tipi 0.41 → 0.42

data/lib/tipi.rb

@@ -1,11 +1,13 @@
 # frozen_string_literal: true
 
 require 'polyphony'
+
 require_relative './tipi/http1_adapter'
-# require_relative './tipi/http1_adapter_new'
 require_relative './tipi/http2_adapter'
 require_relative './tipi/configuration'
 require_relative './tipi/response_extensions'
+require_relative './tipi/acme'
+
 require 'qeweney/request'
 
 class Qeweney::Request
@@ -49,16 +51,95 @@ module Tipi
     ensure
       client.close rescue nil
     end
-    
+
     def protocol_adapter(socket, opts)
       use_http2 = socket.respond_to?(:alpn_protocol) &&
                   socket.alpn_protocol == H2_PROTOCOL
-      klass = use_http2 ? HTTP2Adapter : HTTP1Adapter#New
+      klass = use_http2 ? HTTP2Adapter : HTTP1Adapter
       klass.new(socket, opts)
     end
 
     def route(&block)
       proc { |req| req.route(&block) }
     end
+
+    CERTIFICATE_STORE_DEFAULT_DIR = File.expand_path('~/.tipi')
+    CERTIFICATE_STORE_DEFAULT_DB_PATH = File.join(
+      CERTIFICATE_STORE_DEFAULT_DIR, 'certificates.db'
+    )
+
+    def default_certificate_store
+      FileUtils.mkdir(CERTIFICATE_STORE_DEFAULT_DIR) rescue nil
+      Tipi::ACME::SQLiteCertificateStore.new(CERTIFICATE_STORE_DEFAULT_DB_PATH)
+    end
+
+    def full_service(
+      http_port: 10080,
+      https_port: 10443,
+      certificate_store: default_certificate_store,
+      app: nil, &block
+    )
+      app ||= block
+      raise "No app given" unless app
+
+      http_handler = ->(r) { r.redirect("https://#{r.host}#{r.path}") }
+    
+      ctx = OpenSSL::SSL::SSLContext.new
+      # ctx.ciphers = 'ECDH+aRSA'
+      Polyphony::Net.setup_alpn(ctx, Tipi::ALPN_PROTOCOLS)
+    
+      challenge_handler = Tipi::ACME::HTTPChallengeHandler.new
+      certificate_manager = Tipi::ACME::CertificateManager.new(
+        master_ctx: ctx,
+        store: certificate_store,
+        challenge_handler: challenge_handler
+      )
+    
+      http_listener = spin do
+        opts = {
+          reuse_addr:   true,
+          reuse_port:   true,
+          dont_linger:  true,
+        }
+        puts "Listening for HTTP on localhost:#{http_port}"
+        server = Polyphony::Net.tcp_listen('0.0.0.0', http_port, opts)
+        wrapped_handler = certificate_manager.challenge_routing_app(http_handler)
+        server.accept_loop do |client|
+          spin do
+            Tipi.client_loop(client, opts, &wrapped_handler)
+          rescue => e
+            puts "Uncaught error in HTTP listener: #{e.inspect}"
+          end
+        end
+      ensure
+        server.close
+      end
+    
+      https_listener = spin do
+        opts = {
+          reuse_addr:     true,
+          reuse_port:     true,
+          dont_linger:    true,
+          secure_context: ctx,
+        }
+      
+        puts "Listening for HTTPS on localhost:#{https_port}"
+        server = Polyphony::Net.tcp_listen('0.0.0.0', https_port, opts)
+        loop do
+          client = server.accept
+          spin do
+            Tipi.client_loop(client, opts, &app)
+          rescue => e
+            puts "Uncaught error in HTTPS listener: #{e.inspect}"
+          end
+        rescue OpenSSL::SSL::SSLError, SystemCallError, TypeError
+          # ignore
+        end
+      ensure
+        server.close
+      end
+
+      Fiber.await(http_listener, https_listener)
+    end
   end
 end

