itsi 0.2.26 → 0.2.27.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4ca7f7c888f0f0907a2459612c698fc9cb9abc64c149dca1de68b159593cc1dc
-  data.tar.gz: 7b4c54ea8118e9042e96a1cf7904cf61408c94b9820b9868cd1d82a65eabcdae
+  metadata.gz: 6ea9fdbfbdd35894f2c5977d2624a4b90cb9467b3133d055d5ae87d1b267d5ff
+  data.tar.gz: ad82474c56c170163d2fcc7e75c6e2351fbc61348e3fd8e60697acda4ffbe65a
 SHA512:
-  metadata.gz: cefa0a3a2b934de6dcc8b9ea17789f472b62c887cf43b2bb28d30f685e236c8e123170ae573c7088fed10a06a5aea16ed37b6105248a0cbf0df6a3768a7f52d6
-  data.tar.gz: 71c3f0bd0bb201d3a4fa889eeff42a07d101c77948b834706bff1d68ebb200d50cbc7bb60b0262015450752996f1d440add00f868fb7b40e98dab80725a23a94
+  metadata.gz: 47615c9e033b2119fe5a1c5780ed9acb4731500667fdc42f75df7a9768f0f4feda2d6e80f04ff85a1a938e8832934704b20d81cea48b7d96a87406bae22511e4
+  data.tar.gz: 33ccb5b47c880ab500dc0551fbb853a8e19a5afd95cd3c8a5e4fc64b3895a602a68e8aaaeaa3b1133ad4bf56e968a4821efc71798b2c46b8d62705a790de78cd

data/Cargo.lock

@@ -1662,7 +1662,7 @@ checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"
 
 [[package]]
 name = "itsi-scheduler"
-version = "0.2.26"
+version = "0.2.27"
 dependencies = [
  "bytes",
  "derive_more",
@@ -1680,7 +1680,7 @@ dependencies = [
 
 [[package]]
 name = "itsi-server"
-version = "0.2.26"
+version = "0.2.27"
 dependencies = [
  "argon2",
  "async-channel",
@@ -1742,6 +1742,7 @@ dependencies = [
  "tokio-util",
  "tracing",
  "url",
+ "webpki-roots",
 ]
 
 [[package]]
@@ -1757,6 +1758,7 @@ dependencies = [
  "futures",
  "log",
  "num-bigint",
+ "parking_lot",
  "pem",
  "proc-macro2",
  "rcgen",
@@ -2606,7 +2608,9 @@ dependencies = [
 
 [[package]]
 name = "rb-sys-build"
-version = "0.9.124"
+version = "0.9.126"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "855fc1ad8943d12c89ef12f9147f1cc531f5bf19fb744112fdd317bb6ee7b5c5"
 dependencies = [
  "bindgen 0.72.1",
  "lazy_static",

data/Rakefile

@@ -1,7 +1,19 @@
 # frozen_string_literal: true
 
 require 'bundler/gem_tasks'
-require 'minitest/test_task'
+
+def test_tasks_requested?
+  requested = Rake.application.top_level_tasks
+  return true if requested.empty?
+
+  requested.any? do |task_name|
+    task_name == "test" ||
+      task_name.end_with?(":test") ||
+      task_name.start_with?("test:")
+  end
+end
+
+require 'minitest/test_task' if test_tasks_requested?
 
 # Ensure the nested gems' `lib` directories are included in the LOAD_PATH
 $LOAD_PATH.unshift(File.expand_path('scheduler/lib', __dir__))
@@ -25,17 +37,26 @@ GEMS = [
 ]
 SHARED_TASKS = %i[compile compile:dev test]
 
+def quiet_ruby_env
+  rubyopt = [ENV["RUBYOPT"], "-W0"].compact.join(" ").strip
+  rubyopt.empty? ? {} : { "RUBYOPT" => rubyopt }
+end
+
 GEMS.each do |gem|
   namespace gem[:shortname] do
     desc "Run tasks in the #{gem[:dir]} directory"
     task :default do
-      sh "cd #{gem[:dir]} && bundle exec rake"
+      Dir.chdir(gem[:dir]) do
+        sh quiet_ruby_env, "bundle", "exec", "rake", verbose: false
+      end
     end
 
