itsi 0.1.3 → 0.1.5

data/gems/server/ext/itsi_server/src/server/serve_strategy/single_mode.rs

@@ -95,6 +95,12 @@ impl SingleMode {
               let self_ref = self_ref.clone();
               let listener = listener.clone();
               let (shutdown_sender, mut shutdown_receiver) = tokio::sync::watch::channel::<RunningPhase>(RunningPhase::Running);
+              let listener_clone = listener.clone();
+
+              tokio::spawn(async move {
+                listener_clone.spawn_state_task().await;
+              });
+
               listener_task_set.spawn(async move {
                 let strategy = self_ref.clone();
                 loop {

data/gems/server/ext/itsi_server/src/server/tls/locked_dir_cache.rs

@@ -0,0 +1,94 @@
+use async_trait::async_trait;
+use fs2::FileExt; // for lock_exclusive, unlock
+use std::fs::OpenOptions;
+use std::io::Error as IoError;
+use std::path::{Path, PathBuf};
+use tokio_rustls_acme::caches::DirCache;
+use tokio_rustls_acme::{AccountCache, CertCache};
+
+/// A wrapper around DirCache that locks a file before writing cert/account data.
+pub struct LockedDirCache<P: AsRef<Path> + Send + Sync> {
+    inner: DirCache<P>,
+    lock_path: PathBuf,
+}
+
+impl<P: AsRef<Path> + Send + Sync> LockedDirCache<P> {
+    pub fn new(dir: P) -> Self {
+        let dir_path = dir.as_ref().to_path_buf();
+        let lock_path = dir_path.join(".acme.lock");
+        Self {
+            inner: DirCache::new(dir),
+            lock_path,
+        }
+    }
+
+    fn lock_exclusive(&self) -> Result<std::fs::File, IoError> {
+        let lockfile = OpenOptions::new()
+            .write(true)
+            .truncate(true)
+            .open(&self.lock_path)?;
+        lockfile.lock_exclusive()?;
+        Ok(lockfile)
+    }
+}
+
+#[async_trait]
+impl<P: AsRef<Path> + Send + Sync> CertCache for LockedDirCache<P> {
+    type EC = IoError;
+
+    async fn load_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EC> {
+        // Just delegate to the inner DirCache
+        self.inner.load_cert(domains, directory_url).await
+    }
+
+    async fn store_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+        cert: &[u8],
+    ) -> Result<(), Self::EC> {
+        // Acquire the lock before storing
+        let lockfile = self.lock_exclusive()?;
+
+        // Perform the store operation
+        let result = self.inner.store_cert(domains, directory_url, cert).await;
+
+        // Unlock and return
+        let _ = fs2::FileExt::unlock(&lockfile);
+        result
+    }
+}
+
+#[async_trait]
+impl<P: AsRef<Path> + Send + Sync> AccountCache for LockedDirCache<P> {
+    type EA = IoError;
+
+    async fn load_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EA> {
+        self.inner.load_account(contact, directory_url).await
+    }
+
+    async fn store_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+        account: &[u8],
+    ) -> Result<(), Self::EA> {
+        let lockfile = self.lock_exclusive()?;
+
+        let result = self
+            .inner
+            .store_account(contact, directory_url, account)
+            .await;
+
+        let _ = fs2::FileExt::unlock(&lockfile);
+        result
+    }
+}

data/gems/server/ext/itsi_server/src/server/tls.rs

@@ -1,21 +1,70 @@
 use base64::{engine::general_purpose, Engine as _};
 use itsi_error::Result;
-use itsi_tracing::{info, warn};
+use itsi_tracing::info;
+use locked_dir_cache::LockedDirCache;
 use rcgen::{CertificateParams, DnType, KeyPair, SanType};
+use rustls::pki_types::{CertificateDer, PrivateKeyDer};
 use rustls_pemfile::{certs, pkcs8_private_keys};
-use std::{collections::HashMap, fs, io::BufReader};
-use tokio_rustls::rustls::{Certificate, PrivateKey, ServerConfig};
-
+use std::{
+    collections::HashMap,
+    env, fs,
+    io::{BufReader, Error},
+    sync::Arc,
+};
+use tokio::sync::Mutex;
+use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
+use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
+mod locked_dir_cache;
 const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
 const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
 
