open key-database deterministic

This commit is contained in:
6543 2021-12-03 04:15:48 +01:00
parent 796f24262e
commit 5ca5020cfa
No known key found for this signature in database
GPG key ID: C99B82E40B027BAE
8 changed files with 94 additions and 48 deletions

View file

@ -1,11 +1,12 @@
package cmd package cmd
import ( import (
"fmt"
"os" "os"
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
pages_server "codeberg.org/codeberg/pages/server" "codeberg.org/codeberg/pages/server/database"
) )
var Certs = &cli.Command{ var Certs = &cli.Command{
@ -23,15 +24,18 @@ func certs(ctx *cli.Context) error {
domains := ctx.Args().Slice()[2:] domains := ctx.Args().Slice()[2:]
if pages_server.KeyDatabaseErr != nil { // TODO: make "key-database.pogreb" set via flag
panic(pages_server.KeyDatabaseErr) keyDatabase, err := database.New("key-database.pogreb")
if err != nil {
return fmt.Errorf("could not create database: %v", err)
} }
for _, domain := range domains { for _, domain := range domains {
if err := pages_server.KeyDatabase.Delete([]byte(domain)); err != nil { if err := keyDatabase.Delete([]byte(domain)); err != nil {
panic(err) panic(err)
} }
} }
if err := pages_server.KeyDatabase.Sync(); err != nil { if err := keyDatabase.Sync(); err != nil {
panic(err) panic(err)
} }
os.Exit(0) os.Exit(0)

View file

@ -15,6 +15,8 @@ import (
"github.com/valyala/fasthttp" "github.com/valyala/fasthttp"
"codeberg.org/codeberg/pages/server" "codeberg.org/codeberg/pages/server"
"codeberg.org/codeberg/pages/server/cache"
"codeberg.org/codeberg/pages/server/database"
"codeberg.org/codeberg/pages/server/utils" "codeberg.org/codeberg/pages/server/utils"
) )
@ -84,9 +86,17 @@ func Serve(ctx *cli.Context) error {
if err != nil { if err != nil {
return fmt.Errorf("couldn't create listener: %s", err) return fmt.Errorf("couldn't create listener: %s", err)
} }
listener = tls.NewListener(listener, server.TlsConfig(mainDomainSuffix, giteaRoot, giteaAPIToken, dnsProvider, acmeUseRateLimits))
server.SetupCertificates(mainDomainSuffix, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider, acmeUseRateLimits, acmeAcceptTerms, enableHTTPServer) // TODO: make "key-database.pogreb" set via flag
keyDatabase, err := database.New("key-database.pogreb")
if err != nil {
return fmt.Errorf("could not create database: %v", err)
}
keyCache := cache.NewKeyValueCache()
listener = tls.NewListener(listener, server.TLSConfig(mainDomainSuffix, giteaRoot, giteaAPIToken, dnsProvider, acmeUseRateLimits, keyCache, keyDatabase))
server.SetupCertificates(mainDomainSuffix, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider, acmeUseRateLimits, acmeAcceptTerms, enableHTTPServer, keyDatabase)
if enableHTTPServer { if enableHTTPServer {
go (func() { go (func() {
challengePath := []byte("/.well-known/acme-challenge/") challengePath := []byte("/.well-known/acme-challenge/")

8
server/cache/interface.go vendored Normal file
View file

@ -0,0 +1,8 @@
package cache
import "time"
type SetGetKey interface {
Set(key string, value interface{}, ttl time.Duration) error
Get(key string) (interface{}, bool)
}

7
server/cache/setup.go vendored Normal file
View file

@ -0,0 +1,7 @@
package cache
import "github.com/OrlovEvgeny/go-mcache"
func NewKeyValueCache() SetGetKey {
return mcache.New()
}

