remove os.Getenv() usage

This commit is contained in:
6543 2021-12-03 03:34:50 +01:00
parent 35e08d2252
commit 5b81a8b8bc
No known key found for this signature in database
GPG key ID: C99B82E40B027BAE
3 changed files with 70 additions and 31 deletions

View file

@ -45,6 +45,7 @@ var ServeFlags = []cli.Flag{
Value: "https://docs.codeberg.org/pages/raw-content/", Value: "https://docs.codeberg.org/pages/raw-content/",
}, },
// Server
&cli.StringFlag{ &cli.StringFlag{
Name: "host", Name: "host",
Usage: "specifies host of listening address", Usage: "specifies host of listening address",
@ -57,8 +58,13 @@ var ServeFlags = []cli.Flag{
EnvVars: []string{"PORT"}, EnvVars: []string{"PORT"},
Value: "443", Value: "443",
}, },
&cli.BoolFlag{
Name: "enable-http-server",
// TODO: desc
EnvVars: []string{"ENABLE_HTTP_SERVER"},
},
// ACME_API // ACME
&cli.StringFlag{ &cli.StringFlag{
Name: "acme-api", Name: "acme-api",
EnvVars: []string{"ACME_API"}, EnvVars: []string{"ACME_API"},
@ -69,4 +75,30 @@ var ServeFlags = []cli.Flag{
EnvVars: []string{"ACME_EMAIL"}, EnvVars: []string{"ACME_EMAIL"},
Value: "noreply@example.email", Value: "noreply@example.email",
}, },
&cli.BoolFlag{
Name: "acme-use-rate-limits",
// TODO: Usage
EnvVars: []string{"ACME_USE_RATE_LIMITS"},
Value: true,
},
&cli.BoolFlag{
Name: "acme-accept-terms",
// TODO: Usage
EnvVars: []string{"ACME_ACCEPT_TERMS"},
},
&cli.StringFlag{
Name: "acme-eab-kid",
// TODO: Usage
EnvVars: []string{"ACME_EAB_KID"},
},
&cli.StringFlag{
Name: "acme-eab-hmac",
// TODO: Usage
EnvVars: []string{"ACME_EAB_HMAC"},
},
&cli.StringFlag{
Name: "dns-provider",
// TODO: Usage
EnvVars: []string{"DNS_PROVIDER"},
},
} }

View file

@ -3,10 +3,10 @@ package cmd
import ( import (
"bytes" "bytes"
"crypto/tls" "crypto/tls"
"errors"
"fmt" "fmt"
"net" "net"
"net/http" "net/http"
"os"
"strings" "strings"
"time" "time"
@ -37,8 +37,19 @@ func Serve(ctx *cli.Context) error {
mainDomainSuffix := []byte(ctx.String("main-domain-suffix")) mainDomainSuffix := []byte(ctx.String("main-domain-suffix"))
rawInfoPage := ctx.String("raw-info-page") rawInfoPage := ctx.String("raw-info-page")
listeningAddress := fmt.Sprintf("%s:%s", ctx.String("host"), ctx.String("port")) listeningAddress := fmt.Sprintf("%s:%s", ctx.String("host"), ctx.String("port"))
enableHTTPServer := ctx.Bool("enable-http-server")
acmeAPI := ctx.String("acme-api") acmeAPI := ctx.String("acme-api")
acmeMail := ctx.String("acme-email") acmeMail := ctx.String("acme-email")
acmeUseRateLimits := ctx.Bool("acme-use-rate-limits")
acmeAcceptTerms := ctx.Bool("acme-accept-terms")
acmeEabKID := ctx.String("acme-eab-kid")
acmeEabHmac := ctx.String("acme-eab-hmac")
dnsProvider := ctx.String("dns-provider")
if acmeAcceptTerms || (dnsProvider == "" && acmeAPI != "https://acme.mock.directory") {
return errors.New("you must set $ACME_ACCEPT_TERMS and $DNS_PROVIDER, unless $ACME_API is set to https://acme.mock.directory")
}
allowedCorsDomains := AllowedCorsDomains allowedCorsDomains := AllowedCorsDomains
if len(rawDomain) != 0 { if len(rawDomain) != 0 {
allowedCorsDomains = append(allowedCorsDomains, []byte(rawDomain)) allowedCorsDomains = append(allowedCorsDomains, []byte(rawDomain))
@ -72,10 +83,10 @@ func Serve(ctx *cli.Context) error {
if err != nil { if err != nil {
return fmt.Errorf("couldn't create listener: %s", err) return fmt.Errorf("couldn't create listener: %s", err)
} }
listener = tls.NewListener(listener, server.TlsConfig(mainDomainSuffix, giteaRoot, giteaAPIToken)) listener = tls.NewListener(listener, server.TlsConfig(mainDomainSuffix, giteaRoot, giteaAPIToken, dnsProvider, acmeUseRateLimits))
server.SetupCertificates(mainDomainSuffix, acmeAPI, acmeMail) server.SetupCertificates(mainDomainSuffix, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider, acmeUseRateLimits, acmeAcceptTerms, enableHTTPServer)
if os.Getenv("ENABLE_HTTP_SERVER") == "true" { if enableHTTPServer {
go (func() { go (func() {
challengePath := []byte("/.well-known/acme-challenge/") challengePath := []byte("/.well-known/acme-challenge/")
err := fasthttp.ListenAndServe("[::]:80", func(ctx *fasthttp.RequestCtx) { err := fasthttp.ListenAndServe("[::]:80", func(ctx *fasthttp.RequestCtx) {