     SHARED_TASKS.each do |task|
       task task do
         Rake::Task[:sync_crates].invoke
-        sh "cd #{gem[:dir]} && bundle exec rake #{task}"
+        Dir.chdir(gem[:dir]) do
+          sh quiet_ruby_env, "bundle", "exec", "rake", task.to_s, verbose: false
+        end
       end
     end
   end

data/crates/itsi_acme/Cargo.toml

@@ -31,13 +31,14 @@ async-trait = "0.1.53"
 rustls = { version = "0.23", default-features = false, features = ["ring"] }
 time = "0.3.36"                                                                 # force the transitive dependency to a more recent minimal version. The build fails with 0.3.20
 
-tokio = { version = "1.20.1", default-features = false }
+tokio = { version = "1.20.1", default-features = false, features = ["fs", "io-util", "rt", "sync", "time"] }
 tokio-rustls = { version = "0.26", default-features = false, features = [
   "tls12",
 ] }
 reqwest = { version = "0.12", default-features = false, features = [
   "rustls-tls",
 ] }
+parking_lot = "0.12"
 
 # Axum
 axum-server = { version = "0.7", features = ["tokio-rustls"], optional = true }

data/crates/itsi_acme/src/acceptor.rs

@@ -16,7 +16,7 @@ pub struct AcmeAcceptor {
 }
 
 impl AcmeAcceptor {
-    pub(crate) fn new(resolver: Arc<ResolvesServerCertAcme>) -> Self {
+    pub fn new(resolver: Arc<ResolvesServerCertAcme>) -> Self {
         let mut config = ServerConfig::builder()
             .with_no_client_auth()
             .with_cert_resolver(resolver);

data/crates/itsi_acme/src/acme.rs

@@ -1,7 +1,7 @@
 use std::sync::Arc;
 
 use crate::https_helper::{https, HttpsRequestError, Method, Response};
-use crate::jose::{key_authorization_sha256, sign, sign_eab, JoseError};
+use crate::jose::{key_authorization, key_authorization_sha256, sign, sign_eab, JoseError};
 use base64::engine::general_purpose::URL_SAFE_NO_PAD;
 use base64::Engine;
 use rcgen::{CustomExtension, Error as RcgenError, PKCS_ECDSA_P256_SHA256};
@@ -191,7 +191,11 @@ impl Account {
             None => return Err(AcmeError::NoTlsAlpn01Challenge),
         };
         let mut params = rcgen::CertificateParams::new(vec![domain])?;
-        let key_auth = key_authorization_sha256(&self.key_pair, &challenge.token)?;
+        let token = challenge
+            .token
+            .as_deref()
+            .ok_or(AcmeError::MissingChallengeToken)?;
+        let key_auth = key_authorization_sha256(&self.key_pair, token)?;
         params.custom_extensions = vec![CustomExtension::new_acme_identifier(key_auth.as_ref())];
 
         let key_pair = rcgen::KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
@@ -204,6 +208,24 @@ impl Account {
         let certified_key = CertifiedKey::new(vec![cert.der().clone()], pk);
         Ok((challenge, certified_key))
     }
+
+    pub fn http_01<'a>(
+        &self,
+        challenges: &'a [Challenge],
+    ) -> Result<(&'a Challenge, String), AcmeError> {
+        let challenge = challenges.iter().find(|c| c.typ == ChallengeType::Http01);
+
+        let challenge = match challenge {
+            Some(challenge) => challenge,
+            None => return Err(AcmeError::NoHttp01Challenge),
+        };
+        let token = challenge
+            .token
+            .as_deref()
+            .ok_or(AcmeError::MissingChallengeToken)?;
+
+        Ok((challenge, key_authorization(&self.key_pair, token)?))
+    }
 }
 
