open key-database deterministic

2021-12-03 04:15:48 +01:00 · 2021-12-03 04:15:48 +01:00 · 5ca5020cfa
commit 5ca5020cfa
parent 796f24262e
8 changed files with 94 additions and 48 deletions
--- a/cmd/certs.go
+++ b/cmd/certs.go
@ -1,11 +1,12 @@
 package cmd 
  
 import ( 
+"fmt" 
 "os" 
  
 "github.com/urfave/cli/v2" 
  
-pages_server "codeberg.org/codeberg/pages/server" 
+"codeberg.org/codeberg/pages/server/database" 
 ) 
  
 var Certs = &cli.Command{ 
@ -23,15 +24,18 @@ func certs(ctx *cli.Context) error {
  
 domains := ctx.Args().Slice()[2:] 
  
-if pages_server.KeyDatabaseErr != nil { 
-panic(pages_server.KeyDatabaseErr) 
+// TODO: make "key-database.pogreb" set via flag 
+keyDatabase, err := database.New("key-database.pogreb") 
+if err != nil { 
+return fmt.Errorf("could not create database: %v", err) 
 } 
+  
 for _, domain := range domains { 
-if err := pages_server.KeyDatabase.Delete([]byte(domain)); err != nil { 
+if err := keyDatabase.Delete([]byte(domain)); err != nil { 
 panic(err) 
 } 
 } 
-if err := pages_server.KeyDatabase.Sync(); err != nil { 
+if err := keyDatabase.Sync(); err != nil { 
 panic(err) 
 } 
 os.Exit(0) 
--- a/cmd/main.go
+++ b/cmd/main.go
@ -15,6 +15,8 @@ import (
 "github.com/valyala/fasthttp" 
  
 "codeberg.org/codeberg/pages/server" 
+"codeberg.org/codeberg/pages/server/cache" 
+"codeberg.org/codeberg/pages/server/database" 
 "codeberg.org/codeberg/pages/server/utils" 
 ) 
  
@ -84,9 +86,17 @@ func Serve(ctx *cli.Context) error {
 if err != nil { 
 return fmt.Errorf("couldn't create listener: %s", err) 
 } 
-listener = tls.NewListener(listener, server.TlsConfig(mainDomainSuffix, giteaRoot, giteaAPIToken, dnsProvider, acmeUseRateLimits)) 
  
-server.SetupCertificates(mainDomainSuffix, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider, acmeUseRateLimits, acmeAcceptTerms, enableHTTPServer) 
+// TODO: make "key-database.pogreb" set via flag 
+keyDatabase, err := database.New("key-database.pogreb") 
+if err != nil { 
+return fmt.Errorf("could not create database: %v", err) 
+} 
+  
+keyCache := cache.NewKeyValueCache() 
+listener = tls.NewListener(listener, server.TLSConfig(mainDomainSuffix, giteaRoot, giteaAPIToken, dnsProvider, acmeUseRateLimits, keyCache, keyDatabase)) 
+  
+server.SetupCertificates(mainDomainSuffix, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider, acmeUseRateLimits, acmeAcceptTerms, enableHTTPServer, keyDatabase) 
 if enableHTTPServer { 
 go (func() { 
 challengePath := []byte("/.well-known/acme-challenge/") 
--- a/server/cache/interface.go
+++ b/server/cache/interface.go
@ -0,0 +1,8 @@
+package cache 
+  
+import "time" 
+  
+type SetGetKey interface { 
+Set(key string, value interface{}, ttl time.Duration) error 
+Get(key string) (interface{}, bool) 
+} 
--- a/server/cache/setup.go
+++ b/server/cache/setup.go
@ -0,0 +1,7 @@
+package cache 
+  
+import "github.com/OrlovEvgeny/go-mcache" 
+  
+func NewKeyValueCache() SetGetKey { 
+return mcache.New() 
+} 
--- a/server/certificates.go
+++ b/server/certificates.go
@ -24,8 +24,6 @@ import (
 "time" 
  
 "github.com/OrlovEvgeny/go-mcache" 
-"github.com/akrylysov/pogreb" 
-"github.com/akrylysov/pogreb/fs" 
 "github.com/reugn/equalizer" 
  
 "github.com/go-acme/lego/v4/certcrypto" 
@ -36,11 +34,12 @@ import (
 "github.com/go-acme/lego/v4/providers/dns" 
 "github.com/go-acme/lego/v4/registration" 
  
