roster-server 2.2.10 → 2.2.12

package/vendor/greenlock/accounts.js

@@ -0,0 +1,218 @@
+'use strict';
+
+var A = module.exports;
+var log = require('lemonlog')('greenlock-accounts');
+var U = require('./utils.js');
+var E = require('./errors.js');
+
+var pending = {};
+
+A._getOrCreate = function(gnlck, mconf, db, acme, args) {
+    var email = args.subscriberEmail || mconf.subscriberEmail;
+
+    if (!email) {
+        throw E.NO_SUBSCRIBER('get account', args.subject);
+    }
+
+    // TODO send welcome message with benefit info
+    return U._validMx(email)
+        .catch(function() {
+            throw E.NO_SUBSCRIBER('get account', args.subcriberEmail);
+        })
+        .then(function() {
+            if (pending[email]) {
+                return pending[email];
+            }
+
+            pending[email] = A._rawGetOrCreate(
+                gnlck,
+                mconf,
+                db,
+                acme,
+                args,
+                email
+            )
+                .catch(function(e) {
+                    delete pending[email];
+                    throw e;
+                })
+                .then(function(result) {
+                    delete pending[email];
+                    return result;
+                });
+
+            return pending[email];
+        });
+};
+
+// What we really need out of this is the private key and the ACME "key" id
+A._rawGetOrCreate = function(gnlck, mconf, db, acme, args, email) {
+    var p;
+    if (db.check) {
+        p = A._checkStore(gnlck, mconf, db, acme, args, email);
+    } else {
+        p = Promise.resolve(null);
+    }
+
+    return p.then(function(fullAccount) {
+        if (!fullAccount) {
+            return A._newAccount(gnlck, mconf, db, acme, args, email, null);
+        }
+
+        if (fullAccount.keypair && fullAccount.key && fullAccount.key.kid) {
+            return fullAccount;
+        }
+
+        return A._newAccount(gnlck, mconf, db, acme, args, email, fullAccount);
+    });
+};
+
+A._newAccount = function(gnlck, mconf, db, acme, args, email, fullAccount) {
+    var keyType = args.accountKeyType || mconf.accountKeyType;
+    var query = {
+        subject: args.subject,
+        email: email,
+        subscriberEmail: email,
+        customerEmail: args.customerEmail,
+        account: fullAccount || {},
+        directoryUrl:
+            args.directoryUrl ||
+            mconf.directoryUrl ||
+            gnlck._defaults.directoryUrl
+    };
+
+    return U._getOrCreateKeypair(db, args.subject, query, keyType).then(
+        function(kresult) {
+            var keypair = kresult.keypair;
+            var accReg = {
+                subscriberEmail: email,
+                agreeToTerms:
+                    args.agreeToTerms ||
+                    mconf.agreeToTerms ||
+                    gnlck._defaults.agreeToTerms,
+                accountKey: keypair.privateKeyJwk || keypair.private,
+                debug: args.debug
+            };
+            return acme.accounts.create(accReg).then(function(receipt) {
+                var reg = {
+                    keypair: keypair,
+                    receipt: receipt,
+                    // shudder... not actually a KeyID... but so it is called anyway...
