coolaj86
/
telebit.js
1
2
Fork 1
Code Issues 46 Pull-Requests 2 Releases Aktivität

[WIP] more new account

Dieser Commit ist enthalten in:
AJ ONeal 2019-03-26 03:22:15 -06:00
Ursprung 7f49650c48
Commit ffc95b4ddf
5 geänderte Dateien mit 201 neuen und 82 gelöschten Zeilen
Statistiken anzeigen Patch-Datei herunterladen Vergleichs-Datei herunterladen Alle Dateien ausklappen Alle Dateien einklappen

50
bin/telebit-remote.js
Datei anzeigen

@ -25,6 +25,7 @@ var camelCopy = recase.camelCopy.bind(recase);
//var snakeCopy = recase.snakeCopy.bind(recase);
var urequest = require('@coolaj86/urequest');
var urequestAsync = require('util').promisify(urequest);
var common = require('../lib/cli-common.js');
var defaultConfPath = path.join(os.homedir(), '.config/telebit');
@ -336,8 +337,6 @@ var RC;
function parseConfig(err, text) {
function handleConfig(err, config) {
if (err) { throw err; }
state.config = config;
var verstrd = [ pkg.name + ' daemon v' + state.config.version ];
if (state.config.version && state.config.version !== pkg.version) {
@ -682,7 +681,52 @@ function parseConfig(err, text) {
});
}
RC.request({ service: 'config', method: 'GET' }, handleConfig);
var bootState = {};
function bootstrap() {
// Create / retrieve account (sign-in, more or less)
// TODO hit directory resource /.well-known/openid-configuration -> acme_uri (?)
// Occassionally rotate the key just for the sake of testing the key rotation
return urequestAsync({ method: 'HEAD', url: RC.resolve('/acme/new-nonce') }).then(function (resp) {
var nonce = resp.headers['replay-nonce'];
var newAccountUrl = RC.resolve('/new-acct');
return keypairs.signJws({
jwk: state.key
, protected: {
// alg will be filled out automatically
jwk: state.pub
, nonce: nonce
, url: newAccountUrl
}
, payload: JSON.stringify({
// We can auto-agree here because the client is the user agent of the primary user
termsOfServiceAgreed: true
, contact: [] // I don't think we have email yet...
//, externalAccountBinding: null
})
}).then(function (jws) {
return urequestAsync({
url: newAccountUrl
, json: jws
, headers: { "Content-Type": 'application/jose+json' }
}).then(function (resp) {
console.log('resp.body:');
console.log(resp.body);
if (!resp.body || 'valid' !== resp.body.status) {
throw new Error("did not successfully create or restore account");
}
return RC.requestAsync({ service: 'config', method: 'GET' }).catch(function (err) {
console.error(err.stack);
process.exit(27);
}).then(handleConfig);
});
});
}).catch(RC.createErrorHandler(bootstrap, bootState, function (err) {
console.error(err);
process.exit(17);
}));
}
bootstrap();
}
var parsers = {

