/lib/itsi/server/config/options/hooks/after_start.rb +28 -0
- data/gems/server/lib/itsi/server/config/options/hooks/before_fork.md +13 -0
- data/gems/server/lib/itsi/server/config/options/hooks/before_fork.rb +28 -0
- data/gems/server/lib/itsi/server/config/options/hooks/before_restart.md +12 -0
- data/gems/server/lib/itsi/server/config/options/hooks/before_restart.rb +28 -0
- data/gems/server/lib/itsi/server/config/options/hooks/before_shutdown.md +12 -0
- data/gems/server/lib/itsi/server/config/options/hooks/before_shutdown.rb +28 -0
- data/gems/server/lib/itsi/server/config/options/include.md +20 -0
- data/gems/server/lib/itsi/server/config/options/include.rb +36 -0
- data/gems/server/lib/itsi/server/config/options/listen_backlog.md +11 -0
- data/gems/server/lib/itsi/server/config/options/listen_backlog.rb +19 -0
- data/gems/server/lib/itsi/server/config/options/log_format.md +18 -0
- data/gems/server/lib/itsi/server/config/options/log_format.rb +19 -0
- data/gems/server/lib/itsi/server/config/options/log_level.md +34 -0
- data/gems/server/lib/itsi/server/config/options/log_level.rb +20 -0
- data/gems/server/lib/itsi/server/config/options/log_target.md +38 -0
- data/gems/server/lib/itsi/server/config/options/log_target.rb +19 -0
- data/gems/server/lib/itsi/server/config/options/log_target_filters.md +17 -0
- data/gems/server/lib/itsi/server/config/options/log_target_filters.rb +19 -0
- data/gems/server/lib/itsi/server/config/options/multithreaded_reactor.md +27 -0
- data/gems/server/lib/itsi/server/config/options/multithreaded_reactor.rb +24 -0
- data/gems/server/lib/itsi/server/config/options/nodelay.md +16 -0
- data/gems/server/lib/itsi/server/config/options/nodelay.rb +19 -0
- data/gems/server/lib/itsi/server/config/options/oob_gc_responses_threshold.md +19 -0
- data/gems/server/lib/itsi/server/config/options/oob_gc_responses_threshold.rb +18 -0
- data/gems/server/lib/itsi/server/config/options/pin_worker_cores.md +17 -0
- data/gems/server/lib/itsi/server/config/options/pin_worker_cores.rb +19 -0
- data/gems/server/lib/itsi/server/config/options/preload.md +21 -0
- data/gems/server/lib/itsi/server/config/options/preload.rb +18 -0
- data/gems/server/lib/itsi/server/config/options/recv_buffer_size.md +15 -0
- data/gems/server/lib/itsi/server/config/options/recv_buffer_size.rb +19 -0
- data/gems/server/lib/itsi/server/config/options/redirect_http_to_https.md +21 -0
- data/gems/server/lib/itsi/server/config/options/redirect_http_to_https.rb +30 -0
- data/gems/server/lib/itsi/server/config/options/request_timeout.md +23 -0
- data/gems/server/lib/itsi/server/config/options/request_timeout.rb +19 -0
- data/gems/server/lib/itsi/server/config/options/reuse_address.md +16 -0
- data/gems/server/lib/itsi/server/config/options/reuse_address.rb +19 -0
- data/gems/server/lib/itsi/server/config/options/reuse_port.md +16 -0
- data/gems/server/lib/itsi/server/config/options/reuse_port.rb +19 -0
- data/gems/server/lib/itsi/server/config/options/scheduler_threads.md +34 -0
- data/gems/server/lib/itsi/server/config/options/scheduler_threads.rb +17 -0
- data/gems/server/lib/itsi/server/config/options/shutdown_timeout.md +17 -0
- data/gems/server/lib/itsi/server/config/options/shutdown_timeout.rb +19 -0
- data/gems/server/lib/itsi/server/config/options/stream_body.md +32 -0
- data/gems/server/lib/itsi/server/config/options/stream_body.rb +18 -0
- data/gems/server/lib/itsi/server/config/options/threads.md +7 -2
- data/gems/server/lib/itsi/server/config/options/threads.rb +1 -1
- data/gems/server/lib/itsi/server/config/options/watch.md +16 -0
- data/gems/server/lib/itsi/server/config/options/watch.rb +28 -0
- data/gems/server/lib/itsi/server/config/options/worker_memory_limit.md +22 -0
- data/gems/server/lib/itsi/server/config/options/worker_memory_limit.rb +18 -0
- data/gems/server/lib/itsi/server/config/options/workers.md +1 -2
- data/gems/server/lib/itsi/server/config/options/workers.rb +1 -1
- data/gems/server/lib/itsi/server/config/typed_struct.rb +59 -20
- data/gems/server/lib/itsi/server/config.rb +77 -48
- data/gems/server/lib/itsi/server/default_config/Itsi.rb +3 -3
- data/gems/server/lib/itsi/server/grpc/grpc_call.rb +1 -1
- data/gems/server/lib/itsi/server/grpc/grpc_interface.rb +11 -4
- data/gems/server/lib/itsi/server/rack/handler/itsi.rb +3 -3