View file

@ -24,8 +24,6 @@ import (
"time" "time"
"github.com/OrlovEvgeny/go-mcache" "github.com/OrlovEvgeny/go-mcache"
"github.com/akrylysov/pogreb"
"github.com/akrylysov/pogreb/fs"
"github.com/reugn/equalizer" "github.com/reugn/equalizer"
"github.com/go-acme/lego/v4/certcrypto" "github.com/go-acme/lego/v4/certcrypto"
@ -36,11 +34,12 @@ import (
"github.com/go-acme/lego/v4/providers/dns" "github.com/go-acme/lego/v4/providers/dns"
"github.com/go-acme/lego/v4/registration" "github.com/go-acme/lego/v4/registration"
"codeberg.org/codeberg/pages/server/cache"
"codeberg.org/codeberg/pages/server/database" "codeberg.org/codeberg/pages/server/database"
) )
// TlsConfig returns the configuration for generating, serving and cleaning up Let's Encrypt certificates. // TLSConfig returns the configuration for generating, serving and cleaning up Let's Encrypt certificates.
func TlsConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken, dnsProvider string, acmeUseRateLimits bool) *tls.Config { func TLSConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken, dnsProvider string, acmeUseRateLimits bool, keyCache cache.SetGetKey, keyDatabase database.KeyDB) *tls.Config {
return &tls.Config{ return &tls.Config{
// check DNS name & get certificate from Let's Encrypt // check DNS name & get certificate from Let's Encrypt
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
@ -96,13 +95,13 @@ func TlsConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken, dnsProvider st
var tlsCertificate tls.Certificate var tlsCertificate tls.Certificate
var err error var err error
var ok bool var ok bool
if tlsCertificate, ok = retrieveCertFromDB(sniBytes, mainDomainSuffix, dnsProvider, acmeUseRateLimits); !ok { if tlsCertificate, ok = retrieveCertFromDB(sniBytes, mainDomainSuffix, dnsProvider, acmeUseRateLimits, keyDatabase); !ok {
// request a new certificate // request a new certificate
if bytes.Equal(sniBytes, mainDomainSuffix) { if bytes.Equal(sniBytes, mainDomainSuffix) {
return nil, errors.New("won't request certificate for main domain, something really bad has happened") return nil, errors.New("won't request certificate for main domain, something really bad has happened")
} }
tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner, dnsProvider, mainDomainSuffix, acmeUseRateLimits) tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner, dnsProvider, mainDomainSuffix, acmeUseRateLimits, keyDatabase)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -134,14 +133,6 @@ func TlsConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken, dnsProvider st
} }
} }
// TODO: clean up & move to init
var keyCache = mcache.New()
var KeyDatabase, KeyDatabaseErr = pogreb.Open("key-database.pogreb", &pogreb.Options{
BackgroundSyncInterval: 30 * time.Second,
BackgroundCompactionInterval: 6 * time.Hour,
FileSystem: fs.OSMMap,
})
func CheckUserLimit(user string) error { func CheckUserLimit(user string) error {
userLimit, ok := acmeClientCertificateLimitPerUser[user] userLimit, ok := acmeClientCertificateLimitPerUser[user]
if !ok { if !ok {
@ -211,10 +202,10 @@ func (a AcmeHTTPChallengeProvider) CleanUp(domain, token, _ string) error {
return nil return nil
} }
func retrieveCertFromDB(sni, mainDomainSuffix []byte, dnsProvider string, acmeUseRateLimits bool) (tls.Certificate, bool) { func retrieveCertFromDB(sni, mainDomainSuffix []byte, dnsProvider string, acmeUseRateLimits bool, keyDatabase database.KeyDB) (tls.Certificate, bool) {
// parse certificate from database // parse certificate from database
res := &certificate.Resource{} res := &certificate.Resource{}
if !database.PogrebGet(KeyDatabase, sni, res) { if !database.PogrebGet(keyDatabase, sni, res) {
return tls.Certificate{}, false return tls.Certificate{}, false
} }
@ -242,7 +233,7 @@ func retrieveCertFromDB(sni, mainDomainSuffix []byte, dnsProvider string, acmeUs
} }
go (func() { go (func() {
res.CSR = nil // acme client doesn't like CSR to be set res.CSR = nil // acme client doesn't like CSR to be set
tlsCertificate, err = obtainCert(acmeClient, []string{string(sni)}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits) tlsCertificate, err = obtainCert(acmeClient, []string{string(sni)}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits, keyDatabase)
if err != nil { if err != nil {
log.Printf("Couldn't renew certificate for %s: %s", sni, err) log.Printf("Couldn't renew certificate for %s: %s", sni, err)
} }
@ -255,7 +246,7 @@ func retrieveCertFromDB(sni, mainDomainSuffix []byte, dnsProvider string, acmeUs
var obtainLocks = sync.Map{} var obtainLocks = sync.Map{}