data/lib/tipi/acme.rb

@@ -0,0 +1,308 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'acme-client'
+require 'localhost/authority'
+
+module Tipi
+  module ACME
+    class Error < StandardError
+    end
+
+    class CertificateManager
+      def initialize(master_ctx:, store:, challenge_handler:)
+        @master_ctx = master_ctx
+        @store = store
+        @challenge_handler = challenge_handler
+        @contexts = {}
+        @requests = Polyphony::Queue.new
+        @worker = spin { run }
+        setup_sni_callback
+      end
+
+      ACME_CHALLENGE_PATH_REGEXP = /\/\.well\-known\/acme\-challenge/.freeze
+
+      def challenge_routing_app(app)
+        ->(req) do
+          (req.path =~ ACME_CHALLENGE_PATH_REGEXP ? @challenge_handler : app)
+            .(req)
+        rescue => e
+          puts "Error while handling request: #{e.inspect} (headers: #{req.headers})"
+          req.respond(nil, ':status' => Qeweney::Status::BAD_REQUEST)
+        end
+      end
+
+      IP_REGEXP = /^\d+\.\d+\.\d+\.\d+$/
+
+      def setup_sni_callback
+        @master_ctx.servername_cb = proc do |_socket, name|
+          p servername_cb: name
+          state = { ctx: nil }
+
+          if name =~ IP_REGEXP
+            @master_ctx
+          else
+            @requests << [name, state]
+            wait_for_ctx(state)
+            p name: name, error: state if state[:error]
+            # Eventually we might want to return an error returned in
+            # state[:error]. For the time being we handle errors by returning the
+            # master context
+            state[:ctx] || @master_ctx
+          end
+        end
+      end
+    
+      def wait_for_ctx(state)
+        period = 0.00001
+        while !state[:ctx] && !state[:error]
+          orig_sleep period
+          period *= 2 if period < 0.1
+        end
+      end
+      
+      def run
+        loop do
+          name, state = @requests.shift
+          state[:ctx] = get_context(name)
+        rescue => e
+          state[:error] = e if state
+        end
+      end
+    
+      LOCALHOST_REGEXP = /\.?localhost$/.freeze
+
+      def get_context(name)
+        @contexts[name] = setup_context(name)
+      end
+    
+      def setup_context(name)
+        ctx = provision_context(name)
+        transfer_ctx_settings(ctx)
+        ctx
+      end
+
+      def provision_context(name)
+        return localhost_context if name =~ LOCALHOST_REGEXP
+
+        info = get_certificate(name)
+        ctx = OpenSSL::SSL::SSLContext.new
+        chain = parse_certificate(info[:certificate])
+        cert = chain.shift
+        ctx.add_certificate(cert, info[:private_key], chain)
+        ctx
+      end
+
+      def transfer_ctx_settings(ctx)
+        ctx.alpn_protocols = @master_ctx.alpn_protocols
+        ctx.alpn_select_cb =  @master_ctx.alpn_select_cb
+        ctx.ciphers = @master_ctx.ciphers
+      end
+
+      CERTIFICATE_REGEXP = /(-----BEGIN CERTIFICATE-----\n[^-]+-----END CERTIFICATE-----\n)/.freeze
+    
+      def parse_certificate(certificate)
+        certificate
+          .scan(CERTIFICATE_REGEXP)
+          .map { |p|  OpenSSL::X509::Certificate.new(p.first) }
+      end
+
+      def get_expired_stamp(certificate)
+        chain = parse_certificate(certificate)
+        cert = chain.shift
+        cert.not_after
+      end
+
+      def get_certificate(name)
+        entry = @store.get(name)
+        return entry if entry
+
+        provision_certificate(name).tap do |entry|
+          @store.set(name, **entry)
+        end
+      end
+
+      def localhost_context
+        @localhost_authority ||= Localhost::Authority.fetch
+        @localhost_authority.server_context
+      end
+    
+      def private_key
+        @private_key ||= OpenSSL::PKey::RSA.new(4096)
+      end
+    
+      ACME_DIRECTORY = 'https://acme-v02.api.letsencrypt.org/directory'
+    
+      def acme_client
+        @acme_client ||= setup_acme_client
+      end
+    
+      def setup_acme_client
+        client = Acme::Client.new(
+          private_key: private_key,
+          directory: ACME_DIRECTORY
+        )
+        account = client.new_account(
+          contact: 'mailto:info@noteflakes.com',
+          terms_of_service_agreed: true
+        )
+        client
+      end
+    
+      def provision_certificate(name)
+        p provision_certificate: name
+        order = acme_client.new_order(identifiers: [name])
+        authorization = order.authorizations.first
+        challenge = authorization.http
+      
+        @challenge_handler.add(challenge)
+        challenge.request_validation
+        while challenge.status == 'pending'