- data/gems/server/lib/itsi/server/route_tester.rb +58 -8
- data/gems/server/lib/itsi/server/signal_trap.rb +1 -1
- data/gems/server/lib/itsi/server/typed_handlers/param_parser.rb +14 -18
- data/gems/server/lib/itsi/server/typed_handlers/source_parser.rb +5 -4
- data/gems/server/lib/itsi/server/typed_handlers.rb +12 -4
- data/gems/server/lib/itsi/server/version.rb +1 -1
- data/gems/server/lib/itsi/server.rb +98 -14
- data/gems/server/lib/ruby_lsp/itsi/addon.rb +20 -18
- data/gems/server/test/helpers/test_helper.rb +89 -29
- data/gems/server/test/middleware/allow_list.rb +128 -0
- data/gems/server/test/middleware/auth_api_key.rb +141 -0
- data/gems/server/test/middleware/auth_basic.rb +91 -0
- data/gems/server/test/middleware/auth_jwt.rb +214 -0
- data/gems/server/test/middleware/cache_control.rb +82 -0
- data/gems/server/test/middleware/cidr_to_regex.rb +46 -0
- data/gems/server/test/middleware/compression.rb +89 -0
- data/gems/server/test/middleware/cors.rb +113 -0
- data/gems/server/test/middleware/csp.rb +62 -0
- data/gems/server/test/middleware/deny_list.rb +131 -0
- data/gems/server/test/middleware/endpoint.rb +300 -0
- data/gems/server/test/middleware/etag.rb +75 -0
- data/gems/server/test/middleware/grpc/grpc.rb +158 -0
- data/gems/server/test/middleware/grpc/test_service.proto +32 -0
- data/gems/server/test/middleware/grpc/test_service_impl.rb +28 -0
- data/gems/server/test/middleware/grpc/test_service_pb.rb +18 -0
- data/gems/server/test/middleware/grpc/test_service_services_pb.rb +30 -0
- data/gems/server/test/middleware/header_interpolation.rb +35 -0
- data/gems/server/test/middleware/intrusion_protection.rb +259 -0
- data/gems/server/test/middleware/location.rb +220 -0
- data/gems/server/test/middleware/max_body.rb +20 -0
- data/gems/server/test/middleware/proxy.rb +415 -0
- data/gems/server/test/middleware/rate_limit.rb +211 -0
- data/gems/server/test/middleware/redirect.rb +85 -0
- data/gems/server/test/middleware/request_headers.rb +50 -0
- data/gems/server/test/middleware/response_headers.rb +50 -0
- data/gems/server/test/middleware/static_assets.rb +374 -0
- data/gems/server/test/middleware/static_response.rb +56 -0
- data/gems/server/test/middleware/string_rewrite.rb +112 -0
- data/gems/server/test/options/bind.rb +47 -0
- data/gems/server/test/options/header_read_timeout.rb +23 -0
- data/gems/server/test/options/test_request_timeout.rb +16 -0
- data/gems/server/test/options/test_workers.rb +2 -4
- data/gems/server/test/{test_itsi_server.rb → rack/test_rack_server.rb} +2 -2
- data/grpc_test/Itsi.rb +11 -0
- data/grpc_test/echo.proto +14 -0
- data/grpc_test/echo_pb.rb +16 -0
- data/grpc_test/echo_service_impl.rb +8 -0
- data/grpc_test/echo_services_pb.rb +22 -0
- data/lib/itsi/version.rb +1 -1
- data/tasks.txt +15 -72
- metadata +210 -7
- data/gems/server/lib/itsi/server/default_config/Itsi-rackup.rb +0 -119
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
use axum::{routing::get, Router};
|
|
2
|
+
use clap::Parser;
|
|
3
|
+
use itsi_acme::caches::DirCache;
|
|
4
|
+
use itsi_acme::AcmeConfig;
|
|
5
|
+
use rustls::ServerConfig;
|
|
6
|
+
use std::net::{Ipv6Addr, SocketAddr};
|
|
7
|
+
use std::path::PathBuf;
|
|
8
|
+
use std::sync::Arc;
|
|
9
|
+
use tokio_stream::StreamExt;
|
|
10
|
+
|
|
11
|
+
#[derive(Parser, Debug)]
|
|
12
|
+
struct Args {
|
|
13
|
+
/// Domains
|
|
14
|
+
#[clap(short, required = true)]
|
|
15
|
+
domains: Vec<String>,
|
|
16
|
+
|
|
17
|
+
/// Contact info
|
|
18
|
+
#[clap(short)]
|
|
19
|
+
email: Vec<String>,
|
|
20
|
+
|
|
21
|
+
/// Cache directory
|
|
22
|
+
#[clap(short)]
|
|
23
|
+
cache: Option<PathBuf>,
|
|
24
|
+
|
|
25
|
+
/// Use Let's Encrypt production environment
|
|
26
|
+
/// (see https://letsencrypt.org/docs/staging-environment/)
|
|
27
|
+
#[clap(long)]
|
|
28
|
+
prod: bool,
|
|
29
|
+
|
|
30
|
+
#[clap(short, long, default_value = "443")]
|
|
31
|
+
port: u16,
|
|
32
|
+
}
|
|
33
|
+
|
|
34
|
+
#[tokio::main]
|
|
35
|
+
async fn main() {
|
|
36
|
+
simple_logger::init_with_level(log::Level::Info).unwrap();
|
|
37
|
+
let args = Args::parse();
|
|
38
|
+
|
|
39
|
+
let mut state = AcmeConfig::new(args.domains)
|
|
40
|
+
.contact(args.email.iter().map(|e| format!("mailto:{}", e)))
|
|
41
|
+
.cache_option(args.cache.clone().map(DirCache::new))