 #[derive(Debug, Clone, Deserialize)]
@@ -253,6 +275,8 @@ pub enum ChallengeType {
     Dns01,
     #[serde(rename = "tls-alpn-01")]
     TlsAlpn01,
+    #[serde(other)]
+    Unknown,
 }
 
 #[derive(Debug, Deserialize)]
@@ -305,7 +329,7 @@ pub struct Challenge {
     #[serde(rename = "type")]
     pub typ: ChallengeType,
     pub url: String,
-    pub token: String,
+    pub token: Option<String>,
     pub error: Option<Problem>,
 }
 
@@ -335,6 +359,10 @@ pub enum AcmeError {
     Crypto(#[from] Unspecified),
     #[error("acme service response is missing {0} header")]
     MissingHeader(&'static str),
+    #[error("selected challenge is missing token")]
+    MissingChallengeToken,
+    #[error("no http-01 challenge found")]
+    NoHttp01Challenge,
     #[error("no tls-alpn-01 challenge found")]
     NoTlsAlpn01Challenge,
 }

data/crates/itsi_acme/src/http_challenge.rs

@@ -0,0 +1,81 @@
+use parking_lot::RwLock;
+use std::collections::HashMap;
+use std::sync::Arc;
+
+const ACME_CHALLENGE_PREFIX: &str = "/.well-known/acme-challenge/";
+
+#[derive(Debug, Clone, Default)]
+pub struct Http01Handler {
+    challenges: Arc<RwLock<HashMap<String, String>>>,
+}
+
+impl Http01Handler {
+    pub fn new() -> Self {
+        Self::default()
+    }
+
+    pub fn add_challenge(&self, token: String, key_authorization: String) {
+        self.challenges.write().insert(token, key_authorization);
+    }
+
+    pub fn remove_challenge(&self, token: &str) {
+        self.challenges.write().remove(token);
+    }
+
+    pub fn handle_challenge_request(&self, path: &str) -> Option<String> {
+        let token = path.strip_prefix(ACME_CHALLENGE_PREFIX)?;
+        if token.is_empty()
+            || !token
+                .chars()
+                .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
+        {
+            return None;
+        }
+
+        self.challenges.read().get(token).cloned()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::Http01Handler;
+
+    #[test]
+    fn serves_registered_key_authorization() {
+        let handler = Http01Handler::new();
+        handler.add_challenge("token_123".to_string(), "token_123.thumbprint".to_string());
+
+        assert_eq!(
+            handler.handle_challenge_request("/.well-known/acme-challenge/token_123"),
+            Some("token_123.thumbprint".to_string())
+        );
+    }
+
+    #[test]
+    fn rejects_invalid_paths_and_tokens() {
+        let handler = Http01Handler::new();
+        handler.add_challenge("token_123".to_string(), "token_123.thumbprint".to_string());
+
+        assert_eq!(handler.handle_challenge_request("/not-acme"), None);
+        assert_eq!(
+            handler.handle_challenge_request("/.well-known/acme-challenge/"),
+            None
+        );
+        assert_eq!(
+            handler.handle_challenge_request("/.well-known/acme-challenge/invalid token"),
+            None
+        );
+    }
+
+    #[test]
+    fn removes_tokens() {
+        let handler = Http01Handler::new();
+        handler.add_challenge("token_123".to_string(), "token_123.thumbprint".to_string());
+        handler.remove_challenge("token_123");
+
+        assert_eq!(
+            handler.handle_challenge_request("/.well-known/acme-challenge/token_123"),
+            None
+        );
+    }
+}

data/crates/itsi_acme/src/https_helper.rs

@@ -30,7 +30,9 @@ pub(crate) async fn https(
     let client = reqwest::ClientBuilder::new()
         .use_preconfigured_tls(client_config.clone())
         .build()?;
-    let mut request = client.request(method, url.as_ref());
+    let mut request = client
+        .request(method, url.as_ref())
+        .header("User-Agent", concat!("itsi-acme/", env!("CARGO_PKG_VERSION")));
     if let Some(body) = body {
         request = request
             .body(body)