143
bin/telebitd.js
Datei anzeigen

@ -16,6 +16,7 @@ var crypto = require('crypto');
var path = require('path');
var os = require('os');
var fs = require('fs');
var fsp = fs.promises;
var urequest = require('@coolaj86/urequest');
var urequestAsync = require('util').promisify(urequest);
var common = require('../lib/cli-common.js');
@ -110,8 +111,20 @@ function getServername(servernames, sub) {
})[0];
}
/*global Promise*/
var _savingConfig = Promise.resolve();
function saveConfig(cb) {
fs.writeFile(confpath, YAML.safeDump(snakeCopy(state.config)), cb);
// simple sequencing chain so that write corruption is not possible
_savingConfig = _savingConfig.then(function () {
return fsp.writeFile(confpath, YAML.safeDump(snakeCopy(state.config))).then(function () {
try {
cb();
} catch(e) {
console.error(e.stack);
process.exit(47);
}
}).catch(cb);
});
}
var controllers = {};
controllers.http = function (req, res) {
@ -395,7 +408,8 @@ controllers.newNonce = function (req, res) {
//var indexUrl = "https://acme-staging-v02.api.letsencrypt.org/index"
var port = (state.config.ipc && state.config.ipc.port || state._ipc.port || undefined);
var indexUrl = "http://localhost:" + port + "/index";
res.headers.set("Link", "Link: <" + indexUrl + ">;rel=\"index\"");
res.headers.set("Link", "<" + indexUrl + ">;rel=\"index\"");
res.headers.set("Cache-Control", "max-age=0, no-cache, no-store");
res.headers.set("Pragma", "no-cache");
//res.headers.set("Strict-Transport-Security", "max-age=604800");
res.headers.set("X-Frame-Options", "DENY");
@ -418,11 +432,13 @@ controllers.newAccount = function (req, res) {
// req.body.contact: [ 'mailto:email' ]
res.statusCode = 422;
res.send({ error: { message: "jws signed payload should contain a valid mailto:email in the contact array" } });
return;
}
if (!req.body.termsOfServiceAgreed) {
// req.body.termsOfServiceAgreed: true
res.statusCode = 422;
res.send({ error: { message: "jws signed payload should have termsOfServiceAgreed: true" } });
return;
}
// We verify here regardless of whether or not it was verified before,
@ -435,46 +451,74 @@ controllers.newAccount = function (req, res) {
return;
}
// Note: we can get any number of account requests
// and these need to be stored for some space of time
// to await verification.
// we'll have to expire them somehow and prevent DoS
var jwk = req.jws.header.jwk;
return keypairs.thumbprint({ jwk: jwk }).then(function (thumb) {
// Note: we can get any number of account requests
// and these need to be stored for some space of time
// to await verification.
// we'll have to expire them somehow and prevent DoS
// check if this account already exists
DB.accounts.some(function (/*jwk*/) {
// calculate thumbprint from jwk
// find a key with matching jwk
});
// TODO fail if onlyReturnExisting is not false
// req.body.onlyReturnExisting: false
// check if this account already exists
var account;
DB.accounts.some(function (acc) {
// TODO calculate thumbprint from jwk
// find a key with matching jwk
if (acc.thumb === thumb) {
account = acc;
return true;
}
// TODO ACME requires kid to be the account URL (STUPID!!!)
// rather than the key id (as decided by the key issuer)
// not sure if it's necessary to handle it that way though
});
res.statusCode = 500;
res.send({
error: { message: "not implemented" },
"id": 0, // 5937234,
"key": req.jws.header.jwk, // TODO trim to basics
/*{
"kty": "EC",
"crv": "P-256",
"x": "G7kuV4JiqZs-GztrzpsmUM7Raf9tDUELWt5O337sTqw",
"y": "n5SFz9z2i-ZF_zu5aoS9t9O8y_g2qfonXv3Cna2e39k"
},*/
"contact": req.body.contact, // [ "mailto:john.doe@gmail.com" ],
// I'm not sure if we have the real IP through telebit's network wrapper at this point
// TODO we also need to set X-Forwarded-Addr as a proxy
"initialIp": req.connection.remoteAddress, //"128.187.116.28",
