tipi 0.40 → 0.45

data/lib/tipi/acme.rb

@@ -0,0 +1,315 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'acme-client'
+require 'localhost/authority'
+
+module Tipi
+  module ACME
+    class Error < StandardError
+    end
+
+    class CertificateManager
+      def initialize(master_ctx:, store:, challenge_handler:)
+        @master_ctx = master_ctx
+        @store = store
+        @challenge_handler = challenge_handler
+        @contexts = {}
+        @requests = Polyphony::Queue.new
+        @worker = spin { run }
+        setup_sni_callback
+      end
+
+      ACME_CHALLENGE_PATH_REGEXP = /\/\.well\-known\/acme\-challenge/.freeze
+
+      def challenge_routing_app(app)
+        ->(req) do
+          (req.path =~ ACME_CHALLENGE_PATH_REGEXP ? @challenge_handler : app)
+            .(req)
+        rescue => e
+          puts "Error while handling request: #{e.inspect} (headers: #{req.headers})"
+          req.respond(nil, ':status' => Qeweney::Status::BAD_REQUEST)
+        end
+      end
+
+      IP_REGEXP = /^\d+\.\d+\.\d+\.\d+$/
+
+      def setup_sni_callback
+        @master_ctx.servername_cb = proc { |_socket, name| get_ctx(name) }
+      end
+
+      def get_ctx(name)
+        state = { ctx: nil }
+
+        ready_ctx = @contexts[name]
+        return ready_ctx if ready_ctx
+        return @master_ctx if name =~ IP_REGEXP
+
+        @requests << [name, state]
+        wait_for_ctx(state)
+        # Eventually we might want to return an error returned in
+        # state[:error]. For the time being we handle errors by returning the
+        # master context
+        state[:ctx] || @master_ctx
+      rescue => e
+        @master_ctx
+      end
+
+      MAX_WAIT_FOR_CTX_DURATION = 30
+
+      def wait_for_ctx(state)
+        t0 = Time.now
+        period = 0.00001
+        while !state[:ctx] && !state[:error]
+          orig_sleep period
+          if period < 0.1
+            period *= 2
+          elsif Time.now - t0 > MAX_WAIT_FOR_CTX_DURATION
+            raise "Timeout waiting for certificate provisioning"
+          end
+        end
+      end
+
+      def run
+        loop do
+          name, state = @requests.shift
+          state[:ctx] = get_context(name)
+        rescue => e
+          state[:error] = e if state
+        end
+      end
+
+      LOCALHOST_REGEXP = /\.?localhost$/.freeze
+
+      def get_context(name)
+        @contexts[name] = setup_context(name)
+      end
+
+      def setup_context(name)
+        ctx = provision_context(name)
+        transfer_ctx_settings(ctx)
+        ctx
+      end
+
+      def provision_context(name)
+        return localhost_context if name =~ LOCALHOST_REGEXP
+
+        info = get_certificate(name)
+        ctx = OpenSSL::SSL::SSLContext.new
+        chain = parse_certificate(info[:certificate])
+        cert = chain.shift
+        ctx.add_certificate(cert, info[:private_key], chain)
+        ctx
+      end
+
+      def transfer_ctx_settings(ctx)
+        ctx.alpn_protocols = @master_ctx.alpn_protocols
+        ctx.alpn_select_cb =  @master_ctx.alpn_select_cb
+        ctx.ciphers = @master_ctx.ciphers
+      end
+
+      CERTIFICATE_REGEXP = /(-----BEGIN CERTIFICATE-----\n[^-]+-----END CERTIFICATE-----\n)/.freeze
+
+      def parse_certificate(certificate)
+        certificate
+          .scan(CERTIFICATE_REGEXP)
+          .map { |p|  OpenSSL::X509::Certificate.new(p.first) }
+      end
+
+      def get_expired_stamp(certificate)
+        chain = parse_certificate(certificate)
+        cert = chain.shift
+        cert.not_after
+      end
+
+      def get_certificate(name)
+        entry = @store.get(name)
+        return entry if entry
+
+        provision_certificate(name).tap do |entry|
+          @store.set(name, **entry)
+        end
+      end
+
+      def localhost_context
+        @localhost_authority ||= Localhost::Authority.fetch
+        @localhost_authority.server_context
+      end
+
+      def private_key
+        @private_key ||= OpenSSL::PKey::RSA.new(4096)
+      end
+
+      ACME_DIRECTORY = 'https://acme-v02.api.letsencrypt.org/directory'
+
+      def acme_client
+        @acme_client ||= setup_acme_client
+      end
+
+      def setup_acme_client
+        client = Acme::Client.new(
+          private_key: private_key,
+          directory: ACME_DIRECTORY
+        )
+        account = client.new_account(
+          contact: 'mailto:info@noteflakes.com',
+          terms_of_service_agreed: true
+        )
+        client
+      end
+
+      def provision_certificate(name)
+        order = acme_client.new_order(identifiers: [name])
+        authorization = order.authorizations.first
+        challenge = authorization.http
+
+        @challenge_handler.add(challenge)
+        challenge.request_validation
+        while challenge.status == 'pending'
+          sleep(0.25)
+          challenge.reload
+        end
+        raise ACME::Error, "Invalid CSR" if challenge.status == 'invalid'
+
+        private_key = OpenSSL::PKey::RSA.new(4096)
+        csr = Acme::Client::CertificateRequest.new(
+          private_key: private_key,
+          subject: { common_name: name }
+        )
+        order.finalize(csr: csr)
+        while order.status == 'processing'
+          sleep(0.25)
+          order.reload
+        end
+        certificate = begin
+          order.certificate(force_chain: 'DST Root CA X3')
+        rescue Acme::Client::Error::ForcedChainNotFound
+          order.certificate
+        end
+        expired_stamp = get_expired_stamp(certificate)
+        puts "Certificate for #{name} expires: #{expired_stamp.inspect}"
+
+        {
+          private_key: private_key,
+          certificate: certificate,
+          expired_stamp: expired_stamp
+        }
+      end
+    end
+
+    class HTTPChallengeHandler
+      def initialize
+        @challenges = {}
+      end
+
+      def add(challenge)
+        path = "/.well-known/acme-challenge/#{challenge.token}"
+        @challenges[path] = challenge
+      end
+
+      def remove(challenge)
+        path = "/.well-known/acme-challenge/#{challenge.token}"
+        @challenges.delete(path)
+      end
+
+      def call(req)
+        challenge = @challenges[req.path]
+
+        # handle incoming request
+        challenge = @challenges[req.path]
+        return req.respond(nil, ':status' => 400) unless challenge
+
+        req.respond(challenge.file_content, 'content-type' => challenge.content_type)
+      end
+    end
+
+    class CertificateStore
+      def set(name, private_key:, certificate:, expired_stamp:)
+        raise NotImplementedError
+      end
+
+      def get(name)
+        raise NotImplementedError
+      end
+    end
+
+    class InMemoryCertificateStore
+      def initialize
+        @store = {}
+      end
+
+      def set(name, private_key:, certificate:, expired_stamp:)
+        @store[name] = {
+          private_key:    private_key,
+          certificate:    certificate,
+          expired_stamp:  expired_stamp
+        }
+      end
+
+      def get(name)
+        entry = @store[name]
+        return nil unless entry
+        if Time.now >= entry[:expired_stamp]
+          @store.delete(name)
+          return nil
+        end
+
+        entry
+      end
+    end
+
+    class SQLiteCertificateStore
+      attr_reader :db
+
+      def initialize(path)
+        require 'extralite'
+
+        @db = Extralite::Database.new(path)
+        @db.query("
+          create table if not exists certificates (
+            name primary key not null,
+            private_key not null,
+            certificate not null,
+            expired_stamp not null
+          );"
+        )
+      end
+
+      def set(name, private_key:, certificate:, expired_stamp:)
+        @db.query("
+          insert into certificates values (?, ?, ?, ?)
+        ", name, private_key.to_s, certificate, expired_stamp.to_i)
+      rescue Extralite::Error => e
+        p error_in_set: e
+        raise e
+      end
+
+      def get(name)
+        remove_expired_certificates
+
+        entry = @db.query_single_row("
+          select name, private_key, certificate, expired_stamp
+            from certificates
+           where name = ?
+        ", name)
+        return nil unless entry
+        entry[:expired_stamp] = Time.at(entry[:expired_stamp])
+        entry[:private_key] = OpenSSL::PKey::RSA.new(entry[:private_key])
+        entry
+      rescue Extralite::Error => e
+        p error_in_get: e
+        raise e
+      end
+
+      def remove_expired_certificates
+        @db.query("
+          delete from certificates
+          where expired_stamp < ?
+        ", Time.now.to_i)
+      rescue Extralite::Error => e
+        p error_in_remove_expired_certificates: e
+        raise e
+      end
+    end
+  end
+end