|
|
42
|
+
.directory_lets_encrypt(args.prod)
|
|
43
|
+
.state();
|
|
44
|
+
let rustls_config = ServerConfig::builder()
|
|
45
|
+
.with_no_client_auth()
|
|
46
|
+
.with_cert_resolver(state.resolver());
|
|
47
|
+
let acceptor = state.axum_acceptor(Arc::new(rustls_config));
|
|
48
|
+
|
|
49
|
+
tokio::spawn(async move {
|
|
50
|
+
loop {
|
|
51
|
+
match state.next().await.unwrap() {
|
|
52
|
+
Ok(ok) => log::info!("event: {:?}", ok),
|
|
53
|
+
Err(err) => log::error!("error: {:?}", err),
|
|
54
|
+
}
|
|
55
|
+
}
|
|
56
|
+
});
|
|
57
|
+
|
|
58
|
+
let app = Router::new().route("/", get(|| async { "Hello Tls!" }));
|
|
59
|
+
|
|
60
|
+
let addr = SocketAddr::from((Ipv6Addr::UNSPECIFIED, args.port));
|
|
61
|
+
axum_server::bind(addr)
|
|
62
|
+
.acceptor(acceptor)
|
|
63
|
+
.serve(app.into_make_service())
|
|
64
|
+
.await
|
|
65
|
+
.unwrap();
|
|
66
|
+
}
|
|
@@ -0,0 +1,81 @@
|
|
|
1
|
+
use crate::acme::ACME_TLS_ALPN_NAME;
|
|
2
|
+
use crate::ResolvesServerCertAcme;
|
|
3
|
+
use rustls::server::Acceptor;
|
|
4
|
+
use rustls::ServerConfig;
|
|
5
|
+
use std::future::Future;
|
|
6
|
+
use std::io;
|
|
7
|
+
use std::pin::Pin;
|
|
8
|
+
use std::sync::Arc;
|
|
9
|
+
use std::task::{Context, Poll};
|
|
10
|
+
use tokio::io::{AsyncRead, AsyncWrite};
|
|
11
|
+
use tokio_rustls::{Accept, LazyConfigAcceptor, StartHandshake};
|
|
12
|
+
|
|
13
|
+
#[derive(Clone)]
|
|
14
|
+
pub struct AcmeAcceptor {
|
|
15
|
+
config: Arc<ServerConfig>,
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
impl AcmeAcceptor {
|
|
19
|
+
pub(crate) fn new(resolver: Arc<ResolvesServerCertAcme>) -> Self {
|
|
20
|
+
let mut config = ServerConfig::builder()
|
|
21
|
+
.with_no_client_auth()
|
|
22
|
+
.with_cert_resolver(resolver);
|
|
23
|
+
config.alpn_protocols.push(ACME_TLS_ALPN_NAME.to_vec());
|
|
24
|
+
Self {
|
|
25
|
+
config: Arc::new(config),
|
|
26
|
+
}
|
|
27
|
+
}
|
|
28
|
+
pub fn accept<IO: AsyncRead + AsyncWrite + Unpin>(&self, io: IO) -> AcmeAccept<IO> {
|
|
29
|
+
AcmeAccept::new(io, self.config.clone())
|
|
30
|
+
}
|
|
31
|
+
}
|
|
32
|
+
|
|
33
|
+
pub struct AcmeAccept<IO: AsyncRead + AsyncWrite + Unpin> {
|
|
34
|
+
acceptor: LazyConfigAcceptor<IO>,
|
|
35
|
+
config: Arc<ServerConfig>,
|
|
36
|
+
validation_accept: Option<Accept<IO>>,
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
impl<IO: AsyncRead + AsyncWrite + Unpin> AcmeAccept<IO> {
|
|
40
|
+
pub(crate) fn new(io: IO, config: Arc<ServerConfig>) -> Self {
|
|
41
|
+
Self {
|
|
42
|
+
acceptor: LazyConfigAcceptor::new(Acceptor::default(), io),
|
|
43
|
+
config,
|
|
44
|
+
validation_accept: None,
|
|
45
|
+
}
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
|
|
49
|
+
impl<IO: AsyncRead + AsyncWrite + Unpin> Future for AcmeAccept<IO> {
|
|
50
|
+
type Output = io::Result<Option<StartHandshake<IO>>>;
|
|
51
|
+
|
|
52
|
+
fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
|
|
53
|
+
loop {
|
|
54
|
+
if let Some(validation_accept) = &mut self.validation_accept {
|
|
55
|
+
return match Pin::new(validation_accept).poll(cx) {
|
|
56
|
+
Poll::Ready(Ok(_)) => Poll::Ready(Ok(None)),
|
|
57
|
+
Poll::Ready(Err(err)) => Poll::Ready(Err(err)),
|
|
58
|
+
Poll::Pending => Poll::Pending,
|
|
59
|
+
};
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
return match Pin::new(&mut self.acceptor).poll(cx) {
|
|
63
|
+
Poll::Ready(Ok(handshake)) => {
|
|
64
|
+
let is_validation = handshake
|
|
65
|
+
.client_hello()
|
|
66
|
+
.alpn()
|
|
67
|
+
.into_iter()
|
|
68
|
+
.flatten()
|
|
69
|
+
.eq([ACME_TLS_ALPN_NAME]);
|
|
70
|
+
if is_validation {
|
|
71
|
+
self.validation_accept = Some(handshake.into_stream(self.config.clone()));
|
|
72
|
+
continue;
|
|
73
|
+
}
|
|
74
|
+
Poll::Ready(Ok(Some(handshake)))
|
|
75
|
+
}
|
|
76
|
+
Poll::Ready(Err(err)) => Poll::Ready(Err(err)),
|
|
77
|
+
Poll::Pending => Poll::Pending,
|
|
78
|
+
};
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
}
|
|
@@ -0,0 +1,354 @@
|
|
|
1
|
+
use std::sync::Arc;
|
|
2
|
+
|
|
3
|
+
use crate::https_helper::{https, HttpsRequestError, Method, Response};
|
|
4
|
+
use crate::jose::{key_authorization_sha256, sign, sign_eab, JoseError};
|
|
5
|
+
use base64::engine::general_purpose::URL_SAFE_NO_PAD;
|
|
6
|
+
use base64::Engine;
|
|
7
|
+