"createdAt": (new Date()).toISOString(), // "2018-04-17T21:29:10.833305103Z",
"status": "invalid" //"valid"
var myBaseUrl = (req.connection.encrypted ? 'https' : 'http') + '://' + req.headers.host;
if (!account) {
// fail if onlyReturnExisting is not false
if (req.body.onlyReturnExisting) {
res.statusCode = 422;
res.send({ error: { message: "onlyReturnExisting is set, so there's nothing to do" } });
return;
}
res.statusCode = 201;
account = {};
account._id = crypto.randomBytes(16).toString('base64');
// TODO be better about this
account.location = myBaseUrl + '/acme/accounts/' + account._id;
account.thumb = thumb;
account.pub = jwk;
account.contact = req.body.contact;
DB.accounts.push(account);
state.config.accounts = DB.accounts;
saveConfig(function () {});
}
var result = {
status: 'valid'
, contact: account.contact // [ "mailto:john.doe@gmail.com" ],
, orders: account.location + '/orders'
// optional / off-spec
, id: account._id
, jwk: account.pub
/*
// I'm not sure if we have the real IP through telebit's network wrapper at this point
// TODO we also need to set X-Forwarded-Addr as a proxy
"initialIp": req.connection.remoteAddress, //"128.187.116.28",
"createdAt": (new Date()).toISOString(), // "2018-04-17T21:29:10.833305103Z",
*/
};
res.setHeader('Location', account.location);
res.send(result);
/*
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json
Expires: Tue, 17 Apr 2018 21:29:10 GMT
Link: <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel="terms-of-service"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/acct/5937234
Pragma: no-cache
Replay-nonce: DKxX61imF38y_qkKvVcnWyo9oxQlHll0t9dMwGbkcxw
*/
});
/*
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json
Expires: Tue, 17 Apr 2018 21:29:10 GMT
Link: <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel="terms-of-service"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/acct/5937234
Pragma: no-cache
Replay-nonce: DKxX61imF38y_qkKvVcnWyo9oxQlHll0t9dMwGbkcxw
*/
});
});
};
@ -550,7 +594,7 @@ function verifyJws(jwk, jws) {
return keypairs.export({ jwk: jwk }).then(function (pem) {
var alg = 'SHA' + jws.header.alg.replace(/[^\d]+/i, '');
var sig = ecdsaAsn1SigToJwtSig(jws.header.alg, jws.signature);
return require('crypto')
return crypto
.createVerify(alg)
.update(jws.protected + '.' + jws.payload)
.verify(pem, sig, 'base64');
@ -915,14 +959,32 @@ function handleApi() {
}
// TODO turn strings into regexes to match beginnings
app.use('/.well-known/openid-configuration', function (req, res) {
res.headers.set("Access-Control-Allow-Headers", "Content-Type");
res.headers.set("Access-Control-Allow-Origin", "*");
res.headers.set("Access-Control-Expose-Headers", "Link, Replay-Nonce, Location");
res.headers.set("Access-Control-Max-Age", "86400");
if ('OPTIONS' === req.method) { res.end(); return; }
res.send({
jwks_uri: 'http://localhost/.well-known/jwks.json'
, acme_uri: 'http://localhost/acme/directory'
});
});
app.use('/acme', function acmeCors(req, res, next) {
// Taken from New-Nonce
res.headers.set("Access-Control-Allow-Headers", "Content-Type");
res.headers.set("Access-Control-Allow-Origin", "*");
res.headers.set("Access-Control-Expose-Headers", "Link, Replay-Nonce, Location");
res.headers.set("Access-Control-Max-Age", "86400");
if ('OPTIONS' === req.method) { res.end(); return; }
next();
});
app.use('/acme/directory', function (req, res) {
res.send({
'new-nonce': '/acme/new-nonce'
, 'new-account': '/acme/new-acct'
});
});
app.use('/acme/new-nonce', controllers.newNonce);
app.use('/acme/new-acct', controllers.newAccount);
app.use(/\b(relay)\b/, controllers.relay);
@ -1098,6 +1160,7 @@ function parseConfig(err, text) {
}
state.config = camelCopy(state.config || {}) || {};
DB.accounts = state.config.accounts || [];
run();