func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Resource, user, dnsProvider string, mainDomainSuffix []byte, acmeUseRateLimits bool) (tls.Certificate, error) { func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Resource, user, dnsProvider string, mainDomainSuffix []byte, acmeUseRateLimits bool, keyDatabase database.KeyDB) (tls.Certificate, error) {
name := strings.TrimPrefix(domains[0], "*") name := strings.TrimPrefix(domains[0], "*")
if dnsProvider == "" && len(domains[0]) > 0 && domains[0][0] == '*' { if dnsProvider == "" && len(domains[0]) > 0 && domains[0][0] == '*' {
domains = domains[1:] domains = domains[1:]
@ -268,7 +259,7 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
time.Sleep(100 * time.Millisecond) time.Sleep(100 * time.Millisecond)
_, working = obtainLocks.Load(name) _, working = obtainLocks.Load(name)
} }
cert, ok := retrieveCertFromDB([]byte(name), mainDomainSuffix, dnsProvider, acmeUseRateLimits) cert, ok := retrieveCertFromDB([]byte(name), mainDomainSuffix, dnsProvider, acmeUseRateLimits, keyDatabase)
if !ok { if !ok {
return tls.Certificate{}, errors.New("certificate failed in synchronous request") return tls.Certificate{}, errors.New("certificate failed in synchronous request")
} }
@ -277,7 +268,7 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
defer obtainLocks.Delete(name) defer obtainLocks.Delete(name)
if acmeClient == nil { if acmeClient == nil {
return mockCert(domains[0], "ACME client uninitialized. This is a server error, please report!", string(mainDomainSuffix)), nil return mockCert(domains[0], "ACME client uninitialized. This is a server error, please report!", string(mainDomainSuffix), keyDatabase), nil
} }
// request actual cert // request actual cert
@ -319,15 +310,15 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
if err == nil && tlsCertificate.Leaf.NotAfter.After(time.Now()) { if err == nil && tlsCertificate.Leaf.NotAfter.After(time.Now()) {
// avoid sending a mock cert instead of a still valid cert, instead abuse CSR field to store time to try again at // avoid sending a mock cert instead of a still valid cert, instead abuse CSR field to store time to try again at
renew.CSR = []byte(strconv.FormatInt(time.Now().Add(6*time.Hour).Unix(), 10)) renew.CSR = []byte(strconv.FormatInt(time.Now().Add(6*time.Hour).Unix(), 10))
database.PogrebPut(KeyDatabase, []byte(name), renew) database.PogrebPut(keyDatabase, []byte(name), renew)
return tlsCertificate, nil return tlsCertificate, nil
} }
} }
return mockCert(domains[0], err.Error(), string(mainDomainSuffix)), err return mockCert(domains[0], err.Error(), string(mainDomainSuffix), keyDatabase), err
} }
log.Printf("Obtained certificate for %v", domains) log.Printf("Obtained certificate for %v", domains)
database.PogrebPut(KeyDatabase, []byte(name), res) database.PogrebPut(keyDatabase, []byte(name), res)
tlsCertificate, err := tls.X509KeyPair(res.Certificate, res.PrivateKey) tlsCertificate, err := tls.X509KeyPair(res.Certificate, res.PrivateKey)
if err != nil { if err != nil {
return tls.Certificate{}, err return tls.Certificate{}, err
@ -335,7 +326,7 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
return tlsCertificate, nil return tlsCertificate, nil
} }
func mockCert(domain, msg, mainDomainSuffix string) tls.Certificate { func mockCert(domain, msg, mainDomainSuffix string, keyDatabase database.KeyDB) tls.Certificate {
key, err := certcrypto.GeneratePrivateKey(certcrypto.RSA2048) key, err := certcrypto.GeneratePrivateKey(certcrypto.RSA2048)
if err != nil { if err != nil {
panic(err) panic(err)
@ -392,7 +383,7 @@ func mockCert(domain, msg, mainDomainSuffix string) tls.Certificate {
if domain == "*"+mainDomainSuffix || domain == mainDomainSuffix[1:] { if domain == "*"+mainDomainSuffix || domain == mainDomainSuffix[1:] {
databaseName = mainDomainSuffix databaseName = mainDomainSuffix
} }
database.PogrebPut(KeyDatabase, []byte(databaseName), res) database.PogrebPut(keyDatabase, []byte(databaseName), res)
tlsCertificate, err := tls.X509KeyPair(res.Certificate, res.PrivateKey) tlsCertificate, err := tls.X509KeyPair(res.Certificate, res.PrivateKey)
if err != nil { if err != nil {
@ -401,13 +392,9 @@ func mockCert(domain, msg, mainDomainSuffix string) tls.Certificate {
return tlsCertificate return tlsCertificate
} }
func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider string, acmeUseRateLimits, acmeAcceptTerms, enableHTTPServer bool) { func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider string, acmeUseRateLimits, acmeAcceptTerms, enableHTTPServer bool, keyDatabase database.KeyDB) {