+                    kid:
+                        receipt &&
+                        receipt.key &&
+                        (receipt.key.kid || receipt.kid),
+                    email: args.email,
+                    subscriberEmail: email,
+                    customerEmail: args.customerEmail
+                };
+
+                var keyP;
+                if (kresult.exists) {
+                    keyP = Promise.resolve();
+                } else {
+                    query.keypair = keypair;
+                    query.receipt = receipt;
+                    /*
+					query.server = gnlck._defaults.directoryUrl.replace(
+						/^https?:\/\//i,
+						''
+					);
+                    */
+                    keyP = db.setKeypair(query, keypair);
+                }
+
+                return keyP
+                    .then(function() {
+                        if (!db.set) {
+                            return Promise.resolve({
+                                keypair: keypair
+                            });
+                        }
+                        return db.set(
+                            {
+                                // id to be set by Store
+                                email: email,
+                                subscriberEmail: email,
+                                customerEmail: args.customerEmail,
+                                agreeTos: true,
+                                agreeToTerms: true,
+                                directoryUrl:
+                                    args.directoryUrl ||
+                                    mconf.directoryUrl ||
+                                    gnlck._defaults.directoryUrl
+                                /*
+								server: gnlck._defaults.directoryUrl.replace(
+									/^https?:\/\//i,
+									''
+								)
+                                */
+                            },
+                            reg
+                        );
+                    })
+                    .then(function(fullAccount) {
+                        if (fullAccount && 'object' !== typeof fullAccount) {
+                            throw new Error(
+                                "accounts.set should either return 'null' or an object with an 'id' string"
+                            );
+                        }
+
+                        if (!fullAccount) {
+                            fullAccount = {};
+                        }
+                        fullAccount.keypair = keypair;
+                        if (!fullAccount.key) {
+                            fullAccount.key = {};
+                        }
+                        fullAccount.key.kid = reg.kid;
+
+                        return fullAccount;
+                    });
+            });
+        }
+    );
+};
+
+A._checkStore = function(gnlck, mconf, db, acme, args, email) {
+    if ((args.domain || args.domains) && !args.subject) {
+        log.warn("Use 'subject' instead of 'domain'");
+        args.subject = args.domain;
+    }
+
+    var account = args.account;
+    if (!account) {
+        account = {};
+    }
+
+    if (args.accountKey) {
+        log.warn('Prefer storing accountKey in your account key store instead of passing it');
+        // TODO we probably don't need this
+        return U._importKeypair(args.accountKey);
+    }
+
+    if (!db.check) {
+        return Promise.resolve(null);
+    }
+
+    return db
+        .check({
+            //keypair: undefined,
+            //receipt: undefined,
+            email: email,
+            subscriberEmail: email,
+            customerEmail: args.customerEmail || mconf.customerEmail,
+            account: account,
+            directoryUrl:
+                args.directoryUrl ||
+                mconf.directoryUrl ||
+                gnlck._defaults.directoryUrl
+        })
+        .then(function(fullAccount) {
+            if (!fullAccount) {
+                return null;
+            }
+
+            return fullAccount;
+        });
+};

package/vendor/greenlock/bin/add.js

@@ -0,0 +1,72 @@
+'use strict';
+
+var log = require('lemonlog')('greenlock-add');
+var args = process.argv.slice(3);
+var cli = require('./lib/cli.js');
+//var path = require('path');
+//var pkgpath = path.join(__dirname, '..', 'package.json');
+//var pkgpath = path.join(process.cwd(), 'package.json');
+