82
lib/rc/index.js
Datei anzeigen

@ -72,6 +72,49 @@ module.exports.create = function (state) {
}
var RC = {};
RC.resolve = function (pathstr) {
// TODO use real hostname and return reqOpts rather than string?
return 'http://localhost:' + RC.port({}).port.toString() + '/' + pathstr.replace(/^\//, '');
};
RC.port = function (reqOpts) {
var fs = require('fs');
var portFile = path.join(path.dirname(state._ipc.path), 'telebit.port');
if (fs.existsSync(portFile)) {
reqOpts.host = 'localhost';
reqOpts.port = parseInt(fs.readFileSync(portFile, 'utf8').trim(), 10);
if (!state.ipc) {
state.ipc = {};
}
state.ipc.type = 'port';
state.ipc.path = path.dirname(state._ipc.path);
state.ipc.port = reqOpts.port;
} else {
reqOpts.socketPath = state._ipc.path;
}
return reqOpts;
};
RC.createErrorhandler = function (replay, opts, cb) {
return function (err) {
// ENOENT - never started, cleanly exited last start, or creating socket at a different path
// ECONNREFUSED - leftover socket just needs to be restarted
if ('ENOENT' === err.code || 'ECONNREFUSED' === err.code) {
if (opts._taketwo) {
cb(err);
return;
}
require('../../usr/share/install-launcher.js').install({ env: process.env }, function (err) {
if (err) { cb(err); return; }
opts._taketwo = true;
setTimeout(function () {
replay(opts, cb);
}, 2500);
});
return;
}
cb(err);
};
};
RC.request = function request(opts, fn) {
if (!opts) { opts = {}; }
var service = opts.service || 'config';
@ -93,44 +136,12 @@ module.exports.create = function (state) {
method: method
, path: url
};
var fs = require('fs');
var portFile = path.join(path.dirname(state._ipc.path), 'telebit.port');
if (fs.existsSync(portFile)) {
reqOpts.host = 'localhost';
reqOpts.port = parseInt(fs.readFileSync(portFile, 'utf8').trim(), 10);
if (!state.ipc) {
state.ipc = {};
}
state.ipc.type = 'port';
state.ipc.path = path.dirname(state._ipc.path);
state.ipc.port = reqOpts.port;
} else {
reqOpts.socketPath = state._ipc.path;
}
reqOpts = RC.port(reqOpts);
var req = http.request(reqOpts, function (resp) {
makeResponder(service, resp, fn);
});
req.on('error', function (err) {
// ENOENT - never started, cleanly exited last start, or creating socket at a different path
// ECONNREFUSED - leftover socket just needs to be restarted
if ('ENOENT' === err.code || 'ECONNREFUSED' === err.code) {
if (opts._taketwo) {
fn(err);
return;
}
require('../../usr/share/install-launcher.js').install({ env: process.env }, function (err) {
if (err) { fn(err); return; }
opts._taketwo = true;
setTimeout(function () {
RC.request(opts, fn);
}, 2500);
});
return;
}
fn(err);
});
req.on('error', RC.createErrorHandler(RC.request, opts, fn));
// Simple GET
if ('POST' !== method || !opts.data) {
@ -150,7 +161,8 @@ module.exports.create = function (state) {
// alg will be filled out automatically
jwk: state.pub
, nonce: require('crypto').randomBytes(16).toString('hex') // TODO get from server
, url: 'https://' + reqOpts.host + reqOpts.path
// TODO make localhost exceptional
, url: RC.resolve(reqOpts.path)
}
, payload: JSON.stringify(opts.data)
}).then(function (jws) {

6
package-lock.json generiert
Datei anzeigen

@ -435,9 +435,9 @@
}
},
"keypairs": {
"version": "1.2.12",
"resolved": "https://registry.npmjs.org/keypairs/-/keypairs-1.2.12.tgz",
"integrity": "sha512-zYjYdDvo7G4AIkkZVM3WEJBTRUIrFzYswYNqCxcCPHUsgbBBdewSHAH1CiaQ+VA6Yb7BLEPIv8gFrRz5wJrgsw==",
"version": "1.2.14",
"resolved": "https://registry.npmjs.org/keypairs/-/keypairs-1.2.14.tgz",
"integrity": "sha512-ZoZfZMygyB0QcjSlz7Rh6wT2CJasYEHBPETtmHZEfxuJd7bnsOG5AdtPZqHZBT+hoHvuWCp/4y8VmvTvH0Y9uA==",
"requires": {
"eckles": "^1.4.1",
"rasha": "^1.2.4"

2
package.json
Datei anzeigen

@ -58,7 +58,7 @@
"greenlock": "^2.6.7",
"js-yaml": "^3.11.0",
"keyfetch": "^1.1.8",
"keypairs": "^1.2.12",
"keypairs": "^1.2.14",
"mkdirp": "^0.5.1",
"proxy-packer": "^2.0.2",
"ps-list": "^5.0.0",