data/lib/tipi/cli.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require 'tipi'
+require 'fileutils'
+require 'tipi/supervisor'
+require 'optparse'
+
+module Tipi
+  DEFAULT_OPTS = {
+    app_type: :web,
+    mode: :polyphony,
+    workers: 1,
+    threads: 1,
+    listen: ['http', 'localhost', 1234],
+    path: '.',
+  }
+
+  def self.opts_from_argv(argv)
+    opts = DEFAULT_OPTS.dup
+    parser = OptionParser.new do |o|
+      o.banner = "Usage: tipi [options] path"
+      o.on('-h', '--help', 'Show this help') { puts o; exit }
+      o.on('-wNUM', '--workers NUM', 'Number of worker processes (default: 1)') do |v|
+        opts[:workers] = v
+      end
+      o.on('-tNUM', '--threads NUM', 'Number of worker threads (default: 1)') do |v|
+        opts[:threads] = v
+        opts[:mode] = :stock
+      end
+      o.on('-c', '--compatibility', 'Use compatibility mode') do
+        opts[:mode] = :stock
+      end
+      o.on('-lSPEC', '--listen SPEC', 'Setup HTTP listener') do |v|
+        opts[:listen] = parse_listen_spec('http', v)
+      end
+      o.on('-sSPEC', '--secure SPEC', 'Setup HTTPS listener (for localhost)') do |v|
+        opts[:listen] = parse_listen_spec('https', v)
+      end
+      o.on('-fSPEC', '--full-service SPEC', 'Setup HTTP/HTTPS listeners (with automatic certificates)') do |v|
+        opts[:listen] = parse_listen_spec('full', v)
+      end
+      o.on('-v', '--verbose', 'Verbose output') do
+        opts[:verbose] = true
+      end
+    end.parse!(argv)
+    opts[:path] = argv.shift unless argv.empty?
+    verify_path(opts[:path])
+    opts
+  end
+
+  def self.parse_listen_spec(type, spec)
+    [type, *spec.split(':').map { |s| str_to_native_type(s) }]
+  end
+
+  def self.str_to_native_type(str)
+    case str
+    when /^\d+$/
+      str.to_i
+    else
+      str
+    end
+  end
+
+  def self.verify_path(path)
+    return if File.file?(path) || File.directory?(path)
+
+    puts "Invalid path specified #{opts[:path]}"
+    exit!
+  end
+
+  module CLI
+    BANNER =
+      "\n" +
+      "         ooo\n" +
+      "       oo\n" +
+      "     o\n" +
+      "   \\|/    Tipi - a better web server for a better world\n" +
+      "   / \\       \n" +
+      "  /   \\      https://github.com/digital-fabric/tipi\n" +
+      "⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺\n"
+
+    def self.start(argv = ARGV.dup)
+      opts = Tipi.opts_from_argv(argv)
+      display_banner if STDOUT.tty? && !opts[:silent]
+
+      Tipi::Supervisor.run(opts)
+    end
+
+    def self.display_banner
+      puts BANNER
+    end
+  end
+end