+var Flags = require('./lib/flags.js');
+
+Flags.init().then(function({ flagOptions, greenlock, mconf }) {
+    var myFlags = {};
+    [
+        'subject',
+        'altnames',
+        'renew-offset',
+        'subscriber-email',
+        'customer-email',
+        'server-key-type',
+        'challenge-http-01',
+        'challenge-http-01-xxxx',
+        'challenge-dns-01',
+        'challenge-dns-01-xxxx',
+        'challenge-tls-alpn-01',
+        'challenge-tls-alpn-01-xxxx',
+        'challenge',
+        'challenge-xxxx',
+        'challenge-json',
+        'force-save'
+    ].forEach(function(k) {
+        myFlags[k] = flagOptions[k];
+    });
+
+    cli.parse(myFlags);
+    cli.main(function(argList, flags) {
+        Flags.mangleFlags(flags, mconf);
+        main(argList, flags, greenlock);
+    }, args);
+});
+
+async function main(_, flags, greenlock) {
+    if (!flags.subject || !flags.altnames) {
+        log.error('Provide --subject and --altnames (valid domains)');
+        process.exit(1);
+        return;
+    }
+
+    greenlock
+        .add(flags)
+        .catch(function(err) {
+            log.error('Add failed:', err.message);
+            process.exit(1);
+        })
+        .then(function() {
+            return greenlock
+                ._config({
+                    servername:
+                        flags.altnames[
+                            Math.floor(Math.random() * flags.altnames.length)
+                        ]
+                })
+                .then(function(site) {
+                    if (!site) {
+                        log.error('No config found after add (internal mismatch)');
+                        process.exit(1);
+                        return;
+                    }
+                    log.info('Site config:', site);
+                });
+        });
+}

package/vendor/greenlock/bin/certonly.js

@@ -0,0 +1,368 @@
+'use strict';
+
+var log = require('lemonlog')('greenlock-certonly');
+var mkdirp = require('@root/mkdirp');
+var cli = require('./cli.js');
+
+cli.parse({
+    'directory-url': [
+        false,
+        ' ACME Directory Resource URL',
+        'string',
+        'https://acme-v02.api.letsencrypt.org/directory',
+        'server,acme-url'
+    ],
+    email: [
+        false,
+        ' Email used for registration and recovery contact. (default: null)',
+        'email'
+    ],
+    'agree-tos': [
+        false,
+        " Agree to the Greenlock and Let's Encrypt Subscriber Agreements",
+        'boolean',
+        false
+    ],
+    'community-member': [
+        false,
+        ' Submit stats to and get updates from Greenlock',
+        'boolean',
+        false
+    ],
+    domains: [
+        false,
+        ' Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: [])',
+        'string'
+    ],
+    'renew-offset': [
+        false,
+        ' Positive (time after issue) or negative (time before expiry) offset, such as 30d or -45d',
+        'string',
+        '45d'
+    ],
+    'renew-within': [
+        false,
+        ' (ignored) use renew-offset instead',
+        'ignore',
+        undefined
+    ],
+    'cert-path': [
+        false,
+        ' Path to where new cert.pem is saved',
+        'string',
+        ':configDir/live/:hostname/cert.pem'
+    ],
+    'fullchain-path': [
+        false,
+        ' Path to where new fullchain.pem (cert + chain) is saved',
+        'string',
+        ':configDir/live/:hostname/fullchain.pem'
+    ],
+    'bundle-path': [
+        false,
+        ' Path to where new bundle.pem (fullchain + privkey) is saved',
+        'string',
+        ':configDir/live/:hostname/bundle.pem'
+    ],
+    'chain-path': [
+        false,
+        ' Path to where new chain.pem is saved',
+        'string',
+        ':configDir/live/:hostname/chain.pem'
+    ],
+    'privkey-path': [
+        false,
+        ' Path to where privkey.pem is saved',
+        'string',
+        ':configDir/live/:hostname/privkey.pem'
+    ],
+    'config-dir': [
+        false,
+        ' Configuration directory.',
+        'string',
+        '~/letsencrypt/etc/'
+    ],
+    store: [
+        false,
+        ' The name of the storage module to use',
+        'string',
+        'greenlock-store-fs'
+    ],
+    'store-xxxx': [
+        false,
+        ' An option for the chosen storage module, such as --store-apikey or --store-bucket',
