'use strict'; var U = require('./utils.js'); var E = require('./errors.js'); var warned = {}; module.exports.wrap = function(greenlock, manager, gconf) { greenlock.manager = {}; greenlock.sites = {}; //greenlock.accounts = {}; //greenlock.certs = {}; var allowed = [ 'accountKeyType', //: ["P-256", "RSA-2048"], 'serverKeyType', //: ["RSA-2048", "P-256"], 'store', // : { module, specific opts }, 'challenges', // : { "http-01", "dns-01", "tls-alpn-01" }, 'subscriberEmail', 'agreeToTerms', 'agreeTos', 'customerEmail', 'renewOffset', 'renewStagger', 'module', // not allowed, just ignored 'manager' ]; // get / set default site settings such as // subscriberEmail, store, challenges, renewOffset, renewStagger greenlock.manager.defaults = function(conf) { return greenlock._init().then(function() { if (!conf) { return manager.defaults(); } if (conf.sites) { throw new Error('cannot set sites as global config'); } if (conf.routes) { throw new Error('cannot set routes as global config'); } // disallow keys we know to be bad [ 'subject', 'deletedAt', 'altnames', 'lastAttemptAt', 'expiresAt', 'issuedAt', 'renewAt', 'sites', 'routes' ].some(function(k) { if (k in conf) { throw new Error( '`' + k + '` not allowed as a default setting' ); } }); Object.keys(conf).forEach(function(k) { if (!allowed.includes(k) && !warned[k]) { warned[k] = true; console.warn( k + " isn't a known key. Please open an issue and let us know the use case." ); } }); Object.keys(conf).forEach(function(k) { if (-1 !== ['module', 'manager'].indexOf(k)) { return; } if ('undefined' === typeof k) { throw new Error( "'" + k + "' should be set to a value, or `null`, but not left `undefined`" ); } }); return manager.defaults(conf); }); }; greenlock.manager.add = function(args) { if (!args || !Array.isArray(args.altnames) || !args.altnames.length) { throw new Error( 'you must specify `altnames` when adding a new site' ); } if (args.renewAt) { throw new Error( 'you cannot specify `renewAt` when adding a new site' ); } return greenlock.manager.set(args); }; // TODO agreeToTerms should be handled somewhere... maybe? // Add and update remains because I said I had locked the API greenlock.manager.set = greenlock.manager.update = function(args) { return greenlock._init().then(function() { // The goal is to make this decently easy to manage by hand without mistakes // but also reasonably easy to error check and correct // and to make deterministic auto-corrections args.subject = checkSubject(args); //var subscriberEmail = args.subscriberEmail; // TODO shortcut the other array checks when not necessary if (Array.isArray(args.altnames)) { args.altnames = checkAltnames(args.subject, args); } // at this point we know that subject is the first of altnames return Promise.all( (args.altnames || []).map(function(d) { d = d.replace('*.', ''); return U._validDomain(d); }) ).then(function() { if (!U._uniqueNames(args.altnames || [])) { throw E.NOT_UNIQUE( 'add', "'" + args.altnames.join("' '") + "'" ); } // durations if (args.renewOffset) { args.renewOffset = U._parseDuration(args.renewOffset); } if (args.renewStagger) { args.renewStagger = U._parseDuration(args.renewStagger); } return manager.set(args).then(function(result) { if (!gconf._bin_mode) { greenlock.renew({}).catch(function(err) { if (!err.context) { err.contxt = 'renew'; } greenlock._notify('error', err); }); } return result; }); }); }); }; greenlock.manager.remove = function(args) { return Promise.resolve().then(function() { args.subject = checkSubject(args); if (args.servername) { throw new Error( 'remove() should be called with `subject` only, if you wish to remove altnames use `update()`' ); } if (args.altnames) { throw new Error( 'remove() should be called with `subject` only, not `altnames`' ); } // TODO check no altnames return manager.remove(args); }); }; /* { subject: site.subject, altnames: site.altnames, //issuedAt: site.issuedAt, //expiresAt: site.expiresAt, renewOffset: site.renewOffset, renewStagger: site.renewStagger, renewAt: site.renewAt, subscriberEmail: site.subscriberEmail, customerEmail: site.customerEmail, challenges: site.challenges, store: site.store }; */ greenlock._find = function(args) { var servernames = (args.servernames || []) .concat(args.altnames || []) .filter(Boolean) .slice(0); var modified = servernames.slice(0); // servername, wildname, and altnames are all the same ['wildname', 'servername'].forEach(function(k) { var altname = args[k] || ''; if (altname && !modified.includes(altname)) { modified.push(altname); } }); if (modified.length) { servernames = modified; servernames = servernames.altnames.map(U._encodeName); args.altnames = servernames; args.servernames = args.altnames = checkAltnames(false, args); } // documented as args.servernames // preserved as args.altnames for v3 beta backwards compat // my only hesitancy in this choice is that a "servername" // may NOT contain '*.', in which case `altnames` is a better choice. // However, `altnames` is ambiguous - as if it means to find a // certificate by that specific collection of altnames. // ... perhaps `domains` could work? return manager.find(args); }; }; function checkSubject(args) { if (!args || !args.subject) { throw new Error('you must specify `subject` when configuring a site'); } /* if (!args.subject) { throw E.NO_SUBJECT('add'); } */ var subject = (args.subject || '').toLowerCase(); if (subject !== args.subject) { console.warn('`subject` must be lowercase', args.subject); } return U._encodeName(subject); } function checkAltnames(subject, args) { // the things we have to check and get right var altnames = (args.altnames || []).map(function(name) { return String(name || '').toLowerCase(); }); // punycode BEFORE validation // (set, find, remove) if (altnames.join() !== args.altnames.join()) { console.warn( 'all domains in `altnames` must be lowercase:', args.altnames ); } args.altnames = args.altnames.map(U._encodeName); if ( !args.altnames.every(function(d) { return U._validName(d); }) ) { throw E.INVALID_HOSTNAME('add', "'" + args.altnames.join("' '") + "'"); } if (subject && subject !== args.altnames[0]) { throw E.BAD_ORDER( 'add', '(' + args.subject + ") '" + args.altnames.join("' '") + "'" ); } /* if (subject && subject !== altnames[0]) { throw new Error( '`subject` must be the first domain in `altnames`', args.subject, altnames.join(' ') ); } */ return altnames; }