+"codeberg.org/codeberg/pages/server/cache" 
 "codeberg.org/codeberg/pages/server/database" 
 ) 
  
-// TlsConfig returns the configuration for generating, serving and cleaning up Let's Encrypt certificates. 
-func TlsConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken, dnsProvider string, acmeUseRateLimits bool) *tls.Config { 
+// TLSConfig returns the configuration for generating, serving and cleaning up Let's Encrypt certificates. 
+func TLSConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken, dnsProvider string, acmeUseRateLimits bool, keyCache cache.SetGetKey, keyDatabase database.KeyDB) *tls.Config { 
 return &tls.Config{ 
 // check DNS name & get certificate from Let's Encrypt 
 GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { 
@ -96,13 +95,13 @@ func TlsConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken, dnsProvider st
 var tlsCertificate tls.Certificate 
 var err error 
 var ok bool 
-if tlsCertificate, ok = retrieveCertFromDB(sniBytes, mainDomainSuffix, dnsProvider, acmeUseRateLimits); !ok { 
+if tlsCertificate, ok = retrieveCertFromDB(sniBytes, mainDomainSuffix, dnsProvider, acmeUseRateLimits, keyDatabase); !ok { 
 // request a new certificate 
 if bytes.Equal(sniBytes, mainDomainSuffix) { 
 return nil, errors.New("won't request certificate for main domain, something really bad has happened") 
 } 
  
-tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner, dnsProvider, mainDomainSuffix, acmeUseRateLimits) 
+tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner, dnsProvider, mainDomainSuffix, acmeUseRateLimits, keyDatabase) 
 if err != nil { 
 return nil, err 
 } 
@ -134,14 +133,6 @@ func TlsConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken, dnsProvider st
 } 
 } 
  
-// TODO: clean up & move to init 
-var keyCache = mcache.New() 
-var KeyDatabase, KeyDatabaseErr = pogreb.Open("key-database.pogreb", &pogreb.Options{ 
-BackgroundSyncInterval: 30 * time.Second, 
-BackgroundCompactionInterval: 6 * time.Hour, 
-FileSystem: fs.OSMMap, 
-}) 
-  
 func CheckUserLimit(user string) error { 
 userLimit, ok := acmeClientCertificateLimitPerUser[user] 
 if !ok { 
@ -211,10 +202,10 @@ func (a AcmeHTTPChallengeProvider) CleanUp(domain, token, _ string) error {
 return nil 
 } 
  
-func retrieveCertFromDB(sni, mainDomainSuffix []byte, dnsProvider string, acmeUseRateLimits bool) (tls.Certificate, bool) { 
+func retrieveCertFromDB(sni, mainDomainSuffix []byte, dnsProvider string, acmeUseRateLimits bool, keyDatabase database.KeyDB) (tls.Certificate, bool) { 
 // parse certificate from database 
 res := &certificate.Resource{} 
-if !database.PogrebGet(KeyDatabase, sni, res) { 
+if !database.PogrebGet(keyDatabase, sni, res) { 
 return tls.Certificate{}, false 
 } 
  
@ -242,7 +233,7 @@ func retrieveCertFromDB(sni, mainDomainSuffix []byte, dnsProvider string, acmeUs
 } 
 go (func() { 
 res.CSR = nil // acme client doesn't like CSR to be set 
-tlsCertificate, err = obtainCert(acmeClient, []string{string(sni)}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits) 
+tlsCertificate, err = obtainCert(acmeClient, []string{string(sni)}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits, keyDatabase) 
 if err != nil { 
 log.Printf("Couldn't renew certificate for %s: %s", sni, err) 
 } 
@ -255,7 +246,7 @@ func retrieveCertFromDB(sni, mainDomainSuffix []byte, dnsProvider string, acmeUs
  