use rcgen::{CustomExtension, Error as RcgenError, PKCS_ECDSA_P256_SHA256};
|
|
8
|
+
use ring::error::{KeyRejected, Unspecified};
|
|
9
|
+
use ring::rand::SystemRandom;
|
|
10
|
+
use ring::signature::{EcdsaKeyPair, EcdsaSigningAlgorithm, ECDSA_P256_SHA256_FIXED_SIGNING};
|
|
11
|
+
use rustls::{crypto::ring::sign::any_ecdsa_type, sign::CertifiedKey};
|
|
12
|
+
use rustls::{
|
|
13
|
+
pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer},
|
|
14
|
+
ClientConfig,
|
|
15
|
+
};
|
|
16
|
+
use serde::{Deserialize, Serialize};
|
|
17
|
+
use serde_json::json;
|
|
18
|
+
use thiserror::Error;
|
|
19
|
+
|
|
20
|
+
pub const LETS_ENCRYPT_STAGING_DIRECTORY: &str =
|
|
21
|
+
"https://acme-staging-v02.api.letsencrypt.org/directory";
|
|
22
|
+
pub const LETS_ENCRYPT_PRODUCTION_DIRECTORY: &str =
|
|
23
|
+
"https://acme-v02.api.letsencrypt.org/directory";
|
|
24
|
+
pub const ACME_TLS_ALPN_NAME: &[u8] = b"acme-tls/1";
|
|
25
|
+
|
|
26
|
+
#[derive(Debug)]
|
|
27
|
+
pub struct Account {
|
|
28
|
+
pub key_pair: EcdsaKeyPair,
|
|
29
|
+
pub directory: Directory,
|
|
30
|
+
pub kid: String,
|
|
31
|
+
}
|
|
32
|
+
|
|
33
|
+
static ALG: &EcdsaSigningAlgorithm = &ECDSA_P256_SHA256_FIXED_SIGNING;
|
|
34
|
+
|
|
35
|
+
impl Account {
|
|
36
|
+
pub fn generate_key_pair() -> Vec<u8> {
|
|
37
|
+
let rng = SystemRandom::new();
|
|
38
|
+
let pkcs8 = EcdsaKeyPair::generate_pkcs8(ALG, &rng).unwrap();
|
|
39
|
+
pkcs8.as_ref().to_vec()
|
|
40
|
+
}
|
|
41
|
+
pub async fn create<'a, S, I>(
|
|
42
|
+
client_config: &Arc<ClientConfig>,
|
|
43
|
+
directory: Directory,
|
|
44
|
+
contact: I,
|
|
45
|
+
eab: &Option<ExternalAccountKey>,
|
|
46
|
+
) -> Result<Self, AcmeError>
|
|
47
|
+
where
|
|
48
|
+
S: AsRef<str> + 'a,
|
|
49
|
+
I: IntoIterator<Item = &'a S>,
|
|
50
|
+
{
|
|
51
|
+
let key_pair = Self::generate_key_pair();
|
|
52
|
+
Self::create_with_keypair(client_config, directory, contact, &key_pair, eab).await
|
|
53
|
+
}
|
|
54
|
+
pub async fn create_with_keypair<'a, S, I>(
|
|
55
|
+
client_config: &Arc<ClientConfig>,
|
|
56
|
+
directory: Directory,
|
|
57
|
+
contact: I,
|
|
58
|
+
key_pair: &[u8],
|
|
59
|
+
eab: &Option<ExternalAccountKey>,
|
|
60
|
+
) -> Result<Self, AcmeError>
|
|
61
|
+
where
|
|
62
|
+
S: AsRef<str> + 'a,
|
|
63
|
+
I: IntoIterator<Item = &'a S>,
|
|
64
|
+
{
|
|
65
|
+
let key_pair = EcdsaKeyPair::from_pkcs8(ALG, key_pair, &SystemRandom::new())?;
|
|
66
|
+
let contact: Vec<&'a str> = contact.into_iter().map(AsRef::<str>::as_ref).collect();
|
|
67
|
+
|
|
68
|
+
let payload = if let Some(eab) = &eab.as_ref() {
|
|
69
|
+
let eab_body = sign_eab(&key_pair, &eab.key, &eab.kid, &directory.new_account)?;
|
|
70
|
+
|
|
71
|
+
json!({
|
|
72
|
+
"termsOfServiceAgreed": true,
|
|
73
|
+
"contact": contact,
|
|
74
|
+
"externalAccountBinding": eab_body,
|
|
75
|
+
})
|
|
76
|
+
} else {
|
|
77
|
+
json!({
|
|
78
|
+
"termsOfServiceAgreed": true,
|
|
79
|
+
"contact": contact,
|
|
80
|
+
})
|
|
81
|
+
}
|
|
82
|
+
.to_string();
|
|
83
|
+
|
|
84
|
+
let body = sign(
|
|
85
|
+
&key_pair,
|
|
86
|
+
None,
|
|
87
|
+
directory.nonce(client_config).await?,
|
|
88
|
+
&directory.new_account,
|
|
89
|
+
&payload,
|
|
90
|
+
)?;
|
|
91
|
+
let response = https(
|
|
92
|
+
client_config,
|
|
93
|
+
&directory.new_account,
|
|
94
|
+
Method::Post,
|
|
95
|
+
Some(body),
|
|
96
|
+
)
|
|
97
|
+
.await?;
|
|
98
|
+
let kid = get_header(&response, "Location")?;
|
|
99
|
+
Ok(Account {
|
|
100
|
+
key_pair,
|
|
101
|
+
kid,
|
|
102
|
+
directory,
|
|
103
|
+
})
|
|
104
|
+
}
|
|
105
|
+
async fn request(
|
|
106
|
+
&self,
|
|
107
|
+
client_config: &Arc<ClientConfig>,
|
|
108
|
+
url: impl AsRef<str>,
|
|
109
|
+
payload: &str,
|
|
110
|
+
) -> Result<(Option<String>, String), AcmeError> {
|
|
111
|
+
let body = sign(
|
|
112
|
+
&self.key_pair,
|
|
113
|
+
Some(&self.kid),
|
|
114
|
+
self.directory.nonce(client_config).await?,
|
|
115
|
+
url.as_ref(),
|
|
116
|
+
payload,
|
|
117
|
+
)?;
|
|
118
|
+
let response = https(client_config, url.as_ref(), Method::Post, Some(body)).await?;
|
|
119
|
+
let location = get_header(&response, "Location").ok();
|
|
120
|
+
let body = response.text().await.map_err(HttpsRequestError::from)?;
|
|
121
|
+
log::debug!("response: {:?}", body);
|
|
122
|
+
Ok((location, body))
|
|
123
|
+
}
|
|
124
|