View file

@ -38,7 +38,7 @@ import (
) )
// TlsConfig returns the configuration for generating, serving and cleaning up Let's Encrypt certificates. // TlsConfig returns the configuration for generating, serving and cleaning up Let's Encrypt certificates.
func TlsConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken string) *tls.Config { func TlsConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken, dnsProvider string, acmeUseRateLimits bool) *tls.Config {
return &tls.Config{ return &tls.Config{
// check DNS name & get certificate from Let's Encrypt // check DNS name & get certificate from Let's Encrypt
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
@ -94,13 +94,13 @@ func TlsConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken string) *tls.Co
var tlsCertificate tls.Certificate var tlsCertificate tls.Certificate
var err error var err error
var ok bool var ok bool
if tlsCertificate, ok = retrieveCertFromDB(sniBytes, mainDomainSuffix); !ok { if tlsCertificate, ok = retrieveCertFromDB(sniBytes, mainDomainSuffix, dnsProvider, acmeUseRateLimits); !ok {
// request a new certificate // request a new certificate
if bytes.Equal(sniBytes, mainDomainSuffix) { if bytes.Equal(sniBytes, mainDomainSuffix) {
return nil, errors.New("won't request certificate for main domain, something really bad has happened") return nil, errors.New("won't request certificate for main domain, something really bad has happened")
} }
tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner, mainDomainSuffix) tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner, dnsProvider, mainDomainSuffix, acmeUseRateLimits)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -209,7 +209,7 @@ func (a AcmeHTTPChallengeProvider) CleanUp(domain, token, _ string) error {
return nil return nil
} }
func retrieveCertFromDB(sni, mainDomainSuffix []byte) (tls.Certificate, bool) { func retrieveCertFromDB(sni, mainDomainSuffix []byte, dnsProvider string, acmeUseRateLimits bool) (tls.Certificate, bool) {
// parse certificate from database // parse certificate from database
res := &certificate.Resource{} res := &certificate.Resource{}
if !PogrebGet(KeyDatabase, sni, res) { if !PogrebGet(KeyDatabase, sni, res) {
@ -240,7 +240,7 @@ func retrieveCertFromDB(sni, mainDomainSuffix []byte) (tls.Certificate, bool) {
} }
go (func() { go (func() {
res.CSR = nil // acme client doesn't like CSR to be set res.CSR = nil // acme client doesn't like CSR to be set
tlsCertificate, err = obtainCert(acmeClient, []string{string(sni)}, res, "", mainDomainSuffix) tlsCertificate, err = obtainCert(acmeClient, []string{string(sni)}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits)
if err != nil { if err != nil {
log.Printf("Couldn't renew certificate for %s: %s", sni, err) log.Printf("Couldn't renew certificate for %s: %s", sni, err)
} }
@ -253,9 +253,9 @@ func retrieveCertFromDB(sni, mainDomainSuffix []byte) (tls.Certificate, bool) {
var obtainLocks = sync.Map{} var obtainLocks = sync.Map{}
func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Resource, user string, mainDomainSuffix []byte) (tls.Certificate, error) { func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Resource, user, dnsProvider string, mainDomainSuffix []byte, acmeUseRateLimits bool) (tls.Certificate, error) {
name := strings.TrimPrefix(domains[0], "*") name := strings.TrimPrefix(domains[0], "*")
if os.Getenv("DNS_PROVIDER") == "" && len(domains[0]) > 0 && domains[0][0] == '*' { if dnsProvider == "" && len(domains[0]) > 0 && domains[0][0] == '*' {