if KeyDatabaseErr != nil {
panic(KeyDatabaseErr) // TODO: move it into own init and not panic on a unrelated topic!!!!
}
// getting main cert before ACME account so that we can panic here on database failure without hitting rate limits // getting main cert before ACME account so that we can panic here on database failure without hitting rate limits
mainCertBytes, err := KeyDatabase.Get(mainDomainSuffix) mainCertBytes, err := keyDatabase.Get(mainDomainSuffix)
if err != nil { if err != nil {
// key database is not working // key database is not working
panic(err) panic(err)
@ -523,7 +510,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
} }
if mainCertBytes == nil { if mainCertBytes == nil {
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, nil, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits) _, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, nil, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits, keyDatabase)
if err != nil { if err != nil {
log.Printf("[ERROR] Couldn't renew main domain certificate, continuing with mock certs only: %s", err) log.Printf("[ERROR] Couldn't renew main domain certificate, continuing with mock certs only: %s", err)
} }
@ -531,7 +518,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
go (func() { go (func() {
for { for {
err := KeyDatabase.Sync() err := keyDatabase.Sync()
if err != nil { if err != nil {
log.Printf("[ERROR] Syncing key database failed: %s", err) log.Printf("[ERROR] Syncing key database failed: %s", err)
} }
@ -544,7 +531,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
// clean up expired certs // clean up expired certs
now := time.Now() now := time.Now()
expiredCertCount := 0 expiredCertCount := 0
keyDatabaseIterator := KeyDatabase.Items() keyDatabaseIterator := keyDatabase.Items()
key, resBytes, err := keyDatabaseIterator.Next() key, resBytes, err := keyDatabaseIterator.Next()
for err == nil { for err == nil {
if !bytes.Equal(key, mainDomainSuffix) { if !bytes.Equal(key, mainDomainSuffix) {
@ -558,7 +545,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
tlsCertificates, err := certcrypto.ParsePEMBundle(res.Certificate) tlsCertificates, err := certcrypto.ParsePEMBundle(res.Certificate)
if err != nil || !tlsCertificates[0].NotAfter.After(now) { if err != nil || !tlsCertificates[0].NotAfter.After(now) {
err := KeyDatabase.Delete(key) err := keyDatabase.Delete(key)
if err != nil { if err != nil {
log.Printf("[ERROR] Deleting expired certificate for %s failed: %s", string(key), err) log.Printf("[ERROR] Deleting expired certificate for %s failed: %s", string(key), err)
} else { } else {
@ -571,7 +558,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
log.Printf("[INFO] Removed %d expired certificates from the database", expiredCertCount) log.Printf("[INFO] Removed %d expired certificates from the database", expiredCertCount)
// compact the database // compact the database
result, err := KeyDatabase.Compact() result, err := keyDatabase.Compact()
if err != nil { if err != nil {
log.Printf("[ERROR] Compacting key database failed: %s", err) log.Printf("[ERROR] Compacting key database failed: %s", err)
} else { } else {
@ -580,7 +567,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
// update main cert // update main cert
res := &certificate.Resource{} res := &certificate.Resource{}
if !database.PogrebGet(KeyDatabase, mainDomainSuffix, res) { if !database.PogrebGet(keyDatabase, mainDomainSuffix, res) {
log.Printf("[ERROR] Couldn't renew certificate for main domain: %s", "expected main domain cert to exist, but it's missing - seems like the database is corrupted") log.Printf("[ERROR] Couldn't renew certificate for main domain: %s", "expected main domain cert to exist, but it's missing - seems like the database is corrupted")
} else { } else {
tlsCertificates, err := certcrypto.ParsePEMBundle(res.Certificate) tlsCertificates, err := certcrypto.ParsePEMBundle(res.Certificate)
@ -588,7 +575,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac,
// renew main certificate 30 days before it expires // renew main certificate 30 days before it expires
if !tlsCertificates[0].NotAfter.After(time.Now().Add(-30 * 24 * time.Hour)) { if !tlsCertificates[0].NotAfter.After(time.Now().Add(-30 * 24 * time.Hour)) {
go (func() { go (func() {
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits) _, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits, keyDatabase)
if err != nil { if err != nil {
log.Printf("[ERROR] Couldn't renew certificate for main domain: %s", err) log.Printf("[ERROR] Couldn't renew certificate for main domain: %s", err)
} }