data/lib/tipi/config_dsl.rb

@@ -4,28 +4,28 @@ module Tipi
   module Configuration
     class Interpreter
       # make_blank_slate
-      
+
       def initialize(assembler)
         @assembler = assembler
       end
-      
+
       def gzip_response
         @assembler.emit 'req = Tipi::GZip.wrap(req)'
       end
-      
+
       def log(out)
         @assembler.wrap_current_frame 'logger.log_request(req) do |req|'
       end
-        
+
       def error(&block)
         assembler.emit_exception_handler &block
       end
-        
+
       def match(pattern, &block)
         @assembler.emit_conditional "if req.path =~ #{pattern.inspect}", &block
       end
     end
-      
+
     class Assembler
       def self.from_source(code)
         new.from_source code
@@ -36,7 +36,7 @@ module Tipi
         @app_procs = {}
         @interpreter = Interpreter.new self
         @interpreter.instance_eval code
-        
+
         loop do
           frame = @stack.pop
           return assemble_app_proc(frame).join("\n") if @stack.empty?
@@ -51,7 +51,7 @@ module Tipi
           body: []
         }
       end
-        
+
       def add_frame(&block)
         @stack.push new_frame
         yield
@@ -67,20 +67,20 @@ module Tipi
         @stack.push wrapper
         @stack.push frame
       end
-        
+
       def emit(code)
         @stack.last[:body] << code
       end
-      
+
       def emit_prelude(code)
         @stack.last[:prelude] << code
       end
-      
+
       def emit_exception_handler(&block)
         proc_id = add_app_proc block
         @stack.last[:rescue_proc_id] = proc_id
       end
-      
+
       def emit_block(conditional, &block)
         proc_id = add_app_proc block
         @stack.last[:branched] = true
@@ -93,7 +93,7 @@ module Tipi
         @app_procs[id] = proc
         id
       end
-      
+
       def assemble_frame(frame)
         indent = 0
         lines = []

data/lib/tipi/configuration.rb

@@ -12,7 +12,7 @@ module Tipi
           old_runner&.stop
         end
       end
-      
+
       def run(config)
         start_listeners(config)
         config[:forked] ? forked_supervise(config) : simple_supervise(config)
@@ -29,7 +29,7 @@ module Tipi
         suspend
         # supervise(restart: true)
       end
-      
+
       def forked_supervise(config)
         config[:forked].times do
           spin { Polyphony.watch_process { simple_supervise(config) } }

data/lib/tipi/controller/bare_stock.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Tipi
+  module Apps
+    module Bare
+      def start(opts)
+      end
+    end
+  end
+end

data/lib/tipi/controller/stock_http1_adapter.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'tipi/http1_adapter'
+
+module Tipi
+  class StockHTTP1Adapter < HTTP1Adapter
+    def initialize(conn, opts)
+      super(conn, opts)
+
+    end
+
+    def each(&block)
+    end
+  end
+end