+
pub async fn new_order(
|
|
125
|
+
&self,
|
|
126
|
+
client_config: &Arc<ClientConfig>,
|
|
127
|
+
domains: Vec<String>,
|
|
128
|
+
) -> Result<(String, Order), AcmeError> {
|
|
129
|
+
let domains: Vec<Identifier> = domains.into_iter().map(Identifier::Dns).collect();
|
|
130
|
+
let payload = format!("{{\"identifiers\":{}}}", serde_json::to_string(&domains)?);
|
|
131
|
+
let response = self
|
|
132
|
+
.request(client_config, &self.directory.new_order, &payload)
|
|
133
|
+
.await?;
|
|
134
|
+
let url = response.0.ok_or(AcmeError::MissingHeader("Location"))?;
|
|
135
|
+
let order = serde_json::from_str(&response.1)?;
|
|
136
|
+
Ok((url, order))
|
|
137
|
+
}
|
|
138
|
+
pub async fn auth(
|
|
139
|
+
&self,
|
|
140
|
+
client_config: &Arc<ClientConfig>,
|
|
141
|
+
url: impl AsRef<str>,
|
|
142
|
+
) -> Result<Auth, AcmeError> {
|
|
143
|
+
let payload = "".to_string();
|
|
144
|
+
let response = self.request(client_config, url, &payload).await?;
|
|
145
|
+
Ok(serde_json::from_str(&response.1)?)
|
|
146
|
+
}
|
|
147
|
+
pub async fn challenge(
|
|
148
|
+
&self,
|
|
149
|
+
client_config: &Arc<ClientConfig>,
|
|
150
|
+
url: impl AsRef<str>,
|
|
151
|
+
) -> Result<(), AcmeError> {
|
|
152
|
+
self.request(client_config, &url, "{}").await?;
|
|
153
|
+
Ok(())
|
|
154
|
+
}
|
|
155
|
+
pub async fn order(
|
|
156
|
+
&self,
|
|
157
|
+
client_config: &Arc<ClientConfig>,
|
|
158
|
+
url: impl AsRef<str>,
|
|
159
|
+
) -> Result<Order, AcmeError> {
|
|
160
|
+
let response = self.request(client_config, &url, "").await?;
|
|
161
|
+
Ok(serde_json::from_str(&response.1)?)
|
|
162
|
+
}
|
|
163
|
+
pub async fn finalize(
|
|
164
|
+
&self,
|
|
165
|
+
client_config: &Arc<ClientConfig>,
|
|
166
|
+
url: impl AsRef<str>,
|
|
167
|
+
csr: Vec<u8>,
|
|
168
|
+
) -> Result<Order, AcmeError> {
|
|
169
|
+
let payload = format!("{{\"csr\":\"{}\"}}", URL_SAFE_NO_PAD.encode(csr),);
|
|
170
|
+
let response = self.request(client_config, &url, &payload).await?;
|
|
171
|
+
Ok(serde_json::from_str(&response.1)?)
|
|
172
|
+
}
|
|
173
|
+
pub async fn certificate(
|
|
174
|
+
&self,
|
|
175
|
+
client_config: &Arc<ClientConfig>,
|
|
176
|
+
url: impl AsRef<str>,
|
|
177
|
+
) -> Result<String, AcmeError> {
|
|
178
|
+
Ok(self.request(client_config, &url, "").await?.1)
|
|
179
|
+
}
|
|
180
|
+
pub fn tls_alpn_01<'a>(
|
|
181
|
+
&self,
|
|
182
|
+
challenges: &'a [Challenge],
|
|
183
|
+
domain: String,
|
|
184
|
+
) -> Result<(&'a Challenge, CertifiedKey), AcmeError> {
|
|
185
|
+
let challenge = challenges
|
|
186
|
+
.iter()
|
|
187
|
+
.find(|c| c.typ == ChallengeType::TlsAlpn01);
|
|
188
|
+
|
|
189
|
+
let challenge = match challenge {
|
|
190
|
+
Some(challenge) => challenge,
|
|
191
|
+
None => return Err(AcmeError::NoTlsAlpn01Challenge),
|
|
192
|
+
};
|
|
193
|
+
let mut params = rcgen::CertificateParams::new(vec![domain])?;
|
|
194
|
+
let key_auth = key_authorization_sha256(&self.key_pair, &challenge.token)?;
|
|
195
|
+
params.custom_extensions = vec![CustomExtension::new_acme_identifier(key_auth.as_ref())];
|
|
196
|
+
|
|
197
|
+
let key_pair = rcgen::KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
|
|
198
|
+
let cert = params.self_signed(&key_pair)?;
|
|
199
|
+
|
|
200
|
+
let pk_bytes = key_pair.serialize_der();
|
|
201
|
+
let pk_der: PrivatePkcs8KeyDer = pk_bytes.into();
|
|
202
|
+
let pk_der: PrivateKeyDer = pk_der.into();
|
|
203
|
+
let pk = any_ecdsa_type(&pk_der).unwrap();
|
|
204
|
+
let certified_key = CertifiedKey::new(vec![cert.der().clone()], pk);
|
|
205
|
+
Ok((challenge, certified_key))
|
|
206
|
+
}
|
|
207
|
+
}
|
|
208
|
+
|
|
209
|
+
#[derive(Debug, Clone, Deserialize)]
|
|
210
|
+
#[serde(rename_all = "camelCase")]
|
|
211
|
+
pub struct Directory {
|
|
212
|
+
pub new_nonce: String,
|
|
213
|
+
pub new_account: String,
|
|
214
|
+
pub new_order: String,
|
|
215
|
+
}
|
|
216
|
+
|
|
217
|
+
impl Directory {
|
|
218
|
+
pub async fn discover(
|
|
219
|
+
client_config: &Arc<ClientConfig>,
|
|
220
|
+
url: impl AsRef<str>,
|
|
221
|
+
) -> Result<Self, AcmeError> {
|
|
222
|
+
let response = https(client_config, url, Method::Get, None).await?;
|
|
223
|
+
let body = response.bytes().await.map_err(HttpsRequestError::from)?;
|
|
224
|
+
|
|
225
|
+
Ok(serde_json::from_slice(&body)?)