+        'bag'
+    ],
+    'store-json': [
+        false,
+        ' A JSON string containing all option for the chosen store module (instead of --store-xxxx)',
+        'json',
+        '{}'
+    ],
+    challenge: [
+        false,
+        ' The name of the HTTP-01, DNS-01, or TLS-ALPN-01 challenge module to use',
+        'string',
+        '@greenlock/acme-http-01-fs'
+    ],
+    'challenge-xxxx': [
+        false,
+        ' An option for the chosen challenge module, such as --challenge-apikey or --challenge-bucket',
+        'bag'
+    ],
+    'challenge-json': [
+        false,
+        ' A JSON string containing all option for the chosen challenge module (instead of --challenge-xxxx)',
+        'json',
+        '{}'
+    ],
+    'skip-dry-run': [
+        false,
+        ' Use with caution (and test with the staging url first). Creates an Order on the ACME server without a self-test.',
+        'boolean'
+    ],
+    'skip-challenge-tests': [
+        false,
+        ' Use with caution (and with the staging url first). Presents challenges to the ACME server without first testing locally.',
+        'boolean'
+    ],
+    'http-01-port': [
+        false,
+        ' Required to be 80 for live servers. Do not use. For special test environments only.',
+        'int'
+    ],
+    'dns-01': [false, ' Use DNS-01 challange type', 'boolean', false],
+    standalone: [
+        false,
+        ' Obtain certs using a "standalone" webserver.',
+        'boolean',
+        false
+    ],
+    manual: [
+        false,
+        ' Print the token and key to the screen and wait for you to hit enter, giving you time to copy it somewhere before continuing (uses acme-http-01-cli or acme-dns-01-cli)',
+        'boolean',
+        false
+    ],
+    debug: [false, ' show traces and logs', 'boolean', false],
+    root: [
+        false,
+        ' public_html / webroot path (may use the :hostname template such as /srv/www/:hostname)',
+        'string',
+        undefined,
+        'webroot-path'
+    ],
+
+    //
+    // backwards compat
+    //
+    duplicate: [
+        false,
+        ' Allow getting a certificate that duplicates an existing one/is an early renewal',
+        'boolean',
+        false
+    ],
+    'rsa-key-size': [
+        false,
+        ' (ignored) use server-key-type or account-key-type instead',
+        'ignore',
+        2048
+    ],
+    'server-key-path': [
+        false,
+        ' Path to privkey.pem to use for certificate (default: generate new)',
+        'string',
+        undefined,
+        'domain-key-path'
+    ],
+    'server-key-type': [
+        false,
+        " One of 'RSA' (2048), 'RSA-3084', 'RSA-4096', 'ECDSA' (P-256), or 'P-384'. For best compatibility, security, and efficiency use the default (More bits != More security)",
+        'string',
+        'RSA'
+    ],
+    'account-key-path': [
+        false,
+        ' Path to privkey.pem to use for account (default: generate new)',
+        'string'
+    ],
+    'account-key-type': [
+        false,
+        " One of 'ECDSA' (P-256), 'P-384', 'RSA', 'RSA-3084', or 'RSA-4096'. Stick with 'ECDSA' (P-256) unless you need 'RSA' (2048) for legacy compatibility. (More bits != More security)",
+        'string',
+        'P-256'
+    ],
+    webroot: [false, ' (ignored) for certbot compatibility', 'ignore', false],
+    //, 'standalone-supported-challenges': [ false, " Supported challenges, order preferences are randomly chosen. (default: http-01,tls-alpn-01)", 'string', 'http-01']
+    'work-dir': [
+        false,
+        ' for certbot compatibility (ignored)',
+        'string',
+        '~/letsencrypt/var/lib/'
+    ],
+    'logs-dir': [
+        false,
+        ' for certbot compatibility (ignored)',
+        'string',
+        '~/letsencrypt/var/log/'
+    ],
+    'acme-version': [
+        false,
+        ' (ignored) ACME is now RFC 8555 and prior drafts are no longer supported',
+        'ignore',
+        'rfc8555'
+    ]
+});
+
+// ignore certonly and extraneous arguments
+cli.main(function(_, options) {
+
+    [
+        'configDir',
+        'privkeyPath',
+        'certPath',
+        'chainPath',
+        'fullchainPath',
+        'bundlePath'
+    ].forEach(function(k) {
+        if (options[k]) {
+            options.storeOpts[k] = options[k];
+        }
+        delete options[k];