+          sleep(0.25)
+          challenge.reload
+        end
+        raise ACME::Error, "Invalid CSR" if challenge.status == 'invalid'
+      
+        p challenge_status: challenge.status
+        private_key = OpenSSL::PKey::RSA.new(4096)
+        csr = Acme::Client::CertificateRequest.new(
+          private_key: private_key,
+          subject: { common_name: name }
+        )
+        order.finalize(csr: csr)
+        while order.status == 'processing'
+          sleep(0.25)
+          order.reload
+        end
+        certificate = begin
+          order.certificate(force_chain: 'DST Root CA X3')
+        rescue Acme::Client::Error::ForcedChainNotFound
+          order.certificate
+        end
+        expired_stamp = get_expired_stamp(certificate)
+        puts "Certificate for #{name} expires: #{expired_stamp.inspect}"
+
+        {
+          private_key: private_key,
+          certificate: certificate,
+          expired_stamp: expired_stamp
+        }
+      end
+    end
+  
+    class HTTPChallengeHandler
+      def initialize
+        @challenges = {}
+      end
+    
+      def add(challenge)
+        path = "/.well-known/acme-challenge/#{challenge.token}"
+        @challenges[path] = challenge
+      end
+    
+      def remove(challenge)
+        path = "/.well-known/acme-challenge/#{challenge.token}"
+        @challenges.delete(path)
+      end
+    
+      def call(req)
+        challenge = @challenges[req.path]
+    
+        # handle incoming request
+        challenge = @challenges[req.path]
+        return req.respond(nil, ':status' => 400) unless challenge
+    
+        req.respond(challenge.file_content, 'content-type' => challenge.content_type)
+      end
+    end    
+  
+    class CertificateStore
+      def set(name, private_key:, certificate:, expired_stamp:)
+        raise NotImplementedError
+      end
+
+      def get(name)
+        raise NotImplementedError
+      end
+    end
+
+    class InMemoryCertificateStore
+      def initialize
+        @store = {}
+      end
+
+      def set(name, private_key:, certificate:, expired_stamp:)
+        @store[name] = {
+          private_key:    private_key,
+          certificate:    certificate,
+          expired_stamp:  expired_stamp
+        }
+      end
+
+      def get(name)
+        entry = @store[name]
+        return nil unless entry
+        if Time.now >= entry[:expired_stamp]
+          @store.delete(name)
+          return nil
+        end
+
+        entry
+      end
+    end
+
+    class SQLiteCertificateStore
+      attr_reader :db
+
+      def initialize(path)
+        require 'extralite'
+
+        @db = Extralite::Database.new(path)
+        @db.query("
+          create table if not exists certificates (
+            name primary key not null,
+            private_key not null,
+            certificate not null,
+            expired_stamp not null
+          );"
+        )
+      end
+
+      def set(name, private_key:, certificate:, expired_stamp:)
+        @db.query("
+          insert into certificates values (?, ?, ?, ?)
+        ", name, private_key.to_s, certificate, expired_stamp.to_i)
+      rescue Extralite::Error => e
+        p error_in_set: e
+        raise e
+      end
+
+      def get(name)
+        remove_expired_certificates
+
+        entry = @db.query_single_row("
+          select name, private_key, certificate, expired_stamp
+            from certificates
+           where name = ?
+        ", name)
+        return nil unless entry
+        entry[:expired_stamp] = Time.at(entry[:expired_stamp])
+        entry[:private_key] = OpenSSL::PKey::RSA.new(entry[:private_key])
+        entry
+      rescue Extralite::Error => e
+        p error_in_get: e
+        raise e
+      end
+
+      def remove_expired_certificates
+        @db.query("
+          delete from certificates
+          where expired_stamp < ?
+        ", Time.now.to_i)
+      rescue Extralite::Error => e
+        p error_in_remove_expired_certificates: e
+        raise e
+      end
+    end
+  end
+end

data/lib/tipi/cli.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'tipi'
+require 'fileutils'
+
+module Tipi
+  module CLI
+    BANNER = "
+         ooo
+       oo
+     o
+   \\|/    Tipi - a better web server for a better world
+   / \\       
+  /   \\      https://github.com/digital-fabric/tipi
+⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺⎺
+"
+
+    def self.start
+      display_banner
+      require File.expand_path(ARGV[0] || 'app.rb', FileUtils.pwd)
+    end
+
+    def self.display_banner
+      puts BANNER
+      puts
+    end
+  end
+end
+
+__END__