+#[derive(Clone)]
+pub enum ItsiTlsAcceptor {
+    Manual(TlsAcceptor),
+    Automatic(
+        AcmeAcceptor,
+        Arc<Mutex<AcmeState<Error>>>,
+        Arc<ServerConfig>,
+    ),
+}
+
 // Generates a TLS configuration based on either :
 // * Input "cert" and "key" options (either paths or Base64-encoded strings) or
 // * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
 // If a non-local host or optional domain parameter is provided,
 // an automated certificate will attempt to be fetched using let's encrypt.
-pub fn configure_tls(host: &str, query_params: &HashMap<String, String>) -> Result<ServerConfig> {
-    info!("TLS Options {:?}", query_params);
+pub fn configure_tls(
+    host: &str,
+    query_params: &HashMap<String, String>,
+) -> Result<ItsiTlsAcceptor> {
+    let domains = query_params
+        .get("domains")
+        .map(|v| v.split(',').map(String::from).collect::<Vec<_>>());
+
+    if query_params.get("cert").is_none() || query_params.get("key").is_none() {
+        if let Some(domains) = domains {
+            let directory_url = env::var("ACME_DIRECTORY_URL")
+                .unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string());
+            info!(
+                domains = format!("{:?}", domains),
+                directory_url, "Requesting acme cert"
+            );
+            let acme_state = AcmeConfig::new(domains)
+                .contact(["mailto:wc@pico.net.nz"])
+                .cache(LockedDirCache::new("./rustls_acme_cache"))
+                .directory(directory_url)
+                .state();
+            let rustls_config = ServerConfig::builder()
+                .with_no_client_auth()
+                .with_cert_resolver(acme_state.resolver());
+            let acceptor = acme_state.acceptor();
+            return Ok(ItsiTlsAcceptor::Automatic(
+                acceptor,
+                Arc::new(Mutex::new(acme_state)),
+                Arc::new(rustls_config),
+            ));
+        }
+    }
     let (certs, key) = if let (Some(cert_path), Some(key_path)) =
         (query_params.get("cert"), query_params.get("key"))
     {
@@ -24,36 +73,19 @@ pub fn configure_tls(host: &str, query_params: &HashMap<String, String>) -> Resu
         let key = load_private_key(key_path);
         (certs, key)
     } else {
-        let domains_param = query_params
-            .get("domains")
-            .map(|v| v.split(',').map(String::from).collect());
-        let host_string = host.to_string();
-        let domains = domains_param.or_else(|| {
-            if host_string != "localhost" {
-                Some(vec![host_string])
-            } else {
-                None
-            }
-        });
-
-        if let Some(domains) = domains {
-            retrieve_acme_cert(domains)?
-        } else {
-            generate_ca_signed_cert(vec![host.to_owned()])?
-        }
+        generate_ca_signed_cert(vec![host.to_owned()])?
     };
 
     let mut config = ServerConfig::builder()
-        .with_safe_defaults()
         .with_no_client_auth()
         .with_single_cert(certs, key)
         .expect("Failed to build TLS config");
 
     config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
-    Ok(config)
+    Ok(ItsiTlsAcceptor::Manual(TlsAcceptor::from(Arc::new(config))))
 }
 
-pub fn load_certs(path: &str) -> Vec<Certificate> {
+pub fn load_certs(path: &str) -> Vec<CertificateDer<'static>> {
     let data = if let Some(stripped) = path.strip_prefix("base64:") {
         general_purpose::STANDARD
             .decode(stripped)
@@ -71,14 +103,20 @@ pub fn load_certs(path: &str) -> Vec<Certificate> {
             })
             .collect::<Result<_>>()
             .expect("Failed to parse certificate file");
-        certs_der.into_iter().map(Certificate).collect()
+        certs_der
+            .into_iter()
+            .map(|vec| {
+                // Convert the owned Vec<u8> into a CertificateDer and force 'static.
+                unsafe { std::mem::transmute(CertificateDer::from(vec)) }
+            })
+            .collect()
     } else {
-        vec![Certificate(data)]
+        vec![CertificateDer::from(data)]
     }
 }
 
 /// Loads a private key from a file or Base64.
-pub fn load_private_key(path: &str) -> PrivateKey {
+pub fn load_private_key(path: &str) -> PrivateKeyDer<'static> {
     let key_data = if let Some(stripped) = path.strip_prefix("base64:") {
         general_purpose::STANDARD
             .decode(stripped)
@@ -97,13 +135,15 @@ pub fn load_private_key(path: &str) -> PrivateKey {
             .collect::<Result<_>>()
             .expect("Failed to parse private key");
         if !keys.is_empty() {
-            return PrivateKey(keys[0].clone());
+            return PrivateKeyDer::try_from(keys[0].clone()).unwrap();
         }
     }
-    PrivateKey(key_data)
+    PrivateKeyDer::try_from(key_data).unwrap()
 }
 