View file

@ -3,10 +3,9 @@ package database
import ( import (
"bytes" "bytes"
"encoding/gob" "encoding/gob"
"github.com/akrylysov/pogreb"
) )
func PogrebPut(db *pogreb.DB, name []byte, obj interface{}) { func PogrebPut(db KeyDB, name []byte, obj interface{}) {
var resGob bytes.Buffer var resGob bytes.Buffer
resEnc := gob.NewEncoder(&resGob) resEnc := gob.NewEncoder(&resGob)
err := resEnc.Encode(obj) err := resEnc.Encode(obj)
@ -19,7 +18,7 @@ func PogrebPut(db *pogreb.DB, name []byte, obj interface{}) {
} }
} }
func PogrebGet(db *pogreb.DB, name []byte, obj interface{}) bool { func PogrebGet(db KeyDB, name []byte, obj interface{}) bool {
resBytes, err := db.Get(name) resBytes, err := db.Get(name)
if err != nil { if err != nil {
panic(err) panic(err)

View file

@ -0,0 +1,12 @@
package database
import "github.com/akrylysov/pogreb"
type KeyDB interface {
Sync() error
Put(key []byte, value []byte) error
Get(key []byte) ([]byte, error)
Delete(key []byte) error
Compact() (pogreb.CompactionResult, error)
Items() *pogreb.ItemIterator
}

19
server/database/setup.go Normal file
View file

@ -0,0 +1,19 @@
package database
import (
"fmt"
"github.com/akrylysov/pogreb"
"github.com/akrylysov/pogreb/fs"
"time"
)
func New(path string) (KeyDB, error) {
if path == "" {
return nil, fmt.Errorf("path not set")
}
return pogreb.Open(path, &pogreb.Options{
BackgroundSyncInterval: 30 * time.Second,
BackgroundCompactionInterval: 6 * time.Hour,
FileSystem: fs.OSMMap,
})
}