domains = domains[1:] domains = domains[1:]
} }
@ -266,7 +266,7 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
time.Sleep(100 * time.Millisecond) time.Sleep(100 * time.Millisecond)
_, working = obtainLocks.Load(name) _, working = obtainLocks.Load(name)
} }
cert, ok := retrieveCertFromDB([]byte(name), mainDomainSuffix) cert, ok := retrieveCertFromDB([]byte(name), mainDomainSuffix, dnsProvider, acmeUseRateLimits)
if !ok { if !ok {
return tls.Certificate{}, errors.New("certificate failed in synchronous request") return tls.Certificate{}, errors.New("certificate failed in synchronous request")
} }
@ -282,7 +282,7 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
var res *certificate.Resource var res *certificate.Resource
var err error var err error
if renew != nil && renew.CertURL != "" { if renew != nil && renew.CertURL != "" {
if os.Getenv("ACME_USE_RATE_LIMITS") != "false" { if acmeUseRateLimits {
acmeClientRequestLimit.Take() acmeClientRequestLimit.Take()
} }
log.Printf("Renewing certificate for %v", domains) log.Printf("Renewing certificate for %v", domains)
@ -299,7 +299,7 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
} }
} }
if os.Getenv("ACME_USE_RATE_LIMITS") != "false" { if acmeUseRateLimits {
acmeClientOrderLimit.Take() acmeClientOrderLimit.Take()
acmeClientRequestLimit.Take() acmeClientRequestLimit.Take()
} }
@ -399,13 +399,9 @@ func mockCert(domain, msg, mainDomainSuffix string) tls.Certificate {
return tlsCertificate return tlsCertificate
} }
func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) { func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider string, acmeUseRateLimits, acmeAcceptTerms, enableHTTPServer bool) {
if KeyDatabaseErr != nil { if KeyDatabaseErr != nil {
panic(KeyDatabaseErr) panic(KeyDatabaseErr) // TODO: move it into own init and not panic on a unrelated topic!!!!
}
if os.Getenv("ACME_ACCEPT_TERMS") != "true" || (os.Getenv("DNS_PROVIDER") == "" && os.Getenv("ACME_API") != "https://acme.mock.directory") {
panic(errors.New("you must set ACME_ACCEPT_TERMS and DNS_PROVIDER, unless ACME_API is set to https://acme.mock.directory"))
} }
// getting main cert before ACME account so that we can panic here on database failure without hitting rate limits // getting main cert before ACME account so that we can panic here on database failure without hitting rate limits
@ -449,8 +445,8 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) {
log.Printf("[ERROR] Can't create ACME client, continuing with mock certs only: %s", err) log.Printf("[ERROR] Can't create ACME client, continuing with mock certs only: %s", err)
} else { } else {
// accept terms & log in to EAB // accept terms & log in to EAB
if os.Getenv("ACME_EAB_KID") == "" || os.Getenv("ACME_EAB_HMAC") == "" { if acmeEabKID == "" || acmeEabHmac == "" {
reg, err := tempClient.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: os.Getenv("ACME_ACCEPT_TERMS") == "true"}) reg, err := tempClient.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: acmeAcceptTerms})
if err != nil { if err != nil {
log.Printf("[ERROR] Can't register ACME account, continuing with mock certs only: %s", err) log.Printf("[ERROR] Can't register ACME account, continuing with mock certs only: %s", err)
} else { } else {
@ -458,9 +454,9 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) {
} }
} else { } else {
reg, err := tempClient.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{ reg, err := tempClient.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