 var obtainLocks = sync.Map{} 
  
-func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Resource, user, dnsProvider string, mainDomainSuffix []byte, acmeUseRateLimits bool) (tls.Certificate, error) { 
+func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Resource, user, dnsProvider string, mainDomainSuffix []byte, acmeUseRateLimits bool, keyDatabase database.KeyDB) (tls.Certificate, error) { 
 name := strings.TrimPrefix(domains[0], "*") 
 if dnsProvider == "" && len(domains[0]) > 0 && domains[0][0] == '*' { 
 domains = domains[1:] 
@ -268,7 +259,7 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
 time.Sleep(100 * time.Millisecond) 
 _, working = obtainLocks.Load(name) 
 } 
-cert, ok := retrieveCertFromDB([]byte(name), mainDomainSuffix, dnsProvider, acmeUseRateLimits) 
+cert, ok := retrieveCertFromDB([]byte(name), mainDomainSuffix, dnsProvider, acmeUseRateLimits, keyDatabase) 
 if !ok { 
 return tls.Certificate{}, errors.New("certificate failed in synchronous request") 
 } 
@ -277,7 +268,7 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
 defer obtainLocks.Delete(name) 
  
 if acmeClient == nil { 
-return mockCert(domains[0], "ACME client uninitialized. This is a server error, please report!", string(mainDomainSuffix)), nil 
+return mockCert(domains[0], "ACME client uninitialized. This is a server error, please report!", string(mainDomainSuffix), keyDatabase), nil 
 } 
  
 // request actual cert 
@ -319,15 +310,15 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
 if err == nil && tlsCertificate.Leaf.NotAfter.After(time.Now()) { 
 // avoid sending a mock cert instead of a still valid cert, instead abuse CSR field to store time to try again at 
 renew.CSR = []byte(strconv.FormatInt(time.Now().Add(6*time.Hour).Unix(), 10)) 
-database.PogrebPut(KeyDatabase, []byte(name), renew) 
+database.PogrebPut(keyDatabase, []byte(name), renew) 
 return tlsCertificate, nil 
 } 
 } 
-return mockCert(domains[0], err.Error(), string(mainDomainSuffix)), err 
+return mockCert(domains[0], err.Error(), string(mainDomainSuffix), keyDatabase), err 
 } 
 log.Printf("Obtained certificate for %v", domains) 
  
-database.PogrebPut(KeyDatabase, []byte(name), res) 
+database.PogrebPut(keyDatabase, []byte(name), res) 
 tlsCertificate, err := tls.X509KeyPair(res.Certificate, res.PrivateKey) 
 if err != nil { 
 return tls.Certificate{}, err 
@ -335,7 +326,7 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
 return tlsCertificate, nil 
 } 
  
-func mockCert(domain, msg, mainDomainSuffix string) tls.Certificate { 
+func mockCert(domain, msg, mainDomainSuffix string, keyDatabase database.KeyDB) tls.Certificate { 
 key, err := certcrypto.GeneratePrivateKey(certcrypto.RSA2048) 
 if err != nil { 
 panic(err) 
@ -392,7 +383,7 @@ func mockCert(domain, msg, mainDomainSuffix string) tls.Certificate {
 if domain == "*"+mainDomainSuffix || domain == mainDomainSuffix[1:] { 
 databaseName = mainDomainSuffix 
 } 
-database.PogrebPut(KeyDatabase, []byte(databaseName), res) 
+database.PogrebPut(keyDatabase, []byte(databaseName), res) 
  
 tlsCertificate, err := tls.X509KeyPair(res.Certificate, res.PrivateKey) 
 if err != nil { 
@ -401,13 +392,9 @@ func mockCert(domain, msg, mainDomainSuffix string) tls.Certificate {
 return tlsCertificate 
 } 
  
-func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider string, acmeUseRateLimits, acmeAcceptTerms, enableHTTPServer bool) { 
-if KeyDatabaseErr != nil { 
-panic(KeyDatabaseErr) // TODO: move it into own init and not panic on a unrelated topic!!!! 
-} 
-  
+func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider string, acmeUseRateLimits, acmeAcceptTerms, enableHTTPServer bool, keyDatabase database.KeyDB) { 
 // getting main cert before ACME account so that we can panic here on database failure without hitting rate limits 
-mainCertBytes, err := KeyDatabase.Get(mainDomainSuffix) 
+mainCertBytes, err := keyDatabase.Get(mainDomainSuffix) 
 if err != nil { 
 // key database is not working 
 panic(err) 
@ -523,7 +510,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
 } 
  
 if mainCertBytes == nil { 
-_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, nil, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits) 
+_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, nil, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits, keyDatabase) 
 if err != nil { 
 log.Printf("[ERROR] Couldn't renew main domain certificate, continuing with mock certs only: %s", err) 
 } 
@ -531,7 +518,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
  