|
|
226
|
+
}
|
|
227
|
+
pub async fn nonce(&self, client_config: &Arc<ClientConfig>) -> Result<String, AcmeError> {
|
|
228
|
+
let response = &https(client_config, &self.new_nonce.as_str(), Method::Head, None).await?;
|
|
229
|
+
get_header(response, "replay-nonce")
|
|
230
|
+
}
|
|
231
|
+
}
|
|
232
|
+
|
|
233
|
+
/// See RFC 8555 section 7.3.4 for more information.
|
|
234
|
+
pub struct ExternalAccountKey {
|
|
235
|
+
pub kid: String,
|
|
236
|
+
pub key: ring::hmac::Key,
|
|
237
|
+
}
|
|
238
|
+
|
|
239
|
+
impl ExternalAccountKey {
|
|
240
|
+
pub fn new(kid: String, key: &[u8]) -> Self {
|
|
241
|
+
Self {
|
|
242
|
+
kid,
|
|
243
|
+
key: ring::hmac::Key::new(ring::hmac::HMAC_SHA256, key),
|
|
244
|
+
}
|
|
245
|
+
}
|
|
246
|
+
}
|
|
247
|
+
|
|
248
|
+
#[derive(Debug, Deserialize, Eq, PartialEq)]
|
|
249
|
+
pub enum ChallengeType {
|
|
250
|
+
#[serde(rename = "http-01")]
|
|
251
|
+
Http01,
|
|
252
|
+
#[serde(rename = "dns-01")]
|
|
253
|
+
Dns01,
|
|
254
|
+
#[serde(rename = "tls-alpn-01")]
|
|
255
|
+
TlsAlpn01,
|
|
256
|
+
}
|
|
257
|
+
|
|
258
|
+
#[derive(Debug, Deserialize)]
|
|
259
|
+
#[serde(rename_all = "camelCase")]
|
|
260
|
+
pub struct Order {
|
|
261
|
+
#[serde(flatten)]
|
|
262
|
+
pub status: OrderStatus,
|
|
263
|
+
pub authorizations: Vec<String>,
|
|
264
|
+
pub finalize: String,
|
|
265
|
+
pub error: Option<Problem>,
|
|
266
|
+
}
|
|
267
|
+
|
|
268
|
+
#[derive(Debug, Deserialize, Clone, PartialEq, Eq)]
|
|
269
|
+
#[serde(tag = "status", rename_all = "camelCase")]
|
|
270
|
+
pub enum OrderStatus {
|
|
271
|
+
Pending,
|
|
272
|
+
Ready,
|
|
273
|
+
Valid { certificate: String },
|
|
274
|
+
Invalid,
|
|
275
|
+
Processing,
|
|
276
|
+
}
|
|
277
|
+
|
|
278
|
+
#[derive(Debug, Deserialize)]
|
|
279
|
+
#[serde(rename_all = "camelCase")]
|
|
280
|
+
pub struct Auth {
|
|
281
|
+
pub status: AuthStatus,
|
|
282
|
+
pub identifier: Identifier,
|
|
283
|
+
pub challenges: Vec<Challenge>,
|
|
284
|
+
}
|
|
285
|
+
|
|
286
|
+
#[derive(Debug, Deserialize)]
|
|
287
|
+
#[serde(rename_all = "camelCase")]
|
|
288
|
+
pub enum AuthStatus {
|
|
289
|
+
Pending,
|
|
290
|
+
Valid,
|
|
291
|
+
Invalid,
|
|
292
|
+
Revoked,
|
|
293
|
+
Expired,
|
|
294
|
+
Deactivated,
|
|
295
|
+
}
|
|
296
|
+
|
|
297
|
+
#[derive(Clone, Debug, Serialize, Deserialize)]
|
|
298
|
+
#[serde(tag = "type", content = "value", rename_all = "camelCase")]
|
|
299
|
+
pub enum Identifier {
|
|
300
|
+
Dns(String),
|
|
301
|
+
}
|
|
302
|
+
|
|
303
|
+
#[derive(Debug, Deserialize)]
|
|
304
|
+
pub struct Challenge {
|
|
305
|
+
#[serde(rename = "type")]
|
|
306
|
+
pub typ: ChallengeType,
|
|
307
|
+
pub url: String,
|
|
308
|
+
pub token: String,
|
|
309
|
+
pub error: Option<Problem>,
|
|
310
|
+
}
|
|
311
|
+
|
|
312
|
+
#[derive(Clone, Debug, Serialize, Deserialize)]
|
|
313
|
+
#[serde(rename_all = "camelCase")]
|
|
314
|
+
pub struct Problem {
|
|
315
|
+
#[serde(rename = "type")]
|
|
316
|
+
pub typ: Option<String>,
|
|
317
|
+
pub detail: Option<String>,
|
|
318
|
+
}
|
|
319
|
+
|
|
320
|
+
#[derive(Error, Debug)]
|
|
321
|
+
pub enum AcmeError {
|
|
322
|
+
#[error("io error: {0}")]
|
|
323
|
+
Io(#[from] std::io::Error),
|
|
324
|
+
#[error("certificate generation error: {0}")]
|
|
325
|
+
Rcgen(#[from] RcgenError),
|
|
326
|
+
#[error("JOSE error: {0}")]
|
|
327
|
+
Jose(#[from] JoseError),
|
|
328
|
+
#[error("JSON error: {0}")]
|
|
329
|
+
Json(#[from] serde_json::Error),
|
|
330
|
+
#[error("http request error: {0}")]
|
|
331
|
+
HttpRequest(#[from] HttpsRequestError),
|
|
332
|
+
#[error("invalid key pair: {0}")]
|
|
333
|
+
KeyRejected(#[from] KeyRejected),
|
|
334
|
+
#[error("crypto error: {0}")]
|
|
335
|
+