-pub fn generate_ca_signed_cert(domains: Vec<String>) -> Result<(Vec<Certificate>, PrivateKey)> {
+pub fn generate_ca_signed_cert(
+    domains: Vec<String>,
+) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> {
     info!("Generating New Itsi CA - Self signed Certificate. Use `itsi ca export` to export the CA certificate for import into your local trust store.");
 
     let ca_kp = KeyPair::from_pem(ITS_CA_KEY).expect("Failed to load embedded CA key");
@@ -140,13 +180,10 @@ pub fn generate_ca_signed_cert(domains: Vec<String>) -> Result<(Vec<Certificate>
 
     let ee_cert = ee_params.signed_by(&ee_key, &ca_cert, &ca_kp).unwrap();
     let ee_cert_der = ee_cert.der().to_vec();
-    let ee_cert = Certificate(ee_cert_der);
-    let ca_cert = Certificate(ca_cert.der().to_vec());
-    Ok((vec![ee_cert, ca_cert], PrivateKey(ee_key.serialize_der())))
-}
-
-/// TODO: Retrieves an ACME certificate for a given domain.
-pub fn retrieve_acme_cert(domains: Vec<String>) -> Result<(Vec<Certificate>, PrivateKey)> {
-    warn!("Retrieving ACME cert for {}", domains.join(", "));
-    generate_ca_signed_cert(domains)
+    let ee_cert = CertificateDer::from(ee_cert_der);
+    let ca_cert = CertificateDer::from(ca_cert.der().to_vec());
+    Ok((
+        vec![ee_cert, ca_cert],
+        PrivateKeyDer::try_from(ee_key.serialize_der()).unwrap(),
+    ))
 }

data/gems/server/lib/itsi/server/version.rb

@@ -2,6 +2,6 @@
 
 module Itsi
   class Server
-    VERSION = "0.1.3"
+    VERSION = "0.1.5"
   end
 end

data/lib/itsi/version.rb

@@ -1,3 +1,3 @@
 module Itsi
-  VERSION = "0.1.3"
+  VERSION = "0.1.5"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: itsi
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.5
 platform: ruby
 authors:
 - Wouter Coppieters
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.2
+        version: 0.1.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.2
+        version: 0.1.4
 - !ruby/object:Gem::Dependency
   name: itsi-scheduler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.2
+        version: 0.1.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.2
+        version: 0.1.4
 description: Wrapper Gem for both the Itsi server and it's Fiber scheduler
 email:
 - wc@pico.net.nz
@@ -91,6 +91,7 @@ files:
 - crates/itsi_server/src/server/signal.rs
 - crates/itsi_server/src/server/thread_worker.rs
 - crates/itsi_server/src/server/tls.rs
+- crates/itsi_server/src/server/tls/locked_dir_cache.rs
 - crates/itsi_tracing/Cargo.lock
 - crates/itsi_tracing/Cargo.toml
 - crates/itsi_tracing/src/lib.rs
@@ -148,6 +149,7 @@ files:
 - gems/scheduler/ext/itsi_server/src/server/signal.rs
 - gems/scheduler/ext/itsi_server/src/server/thread_worker.rs
 - gems/scheduler/ext/itsi_server/src/server/tls.rs
+- gems/scheduler/ext/itsi_server/src/server/tls/locked_dir_cache.rs
 - gems/scheduler/ext/itsi_tracing/Cargo.lock
 - gems/scheduler/ext/itsi_tracing/Cargo.toml
 - gems/scheduler/ext/itsi_tracing/src/lib.rs
@@ -218,6 +220,7 @@ files:
 - gems/server/ext/itsi_server/src/server/signal.rs
 - gems/server/ext/itsi_server/src/server/thread_worker.rs
 - gems/server/ext/itsi_server/src/server/tls.rs
+- gems/server/ext/itsi_server/src/server/tls/locked_dir_cache.rs
 - gems/server/ext/itsi_tracing/Cargo.lock
 - gems/server/ext/itsi_tracing/Cargo.toml
 - gems/server/ext/itsi_tracing/src/lib.rs