 go (func() { 
 for { 
-err := KeyDatabase.Sync() 
+err := keyDatabase.Sync() 
 if err != nil { 
 log.Printf("[ERROR] Syncing key database failed: %s", err) 
 } 
@ -544,7 +531,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
 // clean up expired certs 
 now := time.Now() 
 expiredCertCount := 0 
-keyDatabaseIterator := KeyDatabase.Items() 
+keyDatabaseIterator := keyDatabase.Items() 
 key, resBytes, err := keyDatabaseIterator.Next() 
 for err == nil { 
 if !bytes.Equal(key, mainDomainSuffix) { 
@ -558,7 +545,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
  
 tlsCertificates, err := certcrypto.ParsePEMBundle(res.Certificate) 
 if err != nil || !tlsCertificates[0].NotAfter.After(now) { 
-err := KeyDatabase.Delete(key) 
+err := keyDatabase.Delete(key) 
 if err != nil { 
 log.Printf("[ERROR] Deleting expired certificate for %s failed: %s", string(key), err) 
 } else { 
@ -571,7 +558,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
 log.Printf("[INFO] Removed %d expired certificates from the database", expiredCertCount) 
  
 // compact the database 
-result, err := KeyDatabase.Compact() 
+result, err := keyDatabase.Compact() 
 if err != nil { 
 log.Printf("[ERROR] Compacting key database failed: %s", err) 
 } else { 
@ -580,7 +567,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
  
 // update main cert 
 res := &certificate.Resource{} 
-if !database.PogrebGet(KeyDatabase, mainDomainSuffix, res) { 
+if !database.PogrebGet(keyDatabase, mainDomainSuffix, res) { 
 log.Printf("[ERROR] Couldn't renew certificate for main domain: %s", "expected main domain cert to exist, but it's missing - seems like the database is corrupted") 
 } else { 
 tlsCertificates, err := certcrypto.ParsePEMBundle(res.Certificate) 
@ -588,7 +575,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
 // renew main certificate 30 days before it expires 
 if !tlsCertificates[0].NotAfter.After(time.Now().Add(-30 * 24 * time.Hour)) { 
 go (func() { 
-_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits) 
+_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits, keyDatabase) 
 if err != nil { 
 log.Printf("[ERROR] Couldn't renew certificate for main domain: %s", err) 
 } 
--- a/server/database/helpers.go
+++ b/server/database/helpers.go
@ -3,10 +3,9 @@ package database
 import ( 
 "bytes" 
 "encoding/gob" 
-"github.com/akrylysov/pogreb" 
 ) 
  
-func PogrebPut(db *pogreb.DB, name []byte, obj interface{}) { 
+func PogrebPut(db KeyDB, name []byte, obj interface{}) { 
 var resGob bytes.Buffer 
 resEnc := gob.NewEncoder(&resGob) 
 err := resEnc.Encode(obj) 
@ -19,7 +18,7 @@ func PogrebPut(db *pogreb.DB, name []byte, obj interface{}) {
 } 
 } 
  
-func PogrebGet(db *pogreb.DB, name []byte, obj interface{}) bool { 
+func PogrebGet(db KeyDB, name []byte, obj interface{}) bool { 
 resBytes, err := db.Get(name) 
 if err != nil { 
 panic(err) 
--- a/server/database/interface.go
+++ b/server/database/interface.go
@ -0,0 +1,12 @@
+package database 
+  
+import "github.com/akrylysov/pogreb" 
+  
+type KeyDB interface { 
+Sync() error 
+Put(key []byte, value []byte) error 
+Get(key []byte) ([]byte, error) 
+Delete(key []byte) error 
+Compact() (pogreb.CompactionResult, error) 
+Items() *pogreb.ItemIterator 
+} 
--- a/server/database/setup.go
+++ b/server/database/setup.go
@ -0,0 +1,19 @@
+package database 
+  
+import ( 
+"fmt" 
+"github.com/akrylysov/pogreb" 
+"github.com/akrylysov/pogreb/fs" 
+"time" 
+) 
+  
+func New(path string) (KeyDB, error) { 
+if path == "" { 
+return nil, fmt.Errorf("path not set") 
+} 
+return pogreb.Open(path, &pogreb.Options{ 
+BackgroundSyncInterval: 30 * time.Second, 
+BackgroundCompactionInterval: 6 * time.Hour, 
+FileSystem: fs.OSMMap, 
+}) 
+}