Crypto(#[from] Unspecified),
|
|
336
|
+
#[error("acme service response is missing {0} header")]
|
|
337
|
+
MissingHeader(&'static str),
|
|
338
|
+
#[error("no tls-alpn-01 challenge found")]
|
|
339
|
+
NoTlsAlpn01Challenge,
|
|
340
|
+
}
|
|
341
|
+
|
|
342
|
+
fn get_header(response: &Response, header: &'static str) -> Result<String, AcmeError> {
|
|
343
|
+
let h = response
|
|
344
|
+
.headers()
|
|
345
|
+
.get_all(header)
|
|
346
|
+
.iter()
|
|
347
|
+
.next_back()
|
|
348
|
+
.and_then(|v| v.to_str().ok())
|
|
349
|
+
.map(|s| s.to_string());
|
|
350
|
+
match h {
|
|
351
|
+
None => Err(AcmeError::MissingHeader(header)),
|
|
352
|
+
Some(value) => Ok(value),
|
|
353
|
+
}
|
|
354
|
+
}
|
|
@@ -0,0 +1,86 @@
|
|
|
1
|
+
use crate::{AcmeAccept, AcmeAcceptor};
|
|
2
|
+
use rustls::ServerConfig;
|
|
3
|
+
use std::future::Future;
|
|
4
|
+
use std::io;
|
|
5
|
+
use std::io::ErrorKind;
|
|
6
|
+
use std::pin::Pin;
|
|
7
|
+
use std::sync::Arc;
|
|
8
|
+
use std::task::{Context, Poll};
|
|
9
|
+
use tokio::io::{AsyncRead, AsyncWrite};
|
|
10
|
+
use tokio_rustls::Accept;
|
|
11
|
+
|
|
12
|
+
#[derive(Clone)]
|
|
13
|
+
pub struct AxumAcceptor {
|
|
14
|
+
acme_acceptor: AcmeAcceptor,
|
|
15
|
+
config: Arc<ServerConfig>,
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
impl AxumAcceptor {
|
|
19
|
+
pub fn new(acme_acceptor: AcmeAcceptor, config: Arc<ServerConfig>) -> Self {
|
|
20
|
+
Self {
|
|
21
|
+
acme_acceptor,
|
|
22
|
+
config,
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
impl<I: AsyncRead + AsyncWrite + Unpin + Send + 'static, S: Send + 'static>
|
|
28
|
+
axum_server::accept::Accept<I, S> for AxumAcceptor
|
|
29
|
+
{
|
|
30
|
+
type Stream = tokio_rustls::server::TlsStream<I>;
|
|
31
|
+
type Service = S;
|
|
32
|
+
type Future = AxumAccept<I, S>;
|
|
33
|
+
|
|
34
|
+
fn accept(&self, stream: I, service: S) -> Self::Future {
|
|
35
|
+
let acme_accept = self.acme_acceptor.accept(stream);
|
|
36
|
+
Self::Future {
|
|
37
|
+
config: self.config.clone(),
|
|
38
|
+
acme_accept,
|
|
39
|
+
tls_accept: None,
|
|
40
|
+
service: Some(service),
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
|
|
45
|
+
pub struct AxumAccept<I: AsyncRead + AsyncWrite + Unpin + Send + 'static, S: Send + 'static> {
|
|
46
|
+
config: Arc<ServerConfig>,
|
|
47
|
+
acme_accept: AcmeAccept<I>,
|
|
48
|
+
tls_accept: Option<Accept<I>>,
|
|
49
|
+
service: Option<S>,
|
|
50
|
+
}
|
|
51
|
+
|
|
52
|
+
impl<I: AsyncRead + AsyncWrite + Unpin + Send + 'static, S: Send + 'static> Unpin
|
|
53
|
+
for AxumAccept<I, S>
|
|
54
|
+
{
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
impl<I: AsyncRead + AsyncWrite + Unpin + Send + 'static, S: Send + 'static> Future
|
|
58
|
+
for AxumAccept<I, S>
|
|
59
|
+
{
|
|
60
|
+
type Output = io::Result<(tokio_rustls::server::TlsStream<I>, S)>;
|
|
61
|
+
|
|
62
|
+
fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
|
|
63
|
+
loop {
|
|
64
|
+
if let Some(tls_accept) = &mut self.tls_accept {
|
|
65
|
+
return match Pin::new(&mut *tls_accept).poll(cx) {
|
|
66
|
+
Poll::Ready(Ok(tls)) => Poll::Ready(Ok((tls, self.service.take().unwrap()))),
|
|
67
|
+
Poll::Ready(Err(err)) => Poll::Ready(Err(err)),
|
|
68
|
+
Poll::Pending => Poll::Pending,
|
|
69
|
+
};
|
|
70
|
+
}
|
|
71
|
+
return match Pin::new(&mut self.acme_accept).poll(cx) {
|
|
72
|
+
Poll::Ready(Ok(Some(start_handshake))) => {
|
|
73
|
+
let config = self.config.clone();
|
|
74
|
+
self.tls_accept = Some(start_handshake.into_stream(config));
|
|
75
|
+
continue;
|
|
76
|
+
}
|
|
77
|
+
Poll::Ready(Ok(None)) => Poll::Ready(Err(io::Error::new(
|
|
78
|
+
ErrorKind::Other,
|
|
79
|
+
"TLS-ALPN-01 validation request",
|
|
80
|