+    });
+
+    if (options.workDir) {
+        options.challengeOpts.workDir = options.workDir;
+        delete options.workDir;
+    }
+
+    if (options.debug) log.debug('certonly options', options);
+
+    var args = {};
+    var homedir = require('os').homedir();
+
+    Object.keys(options).forEach(function(key) {
+        var val = options[key];
+
+        if ('string' === typeof val) {
+            val = val.replace(/^~/, homedir);
+        }
+
+        key = key.replace(/\-([a-z0-9A-Z])/g, function(c) {
+            return c[1].toUpperCase();
+        });
+        args[key] = val;
+    });
+
+    Object.keys(args).forEach(function(key) {
+        var val = args[key];
+
+        if ('string' === typeof val) {
+            val = val.replace(/(\:configDir)|(\:config)/, args.configDir);
+        }
+
+        args[key] = val;
+    });
+
+    if (args.domains) {
+        args.domains = args.domains.split(',');
+    }
+
+    if (
+        !(Array.isArray(args.domains) && args.domains.length) ||
+        !args.email ||
+        !args.agreeTos ||
+        (!args.server && !args.directoryUrl)
+    ) {
+        log.error(
+            'Usage: greenlock certonly --standalone --agree-tos --email user@example.com --domains example.com --config-dir ~/acme/etc (see greenlock --help)'
+        );
+        return;
+    }
+
+    if (args.http01Port) {
+        // [@agnat]: Coerce to string. cli returns a number although we request a string.
+        args.http01Port = '' + args.http01Port;
+        args.http01Port = args.http01Port.split(',').map(function(port) {
+            return parseInt(port, 10);
+        });
+    }
+
+    function run() {
+        var challenges = {};
+        if (/http.?01/i.test(args.challenge)) {
+            challenges['http-01'] = args.challengeOpts;
+        }
+        if (/dns.?01/i.test(args.challenge)) {
+            challenges['dns-01'] = args.challengeOpts;
+        }
+        if (/alpn.?01/i.test(args.challenge)) {
+            challenges['tls-alpn-01'] = args.challengeOpts;
+        }
+        if (!Object.keys(challenges).length) {
+            throw new Error(
+                "Could not determine the challenge type for '" +
+                    args.challengeOpts.module +
+                    "'. Expected a name like @you/acme-xxxx-01-foo. Please name the module with http-01, dns-01, or tls-alpn-01."
+            );
+        }
+        args.challengeOpts.module = args.challenge;
+        args.storeOpts.module = args.store;
+
+        require(args.challenge);
+        require(args.store);
+
+        var greenlock = require('../').create({
+            maintainerEmail: args.maintainerEmail || 'coolaj86@gmail.com',
+            manager: './manager.js',
+            configFile: '~/.config/greenlock/certs.json',
+            challenges: challenges,
+            store: args.storeOpts,
+            renewOffset: args.renewOffset || '30d',
+            renewStagger: '1d'
+        });
+
+        // for long-running processes
+        if (args.renewEvery) {
+            setInterval(function() {
+                greenlock.renew({
+                    period: args.renewEvery
+                });
+            }, args.renewEvery);
+        }
+
+        // TODO should greenlock.add simply always include greenlock.renew?
+        // the concern is conflating error events
+        return greenlock
+            .add({
+                subject: args.subject,
+                altnames: args.altnames,
+                subscriberEmail: args.subscriberEmail || args.email
+            })
+            .then(function(changes) {
+                log.info('Certificate order result:', changes);
+                // renew should always
+                return greenlock
+                    .renew({
+                        subject: args.subject,
+                        force: false
+                    })
+                    .then(function() {});
+            });
+    }
+
+    if ('greenlock-store-fs' !== args.store) {
+        run();
+        return;
+    }
+
+    // TODO remove mkdirp and let greenlock-store-fs do this?
+    mkdirp(args.storeOpts.configDir, function(err) {
+        if (!err) {
+            run();
+        }
+
+        log.error("Could not create config dir '%s': %s. Try --config-dir '/tmp'", args.configDir, err.code);
+        return;
+    });
+}, process.argv.slice(3));