data/crates/itsi_acme/src/jose.rs

@@ -53,11 +53,15 @@ pub(crate) fn key_authorization_sha256(
     key: &EcdsaKeyPair,
     token: &str,
 ) -> Result<Digest, JoseError> {
-    let jwk = Jwk::new(key);
-    let key_authorization = format!("{}.{}", token, jwk.thumb_sha256_base64()?);
+    let key_authorization = key_authorization(key, token)?;
     Ok(digest(&SHA256, key_authorization.as_bytes()))
 }
 
+pub(crate) fn key_authorization(key: &EcdsaKeyPair, token: &str) -> Result<String, JoseError> {
+    let jwk = Jwk::new(key);
+    Ok(format!("{}.{}", token, jwk.thumb_sha256_base64()?))
+}
+
 #[derive(Serialize)]
 pub(crate) struct Body {
     protected: String,

data/crates/itsi_acme/src/lib.rs

@@ -126,6 +126,7 @@ pub mod axum;
 mod cache;
 pub mod caches;
 mod config;
+mod http_challenge;
 mod https_helper;
 mod incoming;
 mod jose;
@@ -137,6 +138,7 @@ pub use tokio_rustls;
 pub use acceptor::*;
 pub use cache::*;
 pub use config::*;
+pub use http_challenge::*;
 pub use incoming::*;
 pub use resolver::*;
 pub use state::*;

data/crates/itsi_acme/src/resolver.rs

@@ -13,24 +13,40 @@ pub struct ResolvesServerCertAcme {
 #[derive(Debug)]
 struct Inner {
     cert: Option<Arc<CertifiedKey>>,
+    certs: BTreeMap<String, Arc<CertifiedKey>>,
     auth_keys: BTreeMap<String, Arc<CertifiedKey>>,
 }
 
 impl ResolvesServerCertAcme {
-    pub(crate) fn new() -> Arc<Self> {
+    pub fn new() -> Arc<Self> {
         Arc::new(Self {
             inner: Mutex::new(Inner {
                 cert: None,
+                certs: Default::default(),
                 auth_keys: Default::default(),
             }),
         })
     }
-    pub(crate) fn set_cert(&self, cert: Arc<CertifiedKey>) {
+    pub fn set_cert(&self, cert: Arc<CertifiedKey>) {
         self.inner.lock().unwrap().cert = Some(cert);
     }
-    pub(crate) fn set_auth_key(&self, domain: String, cert: Arc<CertifiedKey>) {
+    pub fn set_cert_for_domain(&self, domain: String, cert: Arc<CertifiedKey>) {
+        let mut inner = self.inner.lock().unwrap();
+        if inner.cert.is_none() {
+            inner.cert = Some(cert.clone());
+        }
+        inner.certs.insert(domain, cert);
+    }
+    pub fn remove_cert_for_domain(&self, domain: &str) {
+        self.inner.lock().unwrap().certs.remove(domain);
+    }
+    pub fn set_auth_key(&self, domain: String, cert: Arc<CertifiedKey>) {
         self.inner.lock().unwrap().auth_keys.insert(domain, cert);
     }
+
+    pub fn remove_auth_key(&self, domain: &str) {
+        self.inner.lock().unwrap().auth_keys.remove(domain);
+    }
 }
 
 impl ResolvesServerCert for ResolvesServerCertAcme {
@@ -53,7 +69,14 @@ impl ResolvesServerCert for ResolvesServerCertAcme {
                 }
             }
         } else {
-            self.inner.lock().unwrap().cert.clone()
+            let inner = self.inner.lock().unwrap();
+            match client_hello.server_name() {
+                Some(domain) => {
+                    let domain = AsRef::<str>::as_ref(&domain);
+                    inner.certs.get(domain).cloned().or_else(|| inner.cert.clone())
+                }
+                None => inner.cert.clone(),
+            }
         }
     }
 }