TermsOfServiceAgreed: os.Getenv("ACME_ACCEPT_TERMS") == "true", TermsOfServiceAgreed: acmeAcceptTerms,
Kid: os.Getenv("ACME_EAB_KID"), Kid: acmeEabKID,
HmacEncoded: os.Getenv("ACME_EAB_HMAC"), HmacEncoded: acmeEabHmac,
}) })
if err != nil { if err != nil {
log.Printf("[ERROR] Can't register ACME account, continuing with mock certs only: %s", err) log.Printf("[ERROR] Can't register ACME account, continuing with mock certs only: %s", err)
@ -494,7 +490,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) {
if err != nil { if err != nil {
log.Printf("[ERROR] Can't create TLS-ALPN-01 provider: %s", err) log.Printf("[ERROR] Can't create TLS-ALPN-01 provider: %s", err)
} }
if os.Getenv("ENABLE_HTTP_SERVER") == "true" { if enableHTTPServer {
err = acmeClient.Challenge.SetHTTP01Provider(AcmeHTTPChallengeProvider{}) err = acmeClient.Challenge.SetHTTP01Provider(AcmeHTTPChallengeProvider{})
if err != nil { if err != nil {
log.Printf("[ERROR] Can't create HTTP-01 provider: %s", err) log.Printf("[ERROR] Can't create HTTP-01 provider: %s", err)
@ -506,14 +502,14 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) {
if err != nil { if err != nil {
log.Printf("[ERROR] Can't create ACME client, continuing with mock certs only: %s", err) log.Printf("[ERROR] Can't create ACME client, continuing with mock certs only: %s", err)
} else { } else {
if os.Getenv("DNS_PROVIDER") == "" { if dnsProvider == "" {
// using mock server, don't use wildcard certs // using mock server, don't use wildcard certs
err := mainDomainAcmeClient.Challenge.SetTLSALPN01Provider(AcmeTLSChallengeProvider{}) err := mainDomainAcmeClient.Challenge.SetTLSALPN01Provider(AcmeTLSChallengeProvider{})
if err != nil { if err != nil {
log.Printf("[ERROR] Can't create TLS-ALPN-01 provider: %s", err) log.Printf("[ERROR] Can't create TLS-ALPN-01 provider: %s", err)
} }
} else { } else {
provider, err := dns.NewDNSChallengeProviderByName(os.Getenv("DNS_PROVIDER")) provider, err := dns.NewDNSChallengeProviderByName(dnsProvider)
if err != nil { if err != nil {
log.Printf("[ERROR] Can't create DNS Challenge provider: %s", err) log.Printf("[ERROR] Can't create DNS Challenge provider: %s", err)
} }
@ -525,7 +521,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) {
} }
if mainCertBytes == nil { if mainCertBytes == nil {
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, nil, "", mainDomainSuffix) _, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, nil, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits)
if err != nil { if err != nil {
log.Printf("[ERROR] Couldn't renew main domain certificate, continuing with mock certs only: %s", err) log.Printf("[ERROR] Couldn't renew main domain certificate, continuing with mock certs only: %s", err)
} }
@ -590,7 +586,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) {
// renew main certificate 30 days before it expires // renew main certificate 30 days before it expires
if !tlsCertificates[0].NotAfter.After(time.Now().Add(-30 * 24 * time.Hour)) { if !tlsCertificates[0].NotAfter.After(time.Now().Add(-30 * 24 * time.Hour)) {
go (func() { go (func() {
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, res, "", mainDomainSuffix) _, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits)
if err != nil { if err != nil {
log.Printf("[ERROR] Couldn't renew certificate for main domain: %s", err) log.Printf("[ERROR] Couldn't renew certificate for main domain: %s", err)
} }