+
))),
|
|
81
|
+
Poll::Ready(Err(err)) => Poll::Ready(Err(err)),
|
|
82
|
+
Poll::Pending => Poll::Pending,
|
|
83
|
+
};
|
|
84
|
+
}
|
|
85
|
+
}
|
|
86
|
+
}
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
use std::fmt::Debug;
|
|
2
|
+
|
|
3
|
+
use async_trait::async_trait;
|
|
4
|
+
|
|
5
|
+
pub trait Cache: CertCache + AccountCache {}
|
|
6
|
+
|
|
7
|
+
impl<T> Cache for T where T: CertCache + AccountCache {}
|
|
8
|
+
|
|
9
|
+
#[async_trait]
|
|
10
|
+
pub trait CertCache: Send + Sync {
|
|
11
|
+
type EC: Debug;
|
|
12
|
+
async fn load_cert(
|
|
13
|
+
&self,
|
|
14
|
+
domains: &[String],
|
|
15
|
+
directory_url: &str,
|
|
16
|
+
) -> Result<Option<Vec<u8>>, Self::EC>;
|
|
17
|
+
async fn store_cert(
|
|
18
|
+
&self,
|
|
19
|
+
domains: &[String],
|
|
20
|
+
directory_url: &str,
|
|
21
|
+
cert: &[u8],
|
|
22
|
+
) -> Result<(), Self::EC>;
|
|
23
|
+
}
|
|
24
|
+
|
|
25
|
+
#[async_trait]
|
|
26
|
+
pub trait AccountCache: Send + Sync {
|
|
27
|
+
type EA: Debug;
|
|
28
|
+
async fn load_account(
|
|
29
|
+
&self,
|
|
30
|
+
contact: &[String],
|
|
31
|
+
directory_url: &str,
|
|
32
|
+
) -> Result<Option<Vec<u8>>, Self::EA>;
|
|
33
|
+
async fn store_account(
|
|
34
|
+
&self,
|
|
35
|
+
contact: &[String],
|
|
36
|
+
directory_url: &str,
|
|
37
|
+
account: &[u8],
|
|
38
|
+
) -> Result<(), Self::EA>;
|
|
39
|
+
}
|
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
use crate::{AccountCache, CertCache};
|
|
2
|
+
use async_trait::async_trait;
|
|
3
|
+
use std::fmt::Debug;
|
|
4
|
+
|
|
5
|
+
pub struct BoxedErrCache<T: Send + Sync> {
|
|
6
|
+
inner: T,
|
|
7
|
+
}
|
|
8
|
+
|
|
9
|
+
impl<T: Send + Sync> BoxedErrCache<T> {
|
|
10
|
+
pub fn new(inner: T) -> Self {
|
|
11
|
+
Self { inner }
|
|
12
|
+
}
|
|
13
|
+
pub fn into_inner(self) -> T {
|
|
14
|
+
self.inner
|
|
15
|
+
}
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
fn box_err(e: impl Debug + 'static) -> Box<dyn Debug> {
|
|
19
|
+
Box::new(e)
|
|
20
|
+
}
|
|
21
|
+
|
|
22
|
+
#[async_trait]
|
|
23
|
+
impl<T: CertCache> CertCache for BoxedErrCache<T>
|
|
24
|
+
where
|
|
25
|
+
<T as CertCache>::EC: 'static,
|
|
26
|
+
{
|
|
27
|
+
type EC = Box<dyn Debug>;
|
|
28
|
+
async fn load_cert(
|
|
29
|
+
&self,
|
|
30
|
+
domains: &[String],
|
|
31
|
+
directory_url: &str,
|
|
32
|
+
) -> Result<Option<Vec<u8>>, Self::EC> {
|
|
33
|
+
self.inner
|
|
34
|
+
.load_cert(domains, directory_url)
|
|
35
|
+
.await
|
|
36
|
+
.map_err(box_err)
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
async fn store_cert(
|
|
40
|
+
&self,
|
|
41
|
+
domains: &[String],
|
|
42
|
+
directory_url: &str,
|
|
43
|
+
cert: &[u8],
|
|
44
|
+
) -> Result<(), Self::EC> {
|
|
45
|
+
self.inner
|
|
46
|
+
.store_cert(domains, directory_url, cert)
|
|
47
|
+
.await
|
|
48
|
+
.map_err(box_err)
|
|
49
|
+
}
|
|
50
|
+
}
|
|
51
|
+
|
|
52
|
+
#[async_trait]
|
|
53
|
+
impl<T: AccountCache> AccountCache for BoxedErrCache<T>
|
|
54
|
+
where
|
|
55
|
+
<T as AccountCache>::EA: 'static,
|
|
56
|
+
{
|
|
57
|
+
type EA = Box<dyn Debug>;
|
|
58
|
+
async fn load_account(
|
|
59
|
+
&self,
|
|
60
|
+
contact: &[String],
|
|
61
|
+
directory_url: &str,
|
|
62
|
+
) -> Result<Option<Vec<u8>>, Self::EA> {
|
|
63
|
+
self.inner
|
|
64
|
+
.load_account(contact, directory_url)
|
|
65
|
+
.await
|
|
66
|
+
.map_err(box_err)
|
|
67
|
+
}
|
|
68
|
+
|
|
69
|
+
async fn store_account(
|
|
70
|
+
&self,
|
|
71
|
+
contact: &[String],
|
|
72
|
+
directory_url: &str,
|
|
73
|
+
account: &[u8],
|
|
74
|
+
) -> Result<(), Self::EA> {
|
|
75
|
+
self.inner
|
|
76
|
+
.store_account(contact, directory_url, account)
|
|
77
|
+
.await
|
|
78
|
+
.map_err(box_err)
|
|
79
|
+
}
|
|
80
|
